Skip to content

container_registry

Manages container registry connections in CrowdStrike Falcon Container Security. This resource allows you to connect container registries for image scanning and vulnerability assessment.

The following API scopes are required:

  • Falcon Container Image: READ
  • Falcon Container Image: WRITE
terraform {
required_providers {
crowdstrike = {
source = "registry.terraform.io/crowdstrike/crowdstrike"
}
}
}
provider "crowdstrike" {
cloud = "us-2"
}
# Docker Hub registry
resource "crowdstrike_container_registry" "dockerhub" {
url = "https://registry-1.docker.io/"
type = "dockerhub"
user_defined_alias = "My Docker Hub"
url_uniqueness_key = "my-dockerhub-account"
credential = {
username = "myusername"
password = "<your-dockerhub-token>"
}
}
# AWS ECR registry
resource "crowdstrike_container_registry" "ecr" {
url = "https://123456789012.dkr.ecr.us-east-1.amazonaws.com"
type = "ecr"
user_defined_alias = "Production ECR"
credential = {
aws_iam_role = "arn:aws:iam::123456789012:role/FalconContainerRole"
aws_external_id = "<your-external-id>"
}
}
# Azure ACR registry (password authentication)
resource "crowdstrike_container_registry" "acr_password" {
url = "https://myregistry.azurecr.io/"
type = "acr"
user_defined_alias = "Production ACR"
credential = {
username = "<your-service-principal-name>"
password = "<your-acr-password>"
}
}
# Google Artifact Registry
resource "crowdstrike_container_registry" "gar" {
url = "https://us-docker.pkg.dev/"
type = "gar"
user_defined_alias = "US Artifact Registry"
url_uniqueness_key = "us-artifacts"
credential = {
project_id = "my-gcp-project"
scope_name = "us-docker.pkg.dev/my-gcp-project"
service_account_json = {
type = "service_account"
private_key_id = "<your-key-id>"
private_key = "<your-private-key>"
client_email = "falcon-scanner@my-gcp-project.iam.gserviceaccount.com"
client_id = "<your-client-id>"
project_id = "my-gcp-project"
}
}
}
# Azure ACR registry (certificate authentication)
resource "crowdstrike_container_registry" "acr_cert" {
url = "https://myregistry.azurecr.io/"
type = "acr"
user_defined_alias = "Production ACR (cert)"
credential = {
auth_type = "cert"
tenant_id = "<your-azure-tenant-id>"
client = "<your-azure-client-id>"
cert = "<base64-encoded-pem-certificate>"
}
}
# GitHub Container Registry
resource "crowdstrike_container_registry" "github" {
url = "https://ghcr.io"
type = "github"
user_defined_alias = "GitHub Packages"
url_uniqueness_key = "my-github-org"
credential = {
username = "<your-github-username>"
password = "<your-personal-access-token>"
domain_url = "https://api.github.com"
credential_type = "PAT"
}
}
  • credential (Attributes) The credentials for accessing the registry. Required fields depend on the registry type. (see below for nested schema)
  • type (String) The type of container registry. Must be one of: acr, artifactory, docker, dockerhub, ecr, gar, gcr, github, gitlab, harbor, icr, mirantis, nexus, openshift, oracle, quay.io.
  • url (String) The URL of the container registry. Provide the base URL only; if your registry URL contains an alias, supply it via url_uniqueness_key.
  • url_uniqueness_key (String) A unique key for registries where multiple accounts can use the same URL (e.g., Docker Hub, Google registries). This is a create-only input that is not returned by the API; the server-generated url_uniqueness_alias is returned instead. Applies to: dockerhub, gar, gcr, icr, oracle.
  • user_defined_alias (String) A user-defined friendly name for the registry.
  • created_at (String) Timestamp when the registry was created.
  • id (String) The UUID of the registry entity.
  • last_refreshed_at (String) Timestamp when the registry was last refreshed.
  • next_refresh_at (String) Timestamp when the registry will be refreshed next.
  • refresh_interval (Number) The refresh interval in seconds.
  • state (String) The current state of the registry entity.
  • state_changed_at (String) Timestamp when the state last changed.
  • updated_at (String) Timestamp when the registry was last updated.
  • url_uniqueness_alias (String) System-generated URL uniqueness alias.

Optional:

  • auth_type (String) Authentication type. Required for: acr (certificate auth). Valid value: cert.
  • aws_external_id (String) AWS external ID. Required for: ecr.
  • aws_gov_using_commercial_connection (Boolean) Whether AWS GovCloud uses commercial connection. Optional for: ecr.
  • aws_iam_role (String) AWS IAM role ARN. Required for: ecr.
  • cert (String, Sensitive) Azure service principal certificate as base64-encoded PEM. Required for: acr (certificate auth).
  • client (String) Azure client ID. Required for: acr (certificate auth).
  • compartment_ids (Set of String) Oracle compartment IDs. Optional for: oracle (compartment connections).
  • credential_type (String) Type of credential. Required for: github, gitlab. Valid value: PAT.
  • domain_url (String) Domain URL for API access. Required for: github, gitlab.
  • password (String, Sensitive) Password, API key, or access token. Required for: dockerhub, docker, github, gitlab, icr, artifactory, acr (password auth), mirantis, oracle, openshift, quay.io, nexus, harbor.
  • project_id (String) GCP project ID. Required for: gar, gcr.
  • scope_name (String) Scope name. Required for: gar. Optional for: oracle (compartment connections).
  • service_account_json (Attributes) GCP service account JSON. Required for: gar, gcr. (see below for nested schema)
  • tenant_id (String) Azure tenant ID. Required for: acr (certificate auth).
  • username (String) Username for authentication. Required for: dockerhub, docker, github, gitlab, icr, artifactory, acr (password auth), mirantis, oracle, openshift, quay.io, nexus, harbor.

Read-Only:

  • credential_created_at (String) Timestamp when the credential was created.
  • credential_expired (Boolean) Whether the credential has expired.
  • credential_expired_at (String) Timestamp when the credential expired.
  • credential_id (String) The ID of the credential.
  • credential_updated_at (String) Timestamp when the credential was last updated.

Nested Schema for credential.service_account_json

Section titled “Nested Schema for credential.service_account_json”

Optional:

  • client_email (String) Client email.
  • client_id (String) Client ID.
  • private_key (String, Sensitive) Private key.
  • private_key_id (String) Private key ID.
  • project_id (String) Project ID.
  • type (String) Service account type. Typically service_account.

Import is supported using the following syntax:

Terminal window
# container registry can be imported by specifying the registry id.
terraform import crowdstrike_container_registry.example f0bb103e-f9ae-4d88-8fb3-c61caf1f3b89