mozilla · jbuck · Nov 22, 2025 · Nov 20, 2025 · Nov 20, 2025
diff --git a/google_gar/README.md b/google_gar/README.md
@@ -20,6 +20,7 @@ module "gar" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_application"></a> [application](#input\_application) | Application, e.g. bouncer. | `string` | n/a | yes |
+| <a name="input_cleanup_policies"></a> [cleanup\_policies](#input\_cleanup\_policies) | n/a | <pre>map(object({<br/>    id     = string<br/>    action = string<br/>    condition = optional(object({<br/>      tag_state             = string<br/>      tag_prefixes          = string<br/>      version_name_prefixes = any<br/>      package_name_prefixes = any<br/>      older_than            = any<br/>      newer_than            = any<br/>    }))<br/>    most_recent_versions = optional(object({<br/>      package_name_prefixes = any<br/>      keep_count            = any<br/>    }))<br/>  }))</pre> | n/a | yes |
 | <a name="input_description"></a> [description](#input\_description) | n/a | `string` | `null` | no |
 | <a name="input_format"></a> [format](#input\_format) | n/a | `string` | `"DOCKER"` | no |
 | <a name="input_location"></a> [location](#input\_location) | Location of the repository. Should generally be set to a multi-region location like 'us' or 'europe'. | `string` | `"us"` | no |

diff --git a/google_gar/main.tf b/google_gar/main.tf
@@ -11,22 +11,51 @@ resource "google_project_service" "gar" {
 }
 
 resource "google_artifact_registry_repository" "repository" {
-  provider      = google-beta
   depends_on    = [google_project_service.gar]
   repository_id = local.repository_id
   format        = var.format
   location      = var.location
   description   = var.description
   project       = var.project
 
+  dynamic "cleanup_policies" {
+    for_each = var.cleanup_policies
+
+    content {
+      id     = cleanup_policies.value.id
+      action = cleanup_policies.value.action
+
+      dynamic "condition" {
+        for_each = cleanup_policies.value.condition
+
+        content {
+          tag_state             = condition.value.tag_state
+          tag_prefixes          = condition.value.tag_prefixes
+          version_name_prefixes = condition.value.version_name_prefixes
+          package_name_prefixes = condition.value.package_name_prefixes
+          older_than            = condition.value.older_than
+          newer_than            = condition.value.newer_than
+        }
+      }
+
+      dynamic "most_recent_versions" {
+        for_each = cleanup_policies.value.most_recent_versions
+
+        content {
+          package_name_prefixes = most_recent_versions.value.package_name_prefixes
+          keep_count            = most_recent_versions.value.keep_count
+        }
+      }
+    }
+  }
+
   labels = {
     app_code = var.application
     realm    = var.realm
   }
 }
 
 resource "google_artifact_registry_repository_iam_member" "reader" {
-  provider   = google-beta
   for_each   = toset(var.repository_readers)
   project    = var.project
   location   = var.location
@@ -42,7 +71,6 @@ resource "google_service_account" "writer_service_account" {
 }
 
 resource "google_artifact_registry_repository_iam_member" "writer" {
-  provider   = google-beta
   project    = var.project
   location   = var.location
   repository = google_artifact_registry_repository.repository.name

diff --git a/google_gar/variables.tf b/google_gar/variables.tf
@@ -44,3 +44,22 @@ variable "writer_service_account_id" {
   type    = string
   default = "artifact-writer"
 }
+
+variable "cleanup_policies" {
+  type = map(object({
+    id     = string
+    action = string
+    condition = optional(object({
+      tag_state             = string
+      tag_prefixes          = string
+      version_name_prefixes = any
+      package_name_prefixes = any
+      older_than            = any
+      newer_than            = any
+    }))
+    most_recent_versions = optional(object({
+      package_name_prefixes = any
+      keep_count            = any
+    }))
+  }))
+}