Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-ecr): repository automatically adds imageScanningConfiguration even when imageScanOnPush is undefined #19918

Closed
tiefps opened this issue Apr 14, 2022 · 4 comments · Fixed by #19940
Closed

(aws-ecr): repository automatically adds imageScanningConfiguration even when imageScanOnPush is undefined #19918

tiefps opened this issue Apr 14, 2022 · 4 comments · Fixed by #19940
Assignees
@madeline-k
Labels
@aws-cdk/aws-ecr Related to Amazon Elastic Container Registry bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@tiefps
Copy link
Contributor

tiefps commented Apr 14, 2022
edited

Describe the bug

Hi CDK team,

A recent change to Repository started automatically adding ImageScanningConfiguration to the generated CloudFormation for AWS::ECR::Repository even when scanOnPush is undefined. This property is not supported in all regions (e.g. us-iso-east-1) and causes CloudFormation deployments to fail on the unrecognized property.

Line in question:

aws-cdk/packages/@aws-cdk/aws-ecr/lib/repository.ts

Line 537 in d0ace8f

imageScanningConfiguration: props.imageScanOnPush ? { scanOnPush: true } : { scanOnPush: false },

Suggested logic:

imageScanningConfiguration: props.imageScanOnPush === undefined ? undefined : { scanOnPush: props.imageScanOnPush },

The current workaround is to remove that property via escape hatch, however customers only know to do this after the deployment has already failed which is far from ideal.

const cfnRepo = somRepository.node.defaultChild as CfnRepository;
cfnRepo.addPropertyDeletionOverride('ImageScanningConfiguration');

Expected Behavior

ImageScanningConfiguration property is only added to AWS::ECR::Repository when scanOnPush is explicitly defined.

Current Behavior

ImageScanningConfiguration is always added even for unsupported regions.

Reproduction Steps

// Note: imageScanOnPush is not being set
const repo = new Repository(this, 'SomeRepo', {});

Possible Solution

(untested) Change the line to:

imageScanningConfiguration: props.imageScanOnPush === undefined ? undefined : { scanOnPush: props.imageScanOnPush },

Additional Information/Context

No response

CDK CLI Version

2.18.0 (build 75c90fa)

Framework Version

No response

Node.js Version

node-v14.19.1

OS

MacOS

Language

Typescript

Language Version

No response

Other information

No response
@tiefps tiefps added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 14, 2022
@github-actions github-actions bot added the @aws-cdk/aws-ecr Related to Amazon Elastic Container Registry label Apr 14, 2022
@tiefps tiefps changed the title (aws-ecr): repository automatically adds imageScanningConfiguration even when scanOnPush is undefined (aws-ecr): repository automatically adds imageScanningConfiguration even when imageScanOnPush is undefined Apr 14, 2022
@peterwoodworth
Copy link
Contributor

We actually added this line of code because of this bug where setting it to false can do nothing. I hadn't considered that regions might not support this property unfortunately... Or else your proposed fix would've been perfectly fine as well. (How it worked before is if you explicitly set it to false then the property would still be undefined)

I think changing this to your proposed solution would work, or maybe there's something we could do with the region-info package. If we go forward with your proposed solution I don't think there are any downsides, except that we will be removing a property that effectively does nothing from customer templates.

@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Apr 15, 2022
@peterwoodworth peterwoodworth mentioned this issue Apr 15, 2022
Merged
4 tasks
@tiefps
Copy link
Contributor Author

tiefps commented Apr 16, 2022

I edited my comment to fix the possible solution. My original suggestion wasn't correct.

@peterwoodworth
Copy link
Contributor

You're right, I'll fix that up and add a test to verify functionality works as expected

@mergify mergify bot closed this as completed in #19940 Apr 20, 2022
mergify bot pushed a commit that referenced this issue Apr 20, 2022
@peterwoodworth
fix(ecr): scanOnPush not supported in certain regions (#19940)
2ff3143 
fixes #19918 

----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

StevePotter pushed a commit to StevePotter/aws-cdk that referenced this issue Apr 27, 2022
@peterwoodworth
fix(ecr): scanOnPush not supported in certain regions (aws#19940)
3c944c7 
fixes aws#19918 

----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@madeline-k madeline-k

Labels
@aws-cdk/aws-ecr Related to Amazon Elastic Container Registry bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(ecr): scanOnPush not supported in certain regions aws/aws-cdk
3 participants
@peterwoodworth @tiefps @madeline-k