[BugFix] Explicitly set the policy for ECR private repo

to prevent policy removal on stack update, which is potentially impacting the PCUI Lambda function.
aws · Nov 15, 2024 · 33a2233 · 33a2233
1 parent 5e935a7
commit 33a2233
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/infrastructure/parallelcluster-ui.yaml b/infrastructure/parallelcluster-ui.yaml
@@ -562,6 +562,30 @@ Resources:
       RepositoryName: !Sub
         - 'parallelcluster-ui-${StackIdSuffix}'
         - { StackIdSuffix: !Select [2, !Split ['/', !Ref 'AWS::StackId']] }
+      RepositoryPolicyText:
+        Version: 2012-10-17
+        Statement:
+          - Sid: ReadEcrImages
+            Effect: Allow
+            Principal:
+              Service: !Sub lambda.${AWS::URLSuffix}
+            Action:
+              - ecr:BatchGetImage
+              - ecr:GetDownloadUrlForLayer
+            Condition:
+              StringLike:
+                aws:SourceArn: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*
+          - Sid: ReadWriteEcrPolicy
+            Effect: Allow
+            Principal:
+              Service: !Sub lambda.${AWS::URLSuffix}
+            Action:
+              - ecr:DeleteRepositoryPolicy
+              - ecr:GetRepositoryPolicy
+              - ecr:SetRepositoryPolicy
+            Condition:
+              StringLike:
+                aws:SourceArn: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*
 
   ImageBuilderInstanceRole:
     Type: AWS::IAM::Role