UNPKG

cdk-ecr-deployment

Version:

CDK construct to deploy docker image to Amazon ECR

github.com/cdklabs/cdk-ecr-deployment

cdklabs/cdk-ecr-deployment

110 lines (81 loc) 4.72 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# cdk-ecr-deployment [![Release](https://github.com/cdklabs/cdk-ecr-deployment/actions/workflows/release.yml/badge.svg)](https://github.com/cdklabs/cdk-ecr-deployment/actions/workflows/release.yml) [![npm version](https://img.shields.io/npm/v/cdk-ecr-deployment)](https://www.npmjs.com/package/cdk-ecr-deployment) [![PyPI](https://img.shields.io/pypi/v/cdk-ecr-deployment)](https://pypi.org/project/cdk-ecr-deployment) [![npm](https://img.shields.io/npm/dw/cdk-ecr-deployment?label=npm%20downloads)](https://www.npmjs.com/package/cdk-ecr-deployment) [![PyPI - Downloads](https://img.shields.io/pypi/dw/cdk-ecr-deployment?label=pypi%20downloads)](https://pypi.org/project/cdk-ecr-deployment) CDK construct to synchronize single docker image between docker registries. > [!IMPORTANT] > > Please use the latest version of this package, which is `v4`. > > (Older versions are no longer supported). ## Features - Copy image from ECR/external registry to (another) ECR/external registry - Copy an archive tarball image from s3 to ECR/external registry ## Examples ```ts import { DockerImageAsset } from 'aws-cdk-lib/aws-ecr-assets'; const image = new DockerImageAsset(this, 'CDKDockerImage', { directory: path.join(__dirname, 'docker'), }); // Copy from cdk docker image asset to another ECR. new ecrdeploy.ECRDeployment(this, 'DeployDockerImage1', { src: new ecrdeploy.DockerImageName(image.imageUri), dest: new ecrdeploy.DockerImageName(`${cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx:latest`), }); // Copy from docker registry to ECR. new ecrdeploy.ECRDeployment(this, 'DeployDockerImage2', { src: new ecrdeploy.DockerImageName('nginx:latest'), dest: new ecrdeploy.DockerImageName(`${cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx2:latest`), }); // Copy from private docker registry to ECR. // The format of secret in aws secrets manager must be either: // - plain text in format <username>:<password> // - json in format {"username":"<username>","password":"<password>"} new ecrdeploy.ECRDeployment(this, 'DeployDockerImage3', { src: new ecrdeploy.DockerImageName('javacs3/nginx:latest', 'username:password'), // src: new ecrdeploy.DockerImageName('javacs3/nginx:latest', 'aws-secrets-manager-secret-name'), // src: new ecrdeploy.DockerImageName('javacs3/nginx:latest', 'arn:aws:secretsmanager:us-west-2:000000000000:secret:id'), dest: new ecrdeploy.DockerImageName(`${cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx3:latest`), }).addToPrincipalPolicy(new iam.PolicyStatement({ effect: iam.Effect.ALLOW, actions: [ 'secretsmanager:GetSecretValue', ], resources: ['*'], })); ``` ## Sample: [test/example.ecr-deployment.ts](./test/example.ecr-deployment.ts) After cloning the repository, install dependencies and run a full build: ```console yarn --frozen-lockfile --check-files yarn build ``` Then run the example like this: ```shell # Run the following command to try the sample. npx cdk deploy -a "npx ts-node -P tsconfig.dev.json --prefer-ts-exts test/example.ecr-deployment.ts" ``` To run the DockerHub example you will first need to setup a Secret in AWS Secrets Manager to provide DockerHub credentials. Replace `username:access-token` with your credentials. **Please note that Secrets will occur a cost.** ```console aws secretsmanager create-secret --name DockerHubCredentials --secret-string "username:access-token" ``` From the output, copy the ARN of your new secret and export it as env variable ```console export DOCKERHUB_SECRET_ARN="<ARN>" ``` Finally run: ```shell # Run the following command to try the sample. npx cdk deploy -a "npx ts-node -P tsconfig.dev.json --prefer-ts-exts test/dockerhub-example.ecr-deployment.ts" ``` If your Secret is encrypted, you might have to adjust the example to also grant decrypt permissions. ## [API](./API.md) ## Tech Details & Contribution The core of this project relies on [containers/image](https://github.com/containers/image) which is used by [Skopeo](https://github.com/containers/skopeo). Please take a look at those projects before contribution. To support a new docker image source(like docker tarball in s3), you need to implement [image transport interface](https://github.com/containers/image/blob/master/types/types.go). You could take a look at [docker-archive](https://github.com/containers/image/blob/ccb87a8d0f45cf28846e307eb0ec2b9d38a458c2/docker/archive/transport.go) transport for a good start. Any error in the custom resource provider will show up in the CloudFormation error log as `Invalid PhysicalResourceId`, because of this: <https://github.com/aws/aws-lambda-go/issues/107>. You need to go into the CloudWatch Log Group to find the real error.