From 910481c5a2ee4f2b04bc02bff52d1e5df57ba84c Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Thu, 17 Mar 2022 17:02:20 +0100
Subject: [PATCH 1/2] fix(bootstrap): rebootstrap breaks container Functions
Container Functions automatically add a policy to an ECR repository to allow Lambda to pull from it; however, when the ECR repository is rebootstrapped and has changed, the policy might be overwritten. Add the policy to the bootstrap stack, so we don't have to rely on Lambda to add it and it will survive rebootstraps. This introduces version 11 of the bootstrap stack. You do not need to upgrade to this version unless you are affected by this issue. Fixes #18473.
---
 .../lib/api/bootstrap/bootstrap-template.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index b7871900b3a46..3b1041c562a3a 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -209,6 +209,20 @@ Resources:
 - HasCustomContainerAssetsRepositoryName
 - Fn::Sub: "${ContainerAssetsRepositoryName}"
 - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region}
+ RepositoryPolicyText:
+ Version: "2008-10-17"
+ Statement:
+ # Necessary for Lambda container images
+ # https://docs.aws.amazon.com/lambda/latest/dg/configuration-images.html#configuration-images-permissions
+ - Sid: LambdaECRImageRetrievalPolicy
+ Effect: Allow
+ Principal: { Service: "lambda.amazonaws.com" }
+ Action:
+ - ecr:BatchGetImage
+ - ecr:GetDownloadUrlForLayer
+ Condition:
+ StringLike:
+ "aws:sourceArn": { "Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*" }
 FilePublishingRole:
 Type: AWS::IAM::Role
 Properties:
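Review bot: `RepositoryPolicyText` becomes the repository's only policy, so every re-run of bootstrap will replace whatever statements were attached to the container-assets repository out of band (for example cross-account pull grants added for other accounts), and the added stanza gives operators no hint of that. A comment above `RepositoryPolicyText:` would set expectations, e.g. `# Managed here: this policy replaces any repository policy set outside the bootstrap stack, so additional grants belong in a customized bootstrap template.` The `aws:sourceArn` condition on the `lambda.amazonaws.com` principal is what stops the grant from being usable by Lambda functions in other accounts, which deserves a one-line comment so it is not dropped as noise when the statement is next edited, e.g. `# Restrict the service principal to functions in this account/region (confused-deputy guard).` The ECR repository resource this property belongs to starts before the hunk.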
@@ -493,7 +507,7 @@ Resources:
 Type: String
 Name:
 Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
- Value: '10'
+ Value: '11'
 Outputs:
 BucketName:
 Description: The name of the S3 bucket owned by the CDK toolkit stack
From f672dad2b4357f81a9f4e56cf4f03cfd33150dda Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Thu, 17 Mar 2022 18:01:43 +0100
Subject: [PATCH 2/2] Update packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
Co-authored-by: Romain Marcadier
---
 packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index 3b1041c562a3a..15d7a22f1edfd 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -210,7 +210,7 @@ Resources:
 - Fn::Sub: "${ContainerAssetsRepositoryName}"
 - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region}
 RepositoryPolicyText:
- Version: "2008-10-17"
+ Version: "2012-10-17"
 Statement:
 # Necessary for Lambda container images
 # https://docs.aws.amazon.com/lambda/latest/dg/configuration-images.html#configuration-images-permissions
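Review bot: The policy-language version is switched to `2012-10-17` with no comment saying why, so the next person who pastes an ECR console example (which often carries `2008-10-17`) may quietly revert it. `2012-10-17` is the current IAM policy-language version and the one that supports policy variables, so pinning the intent in place is cheap: `# 2012-10-17 is the current IAM policy-language version; 2008-10-17 is the legacy one.` The `RepositoryPolicyText` mapping this line belongs to starts before the hunk and its statement list continues after it.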