@Copilot Copilot AI commented Sep 18, 2025

This PR implements support for the image_tag_mutability_exclusion_filter feature in AWS ECR repositories, allowing fine-grained control over tag mutability settings.

Problem

ECR repositories previously only supported global image_tag_mutability settings (MUTABLE or IMMUTABLE), which applied to all tags uniformly. This created limitations in scenarios where users needed mixed mutability - for example, keeping production tags immutable while allowing development tags like latest, dev-*, or feature-* to be mutable.

Solution

Added comprehensive support for image_tag_mutability_exclusion_filter which allows users to define specific tag patterns that should be excluded from the repository's global mutability setting.

Key Changes

  1. New Variable: Added image_tag_mutability_exclusion_filter variable with proper type definition:

    image_tag_mutability_exclusion_filter = [
      {
        filter      = "latest"
        filter_type = "WILDCARD"
      },
      {
        # trailing * so the pattern covers every dev-prefixed tag
        filter      = "dev-*"
        filter_type = "WILDCARD"
      }
    ]

  2. Dynamic Resource Block: Implemented dynamic block in aws_ecr_repository resource to conditionally apply exclusion filters.

  3. Comprehensive Validation: Added validation rules to ensure:

    • filter_type must be a valid value (WILDCARD)
    • filter values cannot be empty or whitespace-only

  4. Provider Version Update: Updated minimum AWS provider version to >= 6.8.0 to support this feature across all modules and examples.

Usage Example

module "ecr" {
  source = "cloudposse/ecr/aws"

  namespace = "company"
  stage     = "prod"
  name      = "api"

  # Immutable by default; only tags matching the filters below are exempt
  image_tag_mutability = "IMMUTABLE_WITH_EXCLUSION"

  # Allow specific tag patterns to be mutable while keeping others immutable
  image_tag_mutability_exclusion_filter = [
    {
      filter      = "latest"
      filter_type = "WILDCARD"
    },
    {
      # trailing * so the pattern covers every dev-prefixed tag
      filter      = "dev-*"
      filter_type = "WILDCARD"
    }
  ]
}

This enables scenarios where production tags remain immutable for safety, while development and utility tags maintain flexibility for iterative workflows.

Documentation

Updated README.md with comprehensive documentation including:

  • Advanced usage examples showing real-world scenarios
  • Provider version requirements and migration notes
  • Complete variable reference in the inputs table

Testing

  • ✅ All Terraform validation passes
  • ✅ Formatting checks pass across all modules
  • ✅ Variable validation correctly catches invalid configurations
  • ✅ Examples updated and validated
  • ✅ Backward compatibility maintained

Breaking Changes

This is an additive feature that defaults to an empty list, preserving existing behavior.

HOWEVER the AWS Provider is updated two major versions.

Requirements

  • AWS Provider >= 6.8.0 (updated across all modules and examples)
  • Terraform >= 0.13.0 (unchanged)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint-api.hashicorp.com
    • Triggering command: terraform version (dns block)
    • Triggering command: terraform init (dns block)
    • Triggering command: terraform fmt -check (dns block)
  • esm.ubuntu.com
    • Triggering command: /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

This pull request was created as a result of the following prompt from Copilot chat.

Implement support for image_tag_mutability_exclusion_filter in the AWS ECR repository resource in main.tf. This entails:

  • Adding a new variable to the module for configuring exclusion filters.
  • Using a dynamic block for image_tag_mutability_exclusion_filter in the resource, referencing the new variable(s).
  • Documenting the new variable(s) in the README.md, with usage examples and a note about the minimum AWS provider version (>= 6.8.0).
  • Updating versions.tf to bump the minimum AWS provider version to 6.8.0.
  • Updating changelog and examples if needed.
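
One way the variable validation and dynamic block listed under Key Changes could be written, shown as an added example and not the module's actual code. The resource label `this`, the repository name, and the description strings are assumptions; the validations use a counting pattern that works with the Terraform >= 0.13.0 requirement stated above.

```hcl
# Added example, not the module's source. Resource label "this" and the
# repository name are placeholders.
variable "image_tag_mutability" {
  type        = string
  default     = "IMMUTABLE"
  description = "Global tag mutability setting for the repository."
}

variable "image_tag_mutability_exclusion_filter" {
  type = list(object({
    filter      = string
    filter_type = string
  }))
  default     = [] # no exclusions: the global setting applies to every tag
  description = "Tag patterns exempt from the global mutability setting."

  validation {
    # Count offending entries; the check passes when none are found.
    condition = length([
      for f in var.image_tag_mutability_exclusion_filter : f
      if !contains(["WILDCARD"], f.filter_type)
    ]) == 0
    error_message = "Each filter_type must be WILDCARD."
  }

  validation {
    condition = length([
      for f in var.image_tag_mutability_exclusion_filter : f
      if trimspace(f.filter) == ""
    ]) == 0
    error_message = "Each filter must be a non-empty, non-whitespace string."
  }
}

resource "aws_ecr_repository" "this" {
  name                 = "example"
  image_tag_mutability = var.image_tag_mutability

  # One nested block per list entry; an empty list emits no blocks.
  dynamic "image_tag_mutability_exclusion_filter" {
    for_each = var.image_tag_mutability_exclusion_filter
    content {
      filter      = image_tag_mutability_exclusion_filter.value.filter
      filter_type = image_tag_mutability_exclusion_filter.value.filter_type
    }
  }
}
```

Every tag that matches a filter can be overwritten in an otherwise immutable repository, so the filter list deserves the same review as any other exception to a release control.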



mergify bot commented Sep 18, 2025

This pull request was automatically closed as it no longer contains any changes.

This typically happens when another merged pull request has already included this request's
proposed modifications into the default branch.

@mergify mergify bot added no-changes No changes were made in this PR triage Needs triage labels Sep 18, 2025
@Benbentwo Benbentwo reopened this Sep 18, 2025
@mergify mergify bot added the wip Work in Progress: Not ready for final review or merge label Sep 18, 2025
@Copilot Copilot AI changed the title from "[WIP] Implement image_tag_mutability_exclusion_filter support for AWS ECR repository (requires AWS provider >= 6.8.0)" to "Add support for image_tag_mutability_exclusion_filter in ECR repositories" Sep 18, 2025
@Copilot Copilot AI requested a review from Benbentwo September 18, 2025 19:53
Copilot finished work on behalf of Benbentwo September 18, 2025 19:53
@mergify mergify bot removed the wip Work in Progress: Not ready for final review or merge label Sep 18, 2025
@Benbentwo Benbentwo marked this pull request as ready for review September 18, 2025 19:58
@Benbentwo Benbentwo requested review from a team as code owners September 18, 2025 19:58
@Benbentwo Benbentwo requested review from hans-d and kevcube September 18, 2025 19:58
@Benbentwo
Member

/terratest

@Benbentwo Benbentwo added major Breaking changes (or first stable release) and removed no-changes No changes were made in this PR triage Needs triage labels Sep 18, 2025
@Benbentwo
Member

/terratest

@Benbentwo
Member

/terratest

@Benbentwo
Member

/terratest

@Benbentwo
Member

/terratest

@Benbentwo
Member

/terratest

@Benbentwo
Member

/terratest

@Benbentwo
Member

/terratest

@Benbentwo
Member

/terratest

@Benbentwo
Member

/terratest

@Benbentwo
Member

/terratest

@Benbentwo
Member

/terratest

@Benbentwo Benbentwo merged commit 9a49665 into main Sep 22, 2025
18 checks passed
@Benbentwo Benbentwo deleted the copilot/fix-7d6b6c27-e54c-419f-bb97-e9127134b18f branch September 22, 2025 17:45
Contributor

These changes were released in v1.0.0.
