fix: Add ECR ECS scanning on apprunner (#97)

Author: hayk99

examples/organizational/README.md

@@ -143,8 +143,8 @@ $ terraform apply
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
-| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
+| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.16.0 |
 | <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
 
 ## Modules

examples/single-account-apprunner/main.tf

@@ -43,6 +43,8 @@ module "cloud_connector" {
   build_project_name = length(module.codebuild) == 1 ? module.codebuild[0].project_name : "na"
 
   cloudconnector_ecr_image_uri = var.cloudconnector_ecr_image_uri
+  deploy_image_scanning_ecr    = var.deploy_image_scanning_ecr
+  deploy_image_scanning_ecs    = var.deploy_image_scanning_ecs
 
   cloudtrail_sns_arn = local.cloudtrail_sns_arn
   tags               = var.tags

examples/single-account-k8s/README.md

@@ -84,7 +84,7 @@ $ terraform apply
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.5.1 |
 | <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
 

examples/trigger-events/README.md

@@ -49,7 +49,7 @@ $ terraform apply
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/cloudtrail/README.md

@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/cloudtrail_s3-sns-sqs/README.md

@@ -46,7 +46,7 @@ EVENT FILTER/fine-tunning, regarding what we want to send to Sysdig Cloud-Connec
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/codebuild/README.md

@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/ecs-vpc/README.md

@@ -13,7 +13,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/permissions/cloud-connector/README.md

@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/permissions/cloud-scanning/README.md

@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/permissions/general/README.md

@@ -15,7 +15,7 @@ General permissions that apply to both cloud-connector and cloud-scanning module
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/permissions/iam-user/README.md

@@ -45,7 +45,7 @@ Note: Contact us if this authentication system does not match your requirement.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/permissions/org-role-ecs/README.md

@@ -31,8 +31,8 @@ The aim of this module is to manage the organizational **managed account** requi
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
-| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
+| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/permissions/org-role-eks/README.md

@@ -29,7 +29,7 @@ The aim of this module is to manage the organizational **managed account** requi
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/resource-group/README.md

@@ -13,7 +13,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/sqs-sns-subscription/README.md

@@ -12,7 +12,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/infrastructure/ssm/README.md

@@ -16,7 +16,7 @@ and pass it, in a safe way, to all the modules that require it.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 
 ## Modules
 

modules/services/cloud-bench/README.md

@@ -26,7 +26,7 @@ Deployed on **Sysdig Backend**
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.2.0 |
 | <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
 

modules/services/cloud-connector-apprunner/apprunner.tf

@@ -81,7 +81,7 @@ data "aws_iam_policy_document" "cloud_connector" {
   }
 
   dynamic "statement" {
-    for_each = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? [1] : []
+    for_each = var.deploy_image_scanning_ecr ? [1] : []
     content {
       sid    = "AllowECR"
       effect = "Allow"
@@ -108,4 +108,16 @@ data "aws_iam_policy_document" "cloud_connector" {
       resources = [var.build_project_arn]
     }
   }
+
+  dynamic "statement" {
+    for_each = var.deploy_image_scanning_ecs ? [1] : []
+    content {
+      sid    = "AllowECS"
+      effect = "Allow"
+      actions = [
+        "ecs:DescribeTaskDefinition"
+      ]
+      resources = ["*"]
+    }
+  }
 }

modules/services/cloud-connector-ecs/README.md

@@ -15,7 +15,7 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.16.0 |
 | <a name="provider_sysdig"></a> [sysdig](#provider\_sysdig) | 0.5.37 |
 
 ## Modules