CDK construct to deploy docker image to Amazon ECR
Project description
cdk-ecr-deployment
CDK construct to synchronize single docker image between docker registries.
[!IMPORTANT]
Please use the latest version of this package, which is
v4.(Older versions are no longer supported).
Features
- Copy image or multi-architecture image index from ECR/external registry to (another) ECR/external registry
- Copy an archive tarball image from s3 to ECR/external registry
Usage
from aws_cdk.aws_ecr_assets import DockerImageAsset
image = DockerImageAsset(self, "CDKDockerImage",
directory=path.join(__dirname, "docker")
)
# Copy from cdk docker image asset to another ECR.
ecrdeploy.ECRDeployment(self, "DeployDockerImage1",
src=ecrdeploy.DockerImageName(image.image_uri),
dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx:latest")
)
# Copy from docker registry to ECR.
ecrdeploy.ECRDeployment(self, "DeployDockerImage2",
src=ecrdeploy.DockerImageName("nginx:latest"),
dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx2:latest")
)
# Copy from private docker registry to ECR.
# The format of secret in aws secrets manager must be either:
# - plain text in format <username>:<password>
# - json in format {"username":"<username>","password":"<password>"}
ecrdeploy.ECRDeployment(self, "DeployDockerImage3",
src=ecrdeploy.DockerImageName("javacs3/nginx:latest", "username:password"),
# src: new ecrdeploy.DockerImageName('javacs3/nginx:latest', 'aws-secrets-manager-secret-name'),
# src: new ecrdeploy.DockerImageName('javacs3/nginx:latest', 'arn:aws:secretsmanager:us-west-2:000000000000:secret:id'),
dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx3:latest")
).add_to_principal_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=["secretsmanager:GetSecretValue"
],
resources=["*"]
))
# Copy multi-architecture image index (manifest) with all architectures.
ecrdeploy.ECRDeployment(self, "DeployDockerImage4",
src=ecrdeploy.DockerImageName("public.ecr.aws/nginx/nginx:latest"),
dest=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx4:manifest"),
copy_image_index=True,
arch_image_tags={
"amd64": "my-nginx-amd64",
"arm64": "my-nginx-arm64"
}
)
# Copy image to a public ECR registry.
# The required ecr-public and sts permissions are automatically attached
# when the destination is a public.ecr.aws URI.
ecrdeploy.ECRDeployment(self, "DeployDockerImage5",
src=ecrdeploy.DockerImageName(f"{cdk.Aws.ACCOUNT_ID}.dkr.ecr.us-west-2.amazonaws.com/my-nginx:latest"),
dest=ecrdeploy.DockerImageName("public.ecr.aws/your-alias/your-repo:latest"),
copy_image_index=True,
arch_image_tags={
"amd64": "latest-amd64",
"arm64": "latest-arm64"
}
)
Examples: examples/
The examples/ directory contains a runnable CDK app per scenario (local image asset, specific architecture, multi-arch index, retry config, S3 archive, and private-registry credentials). See examples/README.md.
After cloning the repository, install dependencies and run a full build:
yarn install --immutable
yarn build
Then synth or deploy any example:
npx cdk synth --app "npx ts-node examples/docker-image-asset.ts"
npx cdk deploy --app "npx ts-node examples/docker-image-asset.ts"
The private-registry-credentials example needs a Secret in AWS Secrets Manager with your DockerHub credentials (note: secrets incur a cost):
aws secretsmanager create-secret --name DockerHubCredentials --secret-string "username:access-token"
export DOCKERHUB_SECRET_ARN="<ARN>"
If your secret is encrypted, you might have to adjust the example to also grant decrypt permissions.
API
Tech Details & Contributions
The core of this project relies on containers/image (published as the Go module go.podman.io/image/v5) which is used by Skopeo.
Please take a look at those projects before contributing.
To support a new docker image source (like docker tarball in s3), you need to implement image transport interface. You could take a look at docker-archive transport for a good start.
Any error in the custom resource provider will show up in the CloudFormation error log as Invalid PhysicalResourceId, because of this: https://github.com/aws/aws-lambda-go/issues/107. You need to go into the CloudWatch Log Group to find the real error.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cdk_ecr_deployment-4.2.27.tar.gz.
File metadata
- Download URL: cdk_ecr_deployment-4.2.27.tar.gz
- Upload date:
- Size: 22.8 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6139cd8b4ece7a71181c706169e4d76588226c6a18b62f240472c1b5f96961c4
|
|
| MD5 |
4b4b09d60e5031aeba6a8b023ae9c00b
|
|
| BLAKE2b-256 |
ed6b9bb49b28e42dafb3d663256ab91977012a4b92dd4e1131641f9ac542f848
|
Provenance
The following attestation bundles were made for cdk_ecr_deployment-4.2.27.tar.gz:
Publisher:
release.yml on cdklabs/cdk-ecr-deployment
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
cdk_ecr_deployment-4.2.27.tar.gz -
Subject digest:
6139cd8b4ece7a71181c706169e4d76588226c6a18b62f240472c1b5f96961c4 - Sigstore transparency entry: 2102755329
- Sigstore integration time:
-
Permalink:
cdklabs/cdk-ecr-deployment@773d402deff62af930fd75926ced539f3aafbb88 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/cdklabs
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@773d402deff62af930fd75926ced539f3aafbb88 -
Trigger Event:
push
-
Statement type:
File details
Details for the file cdk_ecr_deployment-4.2.27-py3-none-any.whl.
File metadata
- Download URL: cdk_ecr_deployment-4.2.27-py3-none-any.whl
- Upload date:
- Size: 22.8 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
622353d3104e1b4ba5dae37721da4cc948dc979d5b45413b92cbc26146059de1
|
|
| MD5 |
3638b7daabce1006d60cdba03d8c3123
|
|
| BLAKE2b-256 |
5ec9978625e5d53d05a84e8f7625245c567915231f832ddb02e98aa1706fb3a1
|
Provenance
The following attestation bundles were made for cdk_ecr_deployment-4.2.27-py3-none-any.whl:
Publisher:
release.yml on cdklabs/cdk-ecr-deployment
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
cdk_ecr_deployment-4.2.27-py3-none-any.whl -
Subject digest:
622353d3104e1b4ba5dae37721da4cc948dc979d5b45413b92cbc26146059de1 - Sigstore transparency entry: 2102755142
- Sigstore integration time:
-
Permalink:
cdklabs/cdk-ecr-deployment@773d402deff62af930fd75926ced539f3aafbb88 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/cdklabs
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@773d402deff62af930fd75926ced539f3aafbb88 -
Trigger Event:
push
-
Statement type: