(ecr): setting imageScanOnPush to false doesn't update Repository after first being set to true

[peterwoodworth]

What is the problem?

Setting imageScanOnPush to false sets the property on the underlying CfnRepository to undefined

aws-cdk/packages/@aws-cdk/aws-ecr/lib/repository.ts

Lines 484 to 491 in dd5e12d

	const resource = new CfnRepository(this, 'Resource', {
	repositoryName: this.physicalName,
	// It says "Text", but they actually mean "Object".
	repositoryPolicyText: Lazy.any({ produce: () => this.policyDocument }),
	lifecyclePolicy: Lazy.any({ produce: () => this.renderLifecyclePolicy() }),
	imageScanningConfiguration: !props.imageScanOnPush ? undefined : {
	scanOnPush: true,
	},

This is fine when creating the Repository because the default setting is to set this to false. However, it appears this is only the default setting for creating the repository - not the default setting for updating the repository.

Reproduction Steps

First create a new ECR Repository with imageScanOnPush set to true

 const repo = new Repository(this, 'repo', {
   imageScanOnPush: true
 })

Then update that setting to false and deploy

What did you expect to happen?

ScanOnPush to be set to false in AWS console

What actually happened?

ScanOnPush is still set to true

CDK CLI Version

2.2.0

Framework Version

No response

Node.js Version

16.0.0

OS

Mac

Language

Typescript

Language Version

No response

Other information

No response

[peterwoodworth]

If you want to set this property to false after first having it set to true, use an escape hatch to set scanOnPush to false on the underlying CfnRepository.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.