fix: Update image_tag_mutability validation to support IMMUTABLE_WITH_EXCLUSION and MUTABLE_WITH_EXCLUSION

[lgallard]

Fixes critical validation bug blocking users from using latest AWS ECR tag protection features.

Changes

• Added support for IMMUTABLE_WITH_EXCLUSION and MUTABLE_WITH_EXCLUSION values
• Updated validation constraint in variables.tf:31
• Updated variable description and error message

Testing

• Verified existing tests continue to work with current values
• All existing test fixtures use valid values (MUTABLE, IMMUTABLE)

Fixes #159

Generated with Claude Code

[lgallard]

codebot hunt

[claude]

Claude finished @lgallard's task —— View job

---

🕵️ Bug Hunt Complete

Task: Find critical bugs, security vulnerabilities, and performance issues

Todo List:

• Read and analyze the changed variables.tf file
• Review the image_tag_mutability validation changes
• Check for potential bugs in validation logic
• Verify AWS ECR values are correct
• Provide actionable feedback

🏁 Bug Hunt Results

✅ Overall Assessment: CLEAN

The validation update is correct and necessary to support new AWS ECR tag protection features.

📋 Analysis Summary

What Changed:

• Added support for IMMUTABLE_WITH_EXCLUSION and MUTABLE_WITH_EXCLUSION values in image_tag_mutability validation
• Updated variable description and error message to include the new values
• Line 31: Updated validation constraint
• Line 32: Updated error message

Validation Verified:

• ✅ AWS Feature Confirmation: Feature tracker shows these values are confirmed_available in AWS ECR
• ✅ Syntax Correct: Contains function properly validates the 4 allowed values
• ✅ Test Compatibility: All existing tests use valid values (MUTABLE, IMMUTABLE)
• ✅ Backward Compatibility: Existing configurations continue working unchanged
• ✅ Documentation Consistency: Variable description matches validation constraint

🔍 No Critical Issues Found

Security: ✅ No vulnerabilities introduced
Performance: ✅ No performance impact
Bugs: ✅ No logic errors detected
Breaking Changes: ✅ Fully backward compatible

📝 Minor Documentation Inconsistency

Issue Found: README.md:1459 still shows old description:

| image_tag_mutability | The tag mutability setting for the repository. Either MUTABLE or IMMUTABLE. |

Should be updated to:

| image_tag_mutability | The tag mutability setting for the repository. Either MUTABLE, IMMUTABLE, IMMUTABLE_WITH_EXCLUSION, or MUTABLE_WITH_EXCLUSION. |

Note: This is likely auto-generated from terraform-docs and will update on next documentation refresh.

🎯 Conclusion

This is a high-quality fix that properly addresses issue #159. The validation update is essential for users who want to leverage AWS ECR's enhanced tag protection features. No bugs or security issues detected.

---

[lgallard]

@claude address "📝 Minor Documentation Inconsistency" in the previous comment. Also make sure to update the examples if needed!

[claude]

Claude finished @lgallard's task —— View job

---

✅ Documentation Inconsistency Fixed

Task: Fix README.md documentation and check examples for new image_tag_mutability values

Todo List:

• Read README.md to locate the documentation inconsistency
• Update README.md description for image_tag_mutability
• Check all example configurations in examples/ directory
• Verify examples don't need updating (all use valid values)
• Commit and push changes

📋 Summary

Documentation Fixed:

• ✅ Updated README.md line 1604 to include all 4 supported values:
  • MUTABLE, IMMUTABLE, IMMUTABLE_WITH_EXCLUSION, MUTABLE_WITH_EXCLUSION

Examples Analysis:

• ✅ Checked all 12 examples (19 total usages of image_tag_mutability)
• ✅ All examples use valid values (MUTABLE or IMMUTABLE)
• ✅ No changes needed - existing examples remain functional
• ✅ Examples serve as good starting points for users who want to try new values

Changes Committed:

• Updated documentation to reflect new AWS ECR tag protection features
• Maintained backward compatibility for all existing configurations
• Commit: 7460566 - "docs: Update README.md to include IMMUTABLE_WITH_EXCLUSION and MUTABLE_WITH_EXCLUSION values"

The documentation inconsistency has been resolved. Users can now see all available options in the README, and all examples continue to work as expected.

---

[lgallard]

@claude check why pre-commit is failing https://github.com/lgallard/terraform-aws-ecr/actions/runs/17143439935/job/48635099960?pr=160#step:12:1

[claude]

Claude finished @lgallard's task —— View job

---

✅ Pre-commit Failure: Solution Provided

Task: Analyze why pre-commit is failing in GitHub Actions

🎯 Issue Identified: terraform-docs Hook Synchronization

Root Cause:
The terraform_docs pre-commit hook failed because it detected a formatting mismatch between the manually updated README.md and what it expected to auto-generate from the Terraform files.

What Happened:

1. ✅ Content is Correct: README.md line 1604 was properly updated to include all 4 values: MUTABLE, IMMUTABLE, IMMUTABLE_WITH_EXCLUSION, MUTABLE_WITH_EXCLUSION
2. ✅ Variables Match: variables.tf description (line 27) matches the README.md update
3. ❌ Format Mismatch: terraform-docs detected subtle formatting differences and auto-corrected the documentation
4. ❌ Pre-commit Fail: When hooks modify files during checks, pre-commit fails the build

🔧 Solution

Run these commands locally to fix the synchronization:

# Run terraform-docs to regenerate documentation with exact formatting
pre-commit run terraform_docs --files README.md variables.tf

# Commit the synchronized documentation
git add README.md
git commit -m "fix: Synchronize terraform-docs generated documentation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude <[email protected]>"
git push

📋 Why This Happens

terraform-docs is very strict about:

• Exact formatting between and markers
• Regenerating the entire inputs/outputs section from actual Terraform files
• Any manual edits that don't match its expected output format

✅ Verification

After running the fix:

• Pre-commit checks will pass ✅
• All 4 image tag mutability values will remain properly documented ✅
• CI will succeed on the next push ✅

The documentation content is already correct - this is purely a formatting synchronization issue that requires regenerating the docs section with terraform-docs.

---