Update to version v1.1.1

CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.1] - 2021-03-19
+
+### Updated
+
+- AWS ECR image scan on push property's name from `scanOnPush` to `ScanOnPush` for image scanning based on the recently updated property name in AWS CloudFormation.
+- AWS ECR repository's name in the IAM policy's resource name from `<repository-name>*` to `*<repository-name>*` to accommodate recent repository name being prefixed with AWS CloudFormation stack name.
+
 ## [1.1.0] - 2021-01-26
 
 ### Added

source/lambdas/pipeline_orchestration/index.py

@@ -391,7 +391,7 @@ def get_template_parameters(event):
             "Bad request format. Pipeline type not supported. Check documentation for API & config formats."
         )
 
-    return (provisioned_pipeline_stack_name, template_parameters)
+    return (provisioned_pipeline_stack_name.lower(), template_parameters)
 
 
 def get_required_keys(event):

source/lambdas/pipeline_orchestration/tests/fixtures/orchestrator_fixtures.py

@@ -386,8 +386,8 @@ def cf_client_params(api_byom_event, template_parameters_realtime_builtin):
         "OnFailure": "DO_NOTHING",
         "Parameters": template_parameters,
         "RoleARN": "arn:aws:role:region:account:action",
-        "StackName": "teststack-testmodel-BYOMPipelineReatimeBuiltIn",
-        "Tags": [{"Key": "stack_name", "Value": "teststack-testmodel-BYOMPipelineReatimeBuiltIn"}],
+        "StackName": "teststack-testmodel-byompipelinereatimebuiltin",
+        "Tags": [{"Key": "stack_name", "Value": "teststack-testmodel-byompipelinereatimebuiltin"}],
         "TemplateURL": "https://testurl/blueprints/byom/byom_realtime_builtin_container.yaml",
     }
     return cf_params

source/lib/aws_mlops_stack.py

@@ -94,7 +94,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             expression=core.Fn.condition_equals(existing_bucket.value_as_string.strip(), ""),
         )
         # Constants
-        pipeline_stack_name = "MLOps-pipeline"
+        pipeline_stack_name = "mlops-pipeline"
 
         # CDK Resources setup
         access_logs_bucket = s3.Bucket(
@@ -234,10 +234,12 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
                         "ecr:DeleteRepository",
                         "ecr:DescribeRepositories",
                     ],
+                    # The * is needed in front of awsmlopsmodels because AWS-ECR CDK adds
+                    # the stack's name in front of the ECR repository's name
                     resources=[
                         (
                             f"arn:{core.Aws.PARTITION}:ecr:{core.Aws.REGION}:"
-                            f"{core.Aws.ACCOUNT_ID}:repository/awsmlopsmodels*"
+                            f"{core.Aws.ACCOUNT_ID}:repository/{pipeline_stack_name}*-awsmlopsmodels*"
                         )
                     ],
                 ),

source/lib/blueprints/byom/pipeline_definitions/build_actions.py

@@ -18,9 +18,7 @@
     aws_codepipeline_actions as codepipeline_actions,
     core,
 )
-from lib.blueprints.byom.pipeline_definitions.helpers import (
-    suppress_pipeline_policy,
-)
+from lib.blueprints.byom.pipeline_definitions.helpers import suppress_pipeline_policy, suppress_ecr_scan_on_push
 
 
 def build_action(scope, source_output):
@@ -34,7 +32,9 @@ def build_action(scope, source_output):
     """
     model_containers = ecr.Repository(scope, "awsmlopsmodels")
     # Enable ECR image scanOnPush
-    model_containers.node.default_child.add_override("Properties.ImageScanningConfiguration.scanOnPush", "true")
+    model_containers.node.default_child.add_override("Properties.ImageScanningConfiguration.ScanOnPush", "true")
+    # ECR scanOnPush property has changed to ScanOnPush, bbut seems cfn_nag still checking for scanOnPush
+    model_containers.node.default_child.cfn_options.metadata = suppress_ecr_scan_on_push()
 
     codebuild_role = iam.Role(scope, "codebuildRole", assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"))
 

source/lib/blueprints/byom/pipeline_definitions/deploy_actions.py

@@ -106,7 +106,12 @@ def create_model(
             "ecr:DescribeRepositories",
             "ecr:GetDownloadUrlForLayer",
         ],
-        resources=[f"arn:{core.Aws.PARTITION}:ecr:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}:repository/awsmlopsmodels*"],
+        resources=[
+            (
+                f"arn:{core.Aws.PARTITION}:ecr:{core.Aws.REGION}:{core.Aws.ACCOUNT_ID}"
+                f":repository/mlops-pipeline*-awsmlopsmodels*"
+            )
+        ],
     )
     ecr_token_policy = iam.PolicyStatement(
         actions=["ecr:GetAuthorizationToken"],

source/lib/blueprints/byom/pipeline_definitions/helpers.py

@@ -216,6 +216,22 @@ def suppress_ecr_policy():
     }
 
 
+# The supression is needed because there is a bug in cfn_nag ECR repository rule W79,
+# where the rule still checks for scanOnPush instead of the new property's name ScanOnPush
+# link to the bug  https://github.com/stelligent/cfn_nag/issues/533
+def suppress_ecr_scan_on_push():
+    return {
+        "cfn_nag": {
+            "rules_to_suppress": [
+                {
+                    "id": "W79",
+                    "reason": "scanOnPush is enabled",
+                }
+            ]
+        }
+    }
+
+
 def apply_secure_bucket_policy(bucket):
     bucket.add_to_resource_policy(
         iam.PolicyStatement(