[Enhancement]: aws_ecr_repository data source support for external registries such as public.ecr.aws

Description

The AWS ECS service team introduced a regression where they started forcing container image ID pinning. This means that jobs using public containers like cloudwatch-agent/cloudwatch-agent or xray/aws-xray-daemon will fail to launch after the upstream image tags are updated, which means that it would be really useful to be able to use something like data.aws_ecr_repository.xray.most_recent_image_tags tags in Terraform rather than setting up for future deployment failures when the latest tag changes.

This is also complicated because the aws_ecr_repository resource does not implement all of the attributes which the data source provides, so if you want to manage this currently in Terraform you have to do the following:

Enable pull-through caching (e.g. “ecr-public”)
Create an aws_ecr_repository resource with the target container (e.g. "ecr-public/cloudwatch-agent/cloudwatch-agent") to ensure that Terraform won't fail due to errors before the container image has been pulled at least once.
Create an aws_ecr_repository data source to get the most recent image tags
Filter the desired tags

Affected Resource(s) and/or Data Source(s)

aws_ecr_repository

Potential Terraform Configuration

data "aws_ecr_repository" "xray-daemon" {
    name = "cloudwatch-agent/cloudwatch-agent"
    repository_url = "public.ecr.aws"
}

References

https://github.com/hashicorp/terraform-provider-aws/issues/22509 was opened earlier but closed without progress.

There's a separate bug in aws_ecr_repository which causes the most_recent_image_tags attribute not to be populated (#36835) which is also a blocker.

Would you like to implement a fix?

None

hashicorp / terraform-provider-aws