Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: ecr - enable scan on push and KMS encryption #161

Merged
merged 3 commits into from
Apr 30, 2024
Merged

feat: ecr - enable scan on push and KMS encryption #161

merged 3 commits into from
Apr 30, 2024

Conversation

kukushking
Copy link
Contributor

Issue #, if available:

Description of changes:
added image scan on push and KMS encryption to ECR module

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@kukushking
feat: ecr - enable scan on push and KMS encryption
2862664 
Signed-off-by: Anton Kukushkin <kukushkin.anton@gmail.com>
@malachi-constant
Copy link
Contributor

AWS CodeBuild CI Report

  • CodeBuild project: IDFModuleTestsInfrastructur-59JoFoVH64CI
  • Commit ID: 2862664
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

malachi-constant
malachi-constant previously approved these changes Apr 26, 2024
View reviewed changes
Copy link
Contributor

@malachi-constant malachi-constant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kukushking
tests
90f45a7 
Signed-off-by: Anton Kukushkin <kukushkin.anton@gmail.com>
@malachi-constant
Copy link
Contributor

AWS CodeBuild CI Report

  • CodeBuild project: IDFModuleTestsInfrastructur-59JoFoVH64CI
  • Commit ID: 90f45a7
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

srinivasreddych
srinivasreddych reviewed Apr 28, 2024
View reviewed changes
modules/storage/ecr/stack.py
@@ -34,6 +42,11 @@ def __init__(
repository_name=repository_name,
image_tag_mutability=IMAGE_MUTABILITY[image_tag_mutability],
removal_policy=RemovalPolicy.DESTROY if removal_policy in ["DESTROY"] else RemovalPolicy.RETAIN,
image_scan_on_push=image_scan_on_push,
encryption=ENCRYPTION[encryption],
encryption_key=kms.Key.from_key_arn(self, "Key", key_arn=kms_key_arn)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of asking for 2 input parameters encryption and kms-key-arn, can we just ask for 1 user input parameter kms-key-arn:

if kms-key-arn input param is declared, then encryption should be set to KMS else set to AES:

 encryption="KMS" if  kms_key_arn else "AES256",
 encryption_key=kms.Key.from_key_arn(self, "Key", key_arn=kms_key_arn) if kms_key_arn else None

Copy link
Contributor Author

@kukushking kukushking Apr 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If no custom key arn is passed, AWS-managed key is used thus the introduction of encryption param... I guess one option that will make the choices more clear is to change encryption to accept one of KMS_MANAGED, KMS_CUSTOM, AES256 - does that work?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense! Thanks for clarifying.

@kukushking
use KMS_MANAGED and KMS_CUSTOM options
3280919 
Signed-off-by: Anton Kukushkin <kukushkin.anton@gmail.com>
@kukushking
Copy link
Contributor Author

@malachi-constant @srinivasreddych another round of approvals, please.

@malachi-constant
Copy link
Contributor

AWS CodeBuild CI Report

  • CodeBuild project: IDFModuleTestsInfrastructur-59JoFoVH64CI
  • Commit ID: 3280919
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@kukushking kukushking merged commit ab6c525 into awslabs:main Apr 30, 2024
17 checks passed
@kukushking kukushking deleted the feat/ecr-ecryption-and-scan branch April 30, 2024 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@srinivasreddych srinivasreddych srinivasreddych approved these changes

@malachi-constant malachi-constant malachi-constant left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kukushking @malachi-constant @srinivasreddych