feat: apprunner cloud connector based on binary scanner

Author: hayk99

examples/single-account-apprunner/main.tf

@@ -1,3 +1,8 @@
+locals {
+  deploy_image_scanning   = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
+  deploy_scanning_infra   = local.deploy_image_scanning && !var.use_standalone_scanner
+}
+
 #-------------------------------------
 # general resources
 #-------------------------------------
@@ -19,13 +24,13 @@ module "ssm" {
 # cloud-connector
 #-------------------------------------
 module "codebuild" {
-  count = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? 1 : 0
+  count = local.deploy_scanning_infra ? 1 : 0
 
   source                       = "../../modules/infrastructure/codebuild"
   name                         = "${var.name}-codebuild"
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
 
-  tags = var.tags
+  tags       = var.tags
   # note. this is required to avoid race conditions
   depends_on = [module.ssm]
 }
@@ -45,6 +50,7 @@ module "cloud_connector" {
   cloudconnector_ecr_image_uri = var.cloudconnector_ecr_image_uri
   deploy_image_scanning_ecr    = var.deploy_image_scanning_ecr
   deploy_image_scanning_ecs    = var.deploy_image_scanning_ecs
+  use_standalone_scanner       = var.use_standalone_scanner
 
   cloudtrail_sns_arn = local.cloudtrail_sns_arn
   tags               = var.tags

examples/single-account-ecs/main.tf

@@ -1,7 +1,6 @@
 locals {
   deploy_image_scanning   = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs
   deploy_scanning_infra   = local.deploy_image_scanning && !var.use_standalone_scanner
-
 }
 #-------------------------------------
 # general resources

modules/services/cloud-connector-apprunner/apprunner.tf

@@ -98,7 +98,7 @@ data "aws_iam_policy_document" "cloud_connector" {
 
 
   dynamic "statement" {
-    for_each = var.deploy_image_scanning_ecr || var.deploy_image_scanning_ecs ? [1] : []
+    for_each = local.deploy_scanning_infra ? [1] : []
     content {
       sid    = "AllowCodebuild"
       effect = "Allow"

modules/services/cloud-connector-apprunner/cloudconnector-config.tf

@@ -1,32 +1,39 @@
 locals {
   default_config = yamlencode(merge({
-    logging = "info"
-    rules   = []
+    logging   = "info"
+    rules     = []
     ingestors = [
       {
         cloudtrail-sns-sqs = merge(
-          {
-            queueURL = module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_url
-          }
+        {
+          queueURL = module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_url
+        }
         )
       }
     ]
-    },
-    {
-      scanners = local.deploy_image_scanning ? [
-        merge(var.deploy_image_scanning_ecr ? {
-          aws-ecr = {
-            codeBuildProject         = var.build_project_name
-            secureAPITokenSecretName = var.secure_api_token_secret_name
-          }
-          } : {},
-          var.deploy_image_scanning_ecs ? {
-            aws-ecs = {
-              codeBuildProject         = var.build_project_name
-              secureAPITokenSecretName = var.secure_api_token_secret_name
-            }
-        } : {})
-      ] : []
-    }
+  },
+  {
+    scanners = local.deploy_image_scanning ? [
+      merge(
+      local.ecr_scanning_with_infra ? {
+        aws-ecr = {
+          codeBuildProject         = var.build_project_name
+          secureAPITokenSecretName = var.secure_api_token_secret_name
+        }
+      } : {},
+      local.ecs_scanning_with_infra ? {
+        aws-ecs = {
+          codeBuildProject         = var.build_project_name
+          secureAPITokenSecretName = var.secure_api_token_secret_name
+        }
+      } : {}),
+      local.ecs_standalone_scanning ? {
+        aws-ecs-inline = {}
+      } : {},
+      local.ecr_standalone_scanning ? {
+        aws-ecr-inline = {},
+      } : {}
+    ] : []
+  }
   ))
 }

modules/services/cloud-connector-apprunner/main.tf

@@ -1,4 +1,9 @@
 locals {
   verify_ssl            = var.verify_ssl == "auto" ? length(regexall("https://.*?\\.sysdig(cloud)?.com/?", data.sysdig_secure_connection.current.secure_url)) == 1 : var.verify_ssl == "true"
   deploy_image_scanning = var.deploy_image_scanning_ecs || var.deploy_image_scanning_ecr
+  deploy_scanning_infra   = local.deploy_image_scanning && !var.use_standalone_scanner
+  ecr_standalone_scanning = var.deploy_image_scanning_ecr && var.use_standalone_scanner
+  ecs_standalone_scanning = var.deploy_image_scanning_ecs && var.use_standalone_scanner
+  ecr_scanning_with_infra = var.deploy_image_scanning_ecr && !var.use_standalone_scanner
+  ecs_scanning_with_infra = var.deploy_image_scanning_ecs && !var.use_standalone_scanner
 }

modules/services/cloud-connector-apprunner/variables.tf

@@ -30,6 +30,11 @@ variable "deploy_image_scanning_ecs" {
   default     = false
 }
 
+variable "use_standalone_scanner" {
+  type        = bool
+  description = "true/false whether use inline scanner or not"
+  default     = false
+}
 #
 # general
 #