container_registry
Manages container registry connections in CrowdStrike Falcon Container Security. This resource allows you to connect container registries for image scanning and vulnerability assessment.
API Scopes
Section titled “API Scopes”The following API scopes are required:
- Falcon Container Image: READ
- Falcon Container Image: WRITE
Example Usage
Section titled “Example Usage”terraform { required_providers { crowdstrike = { source = "registry.terraform.io/crowdstrike/crowdstrike" } }}
provider "crowdstrike" { cloud = "us-2"}
# Docker Hub registryresource "crowdstrike_container_registry" "dockerhub" { url = "https://registry-1.docker.io/" type = "dockerhub" user_defined_alias = "My Docker Hub" url_uniqueness_key = "my-dockerhub-account"
credential = { username = "myusername" password = "<your-dockerhub-token>" }}
# AWS ECR registryresource "crowdstrike_container_registry" "ecr" { url = "https://123456789012.dkr.ecr.us-east-1.amazonaws.com" type = "ecr" user_defined_alias = "Production ECR"
credential = { aws_iam_role = "arn:aws:iam::123456789012:role/FalconContainerRole" aws_external_id = "<your-external-id>" }}
# Azure ACR registry (password authentication)resource "crowdstrike_container_registry" "acr_password" { url = "https://myregistry.azurecr.io/" type = "acr" user_defined_alias = "Production ACR"
credential = { username = "<your-service-principal-name>" password = "<your-acr-password>" }}
# Google Artifact Registryresource "crowdstrike_container_registry" "gar" { url = "https://us-docker.pkg.dev/" type = "gar" user_defined_alias = "US Artifact Registry" url_uniqueness_key = "us-artifacts"
credential = { project_id = "my-gcp-project" scope_name = "us-docker.pkg.dev/my-gcp-project"
service_account_json = { type = "service_account" private_key_id = "<your-key-id>" private_key = "<your-private-key>" client_email = "falcon-scanner@my-gcp-project.iam.gserviceaccount.com" client_id = "<your-client-id>" project_id = "my-gcp-project" } }}
# Azure ACR registry (certificate authentication)resource "crowdstrike_container_registry" "acr_cert" { url = "https://myregistry.azurecr.io/" type = "acr" user_defined_alias = "Production ACR (cert)"
credential = { auth_type = "cert" tenant_id = "<your-azure-tenant-id>" client = "<your-azure-client-id>" cert = "<base64-encoded-pem-certificate>" }}
# GitHub Container Registryresource "crowdstrike_container_registry" "github" { url = "https://ghcr.io" type = "github" user_defined_alias = "GitHub Packages" url_uniqueness_key = "my-github-org"
credential = { username = "<your-github-username>" password = "<your-personal-access-token>" domain_url = "https://api.github.com" credential_type = "PAT" }}Schema
Section titled “Schema”Required
Section titled “Required”credential(Attributes) The credentials for accessing the registry. Required fields depend on the registry type. (see below for nested schema)type(String) The type of container registry. Must be one of:acr,artifactory,docker,dockerhub,ecr,gar,gcr,github,gitlab,harbor,icr,mirantis,nexus,openshift,oracle,quay.io.url(String) The URL of the container registry. Provide the base URL only; if your registry URL contains an alias, supply it viaurl_uniqueness_key.
Optional
Section titled “Optional”url_uniqueness_key(String) A unique key for registries where multiple accounts can use the same URL (e.g., Docker Hub, Google registries). This is a create-only input that is not returned by the API; the server-generatedurl_uniqueness_aliasis returned instead. Applies to:dockerhub,gar,gcr,icr,oracle.user_defined_alias(String) A user-defined friendly name for the registry.
Read-Only
Section titled “Read-Only”created_at(String) Timestamp when the registry was created.id(String) The UUID of the registry entity.last_refreshed_at(String) Timestamp when the registry was last refreshed.next_refresh_at(String) Timestamp when the registry will be refreshed next.refresh_interval(Number) The refresh interval in seconds.state(String) The current state of the registry entity.state_changed_at(String) Timestamp when the state last changed.updated_at(String) Timestamp when the registry was last updated.url_uniqueness_alias(String) System-generated URL uniqueness alias.
Nested Schema for credential
Section titled “Nested Schema for credential”Optional:
auth_type(String) Authentication type. Required for:acr(certificate auth). Valid value:cert.aws_external_id(String) AWS external ID. Required for:ecr.aws_gov_using_commercial_connection(Boolean) Whether AWS GovCloud uses commercial connection. Optional for:ecr.aws_iam_role(String) AWS IAM role ARN. Required for:ecr.cert(String, Sensitive) Azure service principal certificate as base64-encoded PEM. Required for:acr(certificate auth).client(String) Azure client ID. Required for:acr(certificate auth).compartment_ids(Set of String) Oracle compartment IDs. Optional for:oracle(compartment connections).credential_type(String) Type of credential. Required for:github,gitlab. Valid value:PAT.domain_url(String) Domain URL for API access. Required for:github,gitlab.password(String, Sensitive) Password, API key, or access token. Required for:dockerhub,docker,github,gitlab,icr,artifactory,acr(password auth),mirantis,oracle,openshift,quay.io,nexus,harbor.project_id(String) GCP project ID. Required for:gar,gcr.scope_name(String) Scope name. Required for:gar. Optional for:oracle(compartment connections).service_account_json(Attributes) GCP service account JSON. Required for:gar,gcr. (see below for nested schema)tenant_id(String) Azure tenant ID. Required for:acr(certificate auth).username(String) Username for authentication. Required for:dockerhub,docker,github,gitlab,icr,artifactory,acr(password auth),mirantis,oracle,openshift,quay.io,nexus,harbor.
Read-Only:
credential_created_at(String) Timestamp when the credential was created.credential_expired(Boolean) Whether the credential has expired.credential_expired_at(String) Timestamp when the credential expired.credential_id(String) The ID of the credential.credential_updated_at(String) Timestamp when the credential was last updated.
Nested Schema for credential.service_account_json
Section titled “Nested Schema for credential.service_account_json”Optional:
client_email(String) Client email.client_id(String) Client ID.private_key(String, Sensitive) Private key.private_key_id(String) Private key ID.project_id(String) Project ID.type(String) Service account type. Typicallyservice_account.
Import
Section titled “Import”Import is supported using the following syntax:
# container registry can be imported by specifying the registry id.terraform import crowdstrike_container_registry.example f0bb103e-f9ae-4d88-8fb3-c61caf1f3b89