chore(main): release 4.0.1

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [4.0.1](https://github.com/nullplatform/tofu-modules/compare/v4.0.0...v4.0.1) (2026-06-09)
+
+
+### Bug Fixes
+
+* **ecr:** add cross-account pull and repository policy support ([#384](https://github.com/nullplatform/tofu-modules/issues/384)) ([cf6431f](https://github.com/nullplatform/tofu-modules/commit/cf6431f69c5ce3055c60ff3d659a23c12d9162f9))
+
 ## [4.0.0](https://github.com/nullplatform/tofu-modules/compare/v3.5.2...v4.0.0) (2026-06-02)
 
 

infrastructure/aws/acm/README.md

@@ -18,7 +18,7 @@ The module creates an aws_acm_certificate resource with DNS validation, which is
 
 ```hcl
 module "acm" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/acm?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/acm?ref=v4.0.1"
 
   domain_name = "your-domain-name"
   zone_id     = "your-zone-id"

infrastructure/aws/aws_load_balancer_controller/README.md

@@ -18,7 +18,7 @@ This module creates a helm_release resource to deploy the AWS Load Balancer Cont
 
 ```hcl
 module "aws_load_balancer_controller" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v4.0.1"
 
   cluster_name = "your-cluster-name"
   vpc_id       = "your-vpc-id"

infrastructure/aws/backend/README.md

@@ -20,7 +20,7 @@ This module creates an S3 bucket with versioning and server-side encryption enab
 
 ```hcl
 module "backend" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/backend?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/backend?ref=v4.0.1"
 }
 ```
 

infrastructure/aws/dns/README.md

@@ -20,7 +20,7 @@ The module conditionally creates an aws_route53_zone resource for a public hoste
 
 ```hcl
 module "dns" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v4.0.1"
 
   domain_name = "your-domain-name"
   vpc_id      = "your-vpc-id"

infrastructure/aws/eks/README.md

@@ -22,7 +22,7 @@ The module wraps terraform-aws-modules/eks to create the EKS cluster (aws_eks_cl
 
 ```hcl
 module "eks" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v4.0.1"
 
   aws_subnets_private_ids = "your-aws-subnets-private-ids"
   aws_vpc_vpc_id          = "your-aws-vpc-vpc-id"

infrastructure/aws/iam/agent/README.md

@@ -19,7 +19,7 @@ This module creates an IAM role for a Kubernetes service account using the terra
 
 ```hcl
 module "agent" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v4.0.1"
 
   agent_namespace                     = "your-agent-namespace"
   aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"

infrastructure/aws/iam/aws_load_balancer_controller_iam/README.md

@@ -19,7 +19,7 @@ This module creates an IAM role for the AWS Load Balancer Controller using the t
 
 ```hcl
 module "aws_load_balancer_controller_iam" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v4.0.1"
 
   aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
   cluster_name                        = "your-cluster-name"

infrastructure/aws/iam/cert_manager/README.md

@@ -21,7 +21,7 @@ An aws_iam_policy is created granting Route53 permissions (GetChange, ChangeReso
 
 ```hcl
 module "cert_manager" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v4.0.1"
 
   aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
   cluster_name                        = "your-cluster-name"

infrastructure/aws/iam/ecr/README.md

@@ -2,25 +2,26 @@
 
 ## Description
 
-Creates IAM resources for managing ECR repositories and CI/CD build workflows within a named cluster namespace, with optional cross-account pull access
+Provisions IAM resources for ECR image management and optional cross-account ECR pull access within a named cluster namespace
 
 ## Architecture
 
-The module creates an aws_iam_role (application role) with a configurable assume-role principal, an aws_iam_policy granting ECR management permissions, and an aws_iam_user with an aws_iam_access_key for CI/CD build workflows. The ECR policy is attached to the application role via aws_iam_role_policy_attachment and to an aws_iam_group via aws_iam_group_policy_attachment, with the build user added to that group through aws_iam_user_group_membership. When enable_cross_account_pull is true, a second aws_iam_role and aws_iam_policy are conditionally created and attached, allowing specified external AWS account IDs to assume the role for read-only ECR pulls.
+The module creates two aws_iam_role resources (an application role with a configurable assume-role principal and an optional cross-account pull role), an aws_iam_policy for ECR management actions, and an aws_iam_user with an aws_iam_access_key for CI/CD build workflows. The ECR manager policy is attached to both the application role via aws_iam_role_policy_attachment and to an aws_iam_group via aws_iam_group_policy_attachment, with the build workflow user added to that group through aws_iam_user_group_membership. When enable_cross_account_pull is true, a separate aws_iam_role and aws_iam_policy scoped to read-only ECR actions are created and linked, with pull_account_ids driving the Principal trust statements.
 
 ## Features
 
-- Creates an aws_iam_role for application workloads with a configurable assume-role principal ARN
-- Creates an aws_iam_policy granting full ECR repository lifecycle management permissions
-- Creates an aws_iam_user and aws_iam_access_key for CI/CD build workflows with ECR push access
-- Organizes ECR access via an aws_iam_group with policy attachment and user membership
-- Optionally creates a cross-account aws_iam_role and read-only ECR policy for external AWS accounts to pull images
+- Creates a namespaced aws_iam_role for application image pulling with a configurable assume-role principal
+- Creates an aws_iam_policy granting full ECR repository lifecycle permissions including push, pull, and repository management
+- Creates an aws_iam_user and aws_iam_access_key for CI/CD build workflow authentication to ECR
+- Creates an aws_iam_group and attaches the ECR manager policy for group-based permission management
+- Optionally creates a cross-account aws_iam_role and read-only ECR pull policy for external AWS accounts
+- Outputs a ready-to-use ECR repository policy JSON for cross-account pull access configuration
 
 ## Basic Usage
 
 ```hcl
 module "ecr" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ecr?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ecr?ref=v4.0.1"
 
   cluster_name = "your-cluster-name"
 }
@@ -79,19 +80,21 @@ resource "example_resource" "this" {
 | <a name="output_build_workflow_access_key_id"></a> [build\_workflow\_access\_key\_id](#output\_build\_workflow\_access\_key\_id) | Access key ID for the CI/CD build workflow IAM user |
 | <a name="output_build_workflow_access_key_secret"></a> [build\_workflow\_access\_key\_secret](#output\_build\_workflow\_access\_key\_secret) | Secret access key for the CI/CD build workflow IAM user |
 | <a name="output_cross_account_pull_role_arn"></a> [cross\_account\_pull\_role\_arn](#output\_cross\_account\_pull\_role\_arn) | ARN of the IAM role that cross-account principals can assume to pull ECR images. Empty string when enable\_cross\_account\_pull is false. |
+| <a name="output_ecr_repository_policy"></a> [ecr\_repository\_policy](#output\_ecr\_repository\_policy) | ECR repository policy JSON granting pull access to the configured cross-account IDs. Empty string when enable\_cross\_account\_pull is false. |
 <!-- END_TF_DOCS -->
 
 <!-- BEGIN_AI_METADATA
 {
   "name": "ecr",
-  "description": "Creates IAM resources for managing ECR repositories and CI/CD build workflows within a named cluster namespace, with optional cross-account pull access",
-  "architecture": "The module creates an aws_iam_role (application role) with a configurable assume-role principal, an aws_iam_policy granting ECR management permissions, and an aws_iam_user with an aws_iam_access_key for CI/CD build workflows. The ECR policy is attached to the application role via aws_iam_role_policy_attachment and to an aws_iam_group via aws_iam_group_policy_attachment, with the build user added to that group through aws_iam_user_group_membership. When enable_cross_account_pull is true, a second aws_iam_role and aws_iam_policy are conditionally created and attached, allowing specified external AWS account IDs to assume the role for read-only ECR pulls.",
+  "description": "Provisions IAM resources for ECR image management and optional cross-account ECR pull access within a named cluster namespace",
+  "architecture": "The module creates two aws_iam_role resources (an application role with a configurable assume-role principal and an optional cross-account pull role), an aws_iam_policy for ECR management actions, and an aws_iam_user with an aws_iam_access_key for CI/CD build workflows. The ECR manager policy is attached to both the application role via aws_iam_role_policy_attachment and to an aws_iam_group via aws_iam_group_policy_attachment, with the build workflow user added to that group through aws_iam_user_group_membership. When enable_cross_account_pull is true, a separate aws_iam_role and aws_iam_policy scoped to read-only ECR actions are created and linked, with pull_account_ids driving the Principal trust statements.",
   "features": [
-    "Creates an aws_iam_role for application workloads with a configurable assume-role principal ARN",
-    "Creates an aws_iam_policy granting full ECR repository lifecycle management permissions",
-    "Creates an aws_iam_user and aws_iam_access_key for CI/CD build workflows with ECR push access",
-    "Organizes ECR access via an aws_iam_group with policy attachment and user membership",
-    "Optionally creates a cross-account aws_iam_role and read-only ECR policy for external AWS accounts to pull images"
+    "Creates a namespaced aws_iam_role for application image pulling with a configurable assume-role principal",
+    "Creates an aws_iam_policy granting full ECR repository lifecycle permissions including push, pull, and repository management",
+    "Creates an aws_iam_user and aws_iam_access_key for CI/CD build workflow authentication to ECR",
+    "Creates an aws_iam_group and attaches the ECR manager policy for group-based permission management",
+    "Optionally creates a cross-account aws_iam_role and read-only ECR pull policy for external AWS accounts",
+    "Outputs a ready-to-use ECR repository policy JSON for cross-account pull access configuration"
   ],
   "inputs": [
     {
@@ -119,8 +122,9 @@ resource "example_resource" "this" {
     "application_role_arn",
     "build_workflow_access_key_id",
     "build_workflow_access_key_secret",
-    "cross_account_pull_role_arn"
+    "cross_account_pull_role_arn",
+    "ecr_repository_policy"
   ],
-  "hash": "919aeb658197d87037609619914d6040"
+  "hash": "3fec1e27ab807f00fd3468e628c7cae3"
 }
 END_AI_METADATA -->

infrastructure/aws/iam/external_dns/README.md

@@ -21,7 +21,7 @@ The module creates an aws_iam_policy granting Route53 permissions scoped to the
 
 ```hcl
 module "external_dns" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v4.0.1"
 
   aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
   cluster_name                        = "your-cluster-name"

infrastructure/aws/iam/s3/README.md

@@ -19,7 +19,7 @@ The module creates an aws_s3_bucket_policy resource attached to an existing S3 b
 
 ```hcl
 module "s3" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3?ref=v4.0.1"
 
   bucket_arn = "your-bucket-arn"
   bucket_id  = "your-bucket-id"

infrastructure/aws/ingress/README.md

@@ -22,7 +22,7 @@ The module creates up to two kubernetes_ingress_v1 resources — one for an inte
 
 ```hcl
 module "ingress" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/ingress?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/ingress?ref=v4.0.1"
 
   certificate_arn = "your-certificate-arn"
 }

infrastructure/aws/security/README.md

@@ -22,7 +22,7 @@ The module uses data sources (aws_eks_cluster, aws_vpc) to derive VPC ID and CID
 
 ```hcl
 module "security" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v4.0.1"
 
   cluster_name = "your-cluster-name"
 }

infrastructure/aws/vpc/README.md

@@ -22,7 +22,7 @@ This module creates a terraform-aws-modules/vpc/aws module resource with DNS hos
 
 ```hcl
 module "vpc" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v4.0.1"
 
   account      = "your-account"
   organization = "your-organization"

infrastructure/azure/acr/README.md

@@ -18,7 +18,7 @@ The module uses the azurerm_container_registry resource to create the container
 
 ```hcl
 module "acr" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/acr?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/acr?ref=v4.0.1"
 
   containerregistry_name = "your-containerregistry-name"
   location               = "your-location"

infrastructure/azure/aks/README.md

@@ -22,7 +22,7 @@ The module wraps the Azure/aks/azurerm community module (version 11.0.0) and use
 
 ```hcl
 module "aks" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks?ref=v4.0.1"
 
   cluster_name        = "your-cluster-name"
   location            = "your-location"

infrastructure/azure/aks_route_table/README.md

@@ -19,7 +19,7 @@ The module uses an azurerm_resources data source to discover the route table cre
 
 ```hcl
 module "aks_route_table" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks_route_table?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks_route_table?ref=v4.0.1"
 
   node_resource_group = "your-node-resource-group"
   subnet_id           = "your-subnet-id"

infrastructure/azure/dns/README.md

@@ -18,7 +18,7 @@ This module creates an azurerm_dns_zone resource and configures it with the prov
 
 ```hcl
 module "dns" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/dns?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/dns?ref=v4.0.1"
 
   domain_name         = "your-domain-name"
   resource_group_name = "your-resource-group-name"

infrastructure/azure/iam/README.md

@@ -21,7 +21,7 @@ The module creates an azurerm_user_assigned_identity resource in the specified r
 
 ```hcl
 module "iam" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/iam?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/iam?ref=v4.0.1"
 
   location             = "your-location"
   name                 = "your-name"

infrastructure/azure/private_dns/README.md

@@ -18,7 +18,7 @@ This module creates an azurerm_private_dns_zone resource and optionally multiple
 
 ```hcl
 module "private_dns" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/private_dns?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/private_dns?ref=v4.0.1"
 
   domain_name           = "your-domain-name"
   resource_group_name   = "your-resource-group-name"

infrastructure/azure/resource_group/README.md

@@ -18,7 +18,7 @@ This module creates an azurerm_resource_group resource and outputs its name and
 
 ```hcl
 module "resource_group" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/resource_group?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/resource_group?ref=v4.0.1"
 
   location            = "your-location"
   resource_group_name = "your-resource-group-name"

infrastructure/azure/security/README.md

@@ -21,7 +21,7 @@ The module uses azurerm_kubernetes_cluster and azurerm_virtual_network data sour
 
 ```hcl
 module "security" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/security?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/security?ref=v4.0.1"
 
   cluster_name        = "your-cluster-name"
   resource_group_name = "your-resource-group-name"

infrastructure/azure/vnet/README.md

@@ -18,7 +18,7 @@ This module creates an Azure virtual network using the azurerm provider and conf
 
 ```hcl
 module "vnet" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/vnet?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/vnet?ref=v4.0.1"
 
   address_space       = "your-address-space"
   location            = "your-location"

infrastructure/commons/cert_manager/README.md

@@ -21,7 +21,7 @@ The module creates two core helm_release resources: cert-manager from the Jetsta
 
 ```hcl
 module "cert_manager" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.1"
 
   account_slug        = "your-account-slug"
   cloud_provider      = "your-cloud-provider"
@@ -34,7 +34,7 @@ module "cert_manager" {
 
 ```hcl
 module "cert_manager" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.1"
 
   account_slug        = "your-account-slug"
   cloud_provider      = "gcp"
@@ -49,7 +49,7 @@ module "cert_manager" {
 
 ```hcl
 module "cert_manager" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.1"
 
   account_slug              = "your-account-slug"
   azure_client_id           = "your-azure-client-id"  # Required when cloud_provider = "azure"
@@ -67,7 +67,7 @@ module "cert_manager" {
 
 ```hcl
 module "cert_manager" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.1"
 
   account_slug           = "your-account-slug"
   cloud_provider         = "cloudflare"
@@ -82,7 +82,7 @@ module "cert_manager" {
 
 ```hcl
 module "cert_manager" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.1"
 
   account_slug        = "your-account-slug"
   aws_region          = "your-aws-region"  # Required when cloud_provider = "aws"
@@ -97,7 +97,7 @@ module "cert_manager" {
 
 ```hcl
 module "cert_manager" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.0.1"
 
   account_slug         = "your-account-slug"
   cloud_provider       = "oci"