feat(aws-ecr): add onImageScanCompleted() support

packages/@aws-cdk/aws-ecr/lib/repository.ts

@@ -80,6 +80,21 @@ export interface IRepository extends IResource {
    * @param options Options for adding the rule
    */
   onCloudTrailImagePushed(id: string, options?: OnCloudTrailImagePushedOptions): events.Rule;
+
+  /**
+   * Defines an AWS CloudWatch event rule that can trigger a target when the image scan is completed
+   *
+   *
+   * @param id The id of the rule
+   * @param options Options for adding the rule
+   */
+  onImageScanCompleted(id: string, options?: OnImageScanCompletedOptions): events.Rule;
+
+  /**
+   * Defines a CloudWatch event rule which triggers for repository events. Use
+   * `rule.addEventPattern(pattern)` to specify a filter.
+   */
+  onEvent(id: string, options?: events.OnEventOptions): events.Rule;
 }
 
 /**
@@ -170,7 +185,41 @@ export abstract class RepositoryBase extends Resource implements IRepository {
     });
     return rule;
   }
+  /**
+   * Defines an AWS CloudWatch event rule that can trigger a target when an image scan is completed
+   *
+   *
+   * @param id The id of the rule
+   * @param options Options for adding the rule
+   */
+  public onImageScanCompleted(id: string, options: OnImageScanCompletedOptions = {}): events.Rule {
+    const rule = new events.Rule(this, id, options);
+    rule.addTarget(options.target);
+    rule.addEventPattern({
+      source: ['aws.ecr'],
+      detailType: ['ECR Image Scan'],
+      detail: {
+        'repository-name': [this.repositoryName],
+        'scan-status': ['COMPLETE'],
+        'image-tags': options.imageTags ? options.imageTags : undefined
+      }
+    });
+    return rule;
+  }
 
+  /**
+   * Defines a CloudWatch event rule which triggers for repository events. Use
+   * `rule.addEventPattern(pattern)` to specify a filter.
+   */
+  public onEvent(id: string, options: events.OnEventOptions = {}) {
+    const rule = new events.Rule(this, id, options);
+    rule.addEventPattern({
+      source: ['aws.ecr'],
+      resources: [this.repositoryArn]
+    });
+    rule.addTarget(options.target);
+    return rule;
+  }
   /**
    * Grant the given principal identity permissions to perform the actions on this repository
    */
@@ -225,6 +274,19 @@ export interface OnCloudTrailImagePushedOptions extends events.OnEventOptions {
   readonly imageTag?: string;
 }
 
+/**
+ * Options for the OnImageScanCompleted method
+ */
+export interface OnImageScanCompletedOptions extends events.OnEventOptions {
+  /**
+   * Only watch changes to the image tags spedified.
+   * Leave it undefined to watch the full repository.
+   *
+   * @default - Watch the changes to the repository with all image tags
+   */
+  readonly imageTags?: string[];
+}
+
 export interface RepositoryProps {
   /**
    * Name for this repository

packages/@aws-cdk/aws-ecr/test/integ.imagescan.expected.json

@@ -0,0 +1,85 @@
+{
+  "Resources": {
+    "Repo02AC86CF": {
+      "Type": "AWS::ECR::Repository",
+      "UpdateReplacePolicy": "Retain",
+      "DeletionPolicy": "Retain"
+    },
+    "RepoImageScanComplete7BC71935": {
+      "Type": "AWS::Events::Rule",
+      "Properties": {
+        "EventPattern": {
+          "source": [
+            "aws.ecr"
+          ],
+          "detail-type": [
+            "ECR Image Scan"
+          ],
+          "detail": {
+            "repository-name": [
+              {
+                "Ref": "Repo02AC86CF"
+              }
+            ],
+            "scan-status": [
+              "COMPLETE"
+            ]
+          }
+        },
+        "State": "ENABLED"
+      }
+    }
+  },
+  "Outputs": {
+    "RepositoryURI": {
+      "Value": {
+        "Fn::Join": [
+          "",
+          [
+            {
+              "Fn::Select": [
+                4,
+                {
+                  "Fn::Split": [
+                    ":",
+                    {
+                      "Fn::GetAtt": [
+                        "Repo02AC86CF",
+                        "Arn"
+                      ]
+                    }
+                  ]
+                }
+              ]
+            },
+            ".dkr.ecr.",
+            {
+              "Fn::Select": [
+                3,
+                {
+                  "Fn::Split": [
+                    ":",
+                    {
+                      "Fn::GetAtt": [
+                        "Repo02AC86CF",
+                        "Arn"
+                      ]
+                    }
+                  ]
+                }
+              ]
+            },
+            ".",
+            {
+              "Ref": "AWS::URLSuffix"
+            },
+            "/",
+            {
+              "Ref": "Repo02AC86CF"
+            }
+          ]
+        ]
+      }
+    }
+  }
+}

packages/@aws-cdk/aws-ecr/test/integ.imagescan.ts

@@ -0,0 +1,15 @@
+import cdk = require('@aws-cdk/core');
+import ecr = require('../lib');
+
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'aws-ecr-integ-stack');
+
+const repo = new ecr.Repository(stack, 'Repo');
+repo.onImageScanCompleted('ImageScanComplete', {
+});
+
+new cdk.CfnOutput(stack, 'RepositoryURI', {
+  value: repo.repositoryUri
+});
+
+app.synth();