
ecr: When creating multiple repositories, the provider role only includes one in its policy #25308

Open
davidcosc opened this issue Apr 26, 2023 · 3 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@davidcosc
Contributor

Describe the bug

When creating multiple repositories using the Repository construct in conjunction with an AWS lifecycle policy, only one of the repositories is added to the CustomECRAutoDeleteImagesCustomResourceProviderRole policy resources.

Expected Behavior

Both repositories are added to the role policy resources e.g.
"Resource": [ { "Fn::GetAtt": [ "Repository15A6F32E1", "Arn" ] }, { "Fn::GetAtt": [ "Repository25C81E63B", "Arn" ] } ]

Current Behavior

Only the first repository is added to the role policy resources e.g.
"Resource": [ { "Fn::GetAtt": [ "Repository15A6F32E1", "Arn" ] } ]

Reproduction Steps

I have the following stack defined:

import { RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Repository, TagStatus } from 'aws-cdk-lib/aws-ecr';

export class TestECRStack extends Stack {
  constructor(scope: Construct, id: string, namePrefix: string, props?: StackProps) {
    super(scope, id, props);
    const repository = new Repository(this, 'Repository1', {
      autoDeleteImages: true,
      imageScanOnPush: true,
      removalPolicy: RemovalPolicy.DESTROY,
      repositoryName: 'rep-one',
    });
    repository.addLifecycleRule({
      description: 'Delete untagged images if more than one.',
      maxImageCount: 1,
      rulePriority: 1,
      tagStatus: TagStatus.UNTAGGED,
    });
    const repository2 = new Repository(this, 'Repository2', {
      autoDeleteImages: true,
      imageScanOnPush: true,
      removalPolicy: RemovalPolicy.DESTROY,
      repositoryName: 'rep-two',
    });
    repository2.addLifecycleRule({
      description: 'Delete untagged images if more than one.',
      maxImageCount: 1,
      rulePriority: 1,
      tagStatus: TagStatus.UNTAGGED,
    });
  }
}

Using this stack e.g.

import { Stack } from "aws-cdk-lib";
import { TestECRStack } from "../lib/test-ecr-stack";
import { Template } from "aws-cdk-lib/assertions";

const rootStack = new Stack(undefined, 'TestStack');
const stack = new TestECRStack(rootStack, 'TestStack', 'blubb', {});
const template = Template.fromStack(stack);
console.log(JSON.stringify(template));

results in the following role template:

"CustomECRAutoDeleteImagesCustomResourceProviderRole665F2773": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          }
        }
      ]
    },
    "ManagedPolicyArns": [
      {
        "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      }
    ],
    "Policies": [
      {
        "PolicyName": "Inline",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ecr:BatchDeleteImage",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:ListTagsForResource"
              ],
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "Repository15A6F32E1",
                    "Arn"
                  ]
                }
              ]
            }
          ]
        }
      }
    ]
  }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.70.0 (build c13a0f1)

Framework Version

No response

Node.js Version

v16.18.1

OS

Amazon Linux 2

Language

Typescript

Language Version

4.9.5

Other information

No response
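The under-grant reported above is easy to catch before deployment by walking the synthesized template. The check below is an added example, not code from the issue or from aws-cdk; it assumes the provider role keeps the logical-ID prefix shown in the template fragment, and the sample template it runs on is constructed to mirror that fragment (two repositories, only the first granted).

```typescript
// Added example (not from the issue or aws-cdk): given a synthesized CloudFormation
// template, list every AWS::ECR::Repository whose ARN is not granted to the
// auto-delete-images provider role. Assumes the role logical-ID prefix seen in the issue.
type CfnTemplate = { Resources: Record<string, any> };

const PROVIDER_ROLE_PREFIX = 'CustomECRAutoDeleteImagesCustomResourceProviderRole';

// Pull logical IDs out of a policy "Resource" field, which may be one value or a list.
function getAttLogicalIds(resource: any): string[] {
  const entries: any[] = Array.isArray(resource) ? resource : [resource];
  return entries
    .filter((e) => e && typeof e === 'object' && Array.isArray(e['Fn::GetAtt']))
    .map((e) => String(e['Fn::GetAtt'][0]));
}

function repositoriesMissingFromProviderRole(template: CfnTemplate): string[] {
  const res = template.Resources;
  const repos = Object.keys(res).filter((id) => res[id].Type === 'AWS::ECR::Repository');
  const covered = new Set<string>();
  for (const id of Object.keys(res)) {
    if (res[id].Type !== 'AWS::IAM::Role' || !id.startsWith(PROVIDER_ROLE_PREFIX)) continue;
    for (const policy of res[id].Properties?.Policies ?? []) {
      for (const stmt of policy.PolicyDocument?.Statement ?? []) {
        if (stmt.Effect !== 'Allow') continue;
        getAttLogicalIds(stmt.Resource).forEach((rid) => covered.add(rid));
      }
    }
  }
  return repos.filter((id) => !covered.has(id));
}

// Constructed sample mirroring the issue: two repositories, provider role lists only the first.
const sampleTemplate: CfnTemplate = {
  Resources: {
    Repository15A6F32E1: { Type: 'AWS::ECR::Repository' },
    Repository25C81E63B: { Type: 'AWS::ECR::Repository' },
    CustomECRAutoDeleteImagesCustomResourceProviderRole665F2773: {
      Type: 'AWS::IAM::Role',
      Properties: { Policies: [{ PolicyName: 'Inline', PolicyDocument: { Statement: [{
        Effect: 'Allow',
        Action: ['ecr:BatchDeleteImage', 'ecr:DescribeRepositories', 'ecr:ListImages', 'ecr:ListTagsForResource'],
        Resource: [{ 'Fn::GetAtt': ['Repository15A6F32E1', 'Arn'] }],
      }] } }] },
    },
  },
};

console.log(repositoriesMissingFromProviderRole(sampleTemplate)); // ['Repository25C81E63B']
```

Run it against the output of `Template.fromStack(stack).toJSON()` in a unit test; a non-empty result means the provider Lambda will be denied on those repositories when the stack is deleted.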

@davidcosc davidcosc added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 26, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Apr 26, 2023
@pahud
Contributor

pahud commented Apr 26, 2023

Thanks for the report. I believe we should fix enableAutoDeleteImages() to include all repos with the autoDeleteImages prop enabled.

private enableAutoDeleteImages() {

@pahud pahud added p2 feature-request A feature should be added or improved. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. feature-request A feature should be added or improved. labels Apr 26, 2023
@davidcosc
Contributor Author

davidcosc commented Apr 28, 2023

Thanks a lot for the fast reply! The enableAutoDeleteImages function seems like the right place for the fix. How should I proceed with the issue? For example, should I try to create a pull request? (It's my first time submitting a ticket, so I'm not sure about the process yet.)

@pahud pahud added p1 and removed p2 labels May 2, 2023
@pahud pahud changed the title (aws-cdk-lib/aws-ecr): (When creating multiple repositories, the provider role only includes one in its policy) ecr: When creating multiple repositories, the provider role only includes one in its policy May 2, 2023
@davidcosc
Contributor Author

The following fix seems to already solve this issue: #25964.
