
(aws-cdk-lib/aws-ecr): (Cannot delete images upon ECR repo removal when multiple repo provisioned) #25388

Closed
hkford opened this issue May 2, 2023 · 2 comments
Labels
@aws-cdk/aws-ecr Related to Amazon Elastic Container Registry bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments


hkford commented May 2, 2023

Describe the bug

When you provision two ECR repositories, you cannot delete both repositories even if the removalPolicy property is RemovalPolicy.DESTROY and the autoDeleteImages property is true.

Expected Behavior

Run cdk destroy and both repositories are deleted.

Current Behavior

Run cdk destroy and only one repository is deleted.

Reproduction Steps

Edit lib/ecr-debug-stack.ts and deploy the stack.

import { Stack, StackProps, RemovalPolicy, aws_ecr as ecr } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class EcrDebugStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // Both repositories are configured to be destroyed together with the stack,
    // with their images removed first by the auto-delete custom resource.
    const repo1 = new ecr.Repository(this, "Repository1", {
      removalPolicy: RemovalPolicy.DESTROY,
      autoDeleteImages: true,
    });

    const repo2 = new ecr.Repository(this, "Repository2", {
      removalPolicy: RemovalPolicy.DESTROY,
      autoDeleteImages: true,
    });
  }
}

When you run cdk destroy, the following error occurs.

Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: User: arn:aws:sts::<account id>:assumed-role/EcrDebugStack-CustomECRAutoDeleteImagesCustomResou-1CJEK96K90K78/EcrDebugStack-CustomECRAutoDeleteImagesCustomResou-bZeghogDhLCn is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:us-east-1:<account id>:repository/ecrdebugstack-repository25c81e63b-h5ijafd7yenx because no identity-based policy allows the ecr:DescribeRepositories action

Possible Solution

Screenshot 2023-05-02 15 54 10

The generated IAM policy for the custom resource is allowed to perform ecr:DescribeRepositories on only one repository.

Additional Information/Context

No response

CDK CLI Version

2.70.0 (build c13a0f1)

Framework Version

No response

Node.js Version

v18.12.1

OS

Amazon Linux 2

Language

Typescript

Language Version

No response

Other information

No response
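A check that catches the gap described in this report from the synthesized template, as an added example that is not part of the issue or of aws-cdk-lib: it lists every AWS::ECR::Repository in a cdk synth template for which no Allow statement grants ecr:DescribeRepositories. The embedded template is constructed and simplified (logical ids and the role/policy shape are assumptions), with the custom resource role covering only Repository1 as the report describes.

```typescript
// Added example (not from the issue or aws-cdk-lib): scan a cdk synth template for
// AWS::ECR::Repository resources that no Allow statement grants ecr:DescribeRepositories on.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, CfnResource> };
const REQUIRED_ACTION = "ecr:DescribeRepositories";

function asList<T>(v: T | T[] | undefined): T[] { return v === undefined ? [] : Array.isArray(v) ? v : [v]; }

// A statement Resource is "*", a literal ARN, or CDK's { "Fn::GetAtt": [id, "Arn"] }
// for a repository in the same stack; return the logical ids (or "*") it names.
function logicalIdsOf(res: unknown): string[] {
  return asList<any>(res).map((r) => (typeof r === "string" ? r : r?.["Fn::GetAtt"]?.[0] ?? ""))
    .filter((s) => s !== "");
}

// Policy documents from standalone AWS::IAM::Policy resources and inline role policies.
function policyDocuments(t: Template): any[] {
  const docs: any[] = [];
  for (const r of Object.values(t.Resources)) {
    if (r.Type === "AWS::IAM::Policy" && r.Properties?.PolicyDocument) docs.push(r.Properties.PolicyDocument);
    if (r.Type === "AWS::IAM::Role") for (const p of asList<any>(r.Properties?.Policies)) docs.push(p.PolicyDocument);
  }
  return docs;
}

// Repositories the auto-delete custom resource role would not be allowed to describe.
function uncoveredRepositories(t: Template): string[] {
  const repos = Object.keys(t.Resources).filter((id) => t.Resources[id].Type === "AWS::ECR::Repository");
  const covered = new Set<string>();
  for (const doc of policyDocuments(t))
    for (const st of asList<any>(doc.Statement))
      if (st.Effect === "Allow" && asList<string>(st.Action).includes(REQUIRED_ACTION))
        logicalIdsOf(st.Resource).forEach((id) => covered.add(id));
  return covered.has("*") ? [] : repos.filter((id) => !covered.has(id));
}

// Constructed template (assumed shape): two repositories and a provider role whose
// inline policy names only Repository1, matching what the report's screenshot shows.
const constructedTemplate: Template = {
  Resources: {
    Repository1: { Type: "AWS::ECR::Repository" },
    Repository2: { Type: "AWS::ECR::Repository" },
    AutoDeleteImagesProviderRole: {
      Type: "AWS::IAM::Role",
      Properties: { Policies: [{ PolicyName: "Inline", PolicyDocument: { Statement: [{
        Effect: "Allow",
        Action: ["ecr:BatchDeleteImage", "ecr:DescribeRepositories", "ecr:ListImages"],
        Resource: [{ "Fn::GetAtt": ["Repository1", "Arn"] }],
      }] } }] },
    },
  },
};
```

Running `uncoveredRepositories` over the real `cdk synth` output of a stack with several repositories gives an empty list only when the custom resource role can describe every one of them.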

@hkford hkford added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 2, 2023
@github-actions github-actions bot added the @aws-cdk/aws-ecr Related to Amazon Elastic Container Registry label May 2, 2023
@pahud

pahud commented May 2, 2023

Thanks for the report. Closing in favor of #25308

@pahud pahud closed this as completed May 2, 2023
@github-actions

github-actions bot commented May 2, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 2, 2023