refactor(terraform): update ECR viewer module to latest commit

Author: alismx

IMPLEMENTATION.md

@@ -10,7 +10,6 @@
     - [Options for Secrets Management](#options-for-secrets-management)
       - [Option 1: AWS Secrets Manager](#option-1-aws-secrets-manager)
       - [Option 2: GitHub Secrets](#option-2-github-secrets)
-      - [Option 3: Direct Variable Injection](#option-3-direct-variable-injection)
   - [Common Issues and Solutions](#common-issues-and-solutions)
   - [Modules used in this repository](#modules-used-in-this-repository)
   - [Development Workflow](#development-workflow)
@@ -292,28 +291,17 @@ Configure secrets in your GitHub repository under **Settings > Secrets and varia
 
 ---
 
-#### Option 3: Direct Variable Injection
-
-You can also pass secrets directly as Terraform variables (not recommended for production).
+- [Return to Table of Contents](#table-of-contents)
 
-**Example tfvars file:**
+---
 
-```hcl
-# secrets.tfvars (keep this file out of version control)
-auth_client_id                        = "your-client-id"
-auth_issuer                           = "https://example.com"
-auth_secret                           = "your-auth-secret"
-auth_client_secret                    = "your-client-secret"
-secrets_manager_auth_secret_version   = "arn:aws:secretsmanager:..."
-```
+## Common Issues and Solutions
 
----
+- [Checking DIBBS App Logs](https://github.com/CDCgov/dibbs-aws/wiki/Checking-DIBBS-App-Logs)
 
-- [Return to Table of Contents](#table-of-contents)
 
----
+- [Manually Removing a Terraform Lock](https://github.com/CDCgov/dibbs-aws/wiki/Manually-Remove-a-Terraform-Lock)
 
-## Common Issues and Solutions
 
 | Issue | Solution |
 |-------|----------|

terraform/implementation/ecs/main.tf

@@ -35,7 +35,7 @@ module "db" {
 }
 
 module "ecs" {
-  source = "git::https://github.com/CDCgov/terraform-aws-dibbs-ecr-viewer.git?ref=588457a2beaa1371c1e5f01c9ece9bf83d937b00"
+  source = "git::https://github.com/CDCgov/terraform-aws-dibbs-ecr-viewer.git?ref=ddf160866657a18711fb98286553dfc3e1240900"
 
   public_subnet_ids  = flatten(module.vpc.public_subnets)
   private_subnet_ids = flatten(module.vpc.private_subnets)
@@ -61,6 +61,12 @@ module "ecs" {
   # To disable autoscaling, set enable_autoscaling to false (default is true when not set)
   enable_autoscaling = true
 
+  enable_alb_deletion_protection = false
+
+  cw_retention_in_days = 14
+  ecr_viewer_object_retention_days = 14
+  logging_object_retention_days = 14
+
   # If the intent is to enable alb deletion protection, set false (default is true when not set)
   # enable_alb_deletion_protection = false
 
@@ -100,8 +106,6 @@ module "ecs" {
       target_memory = 70
     }
   }
-
-  cw_retention_in_days = 30
 }
 
 resource "aws_route53_record" "alb" {

terraform/modules/oidc/_data.tf

@@ -85,6 +85,8 @@ data "aws_iam_policy_document" "wildcard" {
       "ec2:DescribeVpcPeeringConnections",
       "ecr:GetAuthorizationToken",
       "ecr:GetLifecyclePolicy",
+      "ecr:PutRegistryScanningConfiguration",
+      "ecr:GetRegistryScanningConfiguration",
       "ecs:DeregisterTaskDefinition",
       "ecs:DescribeTaskDefinition",
       "elasticloadbalancing:DescribeListeners",
@@ -98,6 +100,8 @@ data "aws_iam_policy_document" "wildcard" {
       "elasticloadbalancing:SetWebACL",
       "iam:ListPolicies",
       "iam:GetRolePolicy",
+      "inspector2:ListAccountPermissions",
+      "inspector2:Disable",
       "kms:CreateKey",
       "kms:CreateAlias",
       "kms:DescribeKey",