(bootstrap): Allow to enable tag immutability in ECR repos

[Hi-Fi]

Description

Currently when CDK bootstrap is running, it created ECR repositories to bootstrapped (target) account. That ECR repository has Tag immutability disabled (actually not set which defaults to MUTABLE).

https://github.com/aws/aws-cdk/blob/master/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L203-L211
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-imagetagmutability

Use Case

Security requirements require that deployed images are immutable, so it would be easy to prove if tag immutability would be possible to enable when bootstrapping.

Proposed Solution

Flag in bootstrapping to mark created ECR repo Tag immutability to Enabled.

  ContainerAssetsRepository:
    Type: AWS::ECR::Repository
    Properties:
      ImageScanningConfiguration:
        ScanOnPush: true
      ImageTagMutability: <MUTABLE/IMMUTABLE according flag, default to MUTABLE>
      RepositoryName:
        Fn::If:
          - HasCustomContainerAssetsRepositoryName
          - Fn::Sub: "${ContainerAssetsRepositoryName}"
          - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region}

Other information

No response

Acknowledge

• I may be able to implement this feature request
• This feature might incur a breaking change

[rix0rrr]

We will not add a flag. I think this should be a safe default. Is this a new feature? Is this likely to not be available in all AWS Regions yet?

[Hi-Fi]

New since July 2019 (https://aws.amazon.com/about-aws/whats-new/2019/07/amazon-ecr-now-supports-immutable-image-tags/). At least there's no mention about specific regions.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.