• Update CHANGELOG to reflect current default value

Author: Bob Strahan

CHANGELOG.md

@@ -13,8 +13,8 @@ SPDX-License-Identifier: MIT-0
   - **Solution**: Enhanced CodeBuild custom resource to verify ECR image availability before completing, including:
     - Verification that all required Lambda images exist in ECR repository
     - Check that image scanning is complete (repository has `ScanOnPush: true`)
-  - **New Parameter**: Added `EnablePattern2ECRImageScanning` parameter (default: true) to allow users to disable ECR vulnerability scanning if experiencing deployment issues
-    - Recommended: Keep enabled (true) for production to maintain security posture
+  - **New Parameter**: Added `EnablePattern2ECRImageScanning` parameter (current default: false) to allow users to enable/disable ECR vulnerability scanning if experiencing deployment issues
+    - Recommended: Set enabled (true) for production to maintain security posture
     - Optional: Disable (false) only as temporary workaround for deployment reliability
 
 ## [0.4.1]

patterns/pattern-2/template.yaml

@@ -327,6 +327,7 @@ Resources:
                 Action:
                   - ecr:ListImages
                   - ecr:BatchDeleteImage
+                  - ecr:DescribeImages
                 Resource:
                   - !GetAtt Pattern2ECRRepository.Arn
           # Used by custom resource helper poller

src/lambda/start_codebuild/index.py

@@ -117,18 +117,30 @@ def _verify_ecr_images_available(ecr_uri: str, image_version: str) -> bool:
                 LOGGER.info("image %s verified (scan status: %s)", image_tag, scan_status)
 
             except ClientError as error:
-                if error.response["Error"]["Code"] == "ImageNotFoundException":
+                error_code = error.response["Error"]["Code"]
+                
+                # Retriable condition - image just doesn't exist yet, keep polling
+                if error_code == "ImageNotFoundException":
                     LOGGER.warning("image %s not found: %s", image_tag, error)
-                    return False
-                LOGGER.error("error checking image %s: %s", image_tag, error)
-                raise
+                    return False  # Continue polling
+                
+                # Fatal errors - permissions, validation, repository not found, etc.
+                # Fail immediately instead of polling forever
+                LOGGER.error(
+                    "fatal error checking image %s (error code: %s): %s",
+                    image_tag,
+                    error_code,
+                    error
+                )
+                raise  # Fail custom resource immediately
 
         LOGGER.info("all %d required images are available in ECR", len(required_images))
         return True
 
     except Exception as exception:  # pylint: disable=broad-except
-        LOGGER.error("error verifying ECR images: %s", exception)
-        return False
+        # Any non-ClientError exception is unexpected and fatal
+        LOGGER.error("unexpected fatal error verifying ECR images: %s", exception)
+        raise  # Fail custom resource immediately instead of polling forever
 
 
 @HELPER.poll_create

template.yaml

@@ -330,7 +330,7 @@ Parameters:
 
   EnablePattern2ECRImageScanning:
     Type: String
-    Default: "true"
+    Default: "false"
     AllowedValues:
       - "true"
       - "false"