fix(bootstrap): rebootstrap breaks container Functions

Container Functions automatically add a policy to an ECR repository to allow Lambda to pull from it; however, when the ECR repository is rebootstrapped and has changed, the policy might be overwritten. Add the policy to the bootstrap stack, so we don't have to rely on Lambda to add it and it will survive rebootstraps. This introduces version 11 of the bootstrap stack. You do not need to upgrade to this version unless you are affected by this issue. Fixes #18473.
aws · Mar 17, 2022 · 910481c · 910481c
1 parent 16d293d
commit 910481c
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -209,6 +209,20 @@ Resources:
           - HasCustomContainerAssetsRepositoryName
           - Fn::Sub: "${ContainerAssetsRepositoryName}"
           - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region}
+      RepositoryPolicyText:
+        Version: "2008-10-17"
+        Statement:
+          # Necessary for Lambda container images
+          # https://docs.aws.amazon.com/lambda/latest/dg/configuration-images.html#configuration-images-permissions
+          - Sid: LambdaECRImageRetrievalPolicy
+            Effect: Allow
+            Principal: { Service: "lambda.amazonaws.com" }
+            Action:
+              - ecr:BatchGetImage
+              - ecr:GetDownloadUrlForLayer
+            Condition:
+              StringLike:
+                "aws:sourceArn": { "Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*" }
   FilePublishingRole:
     Type: AWS::IAM::Role
     Properties:
@@ -493,7 +507,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '10'
+      Value: '11'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack