https://pulumi.com logo
Powered by
Title
r

rapid-kite-35

11/08/2022, 7:51 PM
I'm using ecr and am trying to push a docker image to it. It seems using 
awsx
it handles authentication whereas if I use the 
docker
package it doesn't. However it also seems with 
awsx
I can't set a custom tag. So my question is if either there is a way to set a tag using 
awsx
or alternatively how to easily auth against ecr using the 
docker
package instead?
m

millions-furniture-75402

11/08/2022, 9:26 PM
Maybe the new version of awsx will address this, but it looks like there is an outstanding bug https://github.com/pulumi/pulumi-awsx/issues/585 For your last question, maybe you can do something with this example https://www.pulumi.com/registry/packages/docker/api-docs/image/#imageregistry
Actually, you might be able to do something with 
extraOptions
to pass 
--tag
https://docs.docker.com/engine/reference/commandline/image_build/ has a 
--tag
flag https://github.com/pulumi/pulumi-awsx/blob/master/awsx-classic/ecr/repository.ts#L51 -- takes a 
docker.DockerBuild
https://www.pulumi.com/registry/packages/docker/api-docs/image/#dockerbuild (untested): 
const containerRepository = new awsx.ecr.Repository(`${appName}-image`, {
  repository: new aws.ecr.Repository(`${appName}-image`, {
    imageScanningConfiguration: {
      scanOnPush: true,
    },
    imageTagMutability: "MUTABLE",
  }),
});

const applicationImage = containerRepository.buildAndPushImage({
  env: {
    DOCKER_BUILDKIT: "1",
  },
  extraOptions: ["--tag", "name:1.0.1"],
});
r

rapid-kite-35

11/09/2022, 8:45 AM
That sadly doesn't work, presumably because 
pulumi-docker
overwrites the -t tag here: https://github.com/pulumi/pulumi-docker/blob/fa0159258e220cefa6a93d1e1f77676641721365/sdk/nodejs/docker.ts#L470 It uses the image name but if you pass in a 
DockerBuild
it generates the image name of the signature with no apparent way to overwrite it ( https://github.com/pulumi/pulumi-awsx/blob/master/awsx-classic/ecs/image.ts#L169 ) But I think I can get the credentials the same way 
awsx-classic
does and pass it directly to 
pulumi-docker
and hopefully that works. Odd though how difficult it is to tag an image...
This is what I ended up with, seems unnecessary complex so if there are better ways I'm open to suggestions: 
const credentials = aws.ecr.getCredentialsOutput({
    registryId: repo.registryId
})

const transformCredentials = (creds: pulumi.Output<aws.ecr.GetCredentialsResult>): pulumi.Output<docker.ImageRegistry> => {
    return creds.apply(c => {
        const decodedCredentials = Buffer.from(c.authorizationToken, "base64").toString();
        const [username, password] = decodedCredentials.split(":");
        if (!password || !username) {
            throw new Error("Invalid credentials");
        }
        return {
            server: c.proxyEndpoint,
            username: username,
            password: password,
        } as docker.ImageRegistry
    })
}

const image = new docker.Image(customImage, {
  build: {
    context: '../',
    args: buildArgs
  },
  registry: transformCredentials(credentials),
  imageName: pulumi.interpolate`${imageName}:${env}`,
});
m

millions-furniture-75402

11/09/2022, 1:31 PM
That's pretty unfortunate how the buildArgs are constructed from the DockerBuild.
Shouldn't extra options get added to the end of the args anyway? Since docker 1.1.0 you can pass many 
--tag
flags. https://github.com/pulumi/pulumi-docker/blob/fa0159258e220cefa6a93d1e1f77676641721365/sdk/nodejs/docker.ts#L465-L467
#awsJoin Slack
Powered by