From cdfa970cc3e9e507714999d42a472334720215bc Mon Sep 17 00:00:00 2001
From: Torben <8199725+tenjaa@users.noreply.github.com>
Date: Tue, 28 Mar 2023 23:26:32 +0200
Subject: [PATCH] fix(bootstrap): ECR repository produces Security Hub finding [ECR.3] because of missing lifecycle policy (#24735)

After enabling AWS Foundational Security Best Practices v1.0.0 in the security hub, I am always frustrated when I see failed checks. Similar to https://github.com/aws/aws-cdk/pull/24175 I would like to see a lifecycle rule that does not do much but at least per default resolves the finding. I know that there is an RFC for garbage collection in the works but this is a simple immediate fix.
_This is heavily inspired by https://github.com/aws/aws-cdk/pull/24175_
Closes https://github.com/aws/aws-cdk/issues/24723.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../lib/api/bootstrap/bootstrap-template.yaml | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index 1f61cc6dbcfa6..4d8a4d1dcce64 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -235,6 +235,24 @@ Resources:
 Type: AWS::ECR::Repository
 Properties:
 ImageTagMutability: IMMUTABLE
+ # Untagged images should never exist but Security Hub wants this rule to exist
+ LifecyclePolicy:
+ LifecyclePolicyText: |
+ {
+ "rules": [
+ {
+ "rulePriority": 1,
+ "description": "Untagged images should not exist, but expire any older than one year",
+ "selection": {
+ "tagStatus": "untagged",
+ "countType": "sinceImagePushed",
+ "countUnit": "days",
+ "countNumber": 365
+ },
+ "action": { "type": "expire" }
+ }
+ ]
+ }
 RepositoryName:
 Fn::If:
 - HasCustomContainerAssetsRepositoryName
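Review bot: The new comment above `LifecyclePolicy` says Security Hub wants the rule to exist but not why the selection is deliberately restricted to `tagStatus: untagged`, which is the decision a maintainer tuning this policy later is most likely to revisit. Images published to this repository are presumably referenced by tag from deployed stacks, so a rule that expired tagged images would break redeploys and rollbacks; the narrow selection is intentional and should be stated, e.g. `# Selection is deliberately limited to untagged images: tagged images may still be referenced by deployed stacks and must not expire.` followed by `# Untagged images are not expected here (tags are IMMUTABLE), but Security Hub control ECR.3 requires a lifecycle policy to be present.` The ECR repository resource's definition starts above the hunk, so its logical ID is outside this view.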
@@ -615,7 +633,7 @@ Resources:
 Type: String
 Name:
 Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
- Value: '16'
+ Value: '17'
 Outputs:
 BucketName:
 Description: The name of the S3 bucket owned by the CDK toolkit stack