From 33a2233af5d835aa6eb960a905a874a67776face Mon Sep 17 00:00:00 2001
From: Giacomo Marciani
Date: Fri, 15 Nov 2024 12:27:37 +0100
Subject: [PATCH] [BugFix] Explicitly set the policy for ECR private repo to prevent policy removal on stack update, which is potentially impacting the PCUI Lambda function.

---
 infrastructure/parallelcluster-ui.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/infrastructure/parallelcluster-ui.yaml b/infrastructure/parallelcluster-ui.yaml
index 7abb3337..1b9bea93 100644
--- a/infrastructure/parallelcluster-ui.yaml
+++ b/infrastructure/parallelcluster-ui.yaml
@@ -562,6 +562,30 @@ Resources:
 RepositoryName: !Sub
 - 'parallelcluster-ui-${StackIdSuffix}'
 - { StackIdSuffix: !Select [2, !Split ['/', !Ref 'AWS::StackId']] }
+RepositoryPolicyText:
+Version: 2012-10-17
+Statement:
+- Sid: ReadEcrImages
+Effect: Allow
+Principal:
+Service: !Sub lambda.${AWS::URLSuffix}
+Action:
+- ecr:BatchGetImage
+- ecr:GetDownloadUrlForLayer
+Condition:
+StringLike:
+aws:SourceArn: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*
+- Sid: ReadWriteEcrPolicy
+Effect: Allow
+Principal:
+Service: !Sub lambda.${AWS::URLSuffix}
+Action:
+- ecr:DeleteRepositoryPolicy
+- ecr:GetRepositoryPolicy
+- ecr:SetRepositoryPolicy
+Condition:
+StringLike:
+aws:SourceArn: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*
 ImageBuilderInstanceRole:
 Type: AWS::IAM::Role
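Review bot: The `ReadWriteEcrPolicy` statement grants the Lambda service principal `ecr:SetRepositoryPolicy` and `ecr:DeleteRepositoryPolicy` for any function in the account (`aws:SourceArn` ends in `function:*`), so the policy this patch pins in the template can still be rewritten or removed at runtime by a function create/update that references this image, and CloudFormation will not detect that drift on its own. If the intent is only to keep the Lambda service able to reconcile the policy it manages for container-image functions, say so above the statement, e.g. `# Lambda rewrites this policy when a function is created from this image; keep these actions so it can reconcile it`, and, where the image-to-function circular dependency does not prevent it, narrow `aws:SourceArn` in both statements from `function:*` to the PCUI function's ARN. Unquoted `Version: 2012-10-17` is read as a YAML timestamp by some tooling; `Version: '2012-10-17'` avoids that. The enclosing ECR repository resource starts outside the hunk.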