(aws-lambda): Allow referencing lambda container image by digest #15333

Closed
2 tasks
mrvisser opened this issue Jun 28, 2021 · 5 comments · Fixed by #19799
Labels
@aws-cdk/aws-lambda Related to AWS Lambda effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@mrvisser

At the moment it appears DockerImageCode.fromEcr type can only accept a tag as a reference to a container version. I think it would be helpful to also be able to reference a digest instead of a tag.

Use Case

Deploying a Lambda on a moving tag requires intervention outside the CDK to force the lambda to update its digest. In my workflow, I deploy a new container to latest, and get a digest from that update. I would like to just specify that digest in my lambda container to then force it to update to the latest version.

Proposed Solution

Taking into consideration how this issue was resolved: #5082 . Maybe we should have the ability to create a DockerImageCode instance from the full Repository URI, so we can say repository.repositoryUriForDigest in addition to repository.repositoryUriForTag.

Another option is to add a digest property in the options for DockerImageCode.fromEcr, however then that opens an invalid state, where you can specify both a tag and digest.

One other thought, in line with this comment: #5082 (comment), is to overload the tag property for digest, and check if it starts with sha256:.

Other

Resource handler returned message: "Source image 393233896464.dkr.ecr.us-east-2.amazonaws.com/my-image:@sha256:783e6c546ca12437893a8651759f93a642a55d368a238f04bf625859c3bdb25a is not valid. Provide a valid source image. (Service: Lambda, Status Code: 400, Request ID: 2982d3fc-3741-4a5c-ae6b-e3d7f3b6b076, Extended Request ID: null)" (RequestToken: 3c72609b-e1fa-e34c-f15e-02134f8405d4, HandlerErrorCode: InvalidRequest)
  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@mrvisser mrvisser added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jun 28, 2021
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Jun 28, 2021
@nija-at
Contributor

nija-at commented Jul 28, 2021

Thanks for filing this issue.

The EcrImageCode will need to be updated to use repositoryUriForDigest() here -

imageUri: this.repository.repositoryUriForTag(this.props?.tag ?? 'latest'),

and EcrImageCodeProps will need to be updated to accept a digest property.

Marking as a feature request.

@nija-at nija-at added effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2 and removed needs-triage This issue or PR still needs to be triaged. good first issue Related to contributions. See CONTRIBUTING.md labels Jul 28, 2021
@nija-at nija-at removed their assignment Jul 28, 2021
@mrvisser
Author

For the specific use-case, you can also do this after you've deployed an updated image to ECR, and it forces the lambda to update its image reference to the latest digest:

aws lambda update-function-code \
  --function-name <function name> \
  --image-uri "$ECR_URL/my-image:prod"

In this scenario there are no stack updates to the lambda container's digest necessary.

@adrian-baker

A hacky-feeling workaround for this (using the Java SDK) is to concat the digest manually to the repository, and pass a blank tag (null doesn't work because it results in :latest being added).

DockerImageCode.fromEcr(Repository.fromRepositoryArn(this, "unused",
        "arn:aws:ecr:ap-southeast-2:11111111:repository/my-repo@sha256:570f120..."),
    EcrImageCodeProps.builder().tag("").build());

@huonw
Contributor

huonw commented Apr 7, 2022

In #19799, I generalised the change from #13299 (fixes #5082) and used it in most places, including lambda.

@mergify mergify bot closed this as completed in #19799 Apr 13, 2022
mergify bot pushed a commit that referenced this issue Apr 13, 2022
…rywhere (#19799)

This generalises the fix of #13299 by creating a `IRepository.repositoryUriForTagOrDigest` function that detects whether something looks like a digest (starts with `sha256:`) or is a tag, and formats the URI with `@` or `:` as appropriate. This function is then used in most places that previously called `repositoryUriForTag`, meaning they can use image digests in addition to tags. The one remaining real call is in aws-ecs's `TagParameterContainerImage`.

This includes aws-lambda's `EcrImageCode`, and thus closes #15333.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
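
The tag-or-digest formatting described in the commit message above, as an added example that is not the aws-cdk implementation and not part of the original thread. The function names, the stricter digest and tag validation, and the sample repository URI and digest are assumptions made for illustration; plain strings are assumed, so unresolved CDK tokens are not handled.

```typescript
// Added illustration, not the aws-cdk source. All names here are hypothetical.
const DIGEST = /^sha256:[0-9a-f]{64}$/;              // sha256 digest: 64 hex chars
const TAG = /^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$/;   // Docker tag grammar

interface ImageRef {
  uri: string;
  pinned: boolean; // true when the reference is an immutable digest
}

// Build an image URI from a repository URI plus either a tag or a digest.
// Assumes plain strings; unresolved CDK tokens are not handled.
function imageUriFor(repositoryUri: string, tagOrDigest: string = 'latest'): ImageRef {
  if (tagOrDigest.startsWith('sha256:')) {
    if (!DIGEST.test(tagOrDigest)) {
      throw new Error(`malformed digest: ${tagOrDigest}`);
    }
    return { uri: `${repositoryUri}@${tagOrDigest}`, pinned: true };
  }
  // Rejects inputs such as "@sha256:...", which would otherwise yield the
  // ":@sha256:" URI that Lambda refused in the error quoted in this issue.
  if (!TAG.test(tagOrDigest)) {
    throw new Error(`invalid tag: ${tagOrDigest}`);
  }
  return { uri: `${repositoryUri}:${tagOrDigest}`, pinned: false };
}

// Report which of a set of references are still mutable tags.
function unpinned(repositoryUri: string, refs: string[]): string[] {
  return refs
    .map((r) => imageUriFor(repositoryUri, r))
    .filter((i) => !i.pinned)
    .map((i) => i.uri);
}

// Constructed sample values.
const REPO = '123456789012.dkr.ecr.us-east-1.amazonaws.com/my-image';
const SAMPLE_DIGEST = 'sha256:' + 'ab'.repeat(32);
console.log(imageUriFor(REPO, SAMPLE_DIGEST).uri);
console.log(unpinned(REPO, ['prod', SAMPLE_DIGEST, 'latest']));
```

Validating at synth time turns a malformed reference into a local error instead of a failed deployment, and the `pinned` flag makes it easy to list functions that still track a moving tag.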
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

StevePotter pushed a commit to StevePotter/aws-cdk that referenced this issue Apr 27, 2022
…rywhere (aws#19799)
