Add scan_on_push capability

AWS scan scan ECR images for vulnerabilities when they are pushed. Add this capability via the `scan_on_push` variable, and set the default to `true`.
techservicesillinois · Sep 9, 2024 · 5a4f9d7 · 5a4f9d7
1 parent 386ac3c
commit 5a4f9d7
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -20,7 +20,8 @@ module "foo" {
     "repo_name_1",
     "repo_name_2",
   ]
-  readers = ["arn:aws:iam::874445906176:root"]
+  readers      = ["arn:aws:iam::874445906176:root"]
+  scan_on_push = true
 }
 ```
 
@@ -39,6 +40,8 @@ The following arguments are supported:
 
 * `repos` - (Required) List of repository names.
 
+* `scan_on_push` – (Optional) Boolean indicating whether images are scanned after being pushed to the repository. Defaults to `true`.
+
 * `tags` - (Optional) Map of tags for resources where supported.
 
 * `writers` - (Optional) List of account ARNs that can push images.

diff --git a/main.tf b/main.tf
@@ -18,6 +18,10 @@ resource "aws_ecr_repository" "default" {
   for_each = toset(var.repos)
   name     = each.key
   tags     = var.tags
+
+  image_scanning_configuration {
+    scan_on_push = var.scan_on_push
+  }
 }
 
 resource "aws_ecr_lifecycle_policy" "default" {

diff --git a/variables.tf b/variables.tf
@@ -25,6 +25,12 @@ variable "repos" {
   type        = list(string)
 }
 
+variable "scan_on_push" {
+  description = "Boolean indicating whether images are scanned after being pushed to the repository"
+  type        = bool
+  default     = true
+}
+
 variable "tags" {
   description = "Map of tags for resources where supported"
   type        = map(string)