diff --git a/packages/aws-cdk/README.md b/packages/aws-cdk/README.md
index 265f4a39f1b7c..47ae9054fed83 100644
--- a/packages/aws-cdk/README.md
+++ b/packages/aws-cdk/README.md
@@ -510,10 +510,11 @@ $ cdk destroy --app='node bin/main.js' MyStackName
 ### `cdk bootstrap`
-Deploys a `CDKToolkit` CloudFormation stack into the specified environment(s), that provides an S3 bucket that
-`cdk deploy` will use to store synthesized templates and the related assets, before triggering a CloudFormation stack
-update. The name of the deployed stack can be configured using the `--toolkit-stack-name` argument. The S3 Bucket
-Public Access Block Configuration can be configured using the `--public-access-block-configuration` argument.
+Deploys a `CDKToolkit` CloudFormation stack into the specified environment(s), that provides an S3 bucket
+and ECR reposity that `cdk deploy` will use to store synthesized templates and the related assets, before
+triggering a CloudFormation stack update. The name of the deployed stack can be configured using the
+`--toolkit-stack-name` argument. The S3 Bucket Public Access Block Configuration can be configured using
+the `--public-access-block-configuration` argument. ECR uses immutable tags for images.
 ```console
 $ # Deploys to all environments
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index d4f674dfa2cac..287beab9a0dfe 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -202,6 +202,7 @@ Resources:
 ContainerAssetsRepository:
 Type: AWS::ECR::Repository
 Properties:
+ ImageTagMutability: IMMUTABLE
 ImageScanningConfiguration:
 ScanOnPush: true
 RepositoryName:
@@ -509,7 +510,7 @@ Resources:
 Type: String
 Name:
 Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
- Value: '12'
+ Value: '13'
 Outputs:
 BucketName:
 Description: The name of the S3 bucket owned by the CDK toolkit stack
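Review bot: The new `ImageTagMutability: IMMUTABLE` line on `ContainerAssetsRepository` has no comment saying why it is there, and since it is what keeps an already-published tag from being re-pointed at different image content, I would add above it `# Immutable tags: a pushed tag can never be overwritten with a different image` so a later cleanup does not drop it. With this setting ECR rejects any push that reuses an existing tag, so if anything other than content-addressed asset publishing writes to this repository (not visible in this diff), that should be checked before rollout. The bump to `'13'` in the second hunk of this file records the change, but nothing shown here raises the bootstrap version that stacks require, so environments bootstrapped at 12 presumably keep mutable tags until `cdk bootstrap` is re-run; the README paragraph could say so.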
diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json
index 268dadf736197..8efd1c3ff5f2b 100644
--- a/packages/aws-cdk/package.json
+++ b/packages/aws-cdk/package.json
@@ -13,7 +13,7 @@
 "lint": "cdk-lint",
 "pkglint": "pkglint -f",
 "test": "cdk-test",
- "integ": "jest --testMatch '**/?(*.)+(integ-test).js'",
+ "integ": "jest --testMatch '**/?(*.)+(integtest).js'",
 "package": "cdk-package",
 "build+test+package": "yarn build+test && yarn package",
 "build+test": "yarn build && yarn test",
diff --git a/packages/aws-cdk/test/integ/cli/bootstrapping.integtest.ts b/packages/aws-cdk/test/integ/cli/bootstrapping.integtest.ts
index 1298c77a5fca8..95f98145a0a16 100644
--- a/packages/aws-cdk/test/integ/cli/bootstrapping.integtest.ts
+++ b/packages/aws-cdk/test/integ/cli/bootstrapping.integtest.ts
@@ -252,3 +252,27 @@ integTest('can deploy modern-synthesized stack even if bootstrap stack name is u
 ],
 });
 }));
+
+integTest('create ECR with tag IMMUTABILITY to set on', withDefaultFixture(async (fixture) => {
+ const bootstrapStackName = fixture.bootstrapStackName;
+
+ await fixture.cdkBootstrapModern({
+ verbose: true,
+ toolkitStackName: bootstrapStackName,
+ });
+
+ const response = await fixture.aws.cloudFormation('describeStackResources', {
+ StackName: bootstrapStackName,
+ });
+ const ecrResource = response.StackResources?.find(resource => resource.LogicalResourceId === 'ContainerAssetsRepository');
+ expect(ecrResource).toBeDefined();
+
+ const ecrResponse = await fixture.aws.ecr('describeRepositories', {
+ repositoryNames: [
+ // This is set, as otherwise we don't end up here
+ ecrResource?.PhysicalResourceId ?? '',
+ ],
+ });
+
+ expect(ecrResponse.repositories?.[0].imageTagMutability).toEqual('IMMUTABLE');
+}));
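Review bot: The final assertion `ecrResponse.repositories?.[0].imageTagMutability` guards against `repositories` being undefined but not against an empty array, in which case the test dies with a TypeError instead of a readable expectation failure; `expect(ecrResponse.repositories?.[0]?.imageTagMutability).toEqual('IMMUTABLE');` reports the mismatch properly. The `?? ''` fallback for `PhysicalResourceId` likewise sends an empty repository name to `describeRepositories` when the id is missing, so adding `expect(ecrResource?.PhysicalResourceId).toBeDefined();` before the call would fail at the real cause. The title 'create ECR with tag IMMUTABILITY to set on' is hard to parse; `'bootstrap creates the ECR repository with immutable image tags'` states what this security control test verifies.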