feat: new beta scanning ecr (#131)

⚠️  currently for testing purpose only. not supported yet

available examples
- ✅  single and org ecs
- ✅ single k8s, apprunner
--- 
to be tested with snippet (for org)

```
terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = var.url
  sysdig_secure_api_token = var.api_token
}

provider "aws" {
  region = var.region
}

provider "aws" {
  alias = "member"
  region = var.region
  assume_role {
    role_arn = var.assume_role_arn
  }
}

module "secure-for-cloud_example_organizational" {
  providers = {
    aws.member = aws.member
  }
  source                    = "github.com/sysdiglabs/terraform-aws-cloudvision//examples/organizational?ref=new-beta-scanning-ecr" 
  name                      = var.name
  deploy_beta_image_scanning_ecr = true
  sysdig_secure_for_cloud_member_account_id = var.member_account_id
}

---
before merging
- ✅ [revert the tag before merge and rollback to
`quay.io/sysdig/cloud-connector:latest`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/compare/new-beta-scanning-ecr?expand=1#diff-ce830ac4b16a540ab381428ae0ff9d043ceae7063638ff36a93ef3daf2b7a82eR128)
   -  this has been partially released already


```

<!--
Thank you for your contribution!

## General recommendations
Check contribution guidelines at
https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/CONTRIBUTE.md#contribution-checklist

For a cleaner PR make sure you follow these recommendations:
- Review modified files and delete small changes that were not intended
and maybe slip the commit.
- Use Pull Request Drafts for visibility on Work-In-Progress branches
and use them on daily mob/pairing for team review
- Unless an external revision is desired, in order to validate or gather
some feedback, you are free to merge as long as **validation checks are
green-lighted**

## Checklist

- [ ] If `test/fixtures/*/main.tf` files are modified. I have updated:
    - [ ] the snippets in the README.md file under root folder.
- [ ] the snippets in the README.md file for the corresponding example.
- [ ] If `examples` folder are modified. I have updated:
    - [ ] README.md file with pertinent changes.
- [ ] `test/fixtures/*/main.tf` in case the snippet needs modifications.
- [ ] If any architectural change has been made, I have updated the
diagrams.

-->

Co-authored-by: Hayk Kocharyan <[email protected]>
Co-authored-by: iru <[email protected]>

Author: 3 people

examples/organizational/README.md

@@ -187,6 +187,7 @@ $ terraform apply
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_deploy_benchmark_organizational"></a> [deploy\_benchmark\_organizational](#input\_deploy\_benchmark\_organizational) | true/false whether benchmark module should be deployed on organizational or single-account mode (1 role per org accounts if true, 1 role in default aws provider account if false)</li></ul> | `bool` | `true` | no |
+| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. ECS location will/must be within the `sysdig_secure_for_cloud_member_account_id` parameter accountID | `string` | `"create"` | no |

examples/organizational/main.tf

@@ -3,7 +3,8 @@
 # with default provider
 #-------------------------------------
 locals {
-  deploy_same_account = data.aws_caller_identity.me.account_id == var.sysdig_secure_for_cloud_member_account_id
+  deploy_same_account                      = data.aws_caller_identity.me.account_id == var.sysdig_secure_for_cloud_member_account_id
+  deploy_old_image_scanning_with_codebuild = (var.deploy_image_scanning_ecr && !var.deploy_beta_image_scanning_ecr) || var.deploy_image_scanning_ecs
 }
 
 module "resource_group" {
@@ -40,7 +41,7 @@ module "ssm" {
 # cloud-connector
 #-------------------------------------
 module "codebuild" {
-  count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
+  count = local.deploy_old_image_scanning_with_codebuild ? 1 : 0
 
   providers = {
     aws = aws.member
@@ -64,8 +65,9 @@ module "cloud_connector" {
 
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
 
-  deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
-  deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
+  deploy_beta_image_scanning_ecr = var.deploy_beta_image_scanning_ecr
+  deploy_image_scanning_ecr      = var.deploy_image_scanning_ecr
+  deploy_image_scanning_ecs      = var.deploy_image_scanning_ecs
 
   #
   # note;

examples/organizational/variables.tf

@@ -82,6 +82,12 @@ variable "existing_cloudtrail_config" {
 # scanning configuration
 #
 
+variable "deploy_beta_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported)"
+  default     = false
+}
+
 variable "deploy_image_scanning_ecr" {
   type        = bool
   description = "true/false whether to deploy the image scanning on ECR pushed images"

examples/single-account-apprunner/README.md

@@ -101,6 +101,7 @@ $ terraform apply
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |

examples/single-account-apprunner/main.tf

@@ -43,8 +43,11 @@ module "cloud_connector" {
   build_project_name = length(module.codebuild) == 1 ? module.codebuild[0].project_name : "na"
 
   cloudconnector_ecr_image_uri = var.cloudconnector_ecr_image_uri
-  deploy_image_scanning_ecr    = var.deploy_image_scanning_ecr
-  deploy_image_scanning_ecs    = var.deploy_image_scanning_ecs
+
+
+  deploy_beta_image_scanning_ecr = var.deploy_beta_image_scanning_ecr
+  deploy_image_scanning_ecr      = var.deploy_image_scanning_ecr
+  deploy_image_scanning_ecs      = var.deploy_image_scanning_ecs
 
   cloudtrail_sns_arn = local.cloudtrail_sns_arn
   tags               = var.tags

examples/single-account-apprunner/variables.tf

@@ -30,6 +30,12 @@ variable "cloudtrail_kms_enable" {
 # scanning configuration
 #
 
+variable "deploy_beta_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported)"
+  default     = false
+}
+
 variable "deploy_image_scanning_ecr" {
   type        = bool
   description = "true/false whether to deploy the image scanning on ECR pushed images"

examples/single-account-ecs/README.md

@@ -102,6 +102,7 @@ $ terraform apply
 | <a name="input_cloudtrail_s3_bucket_expiration_days"></a> [cloudtrail\_s3\_bucket\_expiration\_days](#input\_cloudtrail\_s3\_bucket\_expiration\_days) | Number of days that the logs will persist in the bucket | `number` | `5` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. | `string` | `"create"` | no |

examples/single-account-ecs/main.tf

@@ -43,8 +43,9 @@ module "cloud_connector" {
 
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
 
-  deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
-  deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
+  deploy_beta_image_scanning_ecr = var.deploy_beta_image_scanning_ecr
+  deploy_image_scanning_ecr      = var.deploy_image_scanning_ecr
+  deploy_image_scanning_ecs      = var.deploy_image_scanning_ecs
 
   is_organizational = false
 

examples/single-account-ecs/variables.tf

@@ -77,6 +77,12 @@ variable "ecs_task_memory" {
 # scanning configuration
 #
 
+variable "deploy_beta_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported)"
+  default     = false
+}
+
 variable "deploy_image_scanning_ecr" {
   type        = bool
   description = "true/false whether to deploy the image scanning on ECR pushed images"

examples/single-account-k8s/README.md

@@ -120,6 +120,7 @@ $ terraform apply
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, deployment region must match Cloudtrail S3 bucket region | `string` | `"create"` | no |
 | <a name="input_deploy_aws_iam_user"></a> [deploy\_aws\_iam\_user](#input\_deploy\_aws\_iam\_user) | true/false whether to deploy an iam user. if set to false, check [required role permissions](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/resources/policy-single-account-k8s-aws.json) | `bool` | `true` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |

examples/single-account-k8s/cloud-connector.tf

@@ -1,5 +1,5 @@
 locals {
-  deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
+  deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs || var.deploy_beta_image_scanning_ecr
 }
 
 #-------------------------------------
@@ -14,7 +14,7 @@ module "cloud_connector_sqs" {
 }
 
 module "codebuild" {
-  count  = local.deploy_image_scanning ? 1 : 0
+  count  = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
   source = "../../modules/infrastructure/codebuild"
 
   name                         = var.name
@@ -82,11 +82,15 @@ resource "helm_release" "cloud_connector" {
         }
       ]
       scanners = local.deploy_image_scanning ? [
-        merge(var.deploy_image_scanning_ecr ? {
-          aws-ecr = {
-            codeBuildProject         = module.codebuild[0].project_name
-            secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
-          }
+        merge(
+          var.deploy_beta_image_scanning_ecr ? {
+            aws-ecr-inline = {}
+          } : {},
+          var.deploy_image_scanning_ecr ? {
+            aws-ecr = {
+              codeBuildProject         = module.codebuild[0].project_name
+              secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
+            }
           } : {},
           var.deploy_image_scanning_ecs ? {
             aws-ecs = {

examples/single-account-k8s/credentials.tf

@@ -3,7 +3,7 @@ module "iam_user" {
   count  = var.deploy_aws_iam_user ? 1 : 0
   name   = var.name
 
-  deploy_image_scanning = local.deploy_image_scanning
+  deploy_image_scanning = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
 
   ssm_secure_api_token_arn       = module.ssm.secure_api_token_secret_arn
   cloudtrail_s3_bucket_arn       = length(module.cloudtrail) > 0 ? module.cloudtrail[0].s3_bucket_arn : "*"

examples/single-account-k8s/variables.tf

@@ -42,6 +42,12 @@ variable "tags" {
 # scanning configuration
 #
 
+variable "deploy_beta_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported)"
+  default     = false
+}
+
 variable "deploy_image_scanning_ecr" {
   type        = bool
   description = "true/false whether to deploy the image scanning on ECR pushed images"

modules/services/cloud-connector-apprunner/apprunner.tf

@@ -81,7 +81,7 @@ data "aws_iam_policy_document" "cloud_connector" {
   }
 
   dynamic "statement" {
-    for_each = var.deploy_image_scanning_ecr ? [1] : []
+    for_each = var.deploy_image_scanning_ecr || var.deploy_beta_image_scanning_ecr ? [1] : []
     content {
       sid    = "AllowECR"
       effect = "Allow"
@@ -110,7 +110,7 @@ data "aws_iam_policy_document" "cloud_connector" {
   }
 
   dynamic "statement" {
-    for_each = var.deploy_image_scanning_ecs ? [1] : []
+    for_each = var.deploy_image_scanning_ecr || var.deploy_beta_image_scanning_ecr ? [1] : []
     content {
       sid    = "AllowECS"
       effect = "Allow"

modules/services/cloud-connector-apprunner/cloudconnector-config.tf

@@ -14,11 +14,15 @@ locals {
     },
     {
       scanners = local.deploy_image_scanning ? [
-        merge(var.deploy_image_scanning_ecr ? {
-          aws-ecr = {
-            codeBuildProject         = var.build_project_name
-            secureAPITokenSecretName = var.secure_api_token_secret_name
-          }
+        merge(
+          var.deploy_beta_image_scanning_ecr ? {
+            aws-ecr-inline = {}
+          } : {},
+          var.deploy_image_scanning_ecr ? {
+            aws-ecr = {
+              codeBuildProject         = var.build_project_name
+              secureAPITokenSecretName = var.secure_api_token_secret_name
+            }
           } : {},
           var.deploy_image_scanning_ecs ? {
             aws-ecs = {

modules/services/cloud-connector-apprunner/main.tf

@@ -1,4 +1,4 @@
 locals {
   verify_ssl            = var.verify_ssl == "auto" ? length(regexall("https://.*?\\.sysdig(cloud)?.com/?", data.sysdig_secure_connection.current.secure_url)) == 1 : var.verify_ssl == "true"
-  deploy_image_scanning = var.deploy_image_scanning_ecs || var.deploy_image_scanning_ecr
+  deploy_image_scanning = var.deploy_image_scanning_ecs || var.deploy_image_scanning_ecr || var.deploy_beta_image_scanning_ecr
 }

modules/services/cloud-connector-apprunner/variables.tf

@@ -18,6 +18,12 @@ variable "cloudtrail_sns_arn" {
 # scanning configuration
 #
 
+variable "deploy_beta_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported)"
+  default     = false
+}
+
 variable "deploy_image_scanning_ecr" {
   type        = bool
   description = "true/false whether to deploy the image scanning on ECR pushed images"

modules/services/cloud-connector-ecs/README.md

@@ -71,6 +71,7 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 | <a name="input_secure_api_token_secret_name"></a> [secure\_api\_token\_secret\_name](#input\_secure\_api\_token\_secret\_name) | Sysdig Secure API token SSM parameter name | `string` | n/a | yes |
 | <a name="input_cloudwatch_log_retention"></a> [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | Days to keep logs for CloudConnector | `number` | `5` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Default ecs cloudconnector task role name | `string` | `"ECSTaskRole"` | no |
+| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_ecs_task_cpu"></a> [ecs\_task\_cpu](#input\_ecs\_task\_cpu) | Amount of CPU (in CPU units) to reserve for cloud-connector task | `string` | `"256"` | no |

modules/services/cloud-connector-ecs/cloudconnector-config.tf

@@ -28,16 +28,23 @@ locals {
     },
     {
       scanners = local.deploy_image_scanning ? [
-        merge(var.deploy_image_scanning_ecr ? {
-          aws-ecr = merge({
-            codeBuildProject         = var.build_project_name
-            secureAPITokenSecretName = var.secure_api_token_secret_name
-            },
+        merge(var.deploy_beta_image_scanning_ecr ? {
+          aws-ecr-inline = merge({},
             var.is_organizational ? {
               masterOrganizationRole       = var.organizational_config.sysdig_secure_for_cloud_role_arn
               organizationalRolePerAccount = var.organizational_config.organizational_role_per_account
           } : {})
           } : {},
+          local.deploy_image_scanning_with_codebuild ? {
+            aws-ecr = merge({
+              codeBuildProject         = var.build_project_name
+              secureAPITokenSecretName = var.secure_api_token_secret_name
+              },
+              var.is_organizational ? {
+                masterOrganizationRole       = var.organizational_config.sysdig_secure_for_cloud_role_arn
+                organizationalRolePerAccount = var.organizational_config.organizational_role_per_account
+            } : {})
+          } : {},
           var.deploy_image_scanning_ecs ? {
             aws-ecs = merge({
               codeBuildProject         = var.build_project_name

modules/services/cloud-connector-ecs/locals.tf

@@ -1,3 +1,4 @@
 locals {
-  deploy_image_scanning = var.deploy_image_scanning_ecs || var.deploy_image_scanning_ecr
+  deploy_image_scanning                = var.deploy_image_scanning_ecs || var.deploy_image_scanning_ecr || var.deploy_beta_image_scanning_ecr
+  deploy_image_scanning_with_codebuild = (var.deploy_image_scanning_ecs || var.deploy_image_scanning_ecr) && !var.deploy_beta_image_scanning_ecr
 }

modules/services/cloud-connector-ecs/permissions.tf

@@ -98,13 +98,13 @@ data "aws_iam_policy_document" "iam_role_task_assume_role" {
 # scan images
 #
 resource "aws_iam_role_policy" "trigger_scan" {
-  count  = local.deploy_image_scanning ? 1 : 0
+  count  = local.deploy_image_scanning_with_codebuild ? 1 : 0
   name   = "${var.name}-TriggerScan"
   role   = local.ecs_task_role_id
   policy = data.aws_iam_policy_document.trigger_scan[0].json
 }
 data "aws_iam_policy_document" "trigger_scan" {
-  count = local.deploy_image_scanning ? 1 : 0
+  count = local.deploy_image_scanning_with_codebuild ? 1 : 0
   statement {
     effect = "Allow"
     actions = [
@@ -135,14 +135,14 @@ data "aws_iam_policy_document" "task_definition_reader" {
 
 # image scanning - ecr
 resource "aws_iam_role_policy" "ecr_reader" {
-  count  = var.deploy_image_scanning_ecr ? 1 : 0
+  count  = local.deploy_image_scanning_with_codebuild ? 1 : 0
   name   = "ECRReader"
   role   = local.ecs_task_role_id
   policy = data.aws_iam_policy_document.ecr_reader[0].json
 }
 
 data "aws_iam_policy_document" "ecr_reader" {
-  count = var.deploy_image_scanning_ecr ? 1 : 0
+  count = local.deploy_image_scanning_with_codebuild ? 1 : 0
   statement {
     effect = "Allow"
     actions = [