From 69311748ba9b2bdca3cd516937e042ece4428e38 Mon Sep 17 00:00:00 2001
From: Khushboo <46913995+khushboo9024@users.noreply.github.com>
Date: Fri, 23 Feb 2024 15:19:46 +0530
Subject: [PATCH] Add table aws_ecr_registry_scanning_configuration #2083 (#2084)
Co-authored-by: Ved misra <47312748+misraved@users.noreply.github.com>
---
 .../dependencies.txt | 0
 .../test-get-expected.json | 21 +++++
 .../test-get-query.sql | 3 +
 .../variables.tf | 75 +++++++++++++++++
 aws/plugin.go | 1 +
 ...aws_ecr_registry_scanning_configuration.go | 67 +++++++++++++++
 ...aws_ecr_registry_scanning_configuration.md | 84 +++++++++++++++++++
 7 files changed, 251 insertions(+)
 create mode 100644 aws-test/tests/aws_ecr_registry_scanning_configuration/dependencies.txt
 create mode 100644 aws-test/tests/aws_ecr_registry_scanning_configuration/test-get-expected.json
 create mode 100644 aws-test/tests/aws_ecr_registry_scanning_configuration/test-get-query.sql
 create mode 100644 aws-test/tests/aws_ecr_registry_scanning_configuration/variables.tf
 create mode 100644 aws/table_aws_ecr_registry_scanning_configuration.go
 create mode 100644 docs/tables/aws_ecr_registry_scanning_configuration.md
diff --git a/aws-test/tests/aws_ecr_registry_scanning_configuration/dependencies.txt b/aws-test/tests/aws_ecr_registry_scanning_configuration/dependencies.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/aws-test/tests/aws_ecr_registry_scanning_configuration/test-get-expected.json b/aws-test/tests/aws_ecr_registry_scanning_configuration/test-get-expected.json
new file mode 100644
index 000000000..d358ac3e7
--- /dev/null
+++ b/aws-test/tests/aws_ecr_registry_scanning_configuration/test-get-expected.json
@@ -0,0 +1,21 @@
+[
+ {
+ "region": "{{ output.aws_region.value }}",
+ "registry_id": "{{ output.aws_account.value }}",
+ "scanning_configuration": {
+ "Rules": [
+ {
+ "RepositoryFilters": [
+ {
+ "Filter": "example",
+ "FilterType": "WILDCARD"
+ }
+ ],
+ "ScanFrequency": "CONTINUOUS_SCAN"
+ }
+ ],
+ "ScanType": "ENHANCED"
+ },
+ "title": "{{ output.aws_account.value }}"
+ }
+]
\ No newline at end of file
diff --git a/aws-test/tests/aws_ecr_registry_scanning_configuration/test-get-query.sql b/aws-test/tests/aws_ecr_registry_scanning_configuration/test-get-query.sql
new file mode 100644
index 000000000..c98cfb688
--- /dev/null
+++ b/aws-test/tests/aws_ecr_registry_scanning_configuration/test-get-query.sql
@@ -0,0 +1,3 @@
+select registry_id, scanning_configuration, title, region
+from aws.aws_ecr_registry_scanning_configuration
+where region = '{{ output.aws_region.value }}'
\ No newline at end of file
diff --git a/aws-test/tests/aws_ecr_registry_scanning_configuration/variables.tf b/aws-test/tests/aws_ecr_registry_scanning_configuration/variables.tf
new file mode 100644
index 000000000..c4f418622
--- /dev/null
+++ b/aws-test/tests/aws_ecr_registry_scanning_configuration/variables.tf
@@ -0,0 +1,75 @@
+variable "resource_name" {
+ type = string
+ default = "turbot-test-20200125-create-update"
+ description = "Name of the resource used throughout the test."
+}
+
+variable "aws_profile" {
+ type = string
+ default = "default"
+ description = "AWS credentials profile used for the test. Default is to use the default profile."
+}
+
+variable "aws_region" {
+ type = string
+ default = "us-east-1"
+ description = "AWS region used for the test. Does not work with default region in config, so must be defined here."
+}
+
+variable "aws_region_alternate" {
+ type = string
+ default = "us-east-2"
+ description = "Alternate AWS region used for tests that require two regions (e.g. DynamoDB global tables)."
+}
+
+provider "aws" {
+ profile = var.aws_profile
+ region = var.aws_region
+}
+
+provider "aws" {
+ alias = "alternate"
+ profile = var.aws_profile
+ region = var.aws_region_alternate
+}
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "primary" {}
+data "aws_region" "alternate" {
+ provider = aws.alternate
+}
+
+data "null_data_source" "resource" {
+ inputs = {
+ scope = "arn:${data.aws_partition.current.partition}:::${data.aws_caller_identity.current.account_id}"
+ }
+}
+
+resource "aws_ecr_registry_scanning_configuration" "configuration" {
+ scan_type = "ENHANCED"
+
+ rule {
+ scan_frequency = "CONTINUOUS_SCAN"
+ repository_filter {
+ filter = "example"
+ filter_type = "WILDCARD"
+ }
+ }
+}
+
+output "registry_id" {
+ value = aws_ecr_registry_scanning_configuration.configuration.registry_id
+}
+
+output "aws_region" {
+ value = data.aws_region.primary.name
+}
+
+output "aws_partition" {
+ value = data.aws_partition.current.partition
+}
+
+output "aws_account" {
+ value = data.aws_caller_identity.current.account_id
+}
\ No newline at end of file
diff --git a/aws/plugin.go b/aws/plugin.go
index 5e27f0b11..ac7483243 100644
--- a/aws/plugin.go
+++ b/aws/plugin.go
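Review bot: The `aws_ecr_registry_scanning_configuration` resource in this fixture does not create an isolated test object; it writes a registry-level, per-region setting, so applying it against a shared test account is expected to replace whatever scanning rules that account already has in `var.aws_region`, and `terraform destroy` resets the registry configuration rather than removing a throwaway resource. A comment on the resource block such as `# NOTE: registry-level singleton; apply/destroy overwrites the account's existing scanning rules in this region` would make that visible to whoever runs the suite. The `null_data_source` block (and its `scope` input) and the `resource_name` variable appear unused here; if this is copied boilerplate that is fine, but the null provider marks `null_data_source` as deprecated in favour of `locals`, so it is worth dropping when the template is next touched.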
@@ -208,6 +208,7 @@ func Plugin(ctx context.Context) *plugin.Plugin {
 "aws_ec2_transit_gateway_vpc_attachment": tableAwsEc2TransitGatewayVpcAttachment(ctx),
 "aws_ecr_image": tableAwsEcrImage(ctx),
 "aws_ecr_image_scan_finding": tableAwsEcrImageScanFinding(ctx),
+ "aws_ecr_registry_scanning_configuration": tableAwsEcrRegistryScanningConfiguration(ctx),
 "aws_ecr_repository": tableAwsEcrRepository(ctx),
 "aws_ecrpublic_repository": tableAwsEcrpublicRepository(ctx),
 "aws_ecs_cluster": tableAwsEcsCluster(ctx),
diff --git a/aws/table_aws_ecr_registry_scanning_configuration.go b/aws/table_aws_ecr_registry_scanning_configuration.go
new file mode 100644
index 000000000..2bbc1d6ac
--- /dev/null
+++ b/aws/table_aws_ecr_registry_scanning_configuration.go
@@ -0,0 +1,67 @@
+package aws
+
+import (
+ "context"
+
+ "github.com/aws/aws-sdk-go-v2/service/ecr"
+
+ ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
+
+ "github.com/turbot/steampipe-plugin-sdk/v5/grpc/proto"
+ "github.com/turbot/steampipe-plugin-sdk/v5/plugin"
+ "github.com/turbot/steampipe-plugin-sdk/v5/plugin/transform"
+)
+
+//// TABLE DEFINITION
+
+func tableAwsEcrRegistryScanningConfiguration(_ context.Context) *plugin.Table {
+ return &plugin.Table{
+ Name: "aws_ecr_registry_scanning_configuration",
+ Description: "AWS ECR Registry Scanning Configuration",
+ List: &plugin.ListConfig{
+ Hydrate: getEcrRegistryScanningConfiguration,
+ },
+ GetMatrixItemFunc: SupportedRegionMatrix(ecrv1.EndpointsID),
+ Columns: awsRegionalColumns([]*plugin.Column{
+ {
+ Name: "registry_id",
+ Description: "The ID of the registry.",
+ Type: proto.ColumnType_STRING,
+ },
+ {
+ Name: "scanning_configuration",
+ Description: "The scanning configuration for the registry.",
+ Type: proto.ColumnType_JSON,
+ },
+ // Steampipe standard columns
+ {
+ Name: "title",
+ Description: resourceInterfaceDescription("title"),
+ Type: proto.ColumnType_STRING,
+ Transform: transform.FromField("RegistryId"),
+ },
+ }),
+ }
+}
+
+func getEcrRegistryScanningConfiguration(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) {
+
+ // Create Session
+ svc, err := ECRClient(ctx, d)
+ if err != nil {
+ plugin.Logger(ctx).Error("aws_ecr_registry_scanning_configuration.getEcrRegistryScanningConfiguration", "connection_error", err)
+ return nil, err
+ }
+
+ params := &ecr.GetRegistryScanningConfigurationInput{}
+
+ op, err := svc.GetRegistryScanningConfiguration(ctx, params)
+ if err != nil {
+ plugin.Logger(ctx).Error("aws_ecr_registry_scanning_configuration.getEcrRegistryScanningConfiguration", "api_error", err)
+ return nil, err
+ }
+
+ d.StreamListItem(ctx, op)
+
+ return nil, nil
+}
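Review bot: `getEcrRegistryScanningConfiguration` is wired as the table's List hydrate but has no section marker or doc comment, unlike the `//// TABLE DEFINITION` header above it; a `//// LIST FUNCTION` header plus a one-line comment such as `// getEcrRegistryScanningConfiguration streams the single registry-level scanning configuration for the current matrix region; the output's RegistryId and ScanningConfiguration populate registry_id and scanning_configuration.` would match the file's existing convention. The `h *plugin.HydrateData` parameter is never read, so `_ *plugin.HydrateData` states that directly, and the `get…` name for a function that serves `List` reads a little oddly even though the resource is a per-region singleton. Because this is a List hydrate that returns `err`, a failure of `GetRegistryScanningConfiguration` in any one matrix region fails the whole query rather than producing no row for that region; if the plugin has an ignore-config mechanism for unsupported-operation or access-denied errors on `ListConfig`, this table looks like a candidate for it, since `SupportedRegionMatrix(ecrv1.EndpointsID)` fans the call out to every ECR region.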
diff --git a/docs/tables/aws_ecr_registry_scanning_configuration.md b/docs/tables/aws_ecr_registry_scanning_configuration.md
new file mode 100644
index 000000000..55a162335
--- /dev/null
+++ b/docs/tables/aws_ecr_registry_scanning_configuration.md
@@ -0,0 +1,84 @@
+---
+title: "Steampipe Table: aws_ecr_registry_scanning_configuration - Query AWS ECR Registry Scanning Configuration using SQL"
+description: "Allows users to query AWS ECR Registry Scanning Configuration at the private registry level on a per-region basis."
+---
+
+# Table: aws_ecr_registry_scanning_configuration - Query AWS ECR Registry Scanning Configuration using SQL
+
+The AWS ECR Registry Scanning Configurations are defined at the private registry level on a per-region basis. These refer to the settings and policies that govern how Amazon ECR scans your container images for vulnerabilities. Amazon ECR integrates with the Amazon ECR image scanning feature, which automatically scans your Docker and OCI images for software vulnerabilities.
+
+## Table Usage Guide
+
+The `aws_ecr_registry_scanning_configuration` table in Steampipe provides you with information about the scanning configurations of Amazon Elastic Container Registry (ECR). This table allows you, as a cloud administrator, security team member, or developer, to query the scanning rules associated with the registry. You can utilize this table to gather insights on scanning configurations, such as the rules, the repository filters, and the region name. The schema outlines the various attributes of the scanning configurations for you, including the region, rules, repository filters, scan type and scan frequency.
+
+## Examples
+
+### Basic configuration info
+Analyze the configuration to understand that Amazon ECR scans your container images for vulnerabilities. This is essential for several reasons, primarily centered around security, compliance, and operational efficiency in managing container images.
+
+```sql+postgres
+select
+ registry_id,
+ jsonb_pretty(scanning_configuration),
+ region
+from
+ aws_ecr_registry_scanning_configuration;
+```
+
+```sql+sqlite
+select
+ registry_id,
+ scanning_configuration,
+ region
+from
+ aws_ecr_registry_scanning_configuration;
+```
+
+### Configuration info for a particular region
+Determine the scanning configuration of container images for a specific region. This query is beneficial for understanding the scanning configuration of your container images in that particular region.
+
+```sql+postgres
+select
+ registry_id,
+ jsonb_pretty(scanning_configuration),
+ region
+from
+ aws_ecr_registry_scanning_configuration
+where
+ region = 'ap-south-1';
+```
+
+```sql+sqlite
+select
+ registry_id,
+ scanning_configuration,
+ region
+from
+ aws_ecr_registry_scanning_configuration
+where
+ region = 'ap-south-1';
+```
+
+
+### List the regions where enhanced scanning is enabled
+Identify regions where the enhanced scanning is enabled for container images. This helps determine whether enhanced vulnerability scanning features are available through integrations with AWS services or third-party tools.
+
+```sql+postgres
+select
+ registry_id,
+ region
+from
+ aws_ecr_registry_scanning_configuration
+where
+ scanning_configuration ->> 'ScanType' = 'ENHANCED'
+```
+
+```sql+sqlite
+select
+ registry_id,
+ region
+from
+ aws_ecr_registry_scanning_configuration
+where
+ json_extract(scanning_configuration, '$.ScanType') = 'ENHANCED';
+```