feat(ecr): add imageTagMutability prop (#10557)

ap00rv · web-flow · commit c4dc3bce0279 · 2021-03-09T18:58:52.000Z
This property allows setting tag mutability on ECR repositoes. Tag mutability is useful to ensure image integrity and can prevent supply chain attacks. Closes #4640 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-ecr/README.md b/packages/@aws-cdk/aws-ecr/README.md
@@ -74,6 +74,14 @@ ecr.PublicGalleryAuthorizationToken.grantRead(user);
 
 This user can then proceed to login to the registry using one of the [authentication methods](https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth).
 
+### Image tag immutability
+
+You can set tag immutability on images in our repository using the `imageTagMutability` construct prop.
+
+```ts
+new ecr.Repository(stack, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });
+```
+
 ## Automatically clean up repositories
 
 You can set life cycle rules to automatically clean up old images from your
diff --git a/packages/@aws-cdk/aws-ecr/lib/repository.ts b/packages/@aws-cdk/aws-ecr/lib/repository.ts
@@ -354,6 +354,13 @@ export interface RepositoryProps {
    *  @default false
    */
   readonly imageScanOnPush?: boolean;
+
+  /**
+   * The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten.
+   *
+   *  @default TagMutability.MUTABLE
+   */
+  readonly imageTagMutability?: TagMutability;
 }
 
 export interface RepositoryAttributes {
@@ -452,6 +459,7 @@ export class Repository extends RepositoryBase {
       imageScanningConfiguration: !props.imageScanOnPush ? undefined : {
         ScanOnPush: true,
       },
+      imageTagMutability: props.imageTagMutability || undefined,
     });
 
     resource.applyRemovalPolicy(props.removalPolicy);
@@ -610,3 +618,19 @@ const enum CountType {
    */
   SINCE_IMAGE_PUSHED = 'sinceImagePushed',
 }
+
+/**
+ * The tag mutability setting for your repository.
+ */
+export enum TagMutability {
+  /**
+   * allow image tags to be overwritten.
+   */
+  MUTABLE = 'MUTABLE',
+
+  /**
+   * all image tags within the repository will be immutable which will prevent them from being overwritten.
+   */
+  IMMUTABLE = 'IMMUTABLE',
+
+}
diff --git a/packages/@aws-cdk/aws-ecr/package.json b/packages/@aws-cdk/aws-ecr/package.json
@@ -103,6 +103,7 @@
       "import:@aws-cdk/aws-ecr.Repository",
       "construct-base-is-private:@aws-cdk/aws-ecr.RepositoryBase",
       "docs-public-apis:@aws-cdk/aws-ecr.Repository.fromRepositoryArn",
+      "docs-public-apis:@aws-cdk/aws-ecr.Repository.imageTagMutability",
       "docs-public-apis:@aws-cdk/aws-ecr.Repository.fromRepositoryName",
       "props-default-doc:@aws-cdk/aws-ecr.LifecycleRule.maxImageAge",
       "props-default-doc:@aws-cdk/aws-ecr.LifecycleRule.maxImageCount",
diff --git a/packages/@aws-cdk/aws-ecr/test/test.repository.ts b/packages/@aws-cdk/aws-ecr/test/test.repository.ts
@@ -63,6 +63,20 @@ export = {
     test.done();
   },
 
+
+  'image tag mutability can be set'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    new ecr.Repository(stack, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::ECR::Repository', {
+      ImageTagMutability: 'IMMUTABLE',
+    }));
+
+    test.done();
+  },
+
   'add day-based lifecycle policy'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();
