Support immutability and scanning

main.tf

@@ -110,9 +110,14 @@ module "label" {
 }
 
 resource "aws_ecr_repository" "self" {
-  count = "${module.enabled.value}"
-  name  = "${var.use_fullname == "true" ? module.label.id : module.label.name}"
-  tags  = "${module.label.tags}"
+  count                = "${module.enabled.value}"
+  name                 = "${var.use_fullname == "true" ? module.label.id : module.label.name}"
+  image_tag_mutability = "${var.image_tag_mutability}"
+  tags                 = "${module.label.tags}"
+
+  image_scanning_configuration {
+    scan_on_push = "${var.scan_on_push}"
+  }
 }
 
 resource "aws_ecr_lifecycle_policy" "aged" {

variables.tf

@@ -1,8 +1,25 @@
+variable "accounts_ro" {
+  description = "AWS accounts to provide with readonly access to the ECR"
+  type        = "list"
+  default     = []
+}
+
+variable "accounts_rw" {
+  description = "AWS accounts to provide with full access to the ECR"
+  type        = "list"
+  default     = []
+}
+
 variable "enabled" {
   description = "Set to false to prevent the module from creating any resources"
   default     = true
 }
 
+variable "image_tag_mutability" {
+  description = "The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE"
+  default     = "MUTABLE"
+}
+
 variable "max_image_age" {
   description = "Max container image age"
   default     = "0"
@@ -19,16 +36,9 @@ variable "max_image_count" {
   default     = "500"
 }
 
-variable "accounts_rw" {
-  description = "AWS accounts to provide with full access to the ECR"
-  type        = "list"
-  default     = []
-}
-
-variable "accounts_ro" {
-  description = "AWS accounts to provide with readonly access to the ECR"
-  type        = "list"
-  default     = []
+variable "scan_on_push" {
+  description = "Vulnerabiliy scan images automatically on push"
+  default     = false
 }
 
 variable "use_fullname" {