Skip to main content

CDK construct to deploy docker image to Amazon ECR

Project description

cdk-ecr-deployment

Release npm version PyPI npm PyPI - Downloads

CDK construct to synchronize single docker image between docker registries.

[!IMPORTANT]

Please use the latest version of this package, which is v4.

(Older versions are no longer supported).

Features

  • Copy image or multi-architecture image index from ECR/external registry to (another) ECR/external registry
  • Copy an archive tarball image from s3 to ECR/external registry

Usage

from aws_cdk.aws_ecr_assets import DockerImageAsset


image = DockerImageAsset(self, "CDKDockerImage",
    directory=path.join(__dirname, "docker")
)

# Copy from cdk docker image asset to another ECR.
ecrdeploy.ECRDeployment(self, "DeployDockerImage1",
    src=ecrdeploy.DockerImageName(image.image_uri),
    dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx:latest")
)

# Copy from docker registry to ECR.
ecrdeploy.ECRDeployment(self, "DeployDockerImage2",
    src=ecrdeploy.DockerImageName("nginx:latest"),
    dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx2:latest")
)

# Copy from private docker registry to ECR.
# The format of secret in aws secrets manager must be either:
# - plain text in format <username>:<password>
# - json in format {"username":"<username>","password":"<password>"}
ecrdeploy.ECRDeployment(self, "DeployDockerImage3",
    src=ecrdeploy.DockerImageName("javacs3/nginx:latest", "username:password"),
    # src: new ecrdeploy.DockerImageName('javacs3/nginx:latest', 'aws-secrets-manager-secret-name'),
    # src: new ecrdeploy.DockerImageName('javacs3/nginx:latest', 'arn:aws:secretsmanager:us-west-2:000000000000:secret:id'),
    dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx3:latest")
).add_to_principal_policy(iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    actions=["secretsmanager:GetSecretValue"
    ],
    resources=["*"]
))

# Copy multi-architecture image index (manifest) with all architectures.
ecrdeploy.ECRDeployment(self, "DeployDockerImage4",
    src=ecrdeploy.DockerImageName("public.ecr.aws/nginx/nginx:latest"),
    dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx4:manifest"),
    copy_image_index=True,
    arch_image_tags={
        "amd64": "my-nginx-amd64",
        "arm64": "my-nginx-arm64"
    }
)

# Copy image to a public ECR registry.
# The required ecr-public and sts permissions are automatically attached
# when the destination is a public.ecr.aws URI.
ecrdeploy.ECRDeployment(self, "DeployDockerImage5",
    src=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx:latest"),
    dest=ecrdeploy.DockerImageName("public.ecr.aws/your-alias/your-repo:latest"),
    copy_image_index=True,
    arch_image_tags={
        "amd64": "latest-amd64",
        "arm64": "latest-arm64"
    }
)

Examples: examples/

The examples/ directory contains a runnable CDK app per scenario (local image asset, specific architecture, multi-arch index, retry config, S3 archive, and private-registry credentials). See examples/README.md.

After cloning the repository, install dependencies and run a full build:

yarn install --immutable
yarn build

Then synth or deploy any example:

npx cdk synth --app "npx ts-node examples/docker-image-asset.ts"
npx cdk deploy --app "npx ts-node examples/docker-image-asset.ts"

The private-registry-credentials example needs a Secret in AWS Secrets Manager with your DockerHub credentials (note: secrets incur a cost):

aws secretsmanager create-secret --name DockerHubCredentials --secret-string "username:access-token"
export DOCKERHUB_SECRET_ARN="<ARN>"

If your secret is encrypted, you might have to adjust the example to also grant decrypt permissions.

API

Tech Details & Contributions

The core of this project relies on containers/image (published as the Go module go.podman.io/image/v5) which is used by Skopeo. Please take a look at those projects before contributing.

To support a new docker image source (like docker tarball in s3), you need to implement image transport interface. You could take a look at docker-archive transport for a good start.

Any error in the custom resource provider will show up in the CloudFormation error log as Invalid PhysicalResourceId, because of this: https://github.com/aws/aws-lambda-go/issues/107. You need to go into the CloudWatch Log Group to find the real error.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cdk_ecr_deployment-4.2.20.tar.gz (22.7 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cdk_ecr_deployment-4.2.20-py3-none-any.whl (22.7 MB view details)

Uploaded Python 3

File details

Details for the file cdk_ecr_deployment-4.2.20.tar.gz.

File metadata

  • Download URL: cdk_ecr_deployment-4.2.20.tar.gz
  • Upload date:
  • Size: 22.7 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.14.6

File hashes

Hashes for cdk_ecr_deployment-4.2.20.tar.gz
Algorithm Hash digest
SHA256 99a13acccc75e1f0ad733801c6bb39d15a54c66daba9f471771c4984e23e59f9
MD5 d82b00c1d4539bcae57f701d3b06b952
BLAKE2b-256 9b127c8d06f62d81c1bb8cdf807e722b85476eef835e900a43121486c66ebf28

See more details on using hashes here.

Provenance

The following attestation bundles were made for cdk_ecr_deployment-4.2.20.tar.gz:

Publisher: release.yml on cdklabs/cdk-ecr-deployment

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cdk_ecr_deployment-4.2.20-py3-none-any.whl.

File metadata

File hashes

Hashes for cdk_ecr_deployment-4.2.20-py3-none-any.whl
Algorithm Hash digest
SHA256 ceb6d0a806d5a9255254f14d99185ac556cfae7e313ac75aaccbfaf10b30e224
MD5 ef3333a3cf9542f9319958fe208c5076
BLAKE2b-256 26441037248548d8827f9e1294e8fa2e35f6a698eb9d3a3c6c1b431290d7d341

See more details on using hashes here.

Provenance

The following attestation bundles were made for cdk_ecr_deployment-4.2.20-py3-none-any.whl:

Publisher: release.yml on cdklabs/cdk-ecr-deployment

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page