
Commit 01f0d92

authored
feat(ecr): repo.grantPush (#25845)
For example, I realized that the role given to perform a push from Github Actions to ECR is excessive if using grantPullPush. The Readme was temporarily updated to fulfill the conditions of a 'feat' commit. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent d90dffa commit 01f0d92

12 files changed

+857
-8
lines changed
@@ -0,0 +1,19 @@
1+
{
2+
"version": "32.0.0",
3+
"files": {
4+
"b4b94e1885964eca81c7f59f0375c3da2e9ce1532690efad69d539c9ed62cf4c": {
5+
"source": {
6+
"path": "aws-ecr-integ-stack.template.json",
7+
"packaging": "file"
8+
},
9+
"destinations": {
10+
"current_account-current_region": {
11+
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
12+
"objectKey": "b4b94e1885964eca81c7f59f0375c3da2e9ce1532690efad69d539c9ed62cf4c.json",
13+
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
14+
}
15+
}
16+
}
17+
},
18+
"dockerImages": {}
19+
}
@@ -0,0 +1,154 @@
1+
{
2+
"Resources": {
3+
"Repo02AC86CF": {
4+
"Type": "AWS::ECR::Repository",
5+
"Properties": {
6+
"LifecyclePolicy": {
7+
"LifecyclePolicyText": "{\"rules\":[{\"rulePriority\":1,\"selection\":{\"tagStatus\":\"any\",\"countType\":\"imageCountMoreThan\",\"countNumber\":5},\"action\":{\"type\":\"expire\"}}]}"
8+
},
9+
"RepositoryPolicyText": {
10+
"Statement": [
11+
{
12+
"Action": "ecr:GetDownloadUrlForLayer",
13+
"Effect": "Allow",
14+
"Principal": {
15+
"AWS": "*"
16+
}
17+
}
18+
],
19+
"Version": "2012-10-17"
20+
}
21+
},
22+
"UpdateReplacePolicy": "Retain",
23+
"DeletionPolicy": "Retain"
24+
},
25+
"MyUserDC45028B": {
26+
"Type": "AWS::IAM::User"
27+
},
28+
"MyUserDefaultPolicy7B897426": {
29+
"Type": "AWS::IAM::Policy",
30+
"Properties": {
31+
"PolicyDocument": {
32+
"Statement": [
33+
{
34+
"Action": [
35+
"ecr:BatchCheckLayerAvailability",
36+
"ecr:BatchGetImage",
37+
"ecr:CompleteLayerUpload",
38+
"ecr:GetDownloadUrlForLayer",
39+
"ecr:InitiateLayerUpload",
40+
"ecr:PutImage",
41+
"ecr:UploadLayerPart"
42+
],
43+
"Effect": "Allow",
44+
"Resource": {
45+
"Fn::GetAtt": [
46+
"Repo02AC86CF",
47+
"Arn"
48+
]
49+
}
50+
},
51+
{
52+
"Action": "ecr:GetAuthorizationToken",
53+
"Effect": "Allow",
54+
"Resource": "*"
55+
}
56+
],
57+
"Version": "2012-10-17"
58+
},
59+
"PolicyName": "MyUserDefaultPolicy7B897426",
60+
"Users": [
61+
{
62+
"Ref": "MyUserDC45028B"
63+
}
64+
]
65+
}
66+
}
67+
},
68+
"Outputs": {
69+
"RepositoryURI": {
70+
"Value": {
71+
"Fn::Join": [
72+
"",
73+
[
74+
{
75+
"Fn::Select": [
76+
4,
77+
{
78+
"Fn::Split": [
79+
":",
80+
{
81+
"Fn::GetAtt": [
82+
"Repo02AC86CF",
83+
"Arn"
84+
]
85+
}
86+
]
87+
}
88+
]
89+
},
90+
".dkr.ecr.",
91+
{
92+
"Fn::Select": [
93+
3,
94+
{
95+
"Fn::Split": [
96+
":",
97+
{
98+
"Fn::GetAtt": [
99+
"Repo02AC86CF",
100+
"Arn"
101+
]
102+
}
103+
]
104+
}
105+
]
106+
},
107+
".",
108+
{
109+
"Ref": "AWS::URLSuffix"
110+
},
111+
"/",
112+
{
113+
"Ref": "Repo02AC86CF"
114+
}
115+
]
116+
]
117+
}
118+
}
119+
},
120+
"Parameters": {
121+
"BootstrapVersion": {
122+
"Type": "AWS::SSM::Parameter::Value<String>",
123+
"Default": "/cdk-bootstrap/hnb659fds/version",
124+
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
125+
}
126+
},
127+
"Rules": {
128+
"CheckBootstrapVersion": {
129+
"Assertions": [
130+
{
131+
"Assert": {
132+
"Fn::Not": [
133+
{
134+
"Fn::Contains": [
135+
[
136+
"1",
137+
"2",
138+
"3",
139+
"4",
140+
"5"
141+
],
142+
{
143+
"Ref": "BootstrapVersion"
144+
}
145+
]
146+
}
147+
]
148+
},
149+
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
150+
}
151+
]
152+
}
153+
}
154+
}
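Review bot: The single `Allow` statement in `MyUserDefaultPolicy7B897426` lists `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` alongside the upload actions, so this snapshot cannot show that the new push-only grant leaves pull permissions out. Presumably the integ test applies several grant methods to the same `MyUser` and the statements are merged; the test source is not visible in this section, so confirm. Giving the `grantPush` call its own principal would make the snapshot pin the narrower action set that the commit is about. Separately, `RepositoryPolicyText` on `Repo02AC86CF` allows `ecr:GetDownloadUrlForLayer` to `"AWS": "*"` with no `Condition`, which covers principals in any account. If that statement exists only to exercise the resource-policy path, scope the principal to the deploying account so the fixture does not model a cross-account wildcard grant.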
@@ -0,0 +1 @@
1+
{"version":"32.0.0"}
@@ -0,0 +1,19 @@
1+
{
2+
"version": "32.0.0",
3+
"files": {
4+
"21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
5+
"source": {
6+
"path": "cdkecrintegtestgrantDefaultTestDeployAssertC6198E0B.template.json",
7+
"packaging": "file"
8+
},
9+
"destinations": {
10+
"current_account-current_region": {
11+
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
12+
"objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
13+
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
14+
}
15+
}
16+
}
17+
},
18+
"dockerImages": {}
19+
}
@@ -0,0 +1,36 @@
1+
{
2+
"Parameters": {
3+
"BootstrapVersion": {
4+
"Type": "AWS::SSM::Parameter::Value<String>",
5+
"Default": "/cdk-bootstrap/hnb659fds/version",
6+
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
7+
}
8+
},
9+
"Rules": {
10+
"CheckBootstrapVersion": {
11+
"Assertions": [
12+
{
13+
"Assert": {
14+
"Fn::Not": [
15+
{
16+
"Fn::Contains": [
17+
[
18+
"1",
19+
"2",
20+
"3",
21+
"4",
22+
"5"
23+
],
24+
{
25+
"Ref": "BootstrapVersion"
26+
}
27+
]
28+
}
29+
]
30+
},
31+
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
32+
}
33+
]
34+
}
35+
}
36+
}
@@ -0,0 +1,12 @@
1+
{
2+
"version": "32.0.0",
3+
"testCases": {
4+
"cdk-ecr-integ-test-grant/DefaultTest": {
5+
"stacks": [
6+
"aws-ecr-integ-stack"
7+
],
8+
"assertionStack": "cdk-ecr-integ-test-grant/DefaultTest/DeployAssert",
9+
"assertionStackName": "cdkecrintegtestgrantDefaultTestDeployAssertC6198E0B"
10+
}
11+
}
12+
}
@@ -0,0 +1,129 @@
1+
{
2+
"version": "32.0.0",
3+
"artifacts": {
4+
"aws-ecr-integ-stack.assets": {
5+
"type": "cdk:asset-manifest",
6+
"properties": {
7+
"file": "aws-ecr-integ-stack.assets.json",
8+
"requiresBootstrapStackVersion": 6,
9+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
10+
}
11+
},
12+
"aws-ecr-integ-stack": {
13+
"type": "aws:cloudformation:stack",
14+
"environment": "aws://unknown-account/unknown-region",
15+
"properties": {
16+
"templateFile": "aws-ecr-integ-stack.template.json",
17+
"validateOnSynth": false,
18+
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
19+
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
20+
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b4b94e1885964eca81c7f59f0375c3da2e9ce1532690efad69d539c9ed62cf4c.json",
21+
"requiresBootstrapStackVersion": 6,
22+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
23+
"additionalDependencies": [
24+
"aws-ecr-integ-stack.assets"
25+
],
26+
"lookupRole": {
27+
"arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
28+
"requiresBootstrapStackVersion": 8,
29+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
30+
}
31+
},
32+
"dependencies": [
33+
"aws-ecr-integ-stack.assets"
34+
],
35+
"metadata": {
36+
"/aws-ecr-integ-stack/Repo/Resource": [
37+
{
38+
"type": "aws:cdk:logicalId",
39+
"data": "Repo02AC86CF"
40+
}
41+
],
42+
"/aws-ecr-integ-stack/MyUser/Resource": [
43+
{
44+
"type": "aws:cdk:logicalId",
45+
"data": "MyUserDC45028B"
46+
}
47+
],
48+
"/aws-ecr-integ-stack/MyUser/DefaultPolicy/Resource": [
49+
{
50+
"type": "aws:cdk:logicalId",
51+
"data": "MyUserDefaultPolicy7B897426"
52+
}
53+
],
54+
"/aws-ecr-integ-stack/RepositoryURI": [
55+
{
56+
"type": "aws:cdk:logicalId",
57+
"data": "RepositoryURI"
58+
}
59+
],
60+
"/aws-ecr-integ-stack/BootstrapVersion": [
61+
{
62+
"type": "aws:cdk:logicalId",
63+
"data": "BootstrapVersion"
64+
}
65+
],
66+
"/aws-ecr-integ-stack/CheckBootstrapVersion": [
67+
{
68+
"type": "aws:cdk:logicalId",
69+
"data": "CheckBootstrapVersion"
70+
}
71+
]
72+
},
73+
"displayName": "aws-ecr-integ-stack"
74+
},
75+
"cdkecrintegtestgrantDefaultTestDeployAssertC6198E0B.assets": {
76+
"type": "cdk:asset-manifest",
77+
"properties": {
78+
"file": "cdkecrintegtestgrantDefaultTestDeployAssertC6198E0B.assets.json",
79+
"requiresBootstrapStackVersion": 6,
80+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
81+
}
82+
},
83+
"cdkecrintegtestgrantDefaultTestDeployAssertC6198E0B": {
84+
"type": "aws:cloudformation:stack",
85+
"environment": "aws://unknown-account/unknown-region",
86+
"properties": {
87+
"templateFile": "cdkecrintegtestgrantDefaultTestDeployAssertC6198E0B.template.json",
88+
"validateOnSynth": false,
89+
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
90+
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
91+
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
92+
"requiresBootstrapStackVersion": 6,
93+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
94+
"additionalDependencies": [
95+
"cdkecrintegtestgrantDefaultTestDeployAssertC6198E0B.assets"
96+
],
97+
"lookupRole": {
98+
"arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
99+
"requiresBootstrapStackVersion": 8,
100+
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
101+
}
102+
},
103+
"dependencies": [
104+
"cdkecrintegtestgrantDefaultTestDeployAssertC6198E0B.assets"
105+
],
106+
"metadata": {
107+
"/cdk-ecr-integ-test-grant/DefaultTest/DeployAssert/BootstrapVersion": [
108+
{
109+
"type": "aws:cdk:logicalId",
110+
"data": "BootstrapVersion"
111+
}
112+
],
113+
"/cdk-ecr-integ-test-grant/DefaultTest/DeployAssert/CheckBootstrapVersion": [
114+
{
115+
"type": "aws:cdk:logicalId",
116+
"data": "CheckBootstrapVersion"
117+
}
118+
]
119+
},
120+
"displayName": "cdk-ecr-integ-test-grant/DefaultTest/DeployAssert"
121+
},
122+
"Tree": {
123+
"type": "cdk:tree",
124+
"properties": {
125+
"file": "tree.json"
126+
}
127+
}
128+
}
129+
}
