
[BugFix] Explicitly set the policy for ECR private repo to prevent policy removal on stack update impacting Lambda function #373

Merged

Conversation

gmarciani
Collaborator

@gmarciani gmarciani commented Nov 15, 2024

Description

Explicitly set the policy for ECR private repo to prevent policy removal on stack update impacting Lambda function.
The minimum set of permissions required by Lambda to fetch the code from the repository is:

  • ecr:BatchGetImage
  • ecr:GetDownloadUrlForLayer

However, Lambda sets the policy with the below extra permissions when the policy is not set (current behavior on stack create):

  • ecr:DeleteRepositoryPolicy
  • ecr:GetRepositoryPolicy
  • ecr:SetRepositoryPolicy

So we decided to go with the permissions currently set by Lambda to prevent impacts.
We will restrict the permissions once Lambda confirms that they are enough.

How Has This Been Tested?

Deployed in personal account and verified that:

  1. ECR repo policy is retained across stack updates
  2. Lambda is fully functional before and after stack updates

References

  1. https://docs.aws.amazon.com/lambda/latest/dg/images-create.html

PR Quality Checklist

  • I added tests to new or existing code
  • I removed hardcoded strings and used react-i18next library (useTranslation hook and/or Trans component), see an example here
  • I made sure no sensitive info gets logged at any time in the codebase (see here) (e.g. no user info or details, no stacktraces, etc.)
  • I made sure that any GitHub issue solved by this PR is correctly linked
  • I checked that infrastructure/update_infrastructure.sh runs without any error
  • I checked that npm run build builds without any error
  • I checked that clusters are listed correctly
  • I checked that a new cluster can be created (config is produced and dry run passes)
  • I checked that login and logout work as expected

In order to increase the likelihood of your contribution being accepted, please make sure you have read both the Contributing Guidelines and the Project Guidelines

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
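The description above lists the two actions Lambda needs to pull an image from a private ECR repository and the three extra actions Lambda writes into the repository policy itself when no policy is set. The following is an added example, not code from this PR or from the project: it builds an explicit repository policy document for the Lambda service principal and checks an arbitrary policy for the minimum set, so a stack update that drops or rewrites the policy can be caught before the function fails to fetch its code. The `aws:SourceArn` condition, the `Sid`, and the function ARN are assumptions of this example; the PR does not state how the project scopes the statement.

```python
import json
from fnmatch import fnmatchcase

# Minimum actions Lambda needs to fetch an image from a private ECR repository
# (as listed in the PR description and the linked Lambda documentation).
MINIMUM_ACTIONS = frozenset({"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"})

# Extra actions Lambda adds on its own when it writes the policy on first use.
LAMBDA_EXTRA_ACTIONS = frozenset({
    "ecr:DeleteRepositoryPolicy",
    "ecr:GetRepositoryPolicy",
    "ecr:SetRepositoryPolicy",
})

LAMBDA_PRINCIPAL = "lambda.amazonaws.com"


def build_repository_policy(function_arn, actions=None):
    """Return an ECR repository policy granting the Lambda service the given
    actions (default: the full set Lambda currently writes, as the PR chose).

    Assumption of this example: the statement is scoped with aws:SourceArn to
    one function ARN so that only that function can use the grant."""
    chosen = actions if actions is not None else MINIMUM_ACTIONS | LAMBDA_EXTRA_ACTIONS
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "LambdaECRImageRetrievalPolicy",  # hypothetical statement id
            "Effect": "Allow",
            "Principal": {"Service": LAMBDA_PRINCIPAL},
            "Action": sorted(chosen),
            "Condition": {"StringLike": {"aws:SourceArn": function_arn}},
        }],
    }


def _as_list(value):
    """IAM allows scalar or list for Statement, Action and Service."""
    return value if isinstance(value, list) else [value]


def actions_granted_to(policy, service_principal):
    """Collect action patterns that Allow statements grant to a service principal."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal == "*" or service_principal in services:
            granted.update(_as_list(stmt.get("Action", [])))
    return granted


def missing_lambda_permissions(policy):
    """Actions from the minimum set that the policy does not grant to Lambda.

    Action matching is case-insensitive and honours wildcards (e.g. "ecr:*"),
    as IAM does. An empty result means an image-based function can still
    fetch its code from the repository."""
    patterns = [p.lower() for p in actions_granted_to(policy, LAMBDA_PRINCIPAL)]
    return {
        action for action in MINIMUM_ACTIONS
        if not any(fnmatchcase(action.lower(), pattern) for pattern in patterns)
    }


if __name__ == "__main__":
    # Constructed function ARN; not taken from the project.
    arn = "arn:aws:lambda:us-east-1:123456789012:function:example-pcui-function"
    policy = build_repository_policy(arn)
    print(json.dumps(policy, indent=2))
    print("missing:", missing_lambda_permissions(policy))
```

Running the check against the policy a stack actually produced (for example the output of `aws ecr get-repository-policy`) before and after an update is a cheap regression test for the failure mode this PR fixes: a non-empty result means the update removed a grant the function depends on.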

@gmarciani gmarciani changed the title Wip/mgiacomo/2024.12.0/fix update 1115 1 [BugFix] Explicitly set the policy for ECR private repo so prevent policy removal on stack update impacting Lambda function Nov 15, 2024
@gmarciani gmarciani force-pushed the wip/mgiacomo/2024.12.0/fix-update-1115-1 branch 2 times, most recently from 75d2086 to 41983bb Compare November 15, 2024 12:27
to prevent policy removal on stack update, which is
potentially impacting the PCUI Lambda function.
@gmarciani gmarciani force-pushed the wip/mgiacomo/2024.12.0/fix-update-1115-1 branch from 41983bb to a513876 Compare November 15, 2024 12:28
@gmarciani gmarciani marked this pull request as ready for review November 15, 2024 12:30
@gmarciani gmarciani merged commit 33a2233 into aws:main Nov 15, 2024
2 checks passed
@gmarciani gmarciani deleted the wip/mgiacomo/2024.12.0/fix-update-1115-1 branch November 21, 2024 11:05