terraform-provider-google
Enable Vulnerability Scanning for container_registry
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.
Description
I'd like to contribute a few lines to allow users to enable Vulnerability Scanning if there is interest in such a feature.
New or Affected Resource(s)
Potential Terraform Configuration
```hcl
resource "google_container_registry" "registry" {
  project                = "my-project"
  location               = "EU"
  vulnerability_scanning = true # or false
}
```
References
None that I could dig up.
Hey @Claywd! This one is a bit of an unusual resource. Instead of provisioning it through the GCP API, it works by making a handshake with an api, which causes the resource to get provisioned. What API would enable the vulnerability scanning feature? Modifying the GCR GCS bucket?
We also need this feature.
I keep getting stumbled by this when I create a new Artifact Registry. It would be great to enable this somehow.
I've been researching this today as I need to enable this feature.
There are 2 types of scanning:
- automated, enabled by enabling the Container Scanning API: containerscanning.googleapis.com
- ondemand, enabled by enabling the On-Demand Scanning API: ondemandscanning.googleapis.com
@rileykarson it's unusual also in this setting, as each of them is enabled by enabling the corresponding API. Given this structure, the vulnerability_scanning field should probably be an enum with disabled|automated|ondemand as possible values.
It is possible to overcome this limitation today by enabling the corresponding service using the google_project_service resource:
```hcl
# Two resources of the same type must have distinct names, so each
# service gets its own resource name.
resource "google_project_service" "container_scanning" {
  # enabling this API enables automated GCR scanning
  # https://cloud.google.com/container-analysis/docs/enable-container-scanning
  # https://cloud.google.com/container-analysis/docs/automated-scanning-howto
  # https://cloud.google.com/container-analysis/docs/controlling-costs
  service                    = "containerscanning.googleapis.com"
  disable_dependent_services = true
  disable_on_destroy         = true
}

resource "google_project_service" "ondemand_scanning" {
  # enabling this API enables on demand image scanning on GCR
  # https://cloud.google.com/container-analysis/docs/enable-ods
  # https://cloud.google.com/container-analysis/docs/on-demand-scanning-howto
  # https://cloud.google.com/container-analysis/docs/controlling-costs
  service                    = "ondemandscanning.googleapis.com"
  disable_dependent_services = false
  disable_on_destroy         = true
}
```
(I've yet to test this, but I plan doing it in the next week or so)
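The disabled|automated|ondemand enum proposed in the comment above can be modelled today on top of google_project_service, without a new provider resource. The following is an added example, not code from the issue or from terraform-provider-google; the variable names `project_id` and `vulnerability_scanning`, the local map and the resource name are assumptions made for the illustration. It validates the mode at plan time and enables only the API that corresponds to the chosen mode.

```hcl
# Added example (not from the issue or the provider): maps a
# disabled|automated|ondemand setting to the API that enables it.

variable "project_id" {
  type        = string
  description = "Project in which scanning is configured (assumed input)."
}

variable "vulnerability_scanning" {
  type        = string
  default     = "disabled"
  description = "One of: disabled, automated, ondemand."

  # Reject anything outside the enum before any API call is made.
  validation {
    condition     = contains(["disabled", "automated", "ondemand"], var.vulnerability_scanning)
    error_message = "vulnerability_scanning must be one of: disabled, automated, ondemand."
  }
}

locals {
  # Each scanning mode is enabled by enabling exactly one API
  # (see the Cloud docs linked in the comment above). tolist() keeps
  # every value the same type so the map can be indexed by a variable.
  scanning_services = {
    disabled  = tolist([])
    automated = tolist(["containerscanning.googleapis.com"])
    ondemand  = tolist(["ondemandscanning.googleapis.com"])
  }
}

# "disabled" yields an empty set, so no service is enabled and an
# existing one is disabled on the next apply (disable_on_destroy = true).
resource "google_project_service" "vulnerability_scanning" {
  for_each = toset(local.scanning_services[var.vulnerability_scanning])

  project            = var.project_id
  service            = each.value
  disable_on_destroy = true
}
```

Switching the variable from "automated" to "ondemand" in a later apply destroys the containerscanning.googleapis.com resource and creates the ondemandscanning.googleapis.com one, which is how the "enum" semantics are enforced; set disable_on_destroy to false if the project has other consumers of the API that should not lose it when the mode changes.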
Based on that + the linked cloud docs it seems to me that we don't need a new resource at all, and that this workflow is possible with existing resources?
Performing individual on-demand scans and browsing results don't seem like they obviously fit into a Terraform workflow, so they likely don't need to be added.
@endorama Any update on this issue?
@claudio-vellage I can confirm that enabling the containerscanning.googleapis.com API enables container security scanning. I've not tested the ondemand one, but I would expect it to work in the same way!