Closed vandem9 closed 3 months ago
This is the expected resource update behavior. When you change an AWS::ECR::Repository resource, it will trigger an update to the entire resource. If the repositoryPolicy is empty, then ECR will delete any existing repositoryPolicy. If the repositoryPolicy is non-empty, then ECR will set it to the new repositoryPolicy. It's generally good practice to not manually change a resource that's managed by CFN, since CFN does not know the resource has changed, and hence the change set diff will not be accurate.
@jinsanz
Shouldn't it at least be visible in CloudFormation drift detection that a policy has been added to the ECR repository?
The ECR repository resource currently does not support drift detection: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html?icmpid=docs_cfn_console
There's a GitHub issue open for it: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1673
Name of the resource: AWS::ECR::Repository
Resource Name: No response
Issue Description
When a policy is manually added to an Amazon ECR repository, it is unexpectedly removed after making an unrelated update to the repository through AWS CloudFormation (for example changing a tag value). This issue does not occur with other AWS services (e.g., S3), where manually added policies remain intact after similar CloudFormation updates.
Expected Behavior
The manually added policy on the ECR repository should remain intact after unrelated updates through CloudFormation, similar to the behaviour observed with other AWS resources like S3 buckets.
Observed Behavior
The manually added policy on the ECR repository is removed after an unrelated update through CloudFormation.
This issue may lead to unintended access control changes, affecting the security and compliance of the ECR repository. Users relying on manual policies for specific access control requirements might find their settings reverted unexpectedly, potentially leading to unauthorized access or broken workflows.
Test Cases
Steps to Reproduce:
1. Create an ECR repository using AWS CloudFormation without specifying a policy in the template.
2. Manually add a policy to the ECR repository through the AWS Management Console or AWS CLI.
3. Check the CloudFormation stack drift status, which shows no drift.
4. Trigger a change on the ECR repository using CloudFormation, such as changing a tag value. This change does not involve the repository's policy.
5. Review the CloudFormation change set, which indicates that only the tag value is changing.
6. Execute the CloudFormation stack update.
7. After the update is complete, check the ECR repository and observe that the manually added policy has been removed.
Screenshots (captions only; images not included):
- CloudFormation template with ECR repository and no policy
- Creation of CloudFormation stack complete
- Manually add policy to ECR repository
- Check CloudFormation stack for drift
- Make a change in the CloudFormation template (different tag value)
- Check the change set
- CloudFormation update complete
- ECR repository policy gone
Other Details: No response
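The update behaviour explained in the comments above (an empty RepositoryPolicyText deletes the live policy, a non-empty one overwrites it) and the reproduction steps in the issue body suggest a check to run before executing a change set, since drift detection will not flag the manually added policy. The following is an added example, not code from this issue, from CloudFormation or from ECR: it compares the RepositoryPolicyText a template declares against the live repository policy and reports what the next stack update would do to it. The function name classify_policy_drift and the sample policy (account 111122223333) are constructed for this example.

```python
import json
from typing import Any, Optional

# Pre-update check for the behaviour described in this issue: a repository
# policy added outside CloudFormation is replaced on the next update of the
# AWS::ECR::Repository resource (or deleted when the template declares none),
# and drift detection does not report it. Compare the template's
# RepositoryPolicyText against the live policy before executing a change set.

def _normalize(policy: Any) -> Optional[dict]:
    """Parse a policy given as JSON text or dict into a canonical dict.
    Returns None for an absent/empty policy. A single Statement object is
    wrapped in a list so the dict and list forms compare equal."""
    if policy is None or policy == "":
        return None
    doc = json.loads(policy) if isinstance(policy, str) else json.loads(json.dumps(policy))
    if isinstance(doc.get("Statement"), dict):
        doc["Statement"] = [doc["Statement"]]
    return doc

def classify_policy_drift(template_policy: Any, live_policy: Any) -> str:
    """Return what the next stack update would do to the live policy:
      'in-sync'         template and live policy are equivalent
      'will-delete'     template declares no policy; a live policy exists
      'will-overwrite'  template declares a policy that differs from live
      'will-create'     template declares a policy; none is live yet
    """
    tmpl, live = _normalize(template_policy), _normalize(live_policy)
    if tmpl is None and live is None:
        return "in-sync"
    if tmpl is None:
        return "will-delete"
    if live is None:
        return "will-create"
    # Sorted-key serialisation so key order and whitespace do not matter.
    same = json.dumps(tmpl, sort_keys=True) == json.dumps(live, sort_keys=True)
    return "in-sync" if same else "will-overwrite"

# Constructed sample input reproducing the issue: the template omits
# RepositoryPolicyText, but a policy was added manually via console/CLI.
TEMPLATE_REPOSITORY_POLICY_TEXT = None  # property omitted in the template
LIVE_POLICY_TEXT = """{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AllowPullFromAccount",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
  }
}"""

if __name__ == "__main__":
    print(classify_policy_drift(TEMPLATE_REPOSITORY_POLICY_TEXT, LIVE_POLICY_TEXT))  # will-delete
```

In practice the live policy is the policyText field returned by `aws ecr get-repository-policy --repository-name NAME`, and the template side is the resource's RepositoryPolicyText property (None when omitted); a result of will-delete or will-overwrite means the change set will alter access control the diff does not show.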