From 7444fab46dcbf0d89332396aadbc23609de209e5 Mon Sep 17 00:00:00 2001
From: Steven Nemetz
Date: Sat, 2 Nov 2019 16:45:05 -0700
Subject: [PATCH] Support immutability and scanning

---
 main.tf | 11 ++++++++---
 variables.tf | 30 ++++++++++++++++++++----------
 2 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/main.tf b/main.tf
index 587a10f..8a1174d 100644
--- a/main.tf
+++ b/main.tf
@@ -110,9 +110,14 @@ module "label" {
 }
 
 resource "aws_ecr_repository" "self" {
- count = "${module.enabled.value}"
- name = "${var.use_fullname == "true" ? module.label.id : module.label.name}"
- tags = "${module.label.tags}"
+ count = "${module.enabled.value}"
+ name = "${var.use_fullname == "true" ? module.label.id : module.label.name}"
+ image_tag_mutability = "${var.image_tag_mutability}"
+ tags = "${module.label.tags}"
+
+ image_scanning_configuration {
+ scan_on_push = "${var.scan_on_push}"
+ }
 }
 
 resource "aws_ecr_lifecycle_policy" "aged" {
diff --git a/variables.tf b/variables.tf
index 85cb976..6b7b0b9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,8 +1,25 @@
+variable "accounts_ro" {
+ description = "AWS accounts to provide with readonly access to the ECR"
+ type = "list"
+ default = []
+}
+
+variable "accounts_rw" {
+ description = "AWS accounts to provide with full access to the ECR"
+ type = "list"
+ default = []
+}
+
 variable "enabled" {
 description = "Set to false to prevent the module from creating any resources"
 default = true
 }
 
+variable "image_tag_mutability" {
+ description = "The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE"
+ default = "MUTABLE"
+}
+
 variable "max_image_age" {
 description = "Max container image age"
 default = "0"
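Review bot: `image_tag_mutability = "${var.image_tag_mutability}"` passes the variable through with no check that it is one of MUTABLE or IMMUTABLE, so a mistyped value is only rejected by the AWS API at apply time; the HCL1 syntax used here offers no variable validation, so at minimum the resource should say so, e.g. `# image_tag_mutability is not validated here; an invalid value fails at apply time`. The `image_scanning_configuration` block and `scan_on_push` argument also presuppose an aws provider release that knows them; if the module does not already carry a minimum provider `version` constraint (none is visible in this hunk), add one so an older provider fails with a clear constraint error rather than an unknown-argument error. Both new settings default to the previous behaviour (mutable tags, no scanning), which keeps existing deployments unchanged, but a one-line comment on the resource stating that these are the least restrictive settings and that callers wanting tamper-resistant tags or scan results must opt in would help the next reader.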
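Review bot: The `image_tag_mutability` description restates the default that the `default` argument already declares, but says nothing about what IMMUTABLE changes, which is the reason a caller would set it; I would write `description = "Tag mutability for the repository: MUTABLE (default) or IMMUTABLE. IMMUTABLE prevents an existing tag from being overwritten by a later push."`. Since the HCL1 syntax in this file cannot validate the value, the description is the only place the allowed values are enforced for a reader, so keep the two literal values in it. The `accounts_ro`/`accounts_rw` blocks are only moved in this hunk and raise nothing.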
@@ -19,16 +36,9 @@ variable "max_image_count" {
 default = "500"
 }
 
-variable "accounts_rw" {
- description = "AWS accounts to provide with full access to the ECR"
- type = "list"
- default = []
-}
-
-variable "accounts_ro" {
- description = "AWS accounts to provide with readonly access to the ECR"
- type = "list"
- default = []
+variable "scan_on_push" {
+ description = "Vulnerabiliy scan images automatically on push"
+ default = false
 }
 
 variable "use_fullname" {
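Review bot: The description of the new `scan_on_push` variable has a typo ("Vulnerabiliy") and does not say what the default means, so a caller reading the variable list cannot tell whether scanning is on without looking at `default`; I would write `description = "Run the ECR vulnerability scan automatically on each image push (disabled by default)"`. The bare `default = false` follows the precedent of `enabled` in this file, so that is consistent, but the other numeric defaults here are quoted strings (`"0"`, `"500"`) and a short comment on why booleans are left unquoted would stop the next maintainer from "fixing" it either way.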