Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(ecr): (false positive policytext errors from Python since #24401) #25028

Closed
michael-k opened this issue Apr 11, 2023 · 3 comments · Fixed by #25041
Closed

(ecr): (false positive policytext errors from Python since #24401) #25028

michael-k opened this issue Apr 11, 2023 · 3 comments · Fixed by #25041
Labels
@aws-cdk/aws-ecr Related to Amazon Elastic Container Registry bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@michael-k
Copy link
Contributor

michael-k commented Apr 11, 2023
edited
Loading

Describe the bug

#24401 introduced a warning when an ECR resource policy contains resources. When adding a resource policy from Python (haven't tried other programming languages) without resources, the warning is triggered nevertheless.

Expected Behavior

No warning.

Current Behavior

False-positive warning:

[Warning at /cdk-ecr-resource-policy/Repository] ECR resource policy does not allow resource statements.

Reproduction Steps

A sample repository is here: https://github.com/michael-k/cdk-ecr-resource-policy

The warning can be seen in the GitHub Actions output here: https://github.com/michael-k/cdk-ecr-resource-policy/actions/runs/4668379710/jobs/8265393358#step:10:13

Sample code:

from aws_cdk import Stack, aws_ecr as ecr, aws_iam as iam
from constructs import Construct


class CdkEcrResourcePolicyStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        repository = ecr.Repository(
            self,
            "Repository",
        )

        repository.add_to_resource_policy(
            iam.PolicyStatement(
                sid="AllowPullFromOtherAccounts",
                actions=[
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer",
                ],
                principals=[
                    iam.AccountPrincipal("111122223333"),
                    iam.AccountPrincipal("123456789012"),
                ],
                effect=iam.Effect.ALLOW,
            )
        )

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.73.0 (build 43e681e)

Framework Version

2.73.0

Node.js Version

16

OS

Linux

Language

Python

Language Version

3.10.11

Other information

Synthesized CloudFormation template:

Resources:
  Repository22E53BBD:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryPolicyText:
        Statement:
          - Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
            Effect: Allow
            Principal:
              AWS:
                - Fn::Join:
                    - ""
                    - - "arn:"
                      - Ref: AWS::Partition
                      - :iam::111122223333:root
                - Fn::Join:
                    - ""
                    - - "arn:"
                      - Ref: AWS::Partition
                      - :iam::123456789012:root
            Sid: AllowPullFromOtherAccounts
        Version: "2012-10-17"
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: cdk-ecr-resource-policy/Repository/Resource
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
  CheckBootstrapVersion:
    Assertions:
      - Assert:
          Fn::Not:
            - Fn::Contains:
                - - "1"
                  - "2"
                  - "3"
                  - "4"
                  - "5"
                - Ref: BootstrapVersion
        AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.
@michael-k michael-k added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 11, 2023
@github-actions github-actions bot added the @aws-cdk/aws-ecr Related to Amazon Elastic Container Registry label Apr 11, 2023
@peterwoodworth
Copy link
Contributor

This checks out. Thanks for reporting!

PolicyStatement.resources always returns an array, which is truthy. This check needs to be adjusted, and we need to add a test that verifies the warning doesn't throw when it's not supposed to

@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Apr 12, 2023
@peterwoodworth peterwoodworth mentioned this issue Apr 12, 2023
Merged
@scarytom
Copy link
Contributor

I can confirm that this issue also affects the Java SDK.

@mergify mergify bot closed this as completed in #25041 Apr 12, 2023
mergify bot pushed a commit that referenced this issue Apr 12, 2023
@peterwoodworth
fix: ecr policy warning always throws (#25041)
c0c3d19 
A change recently added a warning when the policy added to a Repository resource policy. Check length of array instead of existence of array

Closes #25028 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-ecr Related to Amazon Elastic Container Registry bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: ecr policy warning always throws aws/aws-cdk
3 participants
@scarytom @michael-k @peterwoodworth