
ecr: grant methods cause circular references in generated templates #2473

Closed
Labels: @aws-cdk/aws-ecs (Related to Amazon Elastic Container), bug (This issue is a bug.)

Comments

otterley (Contributor) commented May 3, 2019

The grant* methods on the ecr.Repository class incorrectly add self-references to the repository's policies, leading to a circular reference error.

Example code (imports and the CodeBuild service principal added so the snippet stands on its own; `this` is the enclosing stack and `props.repoName` comes from the stack props):

```ts
import * as ecr from '@aws-cdk/aws-ecr';
import * as iam from '@aws-cdk/aws-iam';
const repo = new ecr.Repository(this, 'TestHarnessRepo', {
    repositoryName: props.repoName,
});
const principal = new iam.ServicePrincipal('codebuild.amazonaws.com');
repo.grantPull(principal); // adds a policy statement whose Resource is the repo's own ARN
```

Rendered template (in relevant part):

```yaml
TestHarnessRepoAA7E9724:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: codebuild-inspec-test-harness
      RepositoryPolicyText:
        Statement:
          - Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:BatchGetImage
            Effect: Allow
            Principal:
              Service:
                Fn::Join:
                  - ""
                  - - codebuild.
                    - Ref: AWS::URLSuffix
            Resource:
              Fn::GetAtt:
                - TestHarnessRepoAA7E9724 # !!!! this is the problem
                - Arn
```

ECR repository policies do not require resources to be defined (or they can be set to *) -- see the documentation for examples.
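As an added example (not code from this issue or from the CDK project), the following check walks a synthesized CloudFormation template and flags any `AWS::ECR::Repository` whose own `RepositoryPolicyText` points back at its logical id through `Ref` or `Fn::GetAtt`, which is exactly the self-reference in the template above and the shape CloudFormation rejects as circular. The template literal is constructed from that fragment; the same repository with `Resource: "*"` (the form the fix converges on) is not flagged.

```typescript
// Added example (not from the CDK project): scan a synthesized CloudFormation template for
// ECR repositories whose own RepositoryPolicyText refers back to the repository via Ref/Fn::GetAtt.
type CfnResource = { Type: string; Properties?: { [key: string]: unknown } };
type Template = { Resources: { [logicalId: string]: CfnResource } };

// Collect every logical id referenced through Ref or Fn::GetAtt anywhere under value.
function referencedLogicalIds(value: unknown, out: string[] = []): string[] {
  if (Array.isArray(value)) {
    for (const item of value) referencedLogicalIds(item, out);
  } else if (value !== null && typeof value === 'object') {
    const obj = value as { [key: string]: unknown };
    if (typeof obj['Ref'] === 'string') out.push(obj['Ref'] as string);
    const getAtt = obj['Fn::GetAtt'];
    if (Array.isArray(getAtt) && typeof getAtt[0] === 'string') out.push(getAtt[0]);
    for (const key of Object.keys(obj)) referencedLogicalIds(obj[key], out);
  }
  return out;
}

// Logical ids of ECR repositories whose policy document points at themselves.
function findSelfReferencingRepoPolicies(template: Template): string[] {
  const hits: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::ECR::Repository') continue;
    const policy = res.Properties && res.Properties['RepositoryPolicyText'];
    if (policy && referencedLogicalIds(policy).indexOf(id) !== -1) hits.push(id);
  }
  return hits;
}

// Constructed sample mirroring the template fragment in the issue (not real synth output).
const sampleTemplate: Template = {
  Resources: {
    TestHarnessRepoAA7E9724: {
      Type: 'AWS::ECR::Repository',
      Properties: {
        RepositoryName: 'codebuild-inspec-test-harness',
        RepositoryPolicyText: {
          Statement: [{
            Action: ['ecr:BatchCheckLayerAvailability', 'ecr:GetDownloadUrlForLayer', 'ecr:BatchGetImage'],
            Effect: 'Allow',
            Principal: { Service: { 'Fn::Join': ['', ['codebuild.', { Ref: 'AWS::URLSuffix' }]] } },
            Resource: { 'Fn::GetAtt': ['TestHarnessRepoAA7E9724', 'Arn'] }, // the self-reference; '*' is the fix
          }],
        },
      },
    },
  },
};
```

Running the check over `cdk synth` output before deploying catches the circular reference without waiting for CloudFormation to reject the stack.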

@otterley otterley added the bug This issue is a bug. label May 3, 2019
@otterley otterley changed the title ecr: grant methods cause circular references in generate template ecr: grant methods cause circular references in generated templates May 3, 2019
otterley (Contributor, Author) commented May 3, 2019

A workaround for the moment is to use the addToResourcePolicy method on the repo instead.

@RomainMuller RomainMuller added the @aws-cdk/aws-ecs Related to Amazon Elastic Container label Jun 26, 2019
rix0rrr added a commit that referenced this issue Jul 5, 2019
When granting to a cross-account principal the repository would
use a self-reference to obtain the right ARN to use in its own
resource policy, which can obviously never work.

The solution is to use a '*' resource ARN.

Fixes #2473.
eladb pushed a commit that referenced this issue Jul 7, 2019