diff --git a/modules/lambda-image-republish/main.tf b/modules/lambda-image-republish/main.tf
index 78d423c..85c751a 100644
--- a/modules/lambda-image-republish/main.tf
+++ b/modules/lambda-image-republish/main.tf
@@ -21,6 +21,12 @@ data "aws_caller_identity" "current" {}
 
 data "aws_region" "current" {}
 
+# Remove this once the AWS provider is >= 6.19 and can read public ECR image
+# metadata directly.
+data "docker_registry_image" "source_image" {
+  name = local.source_image_uri
+}
+
 resource "aws_ecr_repository" "destination" {
   name                 = local.repository_name
   force_delete         = true
@@ -82,6 +88,7 @@ resource "aws_ecr_repository_policy" "self_access" {
 
 resource "null_resource" "republish_image" {
   triggers = {
+    source_image_digest         = data.docker_registry_image.source_image.sha256_digest
     source_repository           = local.source_repo
     source_tag                  = var.source_lambda_tag
     destination_repository      = aws_ecr_repository.destination.repository_url
diff --git a/modules/lambda-image-republish/versions.tf b/modules/lambda-image-republish/versions.tf
index 69cb52b..abd393d 100644
--- a/modules/lambda-image-republish/versions.tf
+++ b/modules/lambda-image-republish/versions.tf
@@ -6,5 +6,11 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 4.0"
     }
+    # Remove this once the AWS provider is >= 6.19 and can read public ECR
+    # image metadata directly.
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "~> 3.5"
+    }
   }
 }