fix(ecr): repository grant uses correct resource ARN (#3220)

When granting to a cross-account principal the repository would
use a self-reference to obtain the right ARN to use in its own
resource policy, which can obviously never work.

The solution is to use a '*' resource ARN.

Fixes #2473.

Author: rix0rrr

packages/@aws-cdk/aws-ecr/lib/repository.ts

@@ -179,6 +179,7 @@ export abstract class RepositoryBase extends Resource implements IRepository {
       grantee,
       actions,
       resourceArns: [this.repositoryArn],
+      resourceSelfArns: ['*'],
       resource: this,
     });
   }

packages/@aws-cdk/aws-ecr/test/test.repository.ts

@@ -1,7 +1,7 @@
 import { expect, haveResource, haveResourceLike, ResourcePart } from '@aws-cdk/assert';
 import iam = require('@aws-cdk/aws-iam');
 import cdk = require('@aws-cdk/core');
-import { RemovalPolicy } from '@aws-cdk/core';
+import { RemovalPolicy, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
 import ecr = require('../lib');
 
@@ -352,6 +352,35 @@ export = {
       "DeletionPolicy": "Delete"
     }, ResourcePart.CompleteDefinition));
     test.done();
-  }
+  },
+
+  'grant adds appropriate resource-*'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+    const repo = new ecr.Repository(stack, 'TestHarnessRepo');
+
+    // WHEN
+    repo.grantPull(new iam.AnyPrincipal());
+
+    // THEN
+    expect(stack).to(haveResource('AWS::ECR::Repository', {
+      "RepositoryPolicyText": {
+        "Statement": [
+          {
+            "Action": [
+              "ecr:BatchCheckLayerAvailability",
+              "ecr:GetDownloadUrlForLayer",
+              "ecr:BatchGetImage"
+            ],
+            "Effect": "Allow",
+            "Principal": "*",
+            "Resource": "*",
+          }
+        ],
+        "Version": "2012-10-17"
+      }
+    }));
 
+    test.done();
+  },
 };