diff --git a/aws/ecr/ecr-repo-app.tf b/aws/ecr/ecr-repo-app.tf
new file mode 100644
index 000000000..c2b37ee31
--- /dev/null
+++ b/aws/ecr/ecr-repo-app.tf
@@ -0,0 +1,40 @@
+module "kops_ecr_app" {
+ source = "git::https://github.com/cloudposse/terraform-aws-kops-ecr.git?ref=tags/0.1.0"
+ namespace = "${var.namespace}"
+ stage = "${var.stage}"
+ name = "${var.repository_name}"
+ cluster_name = "${var.region}.${var.zone_name}"
+
+ users = [
+ "${module.kops_ecr_user.user_name}",
+ ]
+
+ tags = {
+ Cluster = "${var.region}.${var.zone_name}"
+ }
+}
+
+output "kops_ecr_app_registry_id" {
+ value = "${module.kops_ecr_app.registry_id}"
+ description = "Registry app ID"
+}
+
+output "kops_ecr_app_registry_url" {
+ value = "${module.kops_ecr_app.repository_url}"
+ description = "Registry app URL"
+}
+
+output "kops_ecr_app_repository_name" {
+ value = "${module.kops_ecr_app.name}"
+ description = "Registry app name"
+}
+
+output "kops_ecr_app_role_name" {
+ value = "${module.kops_ecr_app.role_name}"
+ description = "Assume Role name to get access app registry"
+}
+
+output "kops_ecr_app_role_arn" {
+ value = "${module.kops_ecr_app.role_arn}"
+ description = "Assume Role ARN to get access app registry"
+}
diff --git a/aws/ecr/ecr-user.tf b/aws/ecr/ecr-user.tf
new file mode 100644
index 000000000..82648c170
--- /dev/null
+++ b/aws/ecr/ecr-user.tf
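Review bot: The `source` line of module `kops_ecr_app` in aws/ecr/ecr-repo-app.tf pins the remote module to a git tag, `ref=tags/0.1.0`, and a tag can be moved upstream after this review, so a later `terraform init` could fetch different code that then runs with the assumed role's permissions. Pinning to the full commit hash the tag points at today closes that gap: `source = "git::https://github.com/cloudposse/terraform-aws-kops-ecr.git?ref=<full-commit-sha>"` (placeholder, not a real hash). The same applies to the `kops_ecr_user` module source in aws/ecr/ecr-user.tf, which uses `ref=tags/0.3.0`.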
@@ -0,0 +1,35 @@
+module "kops_ecr_user" {
+ source = "git::https://github.com/cloudposse/terraform-aws-iam-system-user.git?ref=tags/0.3.0"
+ namespace = "${var.namespace}"
+ stage = "${var.stage}"
+ name = "cicd"
+
+ tags = {
+ Cluster = "${var.region}.${var.zone_name}"
+ }
+}
+
+output "kops_ecr_user_name" {
+ value = "${module.kops_ecr_user.user_name}"
+ description = "Normalized IAM user name"
+}
+
+output "kops_ecr_user_arn" {
+ value = "${module.kops_ecr_user.user_arn}"
+ description = "The ARN assigned by AWS for the user"
+}
+
+output "kops_ecr_user_unique_id" {
+ value = "${module.kops_ecr_user.user_unique_id}"
+ description = "The user unique ID assigned by AWS"
+}
+
+output "kops_ecr_user_access_key_id" {
+ value = "${module.kops_ecr_user.access_key_id}"
+ description = "The access key ID"
+}
+
+output "kops_ecr_user_secret_access_key" {
+ value = "${module.kops_ecr_user.secret_access_key}"
+ description = "The secret access key. This will be written to the state file in plain-text"
+}
diff --git a/aws/ecr/main.tf b/aws/ecr/main.tf
new file mode 100644
index 000000000..cfe482419
--- /dev/null
+++ b/aws/ecr/main.tf
@@ -0,0 +1,39 @@
+terraform {
+ required_version = ">= 0.11.2"
+
+ backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {
+ type = "string"
+}
+
+variable "namespace" {
+ type = "string"
+ description = "Namespace (e.g. `cp` or `cloudposse`)"
+}
+
+variable "stage" {
+ type = "string"
+ description = "Stage (e.g. `prod`, `dev`, `staging`)"
+}
+
+variable "region" {
+ type = "string"
+ description = "AWS region"
+}
+
+variable "zone_name" {
+ type = "string"
+ description = "DNS zone name"
+}
+
+variable "repository_name" {
+ description = "Repository name"
+}
+
+provider "aws" {
+ assume_role {
+ role_arn = "${var.aws_assume_role_arn}"
+ }
+}
diff --git a/aws/ecr/terraform.tfvars.example b/aws/ecr/terraform.tfvars.example
new file mode 100644
index 000000000..0322c1a61
--- /dev/null
+++ b/aws/ecr/terraform.tfvars.example
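Review bot: The output `kops_ecr_user_secret_access_key` in aws/ecr/ecr-user.tf is not marked sensitive, so the `cicd` user's long-lived secret key is printed in clear text by `terraform apply` and `terraform output` and is likely to end up in CI logs. Add `sensitive = true` to that output block, and consider doing the same for `kops_ecr_user_access_key_id`. This only masks the CLI display; as the description already states, the value stays in the state file, so read access to the state is equivalent to holding the key.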
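Review bot: `backend "s3" {}` in aws/ecr/main.tf is left empty, so nothing in this file shows that the remote state is encrypted at rest, and this state will hold the IAM secret access key created in aws/ecr/ecr-user.tf. Either set `encrypt = true` inside the backend block or confirm that the init-time backend configuration passes it, and keep read access to the state bucket limited to the roles that run this project. Separately, `variable "repository_name"` is the only declaration without `type = "string"` and `aws_assume_role_arn` has no `description`; adding both keeps the variable block consistent.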
@@ -0,0 +1,4 @@
+namespace="cp"
+stage="staging"
+region="us-west-2"
+zone_name="us-west-2.staging.cloudposse.co"
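Review bot: The example sets four variables, but aws/ecr/main.tf also declares `repository_name` and `aws_assume_role_arn` without defaults, so a run based on this file alone will prompt interactively (or fail in non-interactive CI) unless those values are supplied elsewhere, presumably through `TF_VAR_*` environment variables. Adding a line such as `repository_name="app"` (constructed sample value) and a `#` comment saying where the role ARN is expected to come from would make the example self-contained.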