Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
f
flat-insurance-25294
02/16/2021, 9:13 PMIs it possible to reference a specific image created on a different stack?
We want the production stack to pick the latest image created on staging stacks ECR and push it to production ECR instead of building from scratch.
l
little-cartoon-10569
02/16/2021, 9:37 PMAbsolutely. StackReferences are described here: https://www.pulumi.com/docs/intro/concepts/stack/#stackreferences
f
flat-insurance-25294
02/16/2021, 10:03 PM@little-cartoon-10569 As usual, thanks! But I don’t think the “fetch image and push” part is supported right now
I don’t know maybe, maybe it’s idiotic, looking for best practices here between staging/prod when it comes to actual images.
I thought not rebuilding and using the latest (approved) from staging was a great idea, but would also need to keep a history, so it wouldn’t just use the image, it would literally push it to the prod-stack ECR and then use it.
l
little-cartoon-10569
02/16/2021, 10:21 PMAre they the same AWS account? Shouldn't need to push/pull...
f
flat-insurance-25294
02/16/2021, 10:21 PMYep
Well separate ECR Repos
We create a separate Repo per stack and environment.
l
little-cartoon-10569
02/16/2021, 10:25 PMHmm... maybe a single registry with tagged images would work better? I can't see a way to easily promote images between registries...
f
flat-insurance-25294
02/16/2021, 10:26 PMNah because Staging and Prod have separate IAM groups.
People with just staging rights shouldn’t be able to touch Prod resources.
l
little-cartoon-10569
02/16/2021, 10:28 PMThey'd be able to touch prod images, in theory, but not prod resources.. I think?
f
flat-insurance-25294
02/16/2021, 10:29 PMNo
l
little-cartoon-10569
02/16/2021, 10:29 PMBut also, only reviewed code should get to the pipeline, and only the pipeline can update staging or prod...
f
flat-insurance-25294
02/16/2021, 10:29 PMExactly.
So that’s what we got now.
l
little-cartoon-10569
02/16/2021, 10:29 PMSo you're safe.
f
flat-insurance-25294
02/16/2021, 10:30 PMIt’s more about… moving an image from staging-ECR to prod-ECR once it has been deployed to prod for book-keeping.
Because right now, I am just manually typing in the image name from approved staging tagged commits for production deployment and pushing the master branch.
l
little-cartoon-10569
02/16/2021, 10:30 PMYou can use a single registry, if you want to. It would make things easier. An alternative would be to push all images to all registries, which would work just as well, but use more storage
f
flat-insurance-25294
02/16/2021, 10:32 PMI think I found it
Depending on what
serviceImageNah, single registry is out of the question, everything is isolated between environments.
This is an exception.
I mean, whenever we push a branch the entire infrastructure is pushed, we want this because we do on-premise stuff as well.
The only exception is images.
And only between staging<->prod and that’s because someone mentioned it’s poor practice to rebuild an image after it has been approved.
I think I found a way anyway.
We can reference the repo from staging.
And copy it over to production (for book keping)
via CLI commands.
Since we got the name of the image, can just pop that one inside the PodSpec as well.
Though I’m actually preferring k8 to fetch it from the prod-ecr directly.
👍 1