fix(bootstrap): ECR repository produces Security Hub finding [ECR.3] …

…because of missing lifecycle policy (#24735)

After enabling AWS Foundational Security Best Practices v1.0.0 in the security hub,
I am always frustrated when I see failed checks.

Similar to #24175 I would like to see a lifecycle rule that does not do much but at least per default resolves the finding.

I know that there is an RFC for garbage collection in the works but this is a simple immediate fix.

_This is heavily inspired by https://github.com/aws/aws-cdk/pull/24175_

Closes #24723.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

@@ -235,6 +235,24 @@ Resources:
     Type: AWS::ECR::Repository
     Properties:
       ImageTagMutability: IMMUTABLE
+      # Untagged images should never exist but Security Hub wants this rule to exist
+      LifecyclePolicy:
+        LifecyclePolicyText: |
+          {
+            "rules": [
+              {
+                "rulePriority": 1,
+                "description": "Untagged images should not exist, but expire any older than one year",
+                "selection": {
+                  "tagStatus": "untagged",
+                  "countType": "sinceImagePushed",
+                  "countUnit": "days",
+                  "countNumber": 365
+                },
+                "action": { "type": "expire" }
+              }
+            ]
+          }
       RepositoryName:
         Fn::If:
           - HasCustomContainerAssetsRepositoryName
@@ -615,7 +633,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '16'
+      Value: '17'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack