(aws-ecr-assets): DockerImageAsset.repository is not really a repository (e.g. grants result in a no-op)

[JFox]

When adding pull permissions as stated in the docs, the result is a no-op

Reproduction Steps

const myAsset = new DockerImageAsset(this, "MyAsset", {
  directory: path.join(process.cwd(), "docker", "my-asset"),
});
myAsset.repository.addToResourcePolicy(
  new PolicyStatement({
    principals: [
      new AccountPrincipal("123123123"),
      new AccountPrincipal("78667867"),
    ],
    actions: [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
    ],
  }),
);

What did you expect to happen?

ECR repo's permissions policy gets updated according to the code

What actually happened?

Nothing

Environment

• **CDK CLI Version :1.86.0
• **Framework Version: 1.86.0
• **Node.js Version: v13.8.0
• **OS :MacOS Catalina
• **Language (Version): TypeScript (3.9.6)

---

This is 🐛 Bug Report

[eladb]

@JFox thanks for describing your use case.

I believe this use case can be addressed using the proposed ECR deployment feature, which will allow you to define a separate ECR repository (which you can fully control) and deploy docker image assets to it. If that's the case, please +1 that issue so we can prioritize it (copy @ericzbeard).

The new bootstrapping mechanism (which will be the default in 2.0), all docker image assets will use the same ECR repository, which is created during cdk bootstrap. To that end, it won't be possible to modify the asset repository's permissions directly, which is why addToResourcePolicy doesn't work in this case.

I think we should remove the repository property from DockerImageAsset because it may send the wrong signal about what you can do with that repository (like granting permissions).

[JFox]

Thanks for the clarification. I may add that the grants and permissions reference to the assets repository are removed as well.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[eladb]

Reopening this to track the deprecation of the repository property from DockerImageAsset.