diff --git a/modules/ecr-registry/main.tf b/modules/ecr-registry/main.tf
index a78b236..e6f9228 100644
--- a/modules/ecr-registry/main.tf
+++ b/modules/ecr-registry/main.tf
@@ -3,7 +3,7 @@ locals {
     package = "terraform-aws-container"
     version = trimspace(file("${path.module}/../../VERSION"))
     module  = basename(path.module)
-    name    = data.aws_caller_identity.this.id
+    name    = local.account_id
   }
   module_tags = {
     "module.terraform.io/package"   = local.metadata.package
@@ -27,156 +27,21 @@ locals {
 # Registry Policy
 ###################################################
 
-data "aws_iam_policy_document" "replication" {
-  count = length(try(var.replication_policies, [])) > 0 ? 1 : 0
-
-  dynamic "statement" {
-    for_each = try(var.replication_policies, [])
-
-    content {
-      sid    = "ReplicationAccess${statement.value.account_id}"
-      effect = "Allow"
-      principals {
-        type = "AWS"
-        identifiers = [
-          "arn:aws:iam::${statement.value.account_id}:root"
-        ]
-      }
-      actions = compact([
-        try(statement.value.allow_create_repository, true) ? "ecr:CreateRepository" : null,
-        "ecr:ReplicateImage",
-      ])
-      resources = [
-        for repository in statement.value.repositories :
-        "arn:aws:ecr:${local.region}:${local.account_id}:repository/${repository}"
-      ]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "pull_through_cache" {
-  count = length(try(var.pull_through_cache_policies, [])) > 0 ? 1 : 0
-
-  dynamic "statement" {
-    for_each = try(var.pull_through_cache_policies, [])
-
-    content {
-      sid    = "PullThroughCacheAccess-${statement.key}"
-      effect = "Allow"
-      principals {
-        type        = "AWS"
-        identifiers = try(statement.value.iam_entities, [])
-      }
-      actions = compact([
-        try(statement.value.allow_create_repository, true) ? "ecr:CreateRepository" : null,
-        "ecr:BatchImportUpstreamImage",
-      ])
-      resources = [
-        for repository in statement.value.repositories :
-        "arn:aws:ecr:${local.region}:${local.account_id}:repository/${repository}"
-      ]
-    }
-  }
-}
-
 data "aws_iam_policy_document" "this" {
-  source_policy_documents = concat(
-    try(data.aws_iam_policy_document.replication[*].json, []),
-    try(data.aws_iam_policy_document.pull_through_cache[*].json, []),
-  )
+  source_policy_documents = compact([
+    one(data.aws_iam_policy_document.replication[*].json),
+    one(data.aws_iam_policy_document.pull_through_cache[*].json),
+  ])
 
   override_policy_documents = var.policy != null ? [var.policy] : null
 }
 
 resource "aws_ecr_registry_policy" "this" {
-  count = length(var.replication_policies) > 0 || length(var.pull_through_cache_policies) > 0 || var.policy != null ? 1 : 0
+  count = anytrue([
+    length(var.replication_policies) > 0,
+    length(var.pull_through_cache_policies) > 0,
+    var.policy != null,
+  ]) ? 1 : 0
 
   policy = data.aws_iam_policy_document.this.json
 }
-
-
-###################################################
-# Replication Configurations
-###################################################
-
-resource "aws_ecr_replication_configuration" "this" {
-  count = length(var.replication_destinations) > 0 ? 1 : 0
-
-  replication_configuration {
-    rule {
-      dynamic "destination" {
-        for_each = var.replication_destinations
-
-        content {
-          registry_id = destination.value.registry_id
-          region      = destination.value.region
-        }
-      }
-    }
-  }
-}
-
-
-###################################################
-# Pull Through Cache Rule
-###################################################
-
-locals {
-  default_namespaces = {
-    "quay.io"        = "quay"
-    "public.ecr.aws" = "ecr-public"
-  }
-}
-
-resource "aws_ecr_pull_through_cache_rule" "this" {
-  for_each = {
-    for rule in var.pull_through_cache_rules :
-    try(rule.namespace, local.default_namespaces[rule.upstream_url]) => rule
-  }
-
-  ecr_repository_prefix = each.key
-  upstream_registry_url = each.value.upstream_url
-}
-
-
-###################################################
-# Scanning Configuration
-###################################################
-
-resource "aws_ecr_registry_scanning_configuration" "this" {
-  scan_type = var.scanning_type
-
-  dynamic "rule" {
-    for_each = length(var.scanning_on_push_filters) > 0 ? ["go"] : []
-
-    content {
-      scan_frequency = "SCAN_ON_PUSH"
-
-      dynamic "repository_filter" {
-        for_each = var.scanning_on_push_filters
-
-        content {
-          filter      = repository_filter.value
-          filter_type = "WILDCARD"
-        }
-      }
-    }
-  }
-
-  dynamic "rule" {
-    for_each = length(var.scanning_continuous_filters) > 0 ? ["go"] : []
-
-    content {
-      scan_frequency = "CONTINUOUS_SCAN"
-
-      dynamic "repository_filter" {
-        for_each = var.scanning_continuous_filters
-
-        content {
-          filter      = repository_filter.value
-          filter_type = "WILDCARD"
-        }
-      }
-    }
-  }
-}
diff --git a/modules/ecr-registry/outputs.tf b/modules/ecr-registry/outputs.tf
index 16278e2..52f88fb 100644
--- a/modules/ecr-registry/outputs.tf
+++ b/modules/ecr-registry/outputs.tf
@@ -13,33 +13,40 @@ output "policy" {
   value       = one(aws_ecr_registry_policy.this[*].policy)
 }
 
-output "replication_destinations" {
-  description = "A list of destinations for ECR registry replication."
-  value       = var.replication_destinations
+output "replication_policies" {
+  description = "A list of replication policies for ECR Registry."
+  value       = var.replication_policies
+}
+
+output "replication_rules" {
+  description = "A list of replication rules for ECR Registry."
+  value       = var.replication_rules
+}
+
+output "pull_through_cache_policies" {
+  description = "A list of Pull Through Cache policies for ECR Registry."
+  value       = var.pull_through_cache_policies
 }
 
 output "pull_through_cache_rules" {
   description = "A list of Pull Through Cache Rules for ECR registry."
-  value = [
-    for id, rule in aws_ecr_pull_through_cache_rule.this : {
-      id           = id
-      namespace    = rule.ecr_repository_prefix
-      upstream_url = rule.upstream_registry_url
-    }
-  ]
+  value       = var.pull_through_cache_rules
 }
 
 output "scanning_type" {
-  description = "The scanning type for the registry."
+  description = "The scanning type to set for the registry."
   value       = aws_ecr_registry_scanning_configuration.this.scan_type
 }
 
-output "scanning_on_push_filters" {
-  description = "A list of repository filter to scan on push."
-  value       = var.scanning_on_push_filters
+output "scanning_rules" {
+  description = "A list of scanning rules to determine which repository filters are used and at what frequency scanning will occur."
+  value       = var.scanning_rules
 }
 
-output "scanning_continuous_filters" {
-  description = "A list of repository filter to scan continuous."
-  value       = var.scanning_continuous_filters
-}
+# output "debug" {
+#   value = {
+#     pull_through_cache_rules = aws_ecr_pull_through_cache_rule.this
+#     replication_rules        = aws_ecr_replication_configuration.this
+#     scanning_rules           = aws_ecr_registry_scanning_configuration.this
+#   }
+# }
diff --git a/modules/ecr-registry/pull-through-cache.tf b/modules/ecr-registry/pull-through-cache.tf
new file mode 100644
index 0000000..1435ad0
--- /dev/null
+++ b/modules/ecr-registry/pull-through-cache.tf
@@ -0,0 +1,62 @@
+###################################################
+# Pull Through Cache Policy
+###################################################
+
+data "aws_iam_policy_document" "pull_through_cache" {
+  count = length(var.pull_through_cache_policies) > 0 ? 1 : 0
+
+  dynamic "statement" {
+    for_each = var.pull_through_cache_policies
+    iterator = policy
+
+    content {
+      sid    = "PullThroughCacheAccess-${policy.key}"
+      effect = "Allow"
+
+      principals {
+        type        = "AWS"
+        identifiers = policy.value.iam_entities
+      }
+      actions = (policy.value.allow_create_repository
+        ? ["ecr:CreateRepository", "ecr:BatchImportUpstreamImage"]
+        : ["ecr:BatchImportUpstreamImage"]
+      )
+      resources = [
+        for repository in policy.value.repositories :
+        "arn:aws:ecr:${local.region}:${local.account_id}:repository/${repository}"
+      ]
+    }
+  }
+}
+
+
+###################################################
+# Pull Through Cache Rules
+###################################################
+
+locals {
+  default_namespaces = {
+    "ghcr.io"               = "github"
+    "myregistry.azurecr.io" = "azure"
+    "public.ecr.aws"        = "ecr-public"
+    "quay.io"               = "quay"
+    "registry-1.docker.io"  = "docker-hub"
+    "registry.gitlab.com"   = "gitlab"
+    "registry.k8s.io"       = "kubernetes"
+  }
+}
+
+resource "aws_ecr_pull_through_cache_rule" "this" {
+  for_each = {
+    for rule in var.pull_through_cache_rules :
+    coalesce(rule.namespace, local.default_namespaces[rule.upstream_url]) => rule
+  }
+
+  ecr_repository_prefix = each.key
+  upstream_registry_url = each.value.upstream_url
+
+  credential_arn = (each.value.credential != null
+    ? each.value.credential.secretsmanager_secret
+    : null
+  )
+}
diff --git a/modules/ecr-registry/replication.tf b/modules/ecr-registry/replication.tf
new file mode 100644
index 0000000..88f693d
--- /dev/null
+++ b/modules/ecr-registry/replication.tf
@@ -0,0 +1,69 @@
+###################################################
+# Replication Policy
+###################################################
+
+data "aws_iam_policy_document" "replication" {
+  count = length(var.replication_policies) > 0 ? 1 : 0
+
+  dynamic "statement" {
+    for_each = var.replication_policies
+    iterator = policy
+
+    content {
+      sid    = "ReplicationAccess${policy.value.account}"
+      effect = "Allow"
+
+      principals {
+        type = "AWS"
+        identifiers = [
+          "arn:aws:iam::${policy.value.account}:root"
+        ]
+      }
+      actions = (policy.value.allow_create_repository
+        ? ["ecr:CreateRepository", "ecr:ReplicateImage"]
+        : ["ecr:ReplicateImage"]
+      )
+      resources = [
+        for repository in policy.value.repositories :
+        "arn:aws:ecr:${local.region}:${local.account_id}:repository/${repository}"
+      ]
+    }
+  }
+}
+
+
+###################################################
+# Replication Rules
+###################################################
+
+resource "aws_ecr_replication_configuration" "this" {
+  count = length(var.replication_rules) > 0 ? 1 : 0
+
+  replication_configuration {
+    dynamic "rule" {
+      for_each = var.replication_rules
+      iterator = rule
+
+      content {
+        dynamic "destination" {
+          for_each = rule.value.destinations
+
+          content {
+            registry_id = coalesce(destination.value.account, local.account_id)
+            region      = destination.value.region
+          }
+        }
+
+        dynamic "repository_filter" {
+          for_each = rule.value.filters
+          iterator = filter
+
+          content {
+            filter_type = filter.value.type
+            filter      = filter.value.value
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/modules/ecr-registry/scanning.tf b/modules/ecr-registry/scanning.tf
new file mode 100644
index 0000000..ef36335
--- /dev/null
+++ b/modules/ecr-registry/scanning.tf
@@ -0,0 +1,25 @@
+###################################################
+# Scanning Configuration
+###################################################
+
+resource "aws_ecr_registry_scanning_configuration" "this" {
+  scan_type = var.scanning_type
+
+  dynamic "rule" {
+    for_each = var.scanning_rules
+
+    content {
+      scan_frequency = rule.value.frequency
+
+      dynamic "repository_filter" {
+        for_each = rule.value.filters
+        iterator = filter
+
+        content {
+          filter_type = filter.value.type
+          filter      = filter.value.value
+        }
+      }
+    }
+  }
+}
diff --git a/modules/ecr-registry/variables.tf b/modules/ecr-registry/variables.tf
index 75b5fb9..93524af 100644
--- a/modules/ecr-registry/variables.tf
+++ b/modules/ecr-registry/variables.tf
@@ -2,39 +2,70 @@ variable "policy" {
   description = "(Optional) The policy document for ECR registry. This is a JSON formatted string."
   type        = string
   default     = null
+  nullable    = true
 }
 
 variable "replication_policies" {
-  description = "(Optional) A list of ECR Registry Policies for replication. `account_id` is source AWS account for replication. If `allow_create_repository` is false, you need to create repositories with the same name whithin your registry. `repositories` is a list of target repositories. Support glob expressions for `repositories` like `*`."
+  description = <<EOF
+  (Optional) A list of replication policies for ECR Registry. Each block of `replication_policies` as defined below.
+    (Required) `account` - The AWS account ID of the source registry owner.
+    (Optional) `allow_create_repository` - Whether to auto-create the replicated repositories with the same name within the current registry. Defaults to `false`.
+    (Required) `repositories` - A list of target repositories. Support glob expressions like `*`.
+  EOF
   type = list(object({
-    account_id              = string
-    allow_create_repository = bool
+    account                 = string
+    allow_create_repository = optional(bool, false)
     repositories            = list(string)
   }))
   default  = []
   nullable = false
 }
 
-variable "replication_destinations" {
-  description = "(Optional) A list of destinations for ECR registry replication. `registry_id` is the account ID of the destination registry to replicate to. `region` is required to replicate to."
+variable "replication_rules" {
+  description = <<EOF
+  (Optional) A list of replication rules for ECR Registry. Each rule represents the replication destinations and repository filters for a replication configuration. Each block of `replication_rules` as defined below.
+    (Required) `destinations` - A list of destinations for replication rule. Each block of `destinations` as defined below.
+      (Optional) `account` - The AWS account ID of the ECR private registry to replicate to. Only required for cross-account replication.
+      (Required) `region` - The Region to replicate to.
+    (Optional) `filters` - The filter settings used with image replication. Specifying a repository filter to a replication rule provides a method for controlling which repositories in a private registry are replicated. If no filters are added, the contents of all repositories are replicated. Each block of `filters` as defined below.
+      (Optional) `type` - The repository filter type. The only supported value is `PREFIX_MATCH`, which is a repository name prefix. Defaults to `PREFIX_MATCH`.
+      (Required) `value` - The repository filter value.
+  EOF
   type = list(object({
-    registry_id = string
-    region      = string
+    destinations = list(object({
+      account = optional(string)
+      region  = string
+    }))
+    filters = optional(list(object({
+      type  = optional(string, "PREFIX_MATCH")
+      value = string
+    })), [])
   }))
   default  = []
   nullable = false
+
+  validation {
+    condition = alltrue([
+      for rule in var.replication_rules :
+      alltrue([
+        for filter in rule.filters :
+        contains(["PREFIX_MATCH"], filter.type)
+      ])
+    ])
+    error_message = "Valid values for `type` are `PREFIX_MATCH`."
+  }
 }
 
 variable "pull_through_cache_policies" {
   description = <<EOF
-  (Optional) A list of ECR Registry Policies for Pull Through Cache. Each value of `pull_through_cache_policies` as defined below.
-    (Required) `iam_entities` - Specify one or more IAM principals to grant permission. Support the ARN of IAM entities, or AWS account ID.
-    (Required) `allow_create_repository` - Need to create target repositories if `allow_create_repository` is false.
+  (Optional) A list of ECR Registry Policies for Pull Through Cache. Each block of `pull_through_cache_policies` as defined below.
+    (Required) `iam_entities` - One or more IAM principals to grant permission. Support the ARN of IAM entities, or AWS account ID.
+    (Optional) `allow_create_repository` - Whether to auto-create the cached repositories with the same name within the current registry. Defaults to `false`.
     (Required) `repositories` - A list of target repositories. Support glob expressions for `repositories` like `*`.
   EOF
   type = list(object({
     iam_entities            = list(string)
-    allow_create_repository = bool
+    allow_create_repository = optional(bool, false)
     repositories            = list(string)
   }))
   default  = []
@@ -46,29 +77,68 @@ variable "pull_through_cache_rules" {
   (Optional) A list of Pull Through Cache Rules for ECR registry. A `pull_through_cache_rules` block as defined below.
     (Required) `upstream_url` - The registry URL of the upstream public registry to use as the source.
     (Optional) `namespace` - The repository name prefix to use when caching images from the source registry. Default value is used if not provided.
+    (Optional) `credential` - The configuration for credential to use to authenticate against the registry. A `credential` block as defined below.
+      (Required) `secretsmanager_secret` - The ARN of the Secrets Manager secret to use for authentication.
   EOF
-  type        = list(any)
-  default     = []
-  nullable    = false
+  type = list(object({
+    upstream_url = string
+    namespace    = optional(string)
+    credential = optional(object({
+      secretsmanager_secret = string
+    }))
+  }))
+  default  = []
+  nullable = false
 }
 
 variable "scanning_type" {
-  description = "(Optional) The scanning type to set for the registry. Can be either `ENHANCED` or `BASIC`."
+  description = <<EOF
+  (Optional) The scanning type to set for the registry. Valid values are `ENHANCED` or `BASIC`. Defaults to `BASIC`.
+  EOF
   type        = string
   default     = "BASIC"
   nullable    = false
-}
 
-variable "scanning_on_push_filters" {
-  description = "(Optional) A list of repository filter to scan on push. Wildcard character is allowed."
-  type        = list(string)
-  default     = []
-  nullable    = false
+  validation {
+    condition     = contains(["ENHANCED", "BASIC"], var.scanning_type)
+    error_message = "Valid values for `scanning_type` are `ENHANCED`, `BASIC`."
+  }
 }
 
-variable "scanning_continuous_filters" {
-  description = "(Optional) A list of repository filter to scan continuous. Wildcard character is allowed."
-  type        = list(string)
-  default     = []
-  nullable    = false
+variable "scanning_rules" {
+  description = <<EOF
+  (Optional) A list of scanning rules to determine which repository filters are used and at what frequency scanning will occur. Each block of `scanning_rules` as defined below.
+    (Required) `frequency` - The frequency that scans are performed at for a private registry. Valid values are `SCAN_ON_PUSH`, `CONTINUOUS_SCAN`.
+    (Optional) `filters` - The configuration of repository filters for image scanning.
+      (Optional) `type` - The repository filter type. The only supported value is `WILDCARD`. A filter with no wildcard will match all repository names that contain the filter. A filter with a wildcard (*) matches on any repository name where the wildcard replaces zero or more characters in the repository name. Defaults to `WILDCARD`.
+      (Required) `value` - The repository filter value.
+  EOF
+  type = list(object({
+    frequency = string
+    filters = optional(list(object({
+      type  = optional(string, "WILDCARD")
+      value = string
+    })), [])
+  }))
+  default  = []
+  nullable = false
+
+  validation {
+    condition = alltrue([
+      for rule in var.scanning_rules :
+      contains(["SCAN_ON_PUSH", "CONTINUOUS_SCAN"], rule.frequency)
+    ])
+    error_message = "Valid values for `frequency` are `SCAN_ON_PUSH`, `CONTINUOUS_SCAN`."
+  }
+
+  validation {
+    condition = alltrue([
+      for rule in var.scanning_rules :
+      alltrue([
+        for filter in rule.filters :
+        contains(["WILDCARD"], filter.type)
+      ])
+    ])
+    error_message = "Valid values for `type` are `WILDCARD`."
+  }
 }
diff --git a/modules/ecr-registry/versions.tf b/modules/ecr-registry/versions.tf
index 426109f..d35eba6 100644
--- a/modules/ecr-registry/versions.tf
+++ b/modules/ecr-registry/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.5"
+  required_version = ">= 1.6"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.10"
+      version = ">= 5.37"
     }
   }
 }