[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Successor to CentOS] AlmaLinux OS server construction/migration service

[Successor to CentOS] AlmaLinux OS server construction/migration service

[For WordPress only] Cloud server “Web Speed”

[For WordPress only] Cloud server “Web Speed”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Reservation system development] EDISONE customization development service

[Reservation system development] EDISONE customization development service

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[Global exclusive service] Beyond's MSP in North America and China

[Global exclusive service] Beyond's MSP in North America and China

[YouTube] Beyond official channel “Biyomaru Channel”

[YouTube] Beyond official channel “Biyomaru Channel”

Build an ECR with Terraform that performs vulnerability scanning when pushing a container image

My name is Teraoka and I am an infrastructure engineer.
This time, we will add settings to perform vulnerability scanning when pushing a container image in AWS ECR.
I would like to try building it using Terraform.

ECR is AWS's managed container image registry.
It stores pushed container images, but
users must be aware of the vulnerabilities of the images themselves.

As one of ECR's functions, there is a setting to automatically run a vulnerability scan when pushing, so
I would like to build a repository with this setting enabled.

Create an ECR repository

We will use a resource called aws_ecr_repository.

#################### # Provider #################### variable "aws_access_key" { description = " AWS Access Key" } variable "aws_secret_key" { description = "AWS Secret Key" } variable "aws_role_arn" { description = "AWS Role Arn" } variable "aws_region" { default = "ap-northeast-1" } provider "aws" { access_key = "${var.aws_access_key}" secret_key = "${var.aws_secret_key}" region = "${var.aws_region}" assume_role { role_arn = "${var.aws_role_arn}" } } ##### ############### # ECR #################### resource "aws_ecr_repository" "image-scan-test" { name = "image-scan-test" image_tag_mutability = "MUTABLE" image_scanning_configuration { scan_on_push = true } }

Set scan_on_push to true in the image_scanning_configuration block.
Let's start with init.

$ terraform init Initializing the backend... Initializing provider plugins... - Checking for available provider plugins... - Downloading plugin for provider "aws" (hashicorp/aws) 2.56.0... The following providers do not have any version constraints in configuration, so the latest version was installed. To prevent automatic upgrades to new major versions that may contain breaking changes, it is recommended to add version = "..." constraints to the corresponding provider blocks in configuration, with the constraint strings suggested below. * provider.aws: version = "~> 2.56" Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.

Just to be sure, run Plan before reflecting.

$ terraform plan Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. ------------ -------------------------------------------------- ---------- An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # aws_ecr_repository.image-scan-test will be created + resource "aws_ecr_repository" "image-scan-test" { + arn = (known after apply) + id = (known after apply) + image_tag_mutability = "MUTABLE" + name = "image-scan-test" + registry_id = (known after apply) + repository_url = (known after apply) + image_scanning_configuration { + scan_on_push = true } } Plan: 1 to add, 0 to change, 0 to destroy. ---------------- -------------------------------------------------- ------ Note: You didn't specify an "-out" parameter to save this plan, so Terraform can't guarantee that exactly these actions will be performed if "terraform apply" is subsequently run.

Apply it to reflect it.

$ terraform apply An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # aws_ecr_repository.image-scan-test will be created + resource "aws_ecr_repository" "image -scan-test" { + arn = (known after apply) + id = (known after apply) + image_tag_mutability = "MUTABLE" + name = "image-scan-test" + registry_id = (known after apply) + repository_url = ( known after apply) + image_scanning_configuration { + scan_on_push = true } } Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes aws_ecr_repository.image-scan-test: Creating... aws_ecr_repository.image-scan-test: Creation complete after 0s [id=image-scan-test] Apply complete! Resources: 1 added, 0 changed, 0 destroyed

It has been reflected.

Push the container image to ECR

We will use the image below, which seems to be full of vulnerabilities from the name.
Let's pull it locally in advance.
https://hub.docker.com/r/cved/cve-2019-9978

If you want to push to ECR, just use the aws ecr get-login command to obtain authentication information, then
just run the docker push command as usual.

$(aws ecr get-login --no-include-email --region ap-northeast-1 --profile test-profile) $ docker tag cved/cve-2019-9978 XXXXXXXXXXXX.dkr.ecr.ap-northeast-1 .amazonaws.com/image-scan-test:latest $ docker push XXXXXXXXXXXX.dkr.ecr.ap-northeast-1.amazonaws.com/image-scan-test:latest

After pushing, check it from the management console.

The scan will be executed automatically and you can check the results.
Even so, the fight against the large number of vulnerabilities is never ending. . .

summary

What did you think?
The setup itself is easy, and if you code it with Terraform, it will be easy to deploy later.
Everyone please try using it.

If you found this article helpful , please give it a like!
1
Loading...
1 vote, average: 1.00 / 11
2,371
X facebook Hatena Bookmark pocket
[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[Osaka/Yokohama] Actively recruiting infrastructure engineers and server side engineers!

[Osaka/Yokohama] Actively recruiting infrastructure engineers and server side engineers!

The person who wrote this article

About the author

Yuki Teraoka

Joined Beyond in 2016 and is currently in his 6th year as an Infrastructure Engineer
MSP, where he troubleshoots failures while
also designing and building infrastructure using public clouds such as AWS.
Recently, I
have been working with Hashicorp tools such as Terraform and Packer as part of building container infrastructure such as Docker and Kubernetes and automating operations, and I
also play the role of an evangelist who speaks at external study groups and seminars.

・GitHub
https://github.com/nezumisannn

・Presentation history
https://github.com/nezumisannn/my-profile

・Presentation materials (SpeakerDeck)
https://speakerdeck.com/nezumisannn

・Certification:
AWS Certified Solutions Architect - Associate
Google Cloud Professional Cloud Architect