DataBiosphere / azul

Metadata indexer and query service used for AnVIL, HCA, LungMAP, and CGP
Apache License 2.0

Inspector ECR scanning settings are not managed #6358

Open hannes-ucsc opened 3 months ago

hannes-ucsc commented 3 months ago

… by Terraform, and are inconsistent between accounts, for example

platform-temp-dev


platform-anvil-prod


Additionally, basic vs enhanced setting and the scan filters are not managed by TF either:

hannes-ucsc commented 3 months ago

We currently use an aws_inspector2_enabler resource to enable Inspector for EC2 and ECR but there is nothing in TF to change the re-scan duration. There is a feature request for it but that request is still open.

The API for updating the re-scan duration is https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateConfiguration.html so we could piggy-back an invocation of that API as a provisioner script for a null resource that depends on (and is triggered by) the aws_inspector2_enabler resource. IIRC, the aws_inspector2_enabler was unreliable and its effect could only be observed after a delay, but we can at least try. Care must be taken for the provisioner script to be robust, idempotent and to reliably report failure so that the delay issue can be dealt with by retrying the deployment with Terraform.

The TF resource for basic vs enhanced setting and the scan filters appears to be

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_scanning_configuration

and we should add that, again depending on (and triggered by) the aws_inspector2_enabler resource.

The aws_inspector2_enabler resource currently resides in the GitLab component so we need to move that first. There already is https://github.com/DataBiosphere/azul/issues/5760 for that.
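
A sketch of the wiring described in the comment above, added here as an example; it is not code from the azul repository. The resource types and arguments are those of the Terraform AWS provider, while the resource names, the DAYS_30 value, the `null_resource` name and the use of the AWS CLI (`get-configuration` / `update-configuration`) inside a `local-exec` provisioner are assumptions.

```hcl
data "aws_caller_identity" "current" {}

# Enables Inspector for EC2 and ECR; the two resources below depend on it.
resource "aws_inspector2_enabler" "main" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["EC2", "ECR"]
}

# Basic vs. enhanced scanning and the scan filters, now managed by TF.
resource "aws_ecr_registry_scanning_configuration" "main" {
  scan_type = "ENHANCED"
  rule {
    scan_frequency = "CONTINUOUS_SCAN"
    repository_filter {
      filter      = "*"
      filter_type = "WILDCARD"
    }
  }
  depends_on = [aws_inspector2_enabler.main]
}

# No TF resource exists for the re-scan duration, so it is set through the
# UpdateConfiguration API. Referencing the enabler in `triggers` both orders
# the resources and re-runs the script when the enabler is recreated or the
# desired value (an assumed DAYS_30 here) changes.
resource "null_resource" "inspector_ecr_rescan_duration" {
  triggers = {
    enabler  = aws_inspector2_enabler.main.id
    duration = "DAYS_30"
  }

  provisioner "local-exec" {
    interpreter = ["bash", "-c"]
    # Idempotent: update only when the value differs. Fail the apply, so it
    # can be retried, when the update is reported FAILED; PENDING is tolerated
    # because the change may only become visible after a delay.
    command = <<-EOT
      set -euo pipefail
      want="${self.triggers.duration}"
      q='ecrConfiguration.rescanDurationState'
      have=$(aws inspector2 get-configuration --query "$q.rescanDuration" --output text)
      if [ "$have" != "$want" ]; then
        aws inspector2 update-configuration --ecr-configuration "rescanDuration=$want"
      fi
      status=$(aws inspector2 get-configuration --query "$q.status" --output text)
      [ "$status" != "FAILED" ] || { echo "re-scan duration update FAILED" >&2; exit 1; }
    EOT
  }
}
```

Because the script exits non-zero on a FAILED status, a `terraform apply` that hits the enabler delay fails visibly and can simply be re-run.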

dsotirho-ucsc commented 3 months ago

@hannes-ucsc: "Once we have clarity about the cause of #6354, assignee to manually modify the rescan duration in tempdev to be consistent with the other deployments. After that we can look into programmatically managing the resources as described above."