feat(ecr): add imageTagMutability prop #10557
Conversation
This property allows setting tag mutability on ECR repositoes. Tag mutability is useful to ensure image integrity and can prevent supply chain attacks. Closes aws#4640
add tag immutability example in description
In earlier commits, the imageTagMutability prop was set to MUTABLE by default, this commit reverts that change and fixes relevant tests
There was a problem hiding this comment.
Sorry for the delay, I'm catching up from some vacation time.
I'm wondering if you have a specific use case for adding the value as a property to the Repository instance? Adding support to specify mutability in props makes sense, but I wonder if its useful to add the property to the construct?
@aws/aws-ecs-devx may have some input.
| // repository image tag mutability | ||
| if (props.imageTagMutability !== undefined) { | ||
| this.imageTagMutability = props.imageTagMutability; | ||
| resource.imageTagMutability = props.imageTagMutability; | ||
| } | ||
|
|
There was a problem hiding this comment.
I'd say we should just move passing this property to the L1 resource up into the constructor. Like
const resource = new CfnRepository(this, 'Resource', {
repositoryName: this.physicalName,
// It says "Text", but they actually mean "Object".
repositoryPolicyText: Lazy.anyValue({ produce: () => this.policyDocument }),
lifecyclePolicy: Lazy.anyValue({ produce: () => this.renderLifecyclePolicy() }),
imageTagMutability: props.imageTagMutability,
});If its undefined the property won't be included in synth output.
There was a problem hiding this comment.
agreed, will make this change soon, thanks.
MrArnoldPalmer
requested review from
a team and
kohidave
and removed request for
a team
Merge Master from aws/aws-cdk v1.68.0
|
|
mergify
bot
dismissed
MrArnoldPalmer’s stale review
Pull request has been modified.
Also removed it as a contstruct prop.
|
requesting update here :) thank you. |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
So, is this happening or? |
|
Looks like this needs to have the conflicts resolved, then it could go in? |
|
oh whoops I missed that this wasn't auto-merging successfully. Thanks for the pings @vsetka @rebelzach I'll work on updating this. |
mergify
bot
dismissed
MrArnoldPalmer’s stale review
Pull request has been modified.
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
This property allows setting tag mutability on ECR repositoes. Tag mutability is useful to ensure image integrity and can prevent supply chain attacks.
Closes #4640
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license