feat: ecs cloud connector based on binary scanner

Author: hayk99

examples/single-account-ecs/main.tf

@@ -1,3 +1,8 @@
+locals {
+  deploy_image_scanning   = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
+  deploy_scanning_infra   = local.deploy_image_scanning && !var.use_standalone_scanner
+
+}
 #-------------------------------------
 # general resources
 #-------------------------------------
@@ -21,13 +26,13 @@ module "ssm" {
 #
 
 module "codebuild" {
-  count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
+  count = local.deploy_scanning_infra ? 1 : 0
 
   source                       = "../../modules/infrastructure/codebuild"
   name                         = "${var.name}-codebuild"
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
 
-  tags = var.tags
+  tags       = var.tags
   # note. this is required to avoid racing conditions
   depends_on = [module.ssm]
 }
@@ -45,6 +50,7 @@ module "cloud_connector" {
 
   deploy_image_scanning_ecr = var.deploy_image_scanning_ecr
   deploy_image_scanning_ecs = var.deploy_image_scanning_ecs
+  use_standalone_scanner    = var.use_standalone_scanner
 
   is_organizational = false
 

modules/services/cloud-connector-ecs/cloudconnector-config.tf

@@ -1,43 +1,50 @@
 locals {
   default_config = yamlencode(merge({
-    logging = "info"
-    rules   = []
+    logging   = "info"
+    rules     = []
     ingestors = [
       {
         cloudtrail-sns-sqs = merge(
-          {
-            queueURL = module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_url
-          },
-          var.is_organizational ? {
-            assumeRole = var.organizational_config.sysdig_secure_for_cloud_role_arn
-          } : {}
+        {
+          queueURL = module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_url
+        },
+        var.is_organizational ? {
+          assumeRole = var.organizational_config.sysdig_secure_for_cloud_role_arn
+        } : {}
         )
       }
     ]
-    },
-    {
-      scanners = local.deploy_image_scanning ? [
-        merge(var.deploy_image_scanning_ecr ? {
-          aws-ecr = merge({
-            codeBuildProject         = var.build_project_name
-            secureAPITokenSecretName = var.secure_api_token_secret_name
-            },
-            var.is_organizational ? {
-              masterOrganizationRole       = var.organizational_config.sysdig_secure_for_cloud_role_arn
-              organizationalRolePerAccount = var.organizational_config.organizational_role_per_account
-          } : {})
-          } : {},
-          var.deploy_image_scanning_ecs ? {
-            aws-ecs = merge({
-              codeBuildProject         = var.build_project_name
-              secureAPITokenSecretName = var.secure_api_token_secret_name
-              },
-              var.is_organizational ? {
-                masterOrganizationRole       = var.organizational_config.sysdig_secure_for_cloud_role_arn
-                organizationalRolePerAccount = var.organizational_config.organizational_role_per_account
-            } : {})
+  },
+  {
+    scanners = local.deploy_image_scanning ? [
+      merge(
+      local.ecs_scanning_with_infra ? {
+        aws-ecr = merge({
+          codeBuildProject         = var.build_project_name
+          secureAPITokenSecretName = var.secure_api_token_secret_name
+        },
+        var.is_organizational ? {
+          masterOrganizationRole       = var.organizational_config.sysdig_secure_for_cloud_role_arn
+          organizationalRolePerAccount = var.organizational_config.organizational_role_per_account
         } : {})
-      ] : []
-    }
+      } : {},
+      local.ecs_scanning_with_infra ? {
+        aws-ecs = merge({
+          codeBuildProject         = var.build_project_name
+          secureAPITokenSecretName = var.secure_api_token_secret_name
+        },
+        var.is_organizational ? {
+          masterOrganizationRole       = var.organizational_config.sysdig_secure_for_cloud_role_arn
+          organizationalRolePerAccount = var.organizational_config.organizational_role_per_account
+        } : {})
+      } : {}),
+      local.ecr_scanning_with_infra ? {
+        aws-ecr-inline = {},
+      } : {},
+      local.ecs_standalone_scanning ? {
+        aws-ecs-inline = {},
+      } : {}
+    ] : []
+  }
   ))
 }

modules/services/cloud-connector-ecs/locals.tf

@@ -1,3 +1,8 @@
 locals {
   deploy_image_scanning = var.deploy_image_scanning_ecs || var.deploy_image_scanning_ecr
+  deploy_scanning_infra   = local.deploy_image_scanning && !var.use_standalone_scanner
+  ecr_standalone_scanning = var.deploy_image_scanning_ecr && var.use_standalone_scanner
+  ecs_standalone_scanning = var.deploy_image_scanning_ecs && var.use_standalone_scanner
+  ecr_scanning_with_infra = var.deploy_image_scanning_ecr && !var.use_standalone_scanner
+  ecs_scanning_with_infra = var.deploy_image_scanning_ecs && !var.use_standalone_scanner
 }

modules/services/cloud-connector-ecs/permissions.tf

@@ -78,13 +78,13 @@ data "aws_iam_policy_document" "iam_role_task_policy" {
 # scan images
 #
 resource "aws_iam_role_policy" "trigger_scan" {
-  count  = local.deploy_image_scanning ? 1 : 0
+  count  = local.deploy_scanning_infra ? 1 : 0
   name   = "${var.name}-TriggerScan"
   role   = local.ecs_task_role_id
   policy = data.aws_iam_policy_document.trigger_scan[0].json
 }
 data "aws_iam_policy_document" "trigger_scan" {
-  count = local.deploy_image_scanning ? 1 : 0
+  count = local.deploy_scanning_infra ? 1 : 0
   statement {
     effect = "Allow"
     actions = [