@yoshizawa56
Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

no

Description

This PR adds support for the IMMUTABLE_WITH_EXCLUSION image tag mutability mode for ECR repositories, allowing users to specify exclusion filters for tags that should remain mutable while enforcing immutability for all others.

Changes:

  • Add image_tag_mutability_exclusion_filter configuration block
  • Support IMMUTABLE_WITH_EXCLUSION as a valid image_tag_mutability value
  • Add validation for exclusion filters (max 5 filters, max 128 chars, max 2 wildcards)
  • Add cross-field validation to ensure filters are only used with appropriate mutability modes
  • Add comprehensive acceptance tests including cross-field validation test
  • Update documentation with examples and constraints

Relations

Closes #43569

References

Output from Acceptance Testing

$ make testacc TESTS=TestAccECRRepository_ PKG=ecr
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/ecr/... -v -count 1 -parallel 20 -run='TestAccECRRepository_' -timeout 360m

--- PASS: TestAccECRRepository_basic (31.43s)
--- PASS: TestAccECRRepository_disappears (24.93s)
--- PASS: TestAccECRRepository_tags (50.47s)
--- PASS: TestAccECRRepository_immutability (29.31s)
--- PASS: TestAccECRRepository_immutabilityWithExclusion (39.86s)
--- PASS: TestAccECRRepository_immutabilityWithExclusion_validation (16.63s)
--- PASS: TestAccECRRepository_immutabilityWithExclusion_crossValidation (13.79s)
--- PASS: TestAccECRRepository_Image_scanning (55.66s)
--- PASS: TestAccECRRepository_Encryption_kms (60.19s)
--- PASS: TestAccECRRepository_Encryption_aes256 (42.97s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/ecr       63.755s
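
An added example, not code from this pull request or from the provider: a standalone Go sketch of the limits listed in the description (at most 5 filters, 128 characters and 2 wildcards each, filters only with a `*_WITH_EXCLUSION` mode), plus a helper that lists which tags stay overwritable under IMMUTABLE_WITH_EXCLUSION. The names `Validate`, `matches` and `Overwritable` are hypothetical, the sample tags are constructed, and treating `*` as "any run of characters" is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Validate applies the limits from the PR description: filters only with a
// *_WITH_EXCLUSION mode, at most 5 filters, 128 chars and 2 wildcards each.
func Validate(mode string, filters []string) error {
	if !strings.HasSuffix(mode, "_WITH_EXCLUSION") && len(filters) > 0 {
		return fmt.Errorf("exclusion filters are not valid with %s", mode)
	}
	if len(filters) > 5 {
		return fmt.Errorf("%d filters given, at most 5 allowed", len(filters))
	}
	for _, f := range filters {
		if f == "" || len(f) > 128 || strings.Count(f, "*") > 2 {
			return fmt.Errorf("invalid filter %q", f)
		}
	}
	return nil
}

// matches assumes '*' stands for any run of characters; all else is literal.
func matches(filter, tag string) bool {
	re := "^" + strings.ReplaceAll(regexp.QuoteMeta(filter), `\*`, ".*") + "$"
	ok, _ := regexp.MatchString(re, tag)
	return ok
}

// Overwritable lists the tags that remain mutable under
// IMMUTABLE_WITH_EXCLUSION: those matching at least one exclusion filter.
func Overwritable(filters, tags []string) []string {
	var out []string
	for _, t := range tags {
		for _, f := range filters {
			if matches(f, t) {
				out = append(out, t)
				break
			}
		}
	}
	return out
}

func main() { // constructed sample filters and tags
	fmt.Println(Overwritable([]string{"latest", "dev-*"}, []string{"latest", "dev-42", "v1.2.3"}))
}
```

A filter of `*` passes these limits yet leaves every tag overwritable, so the output of `Overwritable` is worth reviewing against the tags that deployments actually pin.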

This commit adds support for the IMMUTABLE_WITH_EXCLUSION image tag mutability mode in ECR repositories, allowing users to specify exclusion filters for tags that should remain mutable while enforcing immutability for all others.

Changes:
- Add image_tag_mutability_exclusion_filter configuration block
- Support IMMUTABLE_WITH_EXCLUSION as a valid image_tag_mutability value
- Add validation for exclusion filters (max 5 filters, max 128 chars, max 2 wildcards)
- Add cross-field validation to ensure filters are only used with appropriate mutability modes
- Add comprehensive acceptance tests including cross-field validation test
- Update documentation with examples and constraints

Closes hashicorp#43569
@yoshizawa56 yoshizawa56 requested a review from a team as a code owner August 1, 2025 08:33
@github-actions
github-actions bot commented Aug 1, 2025

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions
github-actions bot commented Aug 1, 2025

✅ Thank you for correcting the previously detected issues! The maintainers appreciate your efforts to make the review process as smooth as possible.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/ecr Issues and PRs that pertain to the ecr service. size/L Managed by automation to categorize the size of a PR. labels Aug 1, 2025
@tsjnsn
tsjnsn commented Aug 1, 2025

fyi cli shows MUTABLE_WITH_EXCLUSION is available too

   --image-tag-mutability (string)
      The  tag mutability setting for the repository. If this parameter is
      omitted, the default setting of MUTABLE will be used which will  al-
      low image tags to be overwritten. If IMMUTABLE is specified, all im-
      age  tags within the repository will be immutable which will prevent
      them from being overwritten.

      Possible values:

      o MUTABLE

      o IMMUTABLE

      o IMMUTABLE_WITH_EXCLUSION

      o MUTABLE_WITH_EXCLUSION

@github-actions github-actions bot added the size/XL Managed by automation to categorize the size of a PR. label Aug 1, 2025
@justinretzolk justinretzolk added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 4, 2025
@ewbankkit ewbankkit self-assigned this Aug 6, 2025
@github-actions github-actions bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Aug 6, 2025
@ewbankkit ewbankkit left a comment

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccECRRepository_' PKG=ecr ACCTEST_PARALELLISM=3
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.24.5 test ./internal/service/ecr/... -v -count 1 -parallel 20  -run=TestAccECRRepository_ -timeout 360m -vet=off
2025/08/06 11:07:53 Creating Terraform AWS Provider (SDKv2-style)...
2025/08/06 11:07:53 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccECRRepository_basic
=== PAUSE TestAccECRRepository_basic
=== RUN   TestAccECRRepository_disappears
=== PAUSE TestAccECRRepository_disappears
=== RUN   TestAccECRRepository_tags
=== PAUSE TestAccECRRepository_tags
=== RUN   TestAccECRRepository_immutability
=== PAUSE TestAccECRRepository_immutability
=== RUN   TestAccECRRepository_immutabilityWithExclusion
=== PAUSE TestAccECRRepository_immutabilityWithExclusion
=== RUN   TestAccECRRepository_mutabilityWithExclusion
=== PAUSE TestAccECRRepository_mutabilityWithExclusion
=== RUN   TestAccECRRepository_immutabilityWithExclusion_validation
=== PAUSE TestAccECRRepository_immutabilityWithExclusion_validation
=== RUN   TestAccECRRepository_immutabilityWithExclusion_crossValidation
=== PAUSE TestAccECRRepository_immutabilityWithExclusion_crossValidation
=== RUN   TestAccECRRepository_Image_scanning
=== PAUSE TestAccECRRepository_Image_scanning
=== RUN   TestAccECRRepository_Encryption_kms
=== PAUSE TestAccECRRepository_Encryption_kms
=== RUN   TestAccECRRepository_Encryption_aes256
=== PAUSE TestAccECRRepository_Encryption_aes256
=== CONT  TestAccECRRepository_basic
=== CONT  TestAccECRRepository_immutabilityWithExclusion_validation
=== CONT  TestAccECRRepository_Encryption_kms
=== CONT  TestAccECRRepository_tags
=== CONT  TestAccECRRepository_disappears
=== CONT  TestAccECRRepository_immutability
=== CONT  TestAccECRRepository_Encryption_aes256
=== CONT  TestAccECRRepository_Image_scanning
=== CONT  TestAccECRRepository_immutabilityWithExclusion_crossValidation
=== CONT  TestAccECRRepository_mutabilityWithExclusion
=== CONT  TestAccECRRepository_immutabilityWithExclusion
--- PASS: TestAccECRRepository_immutabilityWithExclusion_crossValidation (3.47s)
--- PASS: TestAccECRRepository_immutabilityWithExclusion_validation (5.20s)
--- PASS: TestAccECRRepository_disappears (16.07s)
--- PASS: TestAccECRRepository_immutability (18.70s)
--- PASS: TestAccECRRepository_basic (18.76s)
--- PASS: TestAccECRRepository_immutabilityWithExclusion (26.67s)
--- PASS: TestAccECRRepository_mutabilityWithExclusion (27.25s)
--- PASS: TestAccECRRepository_Encryption_aes256 (32.96s)
--- PASS: TestAccECRRepository_tags (34.67s)
--- PASS: TestAccECRRepository_Image_scanning (41.34s)
--- PASS: TestAccECRRepository_Encryption_kms (47.64s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/ecr	53.187s

@jar-b jar-b left a comment

LGTM 🚀

@ewbankkit
@yoshizawa56 Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit dd25db6 into hashicorp:main Aug 6, 2025
46 checks passed
@github-actions
github-actions bot commented Aug 6, 2025

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v6.8.0 milestone Aug 6, 2025
@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Aug 7, 2025
@github-actions
github-actions bot commented Aug 7, 2025

This functionality has been released in v6.8.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
github-actions bot commented Sep 7, 2025

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 7, 2025
Development

Successfully merging this pull request may close these issues.

Support for IMMUTABLE_WITH_EXCLUSION for ECR Registry
