diff --git a/infra/terraform/modules/account/README.md b/infra/terraform/modules/account/README.md
index ed6097f0b4..7c44e185a2 100644
--- a/infra/terraform/modules/account/README.md
+++ b/infra/terraform/modules/account/README.md
@@ -14,6 +14,7 @@ No providers.
| Name | Source | Version |
|------|--------|---------|
+| [ecr](#module\_ecr) | terraform-aws-modules/ecr/aws | ~> 1.6 |
| [github](#module\_github) | ../../modules/github | n/a |
## Resources
@@ -25,6 +26,8 @@ No resources.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [create\_github\_resources](#input\_create\_github\_resources) | Whether to create the GitHub resources. | `bool` | `true` | no |
+| [ecr\_read\_access\_arns](#input\_ecr\_read\_access\_arns) | The list of ARNs to attach to the ECR read role. | `list(string)` | `[]` | no |
+| [ecr\_read\_write\_access\_arns](#input\_ecr\_read\_write\_access\_arns) | The list of ARNs to attach to the ECR read-write role. | `list(string)` | `[]` | no |
| [github\_oidc\_readonly\_role\_policies](#input\_github\_oidc\_readonly\_role\_policies) | The map of policies to attach to the OIDC readonly role. | `map(string)` | `{}` | no |
| [github\_oidc\_role\_policies](#input\_github\_oidc\_role\_policies) | A map of policy names to policy ARNs to attach to the OIDC role. | `map(string)` | `{}` | no |
diff --git a/infra/terraform/modules/account/ecr.tf b/infra/terraform/modules/account/ecr.tf
index cc622d34bf..a3896b1ac9 100644
--- a/infra/terraform/modules/account/ecr.tf
+++ b/infra/terraform/modules/account/ecr.tf
@@ -1,13 +1,19 @@
+locals {
+ repositories = ["api", "selfserve", "internal"]
+}
+
module "ecr" {
+ for_each = toset(local.repositories)
+
source = "terraform-aws-modules/ecr/aws"
version = "~> 1.6"
- repository_name = "vol-app"
+ repository_name = "vol-app-${each.key}"
repository_read_access_arns = var.ecr_read_access_arns
repository_read_write_access_arns = var.ecr_read_write_access_arns
- create_lifecycle_policy = true
+ create_lifecycle_policy = true
repository_lifecycle_policy = jsonencode({
rules = [
{
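Review bot: With `for_each` over `local.repositories`, the unchanged lines `repository_read_access_arns = var.ecr_read_access_arns` and `repository_read_write_access_arns = var.ecr_read_write_access_arns` now grant the same principals pull and push rights on all three repositories, so a role that only publishes `api` images can also push to `selfserve` and `internal`. If the services are built by different roles, consider making the variables maps keyed by repository name and selecting per instance, e.g. `repository_read_write_access_arns = lookup(var.ecr_read_write_access_arns, each.key, [])`. Separately, the scan rules visible in the next hunk look like registry-wide settings; if they sit in this same module block, each of the three instances would try to manage the same registry scanning configuration, which is better declared once outside the loop. The module block continues beyond this hunk, so both points should be checked against the full file.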
@@ -46,7 +52,7 @@ module "ecr" {
scan_frequency = "SCAN_ON_PUSH"
filter = "*"
filter_type = "WILDCARD"
- }, {
+ }, {
scan_frequency = "CONTINUOUS_SCAN"
filter = "v*"
filter_type = "WILDCARD"