AWS announced a most welcome feature: ECR can now automatically scan images when you push them into a repository. And the first comment pointed out the missing CloudFormation support for the feature :-)

While I completely agree that CloudFormation should support all new features at launch, this also inspired me to write this post on how you can add support for any such missing feature using a simple pattern. And while doing that, I reminded myself of a couple of things about Lambda runtimes and SDKs …

My first thought was that this would be an easy fix. I just needed to create a Lambda-backed custom resource that calls putImageScanningConfiguration with scanOnPush: true. There is a nice generic custom resource Lambda implementation I could use for this, so it didn't take long before I had the custom resource ready:

```yaml
  Type: Custom::EcrImageScanningOnPush
  Properties:
    ServiceToken: !GetAtt CustomResource.Arn
    Service: ECR
    Action: putImageScanningConfiguration
    registryId: !Ref AWS::AccountId
    repositoryName: !Ref ContainerRepo
    # the ECR API expects scanOnPush nested under imageScanningConfiguration
    imageScanningConfiguration:
      scanOnPush: "true"
```

But for some odd reason it didn't work. Instead I got an error saying there was no such thing as putImageScanningConfiguration?

After some trial and error, I realised it might be my AWS JavaScript SDK that was also missing ECR image scanning support. The SDK itself has had it since 2.557.0, but the Lambda Node.js runtime had a much older version, 2.488.0 :-(

The next step was to build a Lambda layer with an up-to-date JavaScript SDK. Clearly I wasn't the first person who needed this, so I followed these simple instructions and soon had my layer holding an SDK with image scanning support ready.

After adding the layer to the custom resource function I finally had a CloudFormation template that creates an ECR repository and enables image scanning on push. It wasn't quite as simple as I thought, and I must admit Terraform is doing a much better job of supporting new AWS features than CloudFormation … assuming you have upgraded to the latest version ;-)
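As an added example (not this post's code, nor the generic custom resource Lambda it uses), here is the Service/Action dispatch pattern in Node.js with the two checks this debugging session called for: a clear failure when the runtime's bundled aws-sdk predates the action, and coercion of the string "true" that CloudFormation delivers into a real boolean. The SDK object is passed in so the logic can be exercised without aws-sdk installed, and the PUT of the response body to event.ResponseURL is assumed to be done by a cfn-response style helper.

```javascript
// CloudFormation delivers custom-resource property values as strings, so the
// template's scanOnPush: "true" must become a real boolean before the SDK's
// parameter validation sees it.
function coerceBooleans(value) {
  if (value === 'true') return true;
  if (value === 'false') return false;
  if (Array.isArray(value)) return value.map(coerceBooleans);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = coerceBooleans(v);
    return out;
  }
  return value;
}

// Resolve Service/Action on the SDK object and call it. When the runtime's
// SDK predates the action (2.488.0 had no putImageScanningConfiguration) the
// error names the SDK version instead of a bare "is not a function".
async function invokeAction(sdk, service, action, params) {
  const Client = sdk[service];
  if (typeof Client !== 'function') {
    throw new Error(`Service ${service} not in aws-sdk ${sdk.VERSION}`);
  }
  const client = new Client();
  if (typeof client[action] !== 'function') {
    throw new Error(`${service}.${action} missing in aws-sdk ${sdk.VERSION}; ` +
      'add a Lambda layer with a newer SDK');
  }
  return client[action](coerceBooleans(params)).promise();
}

// Turn a custom-resource event into the response body CloudFormation expects
// at event.ResponseURL; the HTTPS PUT is left to a cfn-response style helper.
async function handle(sdk, event, context) {
  const { ServiceToken, Service, Action, ...params } = event.ResourceProperties;
  const body = {
    StackId: event.StackId, RequestId: event.RequestId,
    LogicalResourceId: event.LogicalResourceId,
    PhysicalResourceId: event.PhysicalResourceId || context.logStreamName,
  };
  try {
    // Nothing to undo on Delete: scanOnPush disappears with the repository.
    body.Data = event.RequestType === 'Delete' ? {}
      : await invokeAction(sdk, Service, Action, params);
    return { ...body, Status: 'SUCCESS' };
  } catch (err) {
    return { ...body, Status: 'FAILED', Reason: err.message };
  }
}
module.exports = { coerceBooleans, invokeAction, handle };
```

Wire `handle` to `require('aws-sdk')` in the real Lambda handler and deploy the layer alongside it; a FAILED response then carries the SDK version in its Reason instead of leaving the stack to guess.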