diff --git a/.github/workflows/deploy_terraform.yml b/.github/workflows/deploy_terraform.yml
index fe52a1e2..d90d9912 100644
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@@ -55,4 +55,10 @@ jobs:
       - name: Terraform Plan (shared)
         run: |
           cd infrastructure/terraform/shared
-          terraform plan -var-file=dev.tfvars
\ No newline at end of file
+          terraform plan -var-file=dev.tfvars
+
+      # # only run once
+      # - name: Terraform Apply (shared)
+      #   run: |
+      #     cd infrastructure/terraform/shared
+      #     terraform apply -auto-approve -var-file=dev.tfvars
\ No newline at end of file
diff --git a/infrastructure/terraform/modules/ecr/main.tf b/infrastructure/terraform/modules/ecr/main.tf
index 468ef3d2..dfed0712 100644
--- a/infrastructure/terraform/modules/ecr/main.tf
+++ b/infrastructure/terraform/modules/ecr/main.tf
@@ -1,7 +1,6 @@
 resource "aws_ecr_repository" "my_repository" {
-  name = "${var.ecr_name}"
+  name = var.ecr_name
   image_tag_mutability = "MUTABLE"
-  # Allows overwriting image tags, change to IMMUTABLE if you want to prevent overwriting
   image_scanning_configuration {
     scan_on_push = true
@@ -13,13 +12,27 @@ resource "aws_ecr_lifecycle_policy" "my_repository_policy" {
   policy = jsonencode({
     rules = [
+      # 1️⃣ PROTECT important environment tags forever
       {
         rulePriority = 1
-        description = "Retain only the last 10 images"
-        selection = {
+        description = "Keep prod, main, dev images forever"
+        selection = {
+          tagStatus = "tagged"
+          tagPrefixList = ["prod", "main", "dev"]
+        }
+        action = {
+          type = "retain"
+        }
+      },
+
+      # 2️⃣ Expire everything else beyond the most recent 20 images
+      {
+        rulePriority = 2
+        description = "Expire old non-protected images"
+        selection = {
           tagStatus = "any"
           countType = "imageCountMoreThan"
-          countNumber = 10
+          countNumber = 20
         }
         action = {
           type = "expire"
@@ -27,4 +40,4 @@ resource "aws_ecr_lifecycle_policy" "my_repository_policy" {
       }
     ]
   })
-}
\ No newline at end of file
+}
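Review bot: The commented-out Apply step at the end of the hunk would run `terraform apply -auto-approve` against a fresh plan rather than the one the preceding Plan step produced, so whatever a reviewer reads in the plan output is not what gets applied the day someone uncomments it. If apply is meant to be enabled later, have the Plan step write `terraform plan -var-file=dev.tfvars -out=shared.tfplan`, have Apply run `terraform apply shared.tfplan` with no `-auto-approve`, and gate that job on a GitHub environment with required reviewers instead of a comment saying "only run once". The job body (checkout, credentials, `terraform init`) starts above the hunk, so whether the plan runs with read-only credentials cannot be seen here.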
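Review bot: `type = "retain"` in rule 1 is not an ECR lifecycle action (the documented action type is only `expire`), and the rule's selection has no `countType`/`countNumber`, which ECR requires on every rule, so this policy is rejected at apply time while the CI `terraform plan` still passes because the JSON is only validated by the PutLifecyclePolicy call. The documented way to protect tags is a higher-priority expire rule with an unreachable count: images matched by rule 1 are consumed there and never evaluated by rule 2, which gives the "keep forever" behaviour the comment promises. Note also that `tagPrefixList` is prefix matching, so tags such as `development` or `main-experiment` are protected too, and that with `image_tag_mutability = "MUTABLE"` kept in the first hunk nothing stops a later push from overwriting the `prod` tag in place; protecting a tag from expiry is not protecting the image it points at, so consider `IMMUTABLE` and pinning consumers to the digest. The lifecycle resource continues below the hunk.
```hcl
      # 1. Protect environment tags: images matched here are never evaluated by
      #    rule 2. ECR has no "retain" action, so this is an expire rule whose
      #    count the repository will never reach.
      {
        rulePriority = 1
        description  = "Keep prod, main, dev images (effectively forever)"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["prod", "main", "dev"]
          countType     = "imageCountMoreThan"
          countNumber   = 9999
        }
        action = {
          type = "expire"
        }
      },
      # … unchanged: rule 2 (expire beyond the most recent 20 images) …
```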
diff --git a/infrastructure/terraform/modules/ecr/outputs.tf b/infrastructure/terraform/modules/ecr/outputs.tf
index 53839718..7f045412 100644
--- a/infrastructure/terraform/modules/ecr/outputs.tf
+++ b/infrastructure/terraform/modules/ecr/outputs.tf
@@ -1,4 +1,10 @@
 output "ecr_repository_name" {
   description = "Name of the EPR repo in AWS"
   value = aws_ecr_repository.my_repository.name
+}
+
+
+output "ecr_repository_url" {
+  description = "Full ECR repository URL"
+  value = aws_ecr_repository.my_repository.repository_url
 }
\ No newline at end of file
diff --git a/infrastructure/terraform/shared/main.tf b/infrastructure/terraform/shared/main.tf
index 9d90ae61..393def46 100644
--- a/infrastructure/terraform/shared/main.tf
+++ b/infrastructure/terraform/shared/main.tf
@@ -288,4 +288,13 @@ module "ses" {
 output "ses_dns_records" {
   value = module.ses.dns_records
+}
+
+
+################################################
+# One ECR to rule all the lambdas
+################################################
+module "lambda_shared_ecr" {
+  source = "../modules/ecr"
+  ecr_name = "lambda-shared-${var.stage}"
 }
\ No newline at end of file
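Review bot: With one repository for every Lambda, the module's expiry rule counts images across all functions, so twenty pushes of one busy function can expire the currently deployed image of any other function whose tag does not start with prod/main/dev, and a function that references that image by tag may fail at its next update or cache refresh. Either give each function its own repository (the module is cheap to instantiate with a per-function `ecr_name`) or make the per-function tag scheme carry a protected prefix, and have each Lambda `image_uri` reference the image digest so neither expiry nor a tag overwrite in this MUTABLE repository changes what runs without a Terraform change. Where the new `ecr_repository_url` output is consumed is outside the hunk; if the per-function stacks live in other root modules, expose it here with `output "lambda_shared_ecr_url" { value = module.lambda_shared_ecr.ecr_repository_url }` next to the ses output.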