From c0c3d19039981eb71bb37b2b1e3a1d5c12025b4f Mon Sep 17 00:00:00 2001
From: Peter Woodworth <44349620+peterwoodworth@users.noreply.github.com>
Date: Wed, 12 Apr 2023 05:43:23 -0700
Subject: [PATCH] fix: ecr policy warning always throws (#25041)

A change recently added a warning when the policy added to a Repository resource policy. Check length of array instead of existence of array

Closes #25028

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/aws-cdk-lib/aws-ecr/lib/repository.ts   |  2 +-
 .../aws-cdk-lib/aws-ecr/test/repository.test.ts  | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/packages/aws-cdk-lib/aws-ecr/lib/repository.ts b/packages/aws-cdk-lib/aws-ecr/lib/repository.ts
index 456e4bf026531..4ae13414e905d 100644
--- a/packages/aws-cdk-lib/aws-ecr/lib/repository.ts
+++ b/packages/aws-cdk-lib/aws-ecr/lib/repository.ts
@@ -669,7 +669,7 @@ export class Repository extends RepositoryBase {
    * It will fail if a resource section is present at all.
    */
   public addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult {
-    if (statement.resources) {
+    if (statement.resources.length) {
       Annotations.of(this).addWarning('ECR resource policy does not allow resource statements.');
     }
     if (this.policyDocument === undefined) {
diff --git a/packages/aws-cdk-lib/aws-ecr/test/repository.test.ts b/packages/aws-cdk-lib/aws-ecr/test/repository.test.ts
index e5ddd335a5d50..68d0907301bd9 100644
--- a/packages/aws-cdk-lib/aws-ecr/test/repository.test.ts
+++ b/packages/aws-cdk-lib/aws-ecr/test/repository.test.ts
@@ -386,6 +386,22 @@ describe('repository', () => {
     Annotations.fromStack(stack).hasWarning('*', 'ECR resource policy does not allow resource statements.');
   });
 
+  test('does not warn if repository policy does not have resources', () => {
+    // GIVEN
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app, 'my-stack');
+    const repo = new ecr.Repository(stack, 'Repo');
+
+    // WHEN
+    repo.addToResourcePolicy(new iam.PolicyStatement({
+      actions: ['ecr:*'],
+      principals: [new iam.AnyPrincipal()],
+    }));
+
+    // THEN
+    Annotations.fromStack(stack).hasNoWarning('*', 'ECR resource policy does not allow resource statements.');
+  });
+
   test('default encryption configuration', () => {
     // GIVEN
     const app = new cdk.App();