From 49ea26304760801e03dae5479ae03540eaa63f6e Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Fri, 18 Mar 2022 13:06:36 +0100
Subject: [PATCH] fix(bootstrap): rebootstrap breaks container Functions (#19446)
Container Functions automatically add a policy to an ECR repository to allow Lambda to pull from it; however, when the ECR repository is rebootstrapped and has changed, the policy might be overwritten. Add the policy to the bootstrap stack, so we don't have to rely on Lambda to add it and it will survive rebootstraps. This introduces version 11 of the bootstrap stack. You do not need to upgrade to this version unless you are affected by this issue. Fixes #18473. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../lib/api/bootstrap/bootstrap-template.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index b7871900b3a46..15d7a22f1edfd 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -209,6 +209,20 @@ Resources:
 - HasCustomContainerAssetsRepositoryName
 - Fn::Sub: "${ContainerAssetsRepositoryName}"
 - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region}
+ RepositoryPolicyText:
+ Version: "2012-10-17"
+ Statement:
+ # Necessary for Lambda container images
+ # https://docs.aws.amazon.com/lambda/latest/dg/configuration-images.html#configuration-images-permissions
+ - Sid: LambdaECRImageRetrievalPolicy
+ Effect: Allow
+ Principal: { Service: "lambda.amazonaws.com" }
+ Action:
+ - ecr:BatchGetImage
+ - ecr:GetDownloadUrlForLayer
+ Condition:
+ StringLike:
+ "aws:sourceArn": { "Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*" }
 FilePublishingRole:
 Type: AWS::IAM::Role
 Properties:
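Review bot: Setting `RepositoryPolicyText` makes the bootstrap stack the owner of the repository's whole policy document, so on the next stack update CloudFormation will replace whatever policy the repository currently has with this single statement; anything added out of band (the statement the Lambda construct used to add, or for example a cross-account pull grant an operator attached via the ECR API) is dropped rather than merged, and nothing in the hunk says so. A comment above `RepositoryPolicyText:` such as `# This stack owns the full repository policy: add further statements here, not via the ECR API, or they will be lost on rebootstrap` would make that explicit. The `aws:sourceArn` condition already pins the calling function to this partition, region and account, which is the right confused-deputy guard for a service principal; an additional `aws:SourceAccount` / `StringEquals` on `${AWS::AccountId}` would be redundant here, so it is optional. The `Principal` and `Condition` values are written in flow style while the surrounding template (the `Fn::Sub:` context lines) uses block style, so a consistent block form would read better. The enclosing repository resource starts outside the hunk, and the added lines' indentation is lost in this rendering, so the nesting of `Statement` under `RepositoryPolicyText` cannot be verified from the page.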
@@ -493,7 +507,7 @@ Resources:
 Type: String
 Name:
 Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
- Value: '10'
+ Value: '11'
 Outputs:
 BucketName:
 Description: The name of the S3 bucket owned by the CDK toolkit stack