Commit
feat(ecr): add imageTagMutability prop (#10557)
This property allows setting tag mutability on ECR repositories. Tag mutability is useful to ensure image integrity and can prevent supply chain attacks.

Closes #4640


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
ap00rv authored Mar 9, 2021
1 parent 6c3d407 commit c4dc3bc
Showing 4 changed files with 47 additions and 0 deletions.
8 changes: 8 additions & 0 deletions packages/@aws-cdk/aws-ecr/README.md
@@ -74,6 +74,14 @@ ecr.PublicGalleryAuthorizationToken.grantRead(user);

This user can then proceed to login to the registry using one of the [authentication methods](https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth).

### Image tag immutability

You can set tag immutability on images in our repository using the `imageTagMutability` construct prop.

```ts
new ecr.Repository(stack, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });
```

## Automatically clean up repositories

You can set life cycle rules to automatically clean up old images from your
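Review bot: the new README sentence says "in our repository"; it should read "in your repository" to match the rest of this file. It would also help the reader to state in one sentence what the setting buys them and what the default is, e.g. "With `ecr.TagMutability.IMMUTABLE`, an existing tag cannot be overwritten by a later push; the default is `ecr.TagMutability.MUTABLE`", which is what the prop's JSDoc in `repository.ts` already says.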
24 changes: 24 additions & 0 deletions packages/@aws-cdk/aws-ecr/lib/repository.ts
@@ -354,6 +354,13 @@ export interface RepositoryProps {
* @default false
*/
readonly imageScanOnPush?: boolean;

/**
* The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten.
*
* @default TagMutability.MUTABLE
*/
readonly imageTagMutability?: TagMutability;
}

export interface RepositoryAttributes {
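Review bot: the JSDoc line on `imageTagMutability` runs far past the line width used by the other doc comments in this file; wrap it, and since `@default TagMutability.MUTABLE` already records the default, the prose can be shorter, e.g.
 * The tag mutability setting for the repository.
 * When MUTABLE (the default), image tags can be overwritten by a later push.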
@@ -452,6 +459,7 @@ export class Repository extends RepositoryBase {
imageScanningConfiguration: !props.imageScanOnPush ? undefined : {
ScanOnPush: true,
},
imageTagMutability: props.imageTagMutability || undefined,
});

resource.applyRemovalPolicy(props.removalPolicy);
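Review bot: `props.imageTagMutability || undefined` is a no-op: both enum members are non-empty strings, so the expression evaluates to the same value as `props.imageTagMutability`, and when the prop is omitted it is already `undefined`. Simplify to `imageTagMutability: props.imageTagMutability,`. Leaving the value `undefined` for the default is the right choice, since it keeps the `ImageTagMutability` key out of the synthesized template and lets the service apply its MUTABLE default, as the `@default` doc on the prop describes.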
@@ -610,3 +618,19 @@ const enum CountType {
*/
SINCE_IMAGE_PUSHED = 'sinceImagePushed',
}

/**
* The tag mutability setting for your repository.
*/
export enum TagMutability {
/**
* allow image tags to be overwritten.
*/
MUTABLE = 'MUTABLE',

/**
* all image tags within the repository will be immutable which will prevent them from being overwritten.
*/
IMMUTABLE = 'IMMUTABLE',

}
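Review bot: the doc comments on `MUTABLE` and `IMMUTABLE` start in lowercase ("allow image tags…", "all image tags…") while every other doc comment in this file starts with a capital letter; capitalize them, and drop the stray blank line before the enum's closing brace. Since `TagMutability` is now exported and referenced from `RepositoryProps`, consider defining it next to the other exported types rather than after the non-exported `const enum CountType`, so a reader of `RepositoryProps` finds it without scrolling to the end of the file.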
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-ecr/package.json
@@ -103,6 +103,7 @@
"import:@aws-cdk/aws-ecr.Repository",
"construct-base-is-private:@aws-cdk/aws-ecr.RepositoryBase",
"docs-public-apis:@aws-cdk/aws-ecr.Repository.fromRepositoryArn",
"docs-public-apis:@aws-cdk/aws-ecr.Repository.imageTagMutability",
"docs-public-apis:@aws-cdk/aws-ecr.Repository.fromRepositoryName",
"props-default-doc:@aws-cdk/aws-ecr.LifecycleRule.maxImageAge",
"props-default-doc:@aws-cdk/aws-ecr.LifecycleRule.maxImageCount",
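Review bot: the new `docs-public-apis` exclusion is inserted between `Repository.fromRepositoryArn` and `Repository.fromRepositoryName`, which breaks the ordering of that list; move it after `fromRepositoryName`. Also, `imageTagMutability` is documented on `RepositoryProps` in this same change, so check whether the awslint exclusion is actually required before adding it rather than silencing the rule.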
14 changes: 14 additions & 0 deletions packages/@aws-cdk/aws-ecr/test/test.repository.ts
@@ -63,6 +63,20 @@ export = {
test.done();
},


'image tag mutability can be set'(test: Test) {
// GIVEN
const stack = new cdk.Stack();
new ecr.Repository(stack, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });

// THEN
expect(stack).to(haveResource('AWS::ECR::Repository', {
ImageTagMutability: 'IMMUTABLE',
}));

test.done();
},

'add day-based lifecycle policy'(test: Test) {
// GIVEN
const stack = new cdk.Stack();
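Review bot: there are two consecutive blank lines before the new `'image tag mutability can be set'` case; a single blank line is the convention between cases in this file. The test only exercises `IMMUTABLE`; add a second case that omits the prop and asserts, with `haveResource('AWS::ECR::Repository', ...)`, that no `ImageTagMutability` property is emitted, so the default path in `repository.ts` is verified as well.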