From 2de17eee8f81eab7ce8369f8fe9668702a9aa891 Mon Sep 17 00:00:00 2001 From: peterwoodworth Date: Thu, 17 Mar 2022 16:50:55 -0700 Subject: [PATCH] fix(ecr): setting imageScanningConfiguration to false does nothing on existing repository --- .../aws-batch/test/integ.batch.expected.json | 15 +++++++++++++-- .../test/integ.ecr.lit.expected.json | 5 +++++ .../test/integ.pipeline-ecr-source.expected.json | 5 +++++ .../test/integ.pipeline-ecs-deploy.expected.json | 5 +++++ ...pipeline-ecs-separate-source.lit.expected.json | 5 +++++ packages/@aws-cdk/aws-ecr/lib/repository.ts | 4 +--- .../aws-ecr/test/integ.basic.expected.json | 3 +++ packages/@aws-cdk/aws-ecr/test/repository.test.ts | 5 +++++ .../aws-ecs/test/ec2/ec2-task-definition.test.ts | 9 ++++++++- .../external/external-task-definition.test.ts | 9 ++++++++- 10 files changed, 58 insertions(+), 7 deletions(-) diff --git a/packages/@aws-cdk/aws-batch/test/integ.batch.expected.json b/packages/@aws-cdk/aws-batch/test/integ.batch.expected.json index 7624200d45321..299b04e3f66db 100644 --- a/packages/@aws-cdk/aws-batch/test/integ.batch.expected.json +++ b/packages/@aws-cdk/aws-batch/test/integ.batch.expected.json @@ -1665,6 +1665,11 @@ }, "batchjobrepo4C508C51": { "Type": "AWS::ECR::Repository", + "Properties": { + "ImageScanningConfiguration": { + "ScanOnPush": false + } + }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, @@ -1725,8 +1730,14 @@ "Privileged": false, "ReadonlyRootFilesystem": false, "ResourceRequirements": [ - { "Type": "VCPU", "Value": "1" }, - { "Type": "MEMORY", "Value": "4" } + { + "Type": "VCPU", + "Value": "1" + }, + { + "Type": "MEMORY", + "Value": "4" + } ] }, "PlatformCapabilities": [ diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json index fdae4323ed9cd..3c34c2d44082c 100644 --- a/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json 
+++ b/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json @@ -2,6 +2,11 @@ "Resources": { "MyRepoF4F48043": { "Type": "AWS::ECR::Repository", + "Properties": { + "ImageScanningConfiguration": { + "ScanOnPush": false + } + }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecr-source.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecr-source.expected.json index 4720701233397..0a621dda819f1 100644 --- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecr-source.expected.json +++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecr-source.expected.json @@ -356,6 +356,11 @@ }, "MyEcrRepo767466D0": { "Type": "AWS::ECR::Repository", + "Properties": { + "ImageScanningConfiguration": { + "ScanOnPush": false + } + }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecs-deploy.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecs-deploy.expected.json index 725008ba28aa8..1e2a16d9d0825 100644 --- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecs-deploy.expected.json +++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecs-deploy.expected.json @@ -201,6 +201,11 @@ }, "EcrRepoBB83A592": { "Type": "AWS::ECR::Repository", + "Properties": { + "ImageScanningConfiguration": { + "ScanOnPush": false + } + }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecs-separate-source.lit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecs-separate-source.lit.expected.json index a728e17a69655..391acf442e961 100644 --- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecs-separate-source.lit.expected.json 
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-ecs-separate-source.lit.expected.json @@ -3,6 +3,11 @@ "Resources": { "EcsDeployRepositoryE7A569C0": { "Type": "AWS::ECR::Repository", + "Properties": { + "ImageScanningConfiguration": { + "ScanOnPush": false + } + }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, diff --git a/packages/@aws-cdk/aws-ecr/lib/repository.ts b/packages/@aws-cdk/aws-ecr/lib/repository.ts index 3d4e44c0776a9..f73c8990dd95f 100644 --- a/packages/@aws-cdk/aws-ecr/lib/repository.ts +++ b/packages/@aws-cdk/aws-ecr/lib/repository.ts @@ -508,9 +508,7 @@ export class Repository extends RepositoryBase { // It says "Text", but they actually mean "Object". repositoryPolicyText: Lazy.any({ produce: () => this.policyDocument }), lifecyclePolicy: Lazy.any({ produce: () => this.renderLifecyclePolicy() }), - imageScanningConfiguration: !props.imageScanOnPush ? undefined : { - scanOnPush: true, - }, + imageScanningConfiguration: props.imageScanOnPush ? { scanOnPush: true } : { scanOnPush: false }, imageTagMutability: props.imageTagMutability || undefined, encryptionConfiguration: this.parseEncryption(props), }); diff --git a/packages/@aws-cdk/aws-ecr/test/integ.basic.expected.json b/packages/@aws-cdk/aws-ecr/test/integ.basic.expected.json index 7fa399898aa8e..09075cee64a01 100644 --- a/packages/@aws-cdk/aws-ecr/test/integ.basic.expected.json +++ b/packages/@aws-cdk/aws-ecr/test/integ.basic.expected.json @@ -3,6 +3,9 @@ "Repo02AC86CF": { "Type": "AWS::ECR::Repository", "Properties": { + "ImageScanningConfiguration": { + "ScanOnPush": false + }, "LifecyclePolicy": { "LifecyclePolicyText": "{\"rules\":[{\"rulePriority\":1,\"selection\":{\"tagStatus\":\"any\",\"countType\":\"imageCountMoreThan\",\"countNumber\":5},\"action\":{\"type\":\"expire\"}}]}" } diff --git a/packages/@aws-cdk/aws-ecr/test/repository.test.ts b/packages/@aws-cdk/aws-ecr/test/repository.test.ts index 232ad400cdff6..108be6e06d065 100644 
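Review bot: In `repository.ts` the new ternary treats an omitted `imageScanOnPush` the same as an explicit `false`, so every repository that never set the prop now renders `ScanOnPush: false`; the updated expectations in this patch show this, for example the ECS tests that previously matched `{}`. For stacks that left the prop unset, the next deploy would presumably switch scanning off on repositories where scan-on-push was enabled outside the template, which is a quiet loss of vulnerability scanning. Emitting the property only when the caller set it keeps the fix for an explicit `false` without changing the default: `imageScanningConfiguration: props.imageScanOnPush !== undefined ? { scanOnPush: props.imageScanOnPush } : undefined,`. The `repository.test.ts` hunk only covers the default case, so a test that passes `imageScanOnPush: false` would pin the behaviour the commit title describes. The enclosing constructor starts and ends outside the hunk.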
--- a/packages/@aws-cdk/aws-ecr/test/repository.test.ts +++ b/packages/@aws-cdk/aws-ecr/test/repository.test.ts @@ -20,6 +20,11 @@ describe('repository', () => { Resources: { Repo02AC86CF: { Type: 'AWS::ECR::Repository', + Properties: { + ImageScanningConfiguration: { + ScanOnPush: false, + }, + }, DeletionPolicy: 'Retain', UpdateReplacePolicy: 'Retain', }, diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/ec2-task-definition.test.ts b/packages/@aws-cdk/aws-ecs/test/ec2/ec2-task-definition.test.ts index eeb20435d2cab..e28e91d9cf715 100644 --- a/packages/@aws-cdk/aws-ecs/test/ec2/ec2-task-definition.test.ts +++ b/packages/@aws-cdk/aws-ecs/test/ec2/ec2-task-definition.test.ts @@ -465,6 +465,9 @@ describe('ec2 task definition', () => { // THEN Template.fromStack(stack).hasResourceProperties('AWS::ECR::Repository', { + ImageScanningConfiguration: { + ScanOnPush: false, + }, LifecyclePolicy: { // eslint-disable-next-line max-len LifecyclePolicyText: '{"rules":[{"rulePriority":10,"selection":{"tagStatus":"tagged","tagPrefixList":["abc"],"countType":"imageCountMoreThan","countNumber":1},"action":{"type":"expire"}}]}', @@ -687,7 +690,11 @@ describe('ec2 task definition', () => { }); // THEN - Template.fromStack(stack).hasResourceProperties('AWS::ECR::Repository', {}); + Template.fromStack(stack).hasResourceProperties('AWS::ECR::Repository', { + ImageScanningConfiguration: { + ScanOnPush: false, + }, + }); }); diff --git a/packages/@aws-cdk/aws-ecs/test/external/external-task-definition.test.ts b/packages/@aws-cdk/aws-ecs/test/external/external-task-definition.test.ts index 756569d405d6d..496f82f953caa 100644 --- a/packages/@aws-cdk/aws-ecs/test/external/external-task-definition.test.ts +++ b/packages/@aws-cdk/aws-ecs/test/external/external-task-definition.test.ts 
@@ -356,6 +356,9 @@ describe('external task definition', () => { // THEN Template.fromStack(stack).hasResourceProperties('AWS::ECR::Repository', { + ImageScanningConfiguration: { + ScanOnPush: false, + }, LifecyclePolicy: { // eslint-disable-next-line max-len LifecyclePolicyText: '{"rules":[{"rulePriority":10,"selection":{"tagStatus":"tagged","tagPrefixList":["abc"],"countType":"imageCountMoreThan","countNumber":1},"action":{"type":"expire"}}]}', @@ -587,7 +590,11 @@ describe('external task definition', () => { }); // THEN - Template.fromStack(stack).hasResourceProperties('AWS::ECR::Repository', {}); + Template.fromStack(stack).hasResourceProperties('AWS::ECR::Repository', { + ImageScanningConfiguration: { + ScanOnPush: false, + }, + }); });