docker images: cannot use tokens in buildArgs - improve validation and errors #3981
Comments
The |
So how would the above be rewritten to actually work? You must agree that the symmetry of the above is misleading and unintuitive, as both the above are assets: one a lambda, the other one an ECR image. Conceptually, the difference is very slight. Yet, CDK handles these cases differently. |
Can you detail your use case? How about using |
There is no TaskDefinition here; you're assuming the use case involves ECS. The ECR container is used by a fleet of EC2 spot instances. |
To my mind, CDK is simply wrong here. The two examples above are structurally almost identical, and I see no reason why both examples shouldn't evaluate their args in a similar way. Are you saying the current behaviour is intentional? If so, how should the code be written to resolve the args as expected? |
Why does your image need your queue arn at build time? |
For various security reasons the ARN can't be passed in at run-time. But isn't that really beside the point? What I'm wondering about is the asymmetry of the behaviour in the above two cases. Is it intentional, and if so, isn't it misleading? And, again if so, how should it be rewritten to work? |
There's no real asymmetry. Both aren't assets. A Lambda function is a resource, its code is an asset (zipped and uploaded to S3 before CF deploy). You would face the same problem if you'd want your code to be aware of a deploy time queue arn. You cannot compare |
A hospital and an office complex are structurally almost identical but you'd be advised against coming to work with a broken leg and expecting it to feel better when you leave. A Docker container and a Lambda Function are rather different, even though they share a similar API. A Docker image needs to be built before it can be used, a Lambda function does not. It makes sense that building/deploying a Docker Image would involve more steps than building/deploying a Lambda Function. I would argue that building a Docker Image is closer to building an EC2 AMI than it is to packaging a Lambda Function. |
I agree with @PeterBengtson that this is confusing, without knowing better, I would expect this to also work. But, sadly, there is not much we can do in this particular case besides a runtime error (which I think would at least reduce some of the grief). Building on @jogold's suggestion, maybe you can export a QUEUE_URL environment in a user-data script in your EC2 instance instead of baking it into the build image? Tokens are pretty magical. They allow us to treat late-bound values as first class in all programming languages, and in many cases, they "Just Work" and users don't need to understand their details. In some (hopefully edge cases), their magic "leaks" and we need to be more explicit about validation and user education. I am repurposing this issue to improve the error message in case tokens are used for |
Since `buildArgs` are used before deployment, if tokens are used, we will fail quickly with a nice message. Fixes #3981
See #3989 |
Thanks, Elad, for clarifying the situation. I will forward your response to the developer who wrote the code in question. As a workaround, I had already advised him to store the URL in Parameter Store instead. A better error message would have reduced the confusion, so it's good it's forthcoming. Thanks. |
* feat(ecr-assets): fail if tokens are used in buildArgs

  Since `buildArgs` are used before deployment, if tokens are used, we will fail quickly with a nice message. Fixes #3981

* do not import Token, since it's not used
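An added illustration of the fail-fast check described in the change above; it is not code from the CDK or from this thread. It assumes an unresolved string token appears at synth time as a placeholder of the form `${Token[...]}`, and the function names and sample values are hypothetical.

```typescript
// Added illustration; not the CDK's implementation.
// Assumption: at synth time an unresolved string token is a placeholder
// such as ${Token[TOKEN.42]} (list tokens use #{Token[...]}). The real
// value only exists once CloudFormation deploys, after the image is built.
const TOKEN_PLACEHOLDER = /[$#]\{Token\[[^\]]*\]\}/;

type BuildArgs = { [name: string]: string };

// Returns the names of build args whose value still contains a placeholder,
// including values where the placeholder is embedded in a longer string.
function findTokenizedBuildArgs(buildArgs: BuildArgs): string[] {
  return Object.keys(buildArgs)
    .filter((name) => TOKEN_PLACEHOLDER.test(buildArgs[name]))
    .sort();
}

// Fails before any `docker build` runs, so the placeholder text is never
// baked into an image layer as if it were the real ARN or URL.
function validateBuildArgs(buildArgs: BuildArgs): void {
  const offending = findTokenizedBuildArgs(buildArgs);
  if (offending.length > 0) {
    throw new Error(
      'Cannot use tokens in buildArgs (' + offending.join(', ') + '): ' +
      'build args are consumed before deployment, when tokens are unresolved'
    );
  }
}

// Constructed sample input: one literal value, two late-bound values.
const sampleBuildArgs: BuildArgs = {
  BASE_IMAGE: 'example-base:1.0',
  QUEUE_ARN: '${Token[TOKEN.42]}',
  QUEUE_URL: 'https://queue.example.invalid/${Token[TOKEN.43]}',
};
```

Values that must stay late-bound can instead be read at run time, as the thread suggests (a user-data environment variable or Parameter Store).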
Hey peops, I hit this issue today, but it makes no sense why I can't use the references in this instance. If this is just the wrong way to code this please let me know. I'm creating an ECR repo, then trying to use DockerImageAsset to get an image into the repo. The above exception was the direct cause of the following exception: Traceback (most recent call last): |
🐛 Bug Report
What is the problem?
We all know that this works as intended:
The SQS queue ARN token is evaluated as expected and its final value used.
The following, however, does not work:
In the last example, the token is never expanded.
Environment