# aws
l
Absolutely. StackReferences are described here: https://www.pulumi.com/docs/intro/concepts/stack/#stackreferences
f
@little-cartoon-10569 As usual, thanks! But I don’t think the “fetch image and push” part is supported right now
I don’t know, maybe it’s idiotic, but I’m looking for best practices here between staging/prod when it comes to actual images. I thought not rebuilding and using the latest (approved) image from staging was a great idea, but we would also need to keep a history, so it wouldn’t just use the image, it would literally push it to the prod-stack ECR and then use it.
l
Are they the same AWS account? Shouldn't need to push/pull...
f
Yep
Well separate ECR Repos
We create a separate Repo per stack and environment.
l
Hmm... maybe a single registry with tagged images would work better? I can't see a way to easily promote images between registries...
f
Nah because Staging and Prod have separate IAM groups. People with just staging rights shouldn’t be able to touch Prod resources.
l
They'd be able to touch prod images, in theory, but not prod resources... I think?
f
No
l
But also, only reviewed code should get to the pipeline, and only the pipeline can update staging or prod...
f
Exactly.
So that’s what we got now.
l
So you're safe.
f
It’s more about moving an image from staging-ECR to prod-ECR once it has been deployed to prod, for book-keeping. Because right now, I am just manually typing in the image name from approved staging-tagged commits for production deployment and pushing the master branch.
l
You can use a single registry, if you want to. It would make things easier. An alternative would be to push all images to all registries, which would work just as well, but use more storage.
f
I think I found it
Depending on what `serviceImage` is, this might work: https://www.pulumi.com/docs/reference/pkg/aws/ecr/getimage/
Nah, single registry is out of the question, everything is isolated between environments. This is an exception.
I mean, whenever we push a branch the entire infrastructure is pushed, we want this because we do on-premise stuff as well.
The only exception is images. And only between staging<->prod and that’s because someone mentioned it’s poor practice to rebuild an image after it has been approved.
I think I found a way anyway. We can reference the repo from staging and copy it over to production (for book-keeping) via CLI commands. Since we’ve got the name of the image, we can just pop that one inside the PodSpec as well. Though I’m actually preferring k8s to fetch it from the prod-ECR directly.