lacework · afiune · Nov 22, 2021 · Nov 17, 2021
@@ -22,6 +22,9 @@ A Terraform Module to integrate Amazon Container Registries (ECR) with Lacework.
 | wait_time                 | Amount of time to wait before the next resource is provisioned                                                   | `string`      | `"15s"`             | no       |
 | lacework_integration_name | The name of the external ECR integration                                                                         | `string`      | `"TF ECR IAM ROLE"` | no       |
 | non_os_package_support    | Whether or not the integration should check non-os packages in the container for vulnerabilities                 | `bool`        | `false`             | no       |
+| `limit_by_tags` |A list of image tags to limit the assessment of images with matching tags. If you specify limit_by_tags and limit_by_labels limits, they function as an AND. Supported field input can be ["mytext\*mytext", "mytext", "mytext\*", "mytext". Only one * wildcard is supported.| `list(string)` | no |
+| `limit_by_labels` |A list of image labels to limit the assessment of images with matching labels. If you specify limit_by_tags and limit_by_labels limits, they function as an AND. Supported field input can be ["mytext\*mytext", "mytext", "mytext*", "mytext"].Only one * wildcard is supported.| `list(string)` | no |
+| `limit_by_repositories` |A list of repositories to assess.| `list(string)` | no |
 
 ## Outputs
 

@@ -0,0 +1,26 @@
+# Configure Lacework ECR Integration
+
+This example creates a new least privilege IAM Role to access the Amazon Container Registry of the account running the automation and integrates it with Lacework.
+
+```hcl
+terraform {
+  required_providers {
+    lacework = {
+      source = "lacework/lacework"
+    }
+  }
+}
+
+provider "lacework" {}
+
+provider "aws" {}
+
+module "lacework_ecr" {
+  source  = "lacework/ecr/aws"
+  version = "~> 0.1"
+
+  limit_by_tags         = ["example*"]
+  limit_by_labels       = {example: "example"}
+  limit_by_repositories = ["foo","bar"]
+}
+```
@@ -0,0 +1,11 @@
+provider "lacework" {}
+
+provider "aws" {}
+
+module "lacework_ecr" {
+  source = "../.."
+
+  limit_by_tags         = ["example*"]
+  limit_by_labels       = {example: "example"}
+  limit_by_repositories = ["foo","bar"]
+}
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.12.26"
+
+  required_providers {
+    aws = "~> 3.0"
+    lacework = {
+      source = "lacework/lacework"
+    }
+  }
+}
@@ -41,5 +41,8 @@ resource "lacework_integration_ecr" "iam_role" {
     role_arn    = local.iam_role_arn
     external_id = local.iam_role_external_id
   }
-  depends_on = [time_sleep.wait_time]
+  limit_by_tags         = var.limit_by_tags  
+  limit_by_labels       = var.limit_by_labels   
+  limit_by_repositories = var.limit_by_repositories
+  depends_on            = [time_sleep.wait_time]
 }
@@ -12,6 +12,7 @@ TEST_CASES=(
   examples/default
   examples/custom
   examples/multi-region
+  examples/configure-lacework-ecr-integration
 )
 
 log() {

@@ -28,6 +28,24 @@ variable "iam_role_name" {
   description = "The IAM role name. Required to match with iam_role_arn if use_existing_iam_role is set to true"
 }
 
+variable "limit_by_tags" {
+  type        = list(string)
+  default     = []
+  description = "A list of tags to limit the assessment of images with matching tags. If you specify limit_by_tags and limit_by_label limits, they function as an AND."
+}
+
+variable "limit_by_labels" {
+  type        = map(string)
+  default     = {}
+  description = "A key based map of image labels to limit the assessment of images with matching labels. If you specify limit_by_tags and limit_by_label limits, they function as an AND."
+}
+
+variable "limit_by_repositories" {
+  type        = list(string)
+  default     = []
+  description = "A list of repositories to assess"
+}
+
 variable "external_id_length" {
   type        = number
   default     = 16