cdk-ecr-deployment icon indicating copy to clipboard operation
cdk-ecr-deployment copied to clipboard
verified publisher icon cdklabs

Enable an option to return image sha256 digest

Open pscheri opened this issue 1 year ago • 2 comments

Due to the new software version consistency feature released for Amazon ECS services (https://aws.amazon.com/blogs/containers/announcing-software-version-consistency-for-amazon-ecs-services/) it would be great for ECRDeployment to return the sha256 digest of the uploaded image.

This way it would be easier to create consistent tasks definitions in CDK, pointing to imageUri@digest rather than imageUri:Tag

Version tested: cdk-ecr-deployment==3.0.150

pscheri avatar Dec 19 '24 09:12 pscheri

Thanks for the suggestion @pscheri

I'm not entirely sure I'm following your request though. ECRDeployment currently doesn't return anything as far as I can tell!?

Could you share some (pseudo) code of what you are currently doing and what you would like to do in future?

mrgrain avatar Mar 13 '25 13:03 mrgrain

Hi @mrgrain, Sorry the delay, afaik as you said, the construct doesn't return anything at the moment. Idea would be as follow:

ecr_deployed = ECRDeployment(
	scope=scope,
	id=f'ecr-deployment-{ecr_d_id}',
	src=S3ArchiveName(s3_image),
	dest=DockerImageName(ecr_repository.repository_uri),
)

image = f'{ecr_repository.repository_uri}@{ecr_deployed.digest}'

task_def = ecs.TaskDefinition(
	scope,
	f'task-definition-{task_d_id}',
	**task_def_props
)

task_def.add_container(
	id=task_d_id,
	image=ecs.ContainerImage.from_registry(image),
	environment=variables,
	version_consistency=ecs.VersionConsistency.ENABLED,
)

According to Doc for .add_container: https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ecs/TaskDefinition.html image (ContainerImage) – The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with either repository-url/image:tag or repository-url/image@digest. TODO: Update these to specify using classes of IContainerImage

I would rather use ecs.ContainerImage.from_ecr_repository(repository, tag=None) than ecs.ContainerImage.from_registry(name, *, credentials=None), but looks like the former only supports tags at the moment, and not digests (but haven't test it yet).

Let me know if that make sense. Thanks.

pscheri avatar Apr 11 '25 08:04 pscheri