aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

ECR Repository Manually Added Policy Removed After CloudFormation Update #1962

Status: Closed (vandem9 closed this 3 months ago)

vandem9 commented 4 months ago

Name of the resource

AWS::ECR::Repository

Resource Name

No response

Issue Description

When a policy is manually added to an Amazon ECR repository, it is unexpectedly removed after making an unrelated update to the repository through AWS CloudFormation (for example changing a tag value). This issue does not occur with other AWS services (e.g., S3), where manually added policies remain intact after similar CloudFormation updates.

Expected Behavior

The manually added policy on the ECR repository should remain intact after unrelated updates through CloudFormation, similar to the behaviour observed with other AWS resources like S3 buckets.

Observed Behavior

The manually added policy on the ECR repository is removed after an unrelated update through CloudFormation.

This issue may lead to unintended access control changes, affecting the security and compliance of the ECR repository. Users relying on manual policies for specific access control requirements might find their settings reverted unexpectedly, potentially leading to unauthorized access or broken workflows.

Test Cases

Steps to Reproduce:

  1. Create an ECR repository using AWS CloudFormation without specifying a policy in the template.

  2. Manually add a policy to the ECR repository through the AWS Management Console or AWS CLI.

  3. Check the CloudFormation stack drift status, which shows no drift.

  4. Trigger a change on the ECR repository using CloudFormation, such as changing a tag value. This change does not involve the repository's policy.

  5. Review the CloudFormation change set, which indicates that only the tag value is changing.

  6. Execute the CloudFormation stack update.

  7. After the update is complete, check the ECR repository and observe that the manually added policy has been removed.

Screenshots attached to the issue (images not reproduced here; captions only):

  1. cfn-ecr-template: CloudFormation template with the ECR repository and no policy

  2. cfn-ecr-create-complete: creation of the CloudFormation stack complete

  3. ecr-set-policy: manually add a policy to the ECR repository

  4. drift-result: check the CloudFormation stack for drift

  5. cfn-template-with-change: make a change in the CloudFormation template (different tag value)

  6. cfn-changeset: check the change set

  7. cfn-update-of-change-complete: CloudFormation update complete

  8. ecr-empty-policy-result: ECR repository policy gone

Other Details

No response

jinsanz commented 3 months ago

This is the expected resource update behavior. When you change an AWS::ECR::Repository resource, it will trigger an update to the entire resource. If the repositoryPolicy is empty, then ECR will delete any existing repositoryPolicy. If the repositoryPolicy is non-empty, then ECR will set it to the new repositoryPolicy. It's generally good practice to not manually change a resource that's managed by CFN, since CFN does not know the resource has changed, and hence the change set diff will not be accurate.
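The reproduction steps in the issue and the explanation in the comment above describe the same mechanism: on update CloudFormation sends the whole AWS::ECR::Repository resource, so a policy that is not declared in the template's RepositoryPolicyText property is deleted. The following Python check is an added example, not code from this issue or from AWS. It compares the policy declared in a template against the live repository policy and reports what the next update will do, and shows the fix of declaring the live policy in the template so CloudFormation owns it. The template, the policy, the account ID and the role name are constructed placeholders; fetching the live policy with boto3 (ecr.get_repository_policy) is described in a comment but not performed, so the block runs offline.

```python
"""
Pre-update check for the failure mode in this issue: an ECR repository
policy attached by hand, absent from the CloudFormation template, that
the next stack update will silently remove.
"""
import copy
import json

# Constructed sample: a template that declares the repository without
# RepositoryPolicyText, which is the situation in the bug report.
TEMPLATE_WITHOUT_POLICY = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppRepo": {
            "Type": "AWS::ECR::Repository",
            "Properties": {
                "RepositoryName": "example-app",
                "Tags": [{"Key": "Env", "Value": "dev"}],
            },
        }
    },
}

# Constructed sample: the policy an operator attached manually with
# `aws ecr set-repository-policy` (account ID and role are placeholders).
LIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPullFromCI",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-pull"},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
    }],
}


def canonical(policy):
    """Normalize a policy (dict or JSON string) so equivalent documents compare equal."""
    if policy is None:
        return None
    if isinstance(policy, str):
        policy = json.loads(policy)
    return json.dumps(policy, sort_keys=True, separators=(",", ":"))


def ecr_repositories(template):
    """Yield (logical_id, properties) for every AWS::ECR::Repository in a template."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::ECR::Repository":
            yield logical_id, res.get("Properties", {})


def classify(template_policy, live_policy):
    """
    Say what the next stack update does to the live policy. CloudFormation
    sends the whole resource: an absent RepositoryPolicyText deletes the
    live policy, a differing one replaces it, an equal one is a no-op.
    """
    tmpl, live = canonical(template_policy), canonical(live_policy)
    if live is None:
        return "no-live-policy"
    if tmpl is None:
        return "policy-will-be-deleted"
    if tmpl != live:
        return "policy-will-be-replaced"
    return "in-sync"


def check_stack(template, live_policies):
    """
    live_policies maps logical ID -> live policy document (dict, JSON string
    or None). In a real run it would be filled from boto3's
    ecr.get_repository_policy(repositoryName=...)["policyText"] (assumed
    usage, not executed here). Returns {logical_id: classification}.
    """
    return {
        logical_id: classify(props.get("RepositoryPolicyText"),
                             live_policies.get(logical_id))
        for logical_id, props in ecr_repositories(template)
    }


def with_policy_in_template(template, logical_id, policy):
    """Return a copy of the template declaring the policy, so CloudFormation owns it."""
    fixed = copy.deepcopy(template)
    fixed["Resources"][logical_id]["Properties"]["RepositoryPolicyText"] = policy
    return fixed


if __name__ == "__main__":
    print(check_stack(TEMPLATE_WITHOUT_POLICY, {"AppRepo": LIVE_POLICY}))
    fixed = with_policy_in_template(TEMPLATE_WITHOUT_POLICY, "AppRepo", LIVE_POLICY)
    print(check_stack(fixed, {"AppRepo": LIVE_POLICY}))
```

Run the check before executing a change set: a "policy-will-be-deleted" result on any repository is exactly the case in this issue, and the change set itself will not show it. One caveat when comparing against a live policy fetched from ECR: the service returns the policy as a JSON string and may normalize it, so a "policy-will-be-replaced" result can be a formatting difference rather than a semantic one; inspect the two documents before treating it as a finding.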

vandem9 commented 3 months ago

@jinsanz

> This is the expected resource update behavior. When you change an AWS::ECR::Repository resource, it will trigger an update to the entire resource. If the repositoryPolicy is empty, then ECR will delete any existing repositoryPolicy. If the repositoryPolicy is non-empty, then ECR will set it to the new repositoryPolicy. It's generally good practice to not manually change a resource that's managed by CFN, since CFN does not know the resource has changed, and hence the change set diff will not be accurate.

Shouldn't this at least be visible in Cloudformation drift detection that a policy has been added to the ECR?

jinsanz commented 3 months ago

The ECR repository resource currently does not support drift detection: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html?icmpid=docs_cfn_console

There's a GitHub issue open for it: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1673