feat: new beta scanning ecr (#131)

⚠️  currently for testing purpose only. not supported yet

available examples
- ✅  single and org ecs
- ✅ single k8s, apprunner
--- 
to be tested with snippet (for org)

```
terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = var.url
  sysdig_secure_api_token = var.api_token
}

provider "aws" {
  region = var.region
}

provider "aws" {
  alias = "member"
  region = var.region
  assume_role {
    role_arn = var.assume_role_arn
  }
}

module "secure-for-cloud_example_organizational" {
  providers = {
    aws.member = aws.member
  }
  source                    = "github.com/sysdiglabs/terraform-aws-cloudvision//examples/organizational?ref=new-beta-scanning-ecr" 
  name                      = var.name
  deploy_beta_image_scanning_ecr = true
  sysdig_secure_for_cloud_member_account_id = var.member_account_id
}

---
before merging
- ✅ [revert the tag before merge and rollback to
`quay.io/sysdig/cloud-connector:latest`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/compare/new-beta-scanning-ecr?expand=1#diff-ce830ac4b16a540ab381428ae0ff9d043ceae7063638ff36a93ef3daf2b7a82eR128)
   -  this has been partially released already


```

<!--
Thank you for your contribution!

## General recommendations
Check contribution guidelines at
https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/CONTRIBUTE.md#contribution-checklist

For a cleaner PR make sure you follow these recommendations:
- Review modified files and delete small changes that were not intended
and maybe slip the commit.
- Use Pull Request Drafts for visibility on Work-In-Progress branches
and use them on daily mob/pairing for team review
- Unless an external revision is desired, in order to validate or gather
some feedback, you are free to merge as long as **validation checks are
green-lighted**

## Checklist

- [ ] If `test/fixtures/*/main.tf` files are modified. I have updated:
    - [ ] the snippets in the README.md file under root folder.
- [ ] the snippets in the README.md file for the corresponding example.
- [ ] If `examples` folder are modified. I have updated:
    - [ ] README.md file with pertinent changes.
- [ ] `test/fixtures/*/main.tf` in case the snippet needs modifications.
- [ ] If any architectural change has been made, I have updated the
diagrams.

-->

Co-authored-by: Hayk Kocharyan <[email protected]>
Co-authored-by: iru <[email protected]>

Author: 3 people

examples/organizational/README.md

@@ -187,6 +187,7 @@ $ terraform apply
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_deploy_benchmark_organizational"></a> [deploy\_benchmark\_organizational](#input\_deploy\_benchmark\_organizational) | true/false whether benchmark module should be deployed on organizational or single-account mode (1 role per org accounts if true, 1 role in default aws provider account if false)</li></ul> | `bool` | `true` | no |
+| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. ECS location will/must be within the `sysdig_secure_for_cloud_member_account_id` parameter accountID | `string` | `"create"` | no |

examples/organizational/main.tf

@@ -3,7 +3,8 @@
 # with default provider
 #-------------------------------------
 locals {
-  deploy_same_account = data.aws_caller_identity.me.account_id == var.sysdig_secure_for_cloud_member_account_id
+  deploy_same_account                      = data.aws_caller_identity.me.account_id == var.sysdig_secure_for_cloud_member_account_id
+  deploy_old_image_scanning_with_codebuild = (var.deploy_image_scanning_ecr && !var.deploy_beta_image_scanning_ecr) || var.deploy_image_scanning_ecs
 }
 
 module "resource_group" {
@@ -40,7 +41,7 @@ module "ssm" {
 # cloud-connector
 #-------------------------------------
 module "codebuild" {
-  count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
+  count = local.deploy_old_image_scanning_with_codebuild ? 1 : 0
 
   providers = {
     aws = aws.member
@@ -64,8 +65,9 @@ module "cloud_connector" {
 
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
 
-  deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
-  deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
+  deploy_beta_image_scanning_ecr = var.deploy_beta_image_scanning_ecr
+  deploy_image_scanning_ecr      = var.deploy_image_scanning_ecr
+  deploy_image_scanning_ecs      = var.deploy_image_scanning_ecs
 
   #
   # note;

examples/organizational/variables.tf

@@ -82,6 +82,12 @@ variable "existing_cloudtrail_config" {
 # scanning configuration
 #
 
+variable "deploy_beta_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported)"
+  default     = false
+}
+
 variable "deploy_image_scanning_ecr" {
   type        = bool
   description = "true/false whether to deploy the image scanning on ECR pushed images"

examples/single-account-apprunner/README.md

@@ -101,6 +101,7 @@ $ terraform apply
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |

examples/single-account-apprunner/main.tf

@@ -43,8 +43,11 @@ module "cloud_connector" {
   build_project_name = length(module.codebuild) == 1 ? module.codebuild[0].project_name : "na"
 
   cloudconnector_ecr_image_uri = var.cloudconnector_ecr_image_uri
-  deploy_image_scanning_ecr    = var.deploy_image_scanning_ecr
-  deploy_image_scanning_ecs    = var.deploy_image_scanning_ecs
+
+
+  deploy_beta_image_scanning_ecr = var.deploy_beta_image_scanning_ecr
+  deploy_image_scanning_ecr      = var.deploy_image_scanning_ecr
+  deploy_image_scanning_ecs      = var.deploy_image_scanning_ecs
 
   cloudtrail_sns_arn = local.cloudtrail_sns_arn
   tags               = var.tags

examples/single-account-apprunner/variables.tf

@@ -30,6 +30,12 @@ variable "cloudtrail_kms_enable" {
 # scanning configuration
 #
 
+variable "deploy_beta_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported)"
+  default     = false
+}
+
 variable "deploy_image_scanning_ecr" {
   type        = bool
   description = "true/false whether to deploy the image scanning on ECR pushed images"

examples/single-account-ecs/README.md

@@ -102,6 +102,7 @@ $ terraform apply
 | <a name="input_cloudtrail_s3_bucket_expiration_days"></a> [cloudtrail\_s3\_bucket\_expiration\_days](#input\_cloudtrail\_s3\_bucket\_expiration\_days) | Number of days that the logs will persist in the bucket | `number` | `5` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_ecs_cluster_name"></a> [ecs\_cluster\_name](#input\_ecs\_cluster\_name) | Name of a pre-existing ECS (elastic container service) cluster. If defaulted, a new ECS cluster/VPC/Security Group will be created. If specified all three parameters `ecs_cluster_name`, `ecs_vpc_id` and `ecs_vpc_subnets_private_ids` are required. | `string` | `"create"` | no |

examples/single-account-ecs/main.tf

@@ -43,8 +43,9 @@ module "cloud_connector" {
 
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
 
-  deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
-  deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
+  deploy_beta_image_scanning_ecr = var.deploy_beta_image_scanning_ecr
+  deploy_image_scanning_ecr      = var.deploy_image_scanning_ecr
+  deploy_image_scanning_ecs      = var.deploy_image_scanning_ecs
 
   is_organizational = false
 

examples/single-account-ecs/variables.tf

@@ -77,6 +77,12 @@ variable "ecs_task_memory" {
 # scanning configuration
 #
 
+variable "deploy_beta_image_scanning_ecr" {
+  type        = bool
+  description = "true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported)"
+  default     = false
+}
+
 variable "deploy_image_scanning_ecr" {
   type        = bool
   description = "true/false whether to deploy the image scanning on ECR pushed images"

examples/single-account-k8s/README.md

@@ -120,6 +120,7 @@ $ terraform apply
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, deployment region must match Cloudtrail S3 bucket region | `string` | `"create"` | no |
 | <a name="input_deploy_aws_iam_user"></a> [deploy\_aws\_iam\_user](#input\_deploy\_aws\_iam\_user) | true/false whether to deploy an iam user. if set to false, check [required role permissions](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/resources/policy-single-account-k8s-aws.json) | `bool` | `true` | no |
 | <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
+| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
 | <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |