Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(bootstrap): Allow to enable tag immutability in ECR repos #18376

Closed
1 of 2 tasks
Hi-Fi opened this issue Jan 12, 2022 · 3 comments · Fixed by #19937
Closed
1 of 2 tasks

(bootstrap): Allow to enable tag immutability in ECR repos #18376

Hi-Fi opened this issue Jan 12, 2022 · 3 comments · Fixed by #19937
Labels
effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI

Comments

@Hi-Fi
Copy link
Contributor

Hi-Fi commented Jan 12, 2022
edited
Loading

Description

Currently when CDK bootstrap is running, it created ECR repositories to bootstrapped (target) account. That ECR repository has Tag immutability disabled (actually not set which defaults to MUTABLE).

https://github.com/aws/aws-cdk/blob/master/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L203-L211
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-imagetagmutability

Use Case

Security requirements require that deployed images are immutable, so it would be easy to prove if tag immutability would be possible to enable when bootstrapping.

Proposed Solution

Flag in bootstrapping to mark created ECR repo Tag immutability to Enabled.

  ContainerAssetsRepository:
    Type: AWS::ECR::Repository
    Properties:
      ImageScanningConfiguration:
        ScanOnPush: true
      ImageTagMutability: <MUTABLE/IMMUTABLE according flag, default to MUTABLE>
      RepositoryName:
        Fn::If:
          - HasCustomContainerAssetsRepositoryName
          - Fn::Sub: "${ContainerAssetsRepositoryName}"
          - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region}

Other information

No response

Acknowledge

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@Hi-Fi Hi-Fi added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jan 12, 2022
@Hi-Fi Hi-Fi changed the title (bootstrap): Allos to enable tag immutability in ECR repos (bootstrap): Allow to enable tag immutability in ECR repos Jan 12, 2022
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Jan 12, 2022
@rix0rrr
Copy link
Contributor

rix0rrr commented Feb 8, 2022

We will not add a flag. I think this should be a safe default. Is this a new feature? Is this likely to not be available in all AWS Regions yet?

@rix0rrr rix0rrr added effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Feb 8, 2022
@rix0rrr rix0rrr removed their assignment Feb 8, 2022
@Hi-Fi
Copy link
Contributor Author

Hi-Fi commented Feb 8, 2022

New since July 2019 (https://aws.amazon.com/about-aws/whats-new/2019/07/amazon-ecr-now-supports-immutable-image-tags/). At least there's no mention about specific regions.

@Hi-Fi Hi-Fi mentioned this issue Apr 15, 2022
Merged
4 tasks
@mergify mergify bot closed this as completed in #19937 May 17, 2022
mergify bot pushed a commit that referenced this issue May 17, 2022
@Hi-Fi
feat(cli): make ecr images immutable when created from cdk bootstrap (#…
0ef4bb4 
…19937)

As CDK creates images always with different name/tag, it can be ensured that those are not changed at the repository side.

Changes default functionality without offering immutability setting

[`AWS::ECR::Repository.ImageTagMutability`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-imagetagmutability)

Fixes #18376

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

wphilipw pushed a commit to wphilipw/aws-cdk that referenced this issue May 23, 2022
@Hi-Fi @wphilipw
feat(cli): make ecr images immutable when created from cdk bootstrap (a…
ed50cea 
…ws#19937)

As CDK creates images always with different name/tag, it can be ensured that those are not changed at the repository side.

Changes default functionality without offering immutability setting

[`AWS::ECR::Repository.ImageTagMutability`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-imagetagmutability)

Fixes aws#18376

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@HBobertz HBobertz mentioned this issue Oct 3, 2024
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(cli): make ecr images immutable when created from cdk bootstrap Hi-Fi/aws-cdk
2 participants
@rix0rrr @Hi-Fi