fix(ecr): autoDeleteImages fails when repository is renamed (#26742)

go-to-k · web-flow · commit e264a2f2c95e · 2023-08-17T12:18:54.000Z
This PR fixes the bug that ECRAutoDeleteImages fails on repo rename. The customResource depends on the role, and when the repository name changes, the role is updated to match the new repository instead of the old one, before customResource runs and the old repository is deleted. It was difficult to delete the old repo before the role update ran, so I changed the resource of the role to a wildcard. Closes #26711. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.repository-auto-delete-images.js.snapshot/aws-ecr-integ-stack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.repository-auto-delete-images.js.snapshot/aws-ecr-integ-stack.assets.json
@@ -14,15 +14,15 @@
         }
       }
     },
-    "32b456cdb8ff646c98c4580ff6d88bd51e84e33af74af927bb882158a53a0d21": {
+    "adb4722adf5406a51ec51892647c61e7ac61ba38b845cd1163397018822e542e": {
       "source": {
         "path": "aws-ecr-integ-stack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "32b456cdb8ff646c98c4580ff6d88bd51e84e33af74af927bb882158a53a0d21.json",
+          "objectKey": "adb4722adf5406a51ec51892647c61e7ac61ba38b845cd1163397018822e542e.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.repository-auto-delete-images.js.snapshot/aws-ecr-integ-stack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.repository-auto-delete-images.js.snapshot/aws-ecr-integ-stack.template.json
@@ -69,12 +69,31 @@
          ],
          "Resource": [
           {
-           "Fn::GetAtt": [
-            "Repo02AC86CF",
-            "Arn"
+           "Fn::Join": [
+            "",
+            [
+             "arn:",
+             {
+              "Ref": "AWS::Partition"
+             },
+             ":ecr:",
+             {
+              "Ref": "AWS::Region"
+             },
+             ":",
+             {
+              "Ref": "AWS::AccountId"
+             },
+             ":repository/*"
+            ]
            ]
           }
-         ]
+         ],
+         "Condition": {
+          "StringEquals": {
+           "ecr:ResourceTag/aws-cdk:auto-delete-images": "true"
+          }
+         }
         }
        ]
       }
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.repository-auto-delete-images.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.repository-auto-delete-images.js.snapshot/manifest.json
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/32b456cdb8ff646c98c4580ff6d88bd51e84e33af74af927bb882158a53a0d21.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/adb4722adf5406a51ec51892647c61e7ac61ba38b845cd1163397018822e542e.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.repository-auto-delete-images.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.repository-auto-delete-images.js.snapshot/tree.json
@@ -28,8 +28,8 @@
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.aws_ecr.CfnRepository",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.69"
                 }
               },
               "AutoDeleteImagesCustomResource": {
@@ -40,20 +40,20 @@
                     "id": "Default",
                     "path": "aws-ecr-integ-stack/Repo/AutoDeleteImagesCustomResource/Default",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.CfnResource",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.69"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.CustomResource",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.69"
                 }
               }
             },
             "constructInfo": {
-              "fqn": "aws-cdk-lib.aws_ecr.Repository",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.69"
             }
           },
           "Custom::ECRAutoDeleteImagesCustomResourceProvider": {
@@ -64,60 +64,60 @@
                 "id": "Staging",
                 "path": "aws-ecr-integ-stack/Custom::ECRAutoDeleteImagesCustomResourceProvider/Staging",
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.AssetStaging",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.69"
                 }
               },
               "Role": {
                 "id": "Role",
                 "path": "aws-ecr-integ-stack/Custom::ECRAutoDeleteImagesCustomResourceProvider/Role",
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.CfnResource",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.69"
                 }
               },
               "Handler": {
                 "id": "Handler",
                 "path": "aws-ecr-integ-stack/Custom::ECRAutoDeleteImagesCustomResourceProvider/Handler",
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.CfnResource",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.69"
                 }
               }
             },
             "constructInfo": {
-              "fqn": "aws-cdk-lib.CustomResourceProvider",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.69"
             }
           },
           "RepositoryURI": {
             "id": "RepositoryURI",
             "path": "aws-ecr-integ-stack/RepositoryURI",
             "constructInfo": {
-              "fqn": "aws-cdk-lib.CfnOutput",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.69"
             }
           },
           "BootstrapVersion": {
             "id": "BootstrapVersion",
             "path": "aws-ecr-integ-stack/BootstrapVersion",
             "constructInfo": {
-              "fqn": "aws-cdk-lib.CfnParameter",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.69"
             }
           },
           "CheckBootstrapVersion": {
             "id": "CheckBootstrapVersion",
             "path": "aws-ecr-integ-stack/CheckBootstrapVersion",
             "constructInfo": {
-              "fqn": "aws-cdk-lib.CfnRule",
-              "version": "0.0.0"
+              "fqn": "constructs.Construct",
+              "version": "10.2.69"
             }
           }
         },
         "constructInfo": {
-          "fqn": "aws-cdk-lib.Stack",
-          "version": "0.0.0"
+          "fqn": "constructs.Construct",
+          "version": "10.2.69"
         }
       },
       "cdk-integ-auto-delete-images": {
@@ -144,22 +144,22 @@
                     "id": "BootstrapVersion",
                     "path": "cdk-integ-auto-delete-images/DefaultTest/DeployAssert/BootstrapVersion",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.CfnParameter",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.69"
                     }
                   },
                   "CheckBootstrapVersion": {
                     "id": "CheckBootstrapVersion",
                     "path": "cdk-integ-auto-delete-images/DefaultTest/DeployAssert/CheckBootstrapVersion",
                     "constructInfo": {
-                      "fqn": "aws-cdk-lib.CfnRule",
-                      "version": "0.0.0"
+                      "fqn": "constructs.Construct",
+                      "version": "10.2.69"
                     }
                   }
                 },
                 "constructInfo": {
-                  "fqn": "aws-cdk-lib.Stack",
-                  "version": "0.0.0"
+                  "fqn": "constructs.Construct",
+                  "version": "10.2.69"
                 }
               }
             },
@@ -184,8 +184,8 @@
       }
     },
     "constructInfo": {
-      "fqn": "aws-cdk-lib.App",
-      "version": "0.0.0"
+      "fqn": "constructs.Construct",
+      "version": "10.2.69"
     }
   }
 }
diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json
@@ -636,18 +636,31 @@
          ],
          "Resource": [
           {
-           "Fn::GetAtt": [
-            "defaultresourcesmaxecrasset13112F7F9",
-            "Arn"
-           ]
-          },
-          {
-           "Fn::GetAtt": [
-            "defaultresourcesmaxecrasset2904B88A7",
-            "Arn"
+           "Fn::Join": [
+            "",
+            [
+             "arn:",
+             {
+              "Ref": "AWS::Partition"
+             },
+             ":ecr:",
+             {
+              "Ref": "AWS::Region"
+             },
+             ":",
+             {
+              "Ref": "AWS::AccountId"
+             },
+             ":repository/*"
+            ]
            ]
           }
-         ]
+         ],
+         "Condition": {
+          "StringEquals": {
+           "ecr:ResourceTag/aws-cdk:auto-delete-images": "true"
+          }
+         }
         }
        ]
       }
diff --git a/packages/aws-cdk-lib/aws-ecr/lib/repository.ts b/packages/aws-cdk-lib/aws-ecr/lib/repository.ts
@@ -20,11 +20,11 @@ import {
   CustomResource,
   CustomResourceProvider,
   CustomResourceProviderRuntime,
+  Aws,
 } from '../../core';
 
 const AUTO_DELETE_IMAGES_RESOURCE_TYPE = 'Custom::ECRAutoDeleteImages';
 const AUTO_DELETE_IMAGES_TAG = 'aws-cdk:auto-delete-images';
-const REPO_ARN_SYMBOL = Symbol.for('@aws-cdk/aws-ecr.RepoArns');
 
 /**
  * Represents an ECR repository.
@@ -867,12 +867,8 @@ export class Repository extends RepositoryBase {
     });
 
     if (firstTime) {
-      const repoArns = [this._resource.attrArn];
-      (provider as any)[REPO_ARN_SYMBOL] = repoArns;
-
       // Use a iam policy to allow the custom resource to list & delete
       // images in the repository and the ability to get all repositories to find the arn needed on delete.
-      // We lazily produce a list of repositories associated with this custom resource provider.
       provider.addToRolePolicy({
         Effect: 'Allow',
         Action: [
@@ -881,10 +877,13 @@ export class Repository extends RepositoryBase {
           'ecr:ListImages',
           'ecr:ListTagsForResource',
         ],
-        Resource: Lazy.list({ produce: () => repoArns }),
+        Resource: [`arn:${Aws.PARTITION}:ecr:${Stack.of(this).region}:${Stack.of(this).account}:repository/*`],
+        Condition: {
+          StringEquals: {
+            ['ecr:ResourceTag/' + AUTO_DELETE_IMAGES_TAG]: 'true',
+          },
+        },
       });
-    } else {
-      (provider as any)[REPO_ARN_SYMBOL].push(this._resource.attrArn);
     }
 
     const customResource = new CustomResource(this, 'AutoDeleteImagesCustomResource', {
diff --git a/packages/aws-cdk-lib/aws-ecr/test/repository.test.ts b/packages/aws-cdk-lib/aws-ecr/test/repository.test.ts
@@ -1006,18 +1006,22 @@ describe('repository', () => {
                   ],
                   Resource: [
                     {
-                      'Fn::GetAtt': [
-                        'Repo1DBD717D9',
-                        'Arn',
-                      ],
-                    },
-                    {
-                      'Fn::GetAtt': [
-                        'Repo2730A8200',
-                        'Arn',
-                      ],
+                      'Fn::Join': ['', [
+                        'arn:',
+                        { Ref: 'AWS::Partition' },
+                        ':ecr:',
+                        { Ref: 'AWS::Region' },
+                        ':',
+                        { Ref: 'AWS::AccountId' },
+                        ':repository/*',
+                      ]],
                     },
                   ],
+                  Condition: {
+                    StringEquals: {
+                      'ecr:ResourceTag/aws-cdk:auto-delete-images': 'true',
+                    },
+                  },
                 },
               ],
             },

Original file line number	Diff line number	Diff line change
`@@ -14,15 +14,15 @@`
`14`	`14`	`}`
`15`	`15`	`}`
`16`	`16`	`},`
`17`		`- "32b456cdb8ff646c98c4580ff6d88bd51e84e33af74af927bb882158a53a0d21": {`
	`17`	`+ "adb4722adf5406a51ec51892647c61e7ac61ba38b845cd1163397018822e542e": {`
`18`	`18`	`"source": {`
`19`	`19`	`"path": "aws-ecr-integ-stack.template.json",`
`20`	`20`	`"packaging": "file"`
`21`	`21`	`},`
`22`	`22`	`"destinations": {`
`23`	`23`	`"current_account-current_region": {`
`24`	`24`	`"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",`
`25`		`- "objectKey": "32b456cdb8ff646c98c4580ff6d88bd51e84e33af74af927bb882158a53a0d21.json",`
	`25`	`+ "objectKey": "adb4722adf5406a51ec51892647c61e7ac61ba38b845cd1163397018822e542e.json",`
`26`	`26`	`"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"`
`27`	`27`	`}`
`28`	`28`	`}`