diff --git a/packages/@aws-cdk/aws-ecr/README.md b/packages/@aws-cdk/aws-ecr/README.md
index 6adb791ba7f76..03172cac6ff82 100644
--- a/packages/@aws-cdk/aws-ecr/README.md
+++ b/packages/@aws-cdk/aws-ecr/README.md
@@ -74,6 +74,14 @@ ecr.PublicGalleryAuthorizationToken.grantRead(user);
 This user can then proceed to login to the registry using one of the [authentication methods](https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth).
+### Image tag immutability
+
+You can set tag immutability on images in our repository using the `imageTagMutability` construct prop.
+
+```ts
+new ecr.Repository(stack, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });
+```
+
 ## Automatically clean up repositories
 You can set life cycle rules to automatically clean up old images from your
diff --git a/packages/@aws-cdk/aws-ecr/lib/repository.ts b/packages/@aws-cdk/aws-ecr/lib/repository.ts
index 20f110c206428..3734db8176d36 100644
--- a/packages/@aws-cdk/aws-ecr/lib/repository.ts
+++ b/packages/@aws-cdk/aws-ecr/lib/repository.ts
@@ -354,6 +354,13 @@ export interface RepositoryProps {
 * @default false
 */
 readonly imageScanOnPush?: boolean;
+
+ /**
+ * The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten.
+ *
+ * @default TagMutability.MUTABLE
+ */
+ readonly imageTagMutability?: TagMutability;
 }
 export interface RepositoryAttributes {
@@ -452,6 +459,7 @@
 imageScanningConfiguration: !props.imageScanOnPush ? undefined : {
 ScanOnPush: true,
 },
+imageTagMutability: props.imageTagMutability || undefined,
 });
 resource.applyRemovalPolicy(props.removalPolicy);
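Review bot: `imageTagMutability: props.imageTagMutability || undefined` in the @@ -452 hunk does no work, because an omitted prop is already `undefined` and both TagMutability values are non-empty strings; the `|| undefined` would only silently drop a falsy value if one were ever added to the enum. Plain `imageTagMutability: props.imageTagMutability,` expresses the same intent and keeps the MUTABLE service default documented on the prop. The enclosing constructor appears to start and end outside the hunk. Because leaving the prop unset keeps tags overwritable, the prop's doc comment in the @@ -354 hunk would help readers more if it also said that `TagMutability.IMMUTABLE` is the setting that prevents a pushed tag from being replaced.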
@@ -610,3 +618,19 @@ const enum CountType {
 */
 SINCE_IMAGE_PUSHED = 'sinceImagePushed',
 }
+
+/**
+ * The tag mutability setting for your repository.
+ */
+export enum TagMutability {
+ /**
+ * allow image tags to be overwritten.
+ */
+ MUTABLE = 'MUTABLE',
+
+ /**
+ * all image tags within the repository will be immutable which will prevent them from being overwritten.
+ */
+ IMMUTABLE = 'IMMUTABLE',
+
+}
diff --git a/packages/@aws-cdk/aws-ecr/package.json b/packages/@aws-cdk/aws-ecr/package.json
index 95a78ae04c522..bc3671a7c5585 100644
--- a/packages/@aws-cdk/aws-ecr/package.json
+++ b/packages/@aws-cdk/aws-ecr/package.json
@@ -103,6 +103,7 @@
 "import:@aws-cdk/aws-ecr.Repository",
 "construct-base-is-private:@aws-cdk/aws-ecr.RepositoryBase",
 "docs-public-apis:@aws-cdk/aws-ecr.Repository.fromRepositoryArn",
+"docs-public-apis:@aws-cdk/aws-ecr.Repository.imageTagMutability",
 "docs-public-apis:@aws-cdk/aws-ecr.Repository.fromRepositoryName",
 "props-default-doc:@aws-cdk/aws-ecr.LifecycleRule.maxImageAge",
 "props-default-doc:@aws-cdk/aws-ecr.LifecycleRule.maxImageCount",
diff --git a/packages/@aws-cdk/aws-ecr/test/test.repository.ts b/packages/@aws-cdk/aws-ecr/test/test.repository.ts
index 8c8094be287e9..fe020462f7716 100644
--- a/packages/@aws-cdk/aws-ecr/test/test.repository.ts
+++ b/packages/@aws-cdk/aws-ecr/test/test.repository.ts
@@ -63,6 +63,20 @@ export = {
 test.done();
 },
+
+ 'image tag mutability can be set'(test: Test) {
+ // GIVEN
+ const stack = new cdk.Stack();
+ new ecr.Repository(stack, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });
+
+ // THEN
+ expect(stack).to(haveResource('AWS::ECR::Repository', {
+ ImageTagMutability: 'IMMUTABLE',
+ }));
+
+ test.done();
+ },
+
 'add day-based lifecycle policy'(test: Test) {
 // GIVEN
 const stack = new cdk.Stack();
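Review bot: The member doc comments on the exported `TagMutability` enum in the @@ -610 hunk start in lowercase and the enum body ends with a stray blank line before `}`; as these comments surface in generated API docs, I would write `Allow image tags to be overwritten.` and `All image tags within the repository are immutable and cannot be overwritten.` and drop the trailing blank line. Declaring it as a plain `export enum` rather than mirroring the adjacent internal `const enum CountType` looks right for a public API and needs no change.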
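Review bot: The new awslint exclusion `docs-public-apis:@aws-cdk/aws-ecr.Repository.imageTagMutability` in the package.json hunk is inserted between the two `Repository.fromRepository*` entries, splitting the existing grouping, and it looks unnecessary: the property added in repository.ts carries a full doc comment with an `@default`, which as far as I can tell is what the `docs-public-apis` rule checks. It also names `Repository.imageTagMutability` while the prop is declared on `RepositoryProps`, so the exclusion may not match anything. I would drop the line, or, if the linter does report it, move it beside the other exclusions for the same construct and confirm the identifier it needs.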
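Review bot: The new test in test.repository.ts only covers `TagMutability.IMMUTABLE`; nothing pins the default path, where `imageTagMutability` is omitted and the synthesized `AWS::ECR::Repository` must carry no `ImageTagMutability` property (the `|| undefined` branch in repository.ts). I would add a sibling case asserting the key is absent, using `ABSENT` from `@aws-cdk/assert` (imported next to `expect` and `haveResource` if the file does not already do so). The `export = {` object these cases live in starts and ends outside the hunk.
```typescript
  'image tag mutability is omitted from the template by default'(test: Test) {
    // GIVEN
    const stack = new cdk.Stack();
    new ecr.Repository(stack, 'Repo');

    // THEN
    expect(stack).to(haveResource('AWS::ECR::Repository', {
      ImageTagMutability: ABSENT,
    }));

    test.done();
  },
```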