Update ecr-registry module to support basic scanning version and registry version v2

posquit0 · posquit0 · commit cfac68f8aa49 · 2025-03-19T17:41:53.000+09:00
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -2,7 +2,7 @@ config {
   plugin_dir = "~/.tflint.d/plugins"
 
   format = "compact"
-  module = true
+  call_module_type = "local"
   force = false
   disabled_by_default = false
 
diff --git a/modules/ecr-registry/README.md b/modules/ecr-registry/README.md
@@ -2,6 +2,7 @@
 
 This module creates following resources.
 
+- `aws_ecr_account_setting`
 - `aws_ecr_registry_policy` (optional)
 - `aws_ecr_replication_configuration` (optional)
 - `aws_ecr_pull_through_cache_rule` (optional)
@@ -12,14 +13,14 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.10 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.83 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.91.0 |
 
 ## Modules
 
@@ -29,6 +30,8 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_ecr_account_setting.basic_scan_type_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_account_setting) | resource |
+| [aws_ecr_account_setting.registry_policy_scope](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_account_setting) | resource |
 | [aws_ecr_pull_through_cache_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_pull_through_cache_rule) | resource |
 | [aws_ecr_registry_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_policy) | resource |
 | [aws_ecr_registry_scanning_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_scanning_configuration) | resource |
@@ -44,13 +47,14 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_policy"></a> [policy](#input\_policy) | (Optional) The policy document for ECR registry. This is a JSON formatted string. | `string` | `null` | no |
-| <a name="input_pull_through_cache_policies"></a> [pull\_through\_cache\_policies](#input\_pull\_through\_cache\_policies) | (Optional) A list of ECR Registry Policies for Pull Through Cache. Each value of `pull_through_cache_policies` as defined below.<br>    (Required) `iam_entities` - Specify one or more IAM principals to grant permission. Support the ARN of IAM entities, or AWS account ID.<br>    (Required) `allow_create_repository` - Need to create target repositories if `allow_create_repository` is false.<br>    (Required) `repositories` - A list of target repositories. Support glob expressions for `repositories` like `*`. | <pre>list(object({<br>    iam_entities            = list(string)<br>    allow_create_repository = bool<br>    repositories            = list(string)<br>  }))</pre> | `[]` | no |
-| <a name="input_pull_through_cache_rules"></a> [pull\_through\_cache\_rules](#input\_pull\_through\_cache\_rules) | (Optional) A list of Pull Through Cache Rules for ECR registry. A `pull_through_cache_rules` block as defined below.<br>    (Required) `upstream_url` - The registry URL of the upstream public registry to use as the source.<br>    (Optional) `namespace` - The repository name prefix to use when caching images from the source registry. Default value is used if not provided. | `list(any)` | `[]` | no |
-| <a name="input_replication_destinations"></a> [replication\_destinations](#input\_replication\_destinations) | (Optional) A list of destinations for ECR registry replication. `registry_id` is the account ID of the destination registry to replicate to. `region` is required to replicate to. | <pre>list(object({<br>    registry_id = string<br>    region      = string<br>  }))</pre> | `[]` | no |
-| <a name="input_replication_policies"></a> [replication\_policies](#input\_replication\_policies) | (Optional) A list of ECR Registry Policies for replication. `account_id` is source AWS account for replication. If `allow_create_repository` is false, you need to create repositories with the same name whithin your registry. `repositories` is a list of target repositories. Support glob expressions for `repositories` like `*`. | <pre>list(object({<br>    account_id              = string<br>    allow_create_repository = bool<br>    repositories            = list(string)<br>  }))</pre> | `[]` | no |
-| <a name="input_scanning_continuous_filters"></a> [scanning\_continuous\_filters](#input\_scanning\_continuous\_filters) | (Optional) A list of repository filter to scan continuous. Wildcard character is allowed. | `list(string)` | `[]` | no |
-| <a name="input_scanning_on_push_filters"></a> [scanning\_on\_push\_filters](#input\_scanning\_on\_push\_filters) | (Optional) A list of repository filter to scan on push. Wildcard character is allowed. | `list(string)` | `[]` | no |
-| <a name="input_scanning_type"></a> [scanning\_type](#input\_scanning\_type) | (Optional) The scanning type to set for the registry. Can be either `ENHANCED` or `BASIC`. | `string` | `"BASIC"` | no |
+| <a name="input_policy_version"></a> [policy\_version](#input\_policy\_version) | (Optional) The policy version of ECR registry. Valid values are `V1` or `V2`. Defaults to `V2`.<br/>    `V1` - Only support three actions: `ReplicateImage`, `BatchImportUpstreamImage`, and `CreateRepository`<br/>    `V2` - Support all ECR actions in the policy and enforce the registry policy in all ECR requests | `string` | `"V2"` | no |
+| <a name="input_pull_through_cache_policies"></a> [pull\_through\_cache\_policies](#input\_pull\_through\_cache\_policies) | (Optional) A list of ECR Registry Policies for Pull Through Cache. Each block of `pull_through_cache_policies` as defined below.<br/>    (Required) `iam_entities` - One or more IAM principals to grant permission. Support the ARN of IAM entities, or AWS account ID.<br/>    (Optional) `allow_create_repository` - Whether to auto-create the cached repositories with the same name within the current registry. Defaults to `false`.<br/>    (Required) `repositories` - A list of target repositories. Support glob expressions for `repositories` like `*`. | <pre>list(object({<br/>    iam_entities            = list(string)<br/>    allow_create_repository = optional(bool, false)<br/>    repositories            = list(string)<br/>  }))</pre> | `[]` | no |
+| <a name="input_pull_through_cache_rules"></a> [pull\_through\_cache\_rules](#input\_pull\_through\_cache\_rules) | (Optional) A list of Pull Through Cache Rules for ECR registry. A `pull_through_cache_rules` block as defined below.<br/>    (Required) `upstream_url` - The registry URL of the upstream public registry to use as the source.<br/>    (Optional) `namespace` - The repository name prefix to use when caching images from the source registry. Default value is used if not provided.<br/>    (Optional) `credential` - The configuration for credential to use to authenticate against the registry. A `credential` block as defined below.<br/>      (Required) `secretsmanager_secret` - The ARN of the Secrets Manager secret to use for authentication. | <pre>list(object({<br/>    upstream_url = string<br/>    namespace    = optional(string)<br/>    credential = optional(object({<br/>      secretsmanager_secret = string<br/>    }))<br/>  }))</pre> | `[]` | no |
+| <a name="input_replication_policies"></a> [replication\_policies](#input\_replication\_policies) | (Optional) A list of replication policies for ECR Registry. Each block of `replication_policies` as defined below.<br/>    (Required) `account` - The AWS account ID of the source registry owner.<br/>    (Optional) `allow_create_repository` - Whether to auto-create the replicated repositories with the same name within the current registry. Defaults to `false`.<br/>    (Required) `repositories` - A list of target repositories. Support glob expressions like `*`. | <pre>list(object({<br/>    account                 = string<br/>    allow_create_repository = optional(bool, false)<br/>    repositories            = list(string)<br/>  }))</pre> | `[]` | no |
+| <a name="input_replication_rules"></a> [replication\_rules](#input\_replication\_rules) | (Optional) A list of replication rules for ECR Registry. Each rule represents the replication destinations and repository filters for a replication configuration. Each block of `replication_rules` as defined below.<br/>    (Required) `destinations` - A list of destinations for replication rule. Each block of `destinations` as defined below.<br/>      (Optional) `account` - The AWS account ID of the ECR private registry to replicate to. Only required for cross-account replication.<br/>      (Required) `region` - The Region to replicate to.<br/>    (Optional) `filters` - The filter settings used with image replication. Specifying a repository filter to a replication rule provides a method for controlling which repositories in a private registry are replicated. If no filters are added, the contents of all repositories are replicated. Each block of `filters` as defined below.<br/>      (Optional) `type` - The repository filter type. The only supported value is `PREFIX_MATCH`, which is a repository name prefix. Defaults to `PREFIX_MATCH`.<br/>      (Required) `value` - The repository filter value. | <pre>list(object({<br/>    destinations = list(object({<br/>      account = optional(string)<br/>      region  = string<br/>    }))<br/>    filters = optional(list(object({<br/>      type  = optional(string, "PREFIX_MATCH")<br/>      value = string<br/>    })), [])<br/>  }))</pre> | `[]` | no |
+| <a name="input_scanning_basic_version"></a> [scanning\_basic\_version](#input\_scanning\_basic\_version) | (Optional) The version of basic scanning for the registry. Valid values are `AWS_NATIVE` or `CLAIR`. Defaults to `AWS_NATIVE`. `CLAIR` was deprecated. | `string` | `"AWS_NATIVE"` | no |
+| <a name="input_scanning_rules"></a> [scanning\_rules](#input\_scanning\_rules) | (Optional) A list of scanning rules to determine which repository filters are used and at what frequency scanning will occur. Each block of `scanning_rules` as defined below.<br/>    (Required) `frequency` - The frequency that scans are performed at for a private registry. Valid values are `SCAN_ON_PUSH`, `CONTINUOUS_SCAN`.<br/>    (Optional) `filters` - The configuration of repository filters for image scanning.<br/>      (Optional) `type` - The repository filter type. The only supported value is `WILDCARD`. A filter with no wildcard will match all repository names that contain the filter. A filter with a wildcard (*) matches on any repository name where the wildcard replaces zero or more characters in the repository name. Defaults to `WILDCARD`.<br/>      (Required) `value` - The repository filter value. | <pre>list(object({<br/>    frequency = string<br/>    filters = optional(list(object({<br/>      type  = optional(string, "WILDCARD")<br/>      value = string<br/>    })), [])<br/>  }))</pre> | `[]` | no |
+| <a name="input_scanning_type"></a> [scanning\_type](#input\_scanning\_type) | (Optional) The scanning type to set for the registry. Valid values are `ENHANCED` or `BASIC`. Defaults to `BASIC`. | `string` | `"BASIC"` | no |
 
 ## Outputs
 
@@ -59,9 +63,12 @@ No modules.
 | <a name="output_id"></a> [id](#output\_id) | The ID of the registry. |
 | <a name="output_name"></a> [name](#output\_name) | The name of the registry. |
 | <a name="output_policy"></a> [policy](#output\_policy) | The registry policy. |
+| <a name="output_policy_version"></a> [policy\_version](#output\_policy\_version) | The policy version of ECR registry. |
+| <a name="output_pull_through_cache_policies"></a> [pull\_through\_cache\_policies](#output\_pull\_through\_cache\_policies) | A list of Pull Through Cache policies for ECR Registry. |
 | <a name="output_pull_through_cache_rules"></a> [pull\_through\_cache\_rules](#output\_pull\_through\_cache\_rules) | A list of Pull Through Cache Rules for ECR registry. |
-| <a name="output_replication_destinations"></a> [replication\_destinations](#output\_replication\_destinations) | A list of destinations for ECR registry replication. |
-| <a name="output_scanning_continuous_filters"></a> [scanning\_continuous\_filters](#output\_scanning\_continuous\_filters) | A list of repository filter to scan continuous. |
-| <a name="output_scanning_on_push_filters"></a> [scanning\_on\_push\_filters](#output\_scanning\_on\_push\_filters) | A list of repository filter to scan on push. |
-| <a name="output_scanning_type"></a> [scanning\_type](#output\_scanning\_type) | The scanning type for the registry. |
+| <a name="output_replication_policies"></a> [replication\_policies](#output\_replication\_policies) | A list of replication policies for ECR Registry. |
+| <a name="output_replication_rules"></a> [replication\_rules](#output\_replication\_rules) | A list of replication rules for ECR Registry. |
+| <a name="output_scanning_basic_version"></a> [scanning\_basic\_version](#output\_scanning\_basic\_version) | The version of basic scanning for the registry. |
+| <a name="output_scanning_rules"></a> [scanning\_rules](#output\_scanning\_rules) | A list of scanning rules to determine which repository filters are used and at what frequency scanning will occur. |
+| <a name="output_scanning_type"></a> [scanning\_type](#output\_scanning\_type) | The scanning type to set for the registry. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/ecr-registry/main.tf b/modules/ecr-registry/main.tf
@@ -27,6 +27,11 @@ locals {
 # Registry Policy
 ###################################################
 
+resource "aws_ecr_account_setting" "registry_policy_scope" {
+  name  = "REGISTRY_POLICY_SCOPE"
+  value = var.policy_version
+}
+
 data "aws_iam_policy_document" "this" {
   source_policy_documents = compact([
     one(data.aws_iam_policy_document.replication[*].json),
diff --git a/modules/ecr-registry/outputs.tf b/modules/ecr-registry/outputs.tf
@@ -8,6 +8,11 @@ output "id" {
   value       = aws_ecr_registry_scanning_configuration.this.registry_id
 }
 
+output "policy_version" {
+  description = "The policy version of ECR registry."
+  value       = aws_ecr_account_setting.registry_policy_scope.value
+}
+
 output "policy" {
   description = "The registry policy."
   value       = one(aws_ecr_registry_policy.this[*].policy)
@@ -38,6 +43,11 @@ output "scanning_type" {
   value       = aws_ecr_registry_scanning_configuration.this.scan_type
 }
 
+output "scanning_basic_version" {
+  description = "The version of basic scanning for the registry."
+  value       = aws_ecr_account_setting.basic_scan_type_version.value
+}
+
 output "scanning_rules" {
   description = "A list of scanning rules to determine which repository filters are used and at what frequency scanning will occur."
   value       = var.scanning_rules
diff --git a/modules/ecr-registry/scanning.tf b/modules/ecr-registry/scanning.tf
@@ -2,6 +2,11 @@
 # Scanning Configuration
 ###################################################
 
+resource "aws_ecr_account_setting" "basic_scan_type_version" {
+  name  = "BASIC_SCAN_TYPE_VERSION"
+  value = var.scanning_basic_version
+}
+
 resource "aws_ecr_registry_scanning_configuration" "this" {
   scan_type = var.scanning_type
 
diff --git a/modules/ecr-registry/variables.tf b/modules/ecr-registry/variables.tf
@@ -1,3 +1,19 @@
+variable "policy_version" {
+  description = <<EOF
+  (Optional) The policy version of ECR registry. Valid values are `V1` or `V2`. Defaults to `V2`.
+    `V1` - Only support three actions: `ReplicateImage`, `BatchImportUpstreamImage`, and `CreateRepository`
+    `V2` - Support all ECR actions in the policy and enforce the registry policy in all ECR requests
+  EOF
+  type        = string
+  default     = "V2"
+  nullable    = false
+
+  validation {
+    condition     = contains(["V1", "V2"], var.policy_version)
+    error_message = "Valid values for `policy_version` are `V1`, `V2`."
+  }
+}
+
 variable "policy" {
   description = "(Optional) The policy document for ECR registry. This is a JSON formatted string."
   type        = string
@@ -105,6 +121,20 @@ variable "scanning_type" {
   }
 }
 
+variable "scanning_basic_version" {
+  description = <<EOF
+  (Optional) The version of basic scanning for the registry. Valid values are `AWS_NATIVE` or `CLAIR`. Defaults to `AWS_NATIVE`. `CLAIR` was deprecated.
+  EOF
+  type        = string
+  default     = "AWS_NATIVE"
+  nullable    = false
+
+  validation {
+    condition     = contains(["AWS_NATIVE", "CLAIR"], var.scanning_basic_version)
+    error_message = "Valid values for `scanning_basic_version` are `AWS_NATIVE`, `CLAIR`."
+  }
+}
+
 variable "scanning_rules" {
   description = <<EOF
   (Optional) A list of scanning rules to determine which repository filters are used and at what frequency scanning will occur. Each block of `scanning_rules` as defined below.
diff --git a/modules/ecr-registry/versions.tf b/modules/ecr-registry/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.6"
+  required_version = ">= 1.10"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.37"
+      version = ">= 5.83"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,10 @@`
`1`	`1`	`terraform {`
`2`		`- required_version = ">= 1.6"`
	`2`	`+ required_version = ">= 1.10"`
`3`	`3`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 5.37"`
	`7`	`+ version = ">= 5.83"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`