Skip to main content

CDK construct to deploy docker image to Amazon ECR

Project description

cdk-ecr-deployment

Release npm version PyPI npm PyPI - Downloads

CDK construct to synchronize single docker image between docker registries.

[!IMPORTANT]

Please use the latest version of this package, which is v4.

(Older versions are no longer supported).

Features

  • Copy image or multi-architecture image index from ECR/external registry to (another) ECR/external registry
  • Copy an archive tarball image from s3 to ECR/external registry

Usage

from aws_cdk.aws_ecr_assets import DockerImageAsset


image = DockerImageAsset(self, "CDKDockerImage",
    directory=path.join(__dirname, "docker")
)

# Copy from cdk docker image asset to another ECR.
ecrdeploy.ECRDeployment(self, "DeployDockerImage1",
    src=ecrdeploy.DockerImageName(image.image_uri),
    dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx:latest")
)

# Copy from docker registry to ECR.
ecrdeploy.ECRDeployment(self, "DeployDockerImage2",
    src=ecrdeploy.DockerImageName("nginx:latest"),
    dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx2:latest")
)

# Copy from private docker registry to ECR.
# The format of secret in aws secrets manager must be either:
# - plain text in format <username>:<password>
# - json in format {"username":"<username>","password":"<password>"}
ecrdeploy.ECRDeployment(self, "DeployDockerImage3",
    src=ecrdeploy.DockerImageName("javacs3/nginx:latest", "username:password"),
    # src: new ecrdeploy.DockerImageName('javacs3/nginx:latest', 'aws-secrets-manager-secret-name'),
    # src: new ecrdeploy.DockerImageName('javacs3/nginx:latest', 'arn:aws:secretsmanager:us-west-2:000000000000:secret:id'),
    dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx3:latest")
).add_to_principal_policy(iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    actions=["secretsmanager:GetSecretValue"
    ],
    resources=["*"]
))

# Copy multi-architecture image index (manifest) with all architectures.
ecrdeploy.ECRDeployment(self, "DeployDockerImage4",
    src=ecrdeploy.DockerImageName("public.ecr.aws/nginx/nginx:latest"),
    dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx4:manifest"),
    copy_image_index=True,
    arch_image_tags={
        "amd64": "my-nginx-amd64",
        "arm64": "my-nginx-arm64"
    }
)

# Copy image to a public ECR registry.
# The required ecr-public and sts permissions are automatically attached
# when the destination is a public.ecr.aws URI.
ecrdeploy.ECRDeployment(self, "DeployDockerImage5",
    src=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx:latest"),
    dest=ecrdeploy.DockerImageName("public.ecr.aws/your-alias/your-repo:latest"),
    copy_image_index=True,
    arch_image_tags={
        "amd64": "latest-amd64",
        "arm64": "latest-arm64"
    }
)

Examples: examples/

The examples/ directory contains a runnable CDK app per scenario (local image asset, specific architecture, multi-arch index, retry config, S3 archive, and private-registry credentials). See examples/README.md.

After cloning the repository, install dependencies and run a full build:

yarn install --immutable
yarn build

Then synth or deploy any example:

npx cdk synth --app "npx ts-node examples/docker-image-asset.ts"
npx cdk deploy --app "npx ts-node examples/docker-image-asset.ts"

The private-registry-credentials example needs a Secret in AWS Secrets Manager with your DockerHub credentials (note: secrets incur a cost):

aws secretsmanager create-secret --name DockerHubCredentials --secret-string "username:access-token"
export DOCKERHUB_SECRET_ARN="<ARN>"

If your secret is encrypted, you might have to adjust the example to also grant decrypt permissions.

API

Tech Details & Contributions

The core of this project relies on containers/image (published as the Go module go.podman.io/image/v5) which is used by Skopeo. Please take a look at those projects before contributing.

To support a new docker image source (like docker tarball in s3), you need to implement image transport interface. You could take a look at docker-archive transport for a good start.

Any error in the custom resource provider will show up in the CloudFormation error log as Invalid PhysicalResourceId, because of this: https://github.com/aws/aws-lambda-go/issues/107. You need to go into the CloudWatch Log Group to find the real error.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cdk_ecr_deployment-4.2.30.tar.gz (22.6 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cdk_ecr_deployment-4.2.30-py3-none-any.whl (22.6 MB view details)

Uploaded Python 3

File details

Details for the file cdk_ecr_deployment-4.2.30.tar.gz.

File metadata

  • Download URL: cdk_ecr_deployment-4.2.30.tar.gz
  • Upload date:
  • Size: 22.6 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.14.6

File hashes

Hashes for cdk_ecr_deployment-4.2.30.tar.gz
Algorithm Hash digest
SHA256 e9b1f8aea9aeae5c46309c936eb1950c640a6e54862f43d10d4d99d1ef320738
MD5 becdf1f551f795148b8a66168b222578
BLAKE2b-256 07de12c1fa94037854e473dfb730d312d877d4db09815a94e7f8b47022a6974a

See more details on using hashes here.

Provenance

The following attestation bundles were made for cdk_ecr_deployment-4.2.30.tar.gz:

Publisher: release.yml on cdklabs/cdk-ecr-deployment

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cdk_ecr_deployment-4.2.30-py3-none-any.whl.

File metadata

File hashes

Hashes for cdk_ecr_deployment-4.2.30-py3-none-any.whl
Algorithm Hash digest
SHA256 4f685baf1aaa8a6be1fcbfbe91d6d5a70bf22d57531066def0b12e3290bb32b0
MD5 eaeb07f13c861760435aa9d7d62aca6f
BLAKE2b-256 e85d5e5af7e5a1e02b0492cfb223f036c6391bd76c736a7d271da52a7bafc566

See more details on using hashes here.

Provenance

The following attestation bundles were made for cdk_ecr_deployment-4.2.30-py3-none-any.whl:

Publisher: release.yml on cdklabs/cdk-ecr-deployment

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page