-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(aws-lambda): Allow referencing lambda container image by digest #15333
Comments
Thanks for filing this issue. The
and Marking as a feature request. |
For the specific use-case, you can also do this after you've deployed an updated image to ECR, and it forces the lambda to update its image reference to the latest digest:
In this scenario there are no stack updates to to the lambda container's digest necessary. |
A hacky-feeling workaround for this (using the Java SDK) is to concat the digest manually to the repository, and pass a blank tag (null doesn't work because it results in DockerImageCode.fromEcr(Repository.fromRepositoryArn(this, "unused",
"arn:aws:ecr:ap-southeast-2:11111111:repository/my-repo@sha256:570f120..."),
EcrImageCodeProps.builder().tag("").build()); |
…rywhere (#19799) This generalises the fix of #13299 by creating a `IRepository.repositoryUriForTagOrDigest` function that detects whether something looks like a digest (starts with `sha256:`) or is a tag, and formats the URI with `@` or `:` as appropriate. This function is then used in most places that previously called `repositoryUriForTag`, meaning they can use image digests in addition to tags. The one remain real call is in aws-ecs's `TagParameterContainerImage`. This includes aws-lambda's `EcrImageCode`, and thus closes #15333. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
…rywhere (aws#19799) This generalises the fix of aws#13299 by creating a `IRepository.repositoryUriForTagOrDigest` function that detects whether something looks like a digest (starts with `sha256:`) or is a tag, and formats the URI with `@` or `:` as appropriate. This function is then used in most places that previously called `repositoryUriForTag`, meaning they can use image digests in addition to tags. The one remain real call is in aws-ecs's `TagParameterContainerImage`. This includes aws-lambda's `EcrImageCode`, and thus closes aws#15333. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
At the moment it appears
DockerImageCode.fromEcr
type can only accept a tag as a reference to a container version. I think it would be helpful to also be able to reference a digest instead of a tag.Use Case
Deploying a Lambda on a moving tag requires intervention outside the CDK to force the lambda to update its digest. In my workflow, I deploy a new container to latest, and get a digest from that update. I would like to just specify that digest in my lambda container to then force it to update to the latest version.
Proposed Solution
Taking into consideration how this issue was resolved: #5082 . Maybe we should have the ability to create a
DockerImageCode
instance from the fullRepository
URI, so we can sayrepository.repositoryUriForDigest
in addition torepository.repositoryUriForTag
.Another option is to add a
digest
property in the options forDockerImageCode.fromEcr
, however then that opens an invalid state, where you can specify both a tag and digest.One other thought, in line with this comment: #5082 (comment), is to overload the
tag
property for digest, and check if it starts with sha256:.Other
This is a 🚀 Feature Request
The text was updated successfully, but these errors were encountered: