
Commit 70046ee

Author: Bob Strahan (committed)
Update ECR image scanning configuration to be optional for Pattern-2 Lambda containers
1 parent 23100bc commit 70046ee

File tree

2 files changed

+20
-1
lines changed


patterns/pattern-2/template.yaml

Lines changed: 8 additions & 1 deletion
@@ -110,6 +110,12 @@ Parameters:
110110
AllowedValues: ['true', 'false']
111111
Description: Enable X-Ray tracing
112112

113+
EnableECRImageScanning:
114+
Type: String
115+
Default: 'true'
116+
AllowedValues: ['true', 'false']
117+
Description: Enable automatic vulnerability scanning for Lambda container images in ECR
118+
113119
PermissionsBoundaryArn:
114120
Type: String
115121
Default: ""
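Review bot: The new EnableECRImageScanning parameter's Description says only that it enables scanning; unlike the matching parameter in the top-level template, it does not state the trade-off of turning it off. Since this nested template can also be deployed on its own, consider carrying the same wording here, for example "Disabling reduces security posture; recommended true for production." Also note the quoting: this file uses 'true' while the top-level template uses "true"; both are valid YAML, but keeping one style per repository avoids churn.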
@@ -147,6 +153,7 @@ Conditions:
147153
!Not [!Equals [!Ref CustomExtractionModelARN, ""]]
148154
HasPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundaryArn, ""]]
149155
HasAppSyncApi: !Not [!Equals [!Ref AppSyncApiArn, ""]]
156+
IsECRImageScanningEnabled: !Equals [!Ref EnableECRImageScanning, "true"]
150157

151158
Resources:
152159
Pattern2DockerBuildRole:
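Review bot: The condition is correct as written because AllowedValues on the parameter restricts input to exactly 'true' or 'false', so the !Equals comparison cannot be bypassed by a mixed-case value. For consistency with the other conditions in this block (which use double-quoted "" literals) the literal "true" here is fine; only the parameter definition above uses single quotes.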
@@ -223,7 +230,7 @@ Resources:
223230
# checkov:skip=CKV_AWS_51: "Mutable tags allowed for workflow flexibility and version updates."
224231
Properties:
225232
ImageScanningConfiguration:
226-
ScanOnPush: true
233+
ScanOnPush: !If [IsECRImageScanningEnabled, true, false]
227234
EncryptionConfiguration:
228235
EncryptionType: KMS
229236
KmsKey: !Ref CustomerManagedEncryptionKeyArn
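Review bot: Now that ScanOnPush can evaluate to false, the existing checkov:skip comment (which covers only the mutable-tags check, CKV_AWS_51) is no longer the only finding this resource will raise: checkov's scan-on-push check for ECR repositories will flag the conditional value on the false branch. Either add a second checkov:skip line with a justification that references the EnableECRImageScanning parameter, or document in the PR that the finding is accepted when scanning is disabled. Using !If with boolean literals rather than passing the string parameter straight into ScanOnPush is the right choice, since the property expects a Boolean.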

template.yaml

Lines changed: 12 additions & 0 deletions
@@ -328,6 +328,17 @@ Parameters:
328328
AllowedPattern: "^(|arn:aws[a-z-]*:iam::[0-9]{12}:policy/.+)$"
329329
ConstraintDescription: Must be empty or a valid IAM policy ARN
330330

331+
EnablePattern2ECRImageScanning:
332+
Type: String
333+
Default: "true"
334+
AllowedValues:
335+
- "true"
336+
- "false"
337+
Description: >-
338+
Enable automatic vulnerability scanning for Pattern-2 Lambda container images in ECR.
339+
Disabling may improve deployment reliability but reduces security posture.
340+
Recommended: true for production, false only if experiencing deployment issues.
341+
331342
# Logging configuration
332343
LogLevel:
333344
Type: String
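Review bot: The Description says disabling scanning "may improve deployment reliability" but does not say which deployment failure this addresses. Operators reading the parameter list have no way to tell when the toggle is appropriate; add a short note on the observed failure mode (or a link to the tracking issue) so that "false only if experiencing deployment issues" is actionable rather than a guess. Otherwise the parameter shape (String with AllowedValues "true"/"false", default "true") matches the rest of this Parameters block.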
@@ -960,6 +971,7 @@ Resources:
960971
ArtifactPrefix: "<ARTIFACT_PREFIX_TOKEN>"
961972
Pattern2SourceZipfile: "<PATTERN2_SOURCE_ZIPFILE_TOKEN>"
962973
EvaluationFunctionArn: !GetAtt EvaluationFunction.Arn
974+
EnableECRImageScanning: !Ref EnablePattern2ECRImageScanning
963975

964976
PATTERN3STACK:
965977
DependsOn:
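Review bot: Passing EnableECRImageScanning to the Pattern-2 nested stack only succeeds if the child template that is actually deployed already declares that parameter. The surrounding properties (ArtifactPrefix, Pattern2SourceZipfile tokens) indicate the child template is fetched from a published artifact, so make sure the publish step ships the updated patterns/pattern-2/template.yaml before this parent template is applied; CloudFormation rejects a nested-stack update that supplies a parameter the child does not define. The name mapping (EnablePattern2ECRImageScanning in the parent, EnableECRImageScanning in the child) is intentional and reads clearly.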
