
Enable Vulnerability Scanning for container_registry #7644

Closed
claywd opened this issue Oct 27, 2020 · 8 comments

Comments

@claywd

claywd commented Oct 27, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

I'd like to contribute a few lines to allow users to enable Vulnerability Scanning if there is interest in such a feature.

New or Affected Resource(s)

Potential Terraform Configuration

resource "google_container_registry" "registry" {
  project  = "my-project"
  location = "EU"
  vulnerability_scanning = true # or false
}

References

None that I could dig up.

@ghost ghost added the enhancement label Oct 27, 2020
@rileykarson rileykarson added this to the Goals milestone Nov 2, 2020
@rileykarson
Collaborator

rileykarson commented Nov 5, 2020

Hey @claywd! This one is a bit of an unusual resource. Instead of provisioning it through the GCP API, it works by making a handshake with an api, which causes the resource to get provisioned. What API would enable the vulnerability scanning feature? Modifying the GCR GCS bucket?

@kustodian

We also need this feature.

@bluemalkin

I keep stumbling over this when I create a new Artifact Registry. It would be great to enable this somehow.

@endorama

I've been researching this today as I need to enable this feature.

There are 2 types of scanning:

  • automated, enabled by enabling Container Scanning API: containerscanning.googleapis.com
  • ondemand, enabled by enabling Container Scanning API: ondemandscanning.googleapis.com

@rileykarson it's unusual also in this setting, as each of them is enabled by enabling the corresponding API. Given the structure, the vulnerability_scanning field should probably be an enum with disabled|automated|ondemand as possible values.

It is possible to overcome this limitation today by enabling the corresponding service using the google_project_service resource:

resource "google_project_service" "containerscanning" {
  # enabling this API enables automated GCR scanning
  # https://cloud.google.com/container-analysis/docs/enable-container-scanning
  # https://cloud.google.com/container-analysis/docs/automated-scanning-howto
  # https://cloud.google.com/container-analysis/docs/controlling-costs
  service = "containerscanning.googleapis.com"

  disable_dependent_services = true
  disable_on_destroy         = true
}

# the two resources need distinct names, otherwise terraform rejects the duplicate
resource "google_project_service" "ondemandscanning" {
  # enabling this API enables on demand image scanning on GCR
  # https://cloud.google.com/container-analysis/docs/enable-ods
  # https://cloud.google.com/container-analysis/docs/on-demand-scanning-howto
  # https://cloud.google.com/container-analysis/docs/controlling-costs
  service = "ondemandscanning.googleapis.com"

  disable_dependent_services = false
  disable_on_destroy         = true
}

(I've yet to test this, but I plan doing it in the next week or so)

@rileykarson
Collaborator

Based on that + the linked cloud docs it seems to me that we don't need a new resource at all, and that this workflow is possible with existing resources?

Performing individual on-demand scans and browsing results don't seem like they obviously fit into a Terraform workflow, so they likely don't need to be added.
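One way to express the disabled|automated|ondemand enum proposed above with the existing google_project_service resource, so that the mode is a single validated input and the matching API is enabled or disabled with it. This is an added example, not code from the thread or from the provider; the project_id variable and the resource and local names are assumptions.

```hcl
# Assumed input: the project whose Container Analysis scanning APIs are managed here.
variable "project_id" {
  type        = string
  description = "Project in which to enable or disable container vulnerability scanning."
}

variable "vulnerability_scanning" {
  type        = string
  default     = "disabled"
  description = "Scanning mode: disabled, automated or ondemand."

  validation {
    condition     = contains(["disabled", "automated", "ondemand"], var.vulnerability_scanning)
    error_message = "vulnerability_scanning must be one of: disabled, automated, ondemand."
  }
}

locals {
  # Each non-disabled mode maps to the API that turns it on (service names from the thread).
  scanning_service = {
    automated = "containerscanning.googleapis.com"
    ondemand  = "ondemandscanning.googleapis.com"
  }
}

resource "google_project_service" "vulnerability_scanning" {
  # No resource at all in "disabled" mode; the service lookup below is only
  # evaluated when count is 1, so the missing "disabled" key is never read.
  count = var.vulnerability_scanning == "disabled" ? 0 : 1

  project = var.project_id
  service = local.scanning_service[var.vulnerability_scanning]

  # Switching back to "disabled" (or destroying) turns the API off again,
  # which also stops the per-image scanning charges mentioned in the cost docs.
  disable_on_destroy = true
}

output "vulnerability_scanning_api" {
  description = "The scanning API enabled for this project, or null when disabled."
  value       = one(google_project_service.vulnerability_scanning[*].service)
}
```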

@claudio-vellage
Contributor

@endorama Any update on this issue?

@endorama

@claudio-vellage I can confirm that enabling containerscanning.googleapis.com API enables container security scanning. I've not tested the ondemand one, but I would expect it to work in the same way!

modular-magician added a commit to modular-magician/terraform-provider-google that referenced this issue Apr 5, 2023
modular-magician added a commit that referenced this issue Apr 5, 2023
rileykarson pushed a commit that referenced this issue Apr 5, 2023
@roaks3
Collaborator

roaks3 commented Sep 27, 2024

It looks like this issue is resolved by enabling those APIs. (Also note that Container Registry is now deprecated in favor of Artifact Registry #19661.)

@roaks3 roaks3 closed this as completed Sep 27, 2024