cdk-ecr-deployment
cdk-ecr-deployment not compatible with CdkPipelines
I have a pipelined repo which deployed just fine... until I added cdk-ecr-deployment. Then the build stage fails because the CodeBuild doesn't have support for docker. Because... why would it?
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
--
194 | FAIL test/baseline.test.ts
I tried adding docker support, but that's non-trivial since CdkPipelines already has opinions about how it should be running the build phase.
My workaround for now is to deprecate cdk-ecr-deployment to only manual bootstrapping. The choice of golang for the lambda continues to be unfortunate.
@ahammond Did you enable privileged mode? https://docs.aws.amazon.com/cdk/api/v1/docs/pipelines-readme.html#using-docker-in-the-pipeline
@wchaws Yes:
```typescript
// Imports added for completeness; they are not part of the original post.
// Assumed: aws-cdk-lib v2 namespace layout, lodash's `merge`, and a `Namer`
// helper type exposing `.pascal` (the author's own helper, not shown in the issue).
import { aws_codebuild, aws_iam, pipelines } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { merge } from 'lodash';

type Namer = { pascal: string }; // assumed shape of the author's Namer helper

// Props reconstructed from their usage in the constructor below.
export interface GitHubPipelineStackProps {
  repoString: string;
  branch?: string;
  disableSelfMutation?: boolean;
  synthParams?: Partial<pipelines.CodeBuildStepProps>;
}

export class GitHubPipeline extends pipelines.CodePipeline {
  constructor(scope: Construct, id: Namer, props: GitHubPipelineStackProps) {
    // https://www.antstack.io/blog/cdk-pipelines-with-github-source-and-codestar-connection/
    const connectionArn =
      'arn:aws:codestar-connections:us-east-1:123412341234:connection/this-is-actually-a-guid'; // obfuscated account and guid
    const input = pipelines.CodePipelineSource.connection(props.repoString, props.branch ?? 'main', {
      connectionArn,
    });
    // We need to add auth for GitHub Packages. That requires our ALL_PACKAGE_READ_TOKEN
    const partialBuildSpec = aws_codebuild.BuildSpec.fromObject({
      env: {
        'secrets-manager': {
          // key: secret-id:json-key:version-stage:version-id
          ALL_PACKAGE_READ_TOKEN: 'CdkPipelineSecrets:ALL_PACKAGE_READ_TOKEN',
        },
      },
      privilegedMode: true, // necessary, but not sufficient to enable Docker. What else?
    });
    const synthParams = {
      input,
      env: {
        CI: 'true', // emulate GitHub Actions
      },
      partialBuildSpec,
      rolePolicyStatements: [
        new aws_iam.PolicyStatement({
          sid: 'CdkPipelineSecretsAccess',
          actions: ['Describe*', 'List*', 'GetResourcePolicy', 'GetSecretValue'].map((a) => `secretsmanager:${a}`),
          resources: [`arn:aws:secretsmanager:us-east-1:123412341234:secret:CdkPipelineSecrets*`], // obfuscated account
        }),
        new aws_iam.PolicyStatement({
          sid: 'ConnectionAccess',
          actions: ['codestar-connections:UseConnection'],
          resources: [connectionArn],
        }),
      ],
      installCommands: [
        // Write an .npmrc so yarn can read from GitHub Packages with the token above
        [
          'cat > .npmrc <<EOF',
          '//npm.pkg.github.com/:_authToken=${ALL_PACKAGE_READ_TOKEN}',
          '@time-loop:registry=https://npm.pkg.github.com/',
          'EOF',
        ].join('\n'),
        'yarn install --frozen-lockfile',
      ],
      commands: ['yarn build', 'npx cdk synth'],
    };
    const synth = new pipelines.CodeBuildStep('SynthStep', merge(synthParams, props.synthParams ?? {}));
    super(scope, id.pascal, {
      crossAccountKeys: true,
      dockerEnabledForSelfMutation: true, // necessary, but not sufficient to enable Docker. What else?
      pipelineName: id.pascal,
      selfMutation: !props.disableSelfMutation,
      synth,
    });
  }
}
```
is how we're declaring the pipeline. I tried hunting around the AWS console to confirm that it's running in Privileged mode, but don't see anything. So... I think so?
It's using the aws/codebuild/standard:5.0 base image.
For us this worked fine with CDK pipelines, probably with privileged enabled in the synth step.
Have you tried setting env variable FORCE_PREBUILT_LAMBDA to 1 so that building would not be needed? Even that image should have golang available.
I think usage of Golang for lambda simplifies things quite a lot, but I think that's another discussion.
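The pipeline posted above sets `dockerEnabledForSelfMutation` and a `privilegedMode` key inside the buildspec, but the Docker daemon error comes from the synth step, where cdk-ecr-deployment bundles its lambda. The check below is an added example (not code from the issue or from the cdk-ecr-deployment project): it models the documented CDK Pipelines rules for when each CodeBuild project runs privileged, and flags the no-op buildspec key. The interfaces are minimal local stand-ins for the aws-cdk-lib fields used (`dockerEnabledForSynth`, `dockerEnabledForSelfMutation`, `CodeBuildStep.buildEnvironment.privileged`); the pipeline-privilege rule is an assumption drawn from the linked README, not CDK's own code.

```typescript
// Minimal stand-ins for the aws-cdk-lib props this check reads (assumed shapes).
interface SynthStepProps {
  partialBuildSpec?: Record<string, unknown>;   // object passed to BuildSpec.fromObject()
  buildEnvironment?: { privileged?: boolean };  // CodeBuildStep.buildEnvironment
}
interface PipelineProps {
  dockerEnabledForSynth?: boolean;
  dockerEnabledForSelfMutation?: boolean;
}
interface DockerReport {
  synthPrivileged: boolean;
  selfMutationPrivileged: boolean;
  warnings: string[];
}

// Privileged mode is a CodeBuild *project* property, not a buildspec setting, so these
// keys inside BuildSpec.fromObject({...}) do not enable Docker.
const NOT_BUILDSPEC_KEYS = ['privilegedMode', 'privileged'];

function checkDocker(pipeline: PipelineProps, synth: SynthStepProps): DockerReport {
  const warnings: string[] = [];
  for (const key of NOT_BUILDSPEC_KEYS) {
    if (synth.partialBuildSpec !== undefined && key in synth.partialBuildSpec) {
      warnings.push(`'${key}' inside partialBuildSpec is not a buildspec setting; ` +
        'use dockerEnabledForSynth on the pipeline or buildEnvironment.privileged on the synth step');
    }
  }
  // Synth project: privileged if the pipeline-level flag or the step's own build environment asks for it.
  const synthPrivileged = Boolean(pipeline.dockerEnabledForSynth || synth.buildEnvironment?.privileged);
  if (!synthPrivileged) {
    warnings.push('synth step cannot reach the Docker daemon: Docker-based bundling during cdk synth will fail');
  }
  // Self-mutation project: controlled only by dockerEnabledForSelfMutation.
  const selfMutationPrivileged = Boolean(pipeline.dockerEnabledForSelfMutation);
  return { synthPrivileged, selfMutationPrivileged, warnings };
}

// Constructed inputs: the configuration as posted in the issue, then a corrected one.
const asPosted = checkDocker(
  { dockerEnabledForSelfMutation: true },
  { partialBuildSpec: { env: {}, privilegedMode: true } },
);
const corrected = checkDocker(
  { dockerEnabledForSelfMutation: true, dockerEnabledForSynth: true },
  { partialBuildSpec: { env: {} } },
);
```

Running `checkDocker` on the posted configuration reports the synth project as unprivileged with two warnings, while the corrected one (`dockerEnabledForSynth: true` and no stray buildspec key) reports none.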