feat(cli): make ecr images immutable when created from cdk bootstrap (#…

…19937) As CDK creates images always with different name/tag, it can be ensured that those are not changed at the repository side. Changes default functionality without offering immutability setting [`AWS::ECR::Repository.ImageTagMutability`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-imagetagmutability) Fixes #18376 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · May 17, 2022 · 0ef4bb4 · 0ef4bb4
1 parent 734faa5
commit 0ef4bb4
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 6 deletions.
diff --git a/packages/aws-cdk/README.md b/packages/aws-cdk/README.md
@@ -510,10 +510,11 @@ $ cdk destroy --app='node bin/main.js' MyStackName
 
 ### `cdk bootstrap`
 
-Deploys a `CDKToolkit` CloudFormation stack into the specified environment(s), that provides an S3 bucket that
-`cdk deploy` will use to store synthesized templates and the related assets, before triggering a CloudFormation stack
-update. The name of the deployed stack can be configured using the `--toolkit-stack-name` argument. The S3 Bucket
-Public Access Block Configuration can be configured using the `--public-access-block-configuration` argument.
+Deploys a `CDKToolkit` CloudFormation stack into the specified environment(s), that provides an S3 bucket 
+and ECR reposity that `cdk deploy` will use to store synthesized templates and the related assets, before 
+triggering a CloudFormation stack update. The name of the deployed stack can be configured using the 
+`--toolkit-stack-name` argument. The S3 Bucket Public Access Block Configuration can be configured using 
+the `--public-access-block-configuration` argument. ECR uses immutable tags for images.
 
 ```console
 $ # Deploys to all environments

diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -202,6 +202,7 @@ Resources:
   ContainerAssetsRepository:
     Type: AWS::ECR::Repository
     Properties:
+      ImageTagMutability: IMMUTABLE
       ImageScanningConfiguration:
         ScanOnPush: true
       RepositoryName:
@@ -509,7 +510,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '12'
+      Value: '13'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack

diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json
@@ -13,7 +13,7 @@
     "lint": "cdk-lint",
     "pkglint": "pkglint -f",
     "test": "cdk-test",
-    "integ": "jest --testMatch '**/?(*.)+(integ-test).js'",
+    "integ": "jest --testMatch '**/?(*.)+(integtest).js'",
     "package": "cdk-package",
     "build+test+package": "yarn build+test && yarn package",
     "build+test": "yarn build && yarn test",

diff --git a/packages/aws-cdk/test/integ/cli/bootstrapping.integtest.ts b/packages/aws-cdk/test/integ/cli/bootstrapping.integtest.ts
@@ -252,3 +252,27 @@ integTest('can deploy modern-synthesized stack even if bootstrap stack name is u
     ],
   });
 }));
+
+integTest('create ECR with tag IMMUTABILITY to set on', withDefaultFixture(async (fixture) => {
+  const bootstrapStackName = fixture.bootstrapStackName;
+
+  await fixture.cdkBootstrapModern({
+    verbose: true,
+    toolkitStackName: bootstrapStackName,
+  });
+
+  const response = await fixture.aws.cloudFormation('describeStackResources', {
+    StackName: bootstrapStackName,
+  });
+  const ecrResource = response.StackResources?.find(resource => resource.LogicalResourceId === 'ContainerAssetsRepository');
+  expect(ecrResource).toBeDefined();
+
+  const ecrResponse = await fixture.aws.ecr('describeRepositories', {
+    repositoryNames: [
+      // This is set, as otherwise we don't end up here
+      ecrResource?.PhysicalResourceId ?? '',
+    ],
+  });
+
+  expect(ecrResponse.repositories?.[0].imageTagMutability).toEqual('IMMUTABLE');
+}));