
flat-insurance-25294

02/16/2021, 9:13 PM
Is it possible to reference a specific image created on a different stack? We want the production stack to pick the latest image created on the staging stack's ECR and push it to production ECR instead of building from scratch.

little-cartoon-10569

02/16/2021, 9:37 PM
Absolutely. StackReferences are described here: https://www.pulumi.com/docs/intro/concepts/stack/#stackreferences

flat-insurance-25294

02/16/2021, 10:03 PM
@little-cartoon-10569 As usual, thanks! But I don’t think the “fetch image and push” part is supported right now
I don’t know, maybe it’s idiotic, looking for best practices here between staging/prod when it comes to actual images. I thought not rebuilding and using the latest (approved) from staging was a great idea, but would also need to keep a history, so it wouldn’t just use the image, it would literally push it to the prod-stack ECR and then use it.

little-cartoon-10569

02/16/2021, 10:21 PM
Are they the same AWS account? Shouldn't need to push/pull...

flat-insurance-25294

02/16/2021, 10:21 PM
Yep
Well separate ECR Repos
We create a separate Repo per stack and environment.

little-cartoon-10569

02/16/2021, 10:25 PM
Hmm... maybe a single registry with tagged images would work better? I can't see a way to easily promote images between registries...

flat-insurance-25294

02/16/2021, 10:26 PM
Nah because Staging and Prod have separate IAM groups. People with just staging rights shouldn’t be able to touch Prod resources.

little-cartoon-10569

02/16/2021, 10:28 PM
They'd be able to touch prod images, in theory, but not prod resources.. I think?

flat-insurance-25294

02/16/2021, 10:29 PM
No

little-cartoon-10569

02/16/2021, 10:29 PM
But also, only reviewed code should get to the pipeline, and only the pipeline can update staging or prod...

flat-insurance-25294

02/16/2021, 10:29 PM
Exactly.
So that’s what we got now.

little-cartoon-10569

02/16/2021, 10:29 PM
So you're safe.

flat-insurance-25294

02/16/2021, 10:30 PM
It’s more about… moving an image from staging-ECR to prod-ECR once it has been deployed to prod for book-keeping. Because right now, I am just manually typing in the image name from approved staging tagged commits for production deployment and pushing the master branch.

little-cartoon-10569

02/16/2021, 10:30 PM
You can use a single registry, if you want to. It would make things easier. An alternative would be to push all images to all registries, which would work just as well, but use more storage

flat-insurance-25294

02/16/2021, 10:32 PM
I think I found it
Depending on what serviceImage is, this might work: https://www.pulumi.com/docs/reference/pkg/aws/ecr/getimage/
Nah, single registry is out of the question, everything is isolated between environments. This is an exception.
I mean, whenever we push a branch the entire infrastructure is pushed, we want this because we do on-premise stuff as well.
The only exception is images. And only between staging<->prod and that’s because someone mentioned it’s poor practice to rebuild an image after it has been approved.
I think I found a way anyway. We can reference the repo from staging. And copy it over to production (for book-keeping) via CLI commands. Since we got the name of the image, can just pop that one inside the PodSpec as well. Though I’m actually preferring k8 to fetch it from the prod-ecr directly.