Hi folks. I’m giving Pulumi a spin for a new project. The project is pretty simple. • Docker image running a FastAPI REST API • AWS App Runner My Pulumi program looks like this:

import pulumi
import pulumi_aws as aws
import pulumi_awsx as awsx


repo = awsx.ecr.Repository("ecr-repository")

image = awsx.ecr.Image(
    "image",
    repository_url=repo.url,
    path="../",
    env={"DOCKER_DEFAULT_PLATFORM": "linux/amd64"},  # attempt 2: running on M2 chip
    extra_options=["--platform", "linux/amd64"],  # attempt 1: running on M2 chip
)

service = aws.apprunner.Service(
    "myservice",
    service_name="myservice",
    source_configuration=aws.apprunner.ServiceSourceConfigurationArgs(
        auto_deployments_enabled=False,
        image_repository=aws.apprunner.ServiceSourceConfigurationImageRepositoryArgs(
            image_configuration=aws.apprunner.ServiceSourceConfigurationImageRepositoryImageConfigurationArgs(
                port="8000",
            ),
            image_identifier=image.image_uri,
            image_repository_type="ECR_PUBLIC",
        ),
    ),
)
pulumi.export("service", service.service_url)

This stack builds and pushes my docker image but fails to create the AppRunner service:

aws:apprunner:Service (myservice):
    error: 1 error occurred:
    	* creating urn:pulumi:dev::infrastructure::aws:apprunner/service:Service::myservice: 1 error occurred:
    	* error waiting for App Runner Service (arn:aws:apprunner:us-east-1:11111111111:service/myservice/111111111111111111111111) creation: unexpected state 'CREATE_FAILED', wanted target 'RUNNING'. last error: %!s(<nil>)

  pulumi:pulumi:Stack (infrastructure-dev):
    error: update failed

There’s not much to work off here. My App Runner console does give me these logs:

11-22-2022 12:16:30 PM [AppRunner] Failed to pull your application image. Be sure you configure your service with a valid access role to your ECR repository.
11-22-2022 12:14:13 PM [AppRunner] Starting to pull your application image.

My impression was that

awsx

is managing the needed roles/policies for the image. Is that correct, or is there more to do here?

awsx.ecr.Image

creates an ECR repository and uploads an image to it. you still need to provide a policy that allows access to that ECR

Thanks @billowy-army-68599 - creating a role/policy worked!

@astonishing-dress-81433 is this a pet project? I'm curious about production experience with CI/CD and App Runner because I have the same tech stack with exception it is built on top of ECS because when I needed it App Runner did not support VPC traffic so I could not connect DB.

Not a pet project but not a full production project either, closer to a proof of concept. We may graduate to a different hosting solution once we get a little further down the line but for now, Apprunner seems to be working. (We connect to a mongodb database from our app)