From 5a4f9d73816ed69c0a838f31208e352d62144481 Mon Sep 17 00:00:00 2001
From: "Jon R. Roma"
Date: Thu, 5 Sep 2024 17:51:01 -0500
Subject: [PATCH] Add scan_on_push capability

AWS scan scan ECR images for vulnerabilities when they are pushed.
Add this capability via the `scan_on_push` variable, and set the default to `true`.
---
 README.md    | 5 ++++-
 main.tf      | 4 ++++
 variables.tf | 6 ++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c3a11a7..20d8f62 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,8 @@ module "foo" {
     "repo_name_1",
     "repo_name_2",
   ]
-  readers = ["arn:aws:iam::874445906176:root"]
+  readers = ["arn:aws:iam::874445906176:root"]
+  scan_on_push = true
 }
 ```
 
@@ -39,6 +40,8 @@ The following arguments are supported:
 
 * `repos` - (Required) List of repository names.
 
+* `scan_on_push` – (Optional) Boolean indicating whether images are scanned after being pushed to the repository. Defaults to `true`.
+
 * `tags` - (Optional) Map of tags for resources where supported.
 
 * `writers` - (Optional) List of account ARNs that can push images.
diff --git a/main.tf b/main.tf
index 787dc39..caaab58 100644
--- a/main.tf
+++ b/main.tf
@@ -18,6 +18,10 @@ resource "aws_ecr_repository" "default" {
   for_each = toset(var.repos)
   name = each.key
   tags = var.tags
+
+  image_scanning_configuration {
+    scan_on_push = var.scan_on_push
+  }
 }
 
 resource "aws_ecr_lifecycle_policy" "default" {
diff --git a/variables.tf b/variables.tf
index 602de80..0c91d64 100644
--- a/variables.tf
+++ b/variables.tf
@@ -25,6 +25,12 @@ variable "repos" {
   type = list(string)
 }
 
+variable "scan_on_push" {
+  description = "Boolean indicating whether images are scanned after being pushed to the repository"
+  type = bool
+  default = true
+}
+
 variable "tags" {
   description = "Map of tags for resources where supported"
   type = map(string)
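Review bot: The new `image_scanning_configuration` block in `aws_ecr_repository.default` carries no comment on what it does and does not buy, and the caveat is security-relevant: `scan_on_push` here selects ECR's basic scanning, and as far as ECR's documented behavior goes, if the account's registry is switched to enhanced (Amazon Inspector) scanning through `aws_ecr_registry_scanning_configuration`, that registry-level setting takes precedence and this per-repository flag is ignored, so a consumer of this module may believe the flag governs scanning when it no longer does. Scan-on-push also never rejects a push or surfaces findings by itself; something has to consume the scan-completed event or query the findings, and nothing in this module does. Suggested comment above the block: `# Basic scan-on-push. Superseded if enhanced (Inspector) scanning is configured at the registry level; findings are reported, never enforced.` The resource's opening line is outside the hunk (it appears only as the hunk's context header).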
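Review bot: `variable "scan_on_push"` sets `default = true` but leaves `nullable` at its default, so a caller that passes `scan_on_push = null` (typically from an optional object attribute) receives `null` instead of the default; because the provider, as I recall, marks `scan_on_push` as required inside `image_scanning_configuration`, that surfaces as a confusing missing-required-argument error at plan time rather than as the intended secure default. If the module's `required_version` allows Terraform 1.1 or later (not visible in this diff), add `nullable = false` under `default = true` so a null input resolves to `true`. As a point of style, the description can drop the redundant "Boolean indicating" since `type = bool` already states it, e.g. `description = "Scan images for vulnerabilities when they are pushed to the repository"`.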