Adding "ecr:BatchDeleteImage" permission to role-policy-document.yml

[tony-griffin]

Problem context:

On manually triggered builds, the build output contains the following warning (aws account number etc removed):

Warning: Unable to delete previous cache image: DELETE https://123456789876.dkr.ecr.eu-west-1.amazonaws.com/v2/demodjango/application/manifests/sha256:1234567898761234567898761234567898761234567898765f9da: DENIED: User: arn:aws:sts::123456789876:assumed-role/pipeline-demodjango-application-BuildProjectRole-DI123456789876/AWSCodeBuild-123456789876-d4ye-4ahh-best5-123456789876 is not authorized to perform: ecr:BatchDeleteImage on resource: arn:aws:ecr:eu-west-1:123456789876:repository/demodjango/application because no identity-based policy allows the ecr:BatchDeleteImage action

• Role is defined here:
• It’s distracting and time wasting for engineers who are trying to debug problems with the builds
• There may be some minor cost impact with AWS ECR Image scanning the redundant images unnecessarily

User story

As a Service Engineer
When I make changes to my application’s configuration the image is built without errors
So that I can get the application code deployed without delay

Acceptance criteria

Application image build pipelines can delete the cache image

Implementation notes

The CodeBuild IAM role needs permission to perform the ecr:BatchDeleteImage permission so it can delete and replace the cache image on a new build.

Questions

• Is there a reason why the specified role does not currently include a delete permission action?
• Are you open to adding this permission here if a PR was submitted?