(aws-codepipeline-actions): TagParameterContainerImage unusable cross-account
Using TagParameterContainerImage as a property for a stack in a different account causes a resolution error.
Reproduction Steps
// Pipeline stack, deployed to the nonprod account
const myPipeline = new MyPipeline(app, 'my-pipeline', {
  env: nonprod,
});
// Service stack, deployed to the prod account, consuming the pipeline's image
new MyFargateApp(app, 'my-app', {
  env: prod,
  image: myPipeline.tagParameterContainerImage,
});
What did you expect to happen?
Stack my-app should reference the ECR repo from my-pipeline.
What actually happened?
Error: Resolution error: Resolution error: Resolution error: Resolution error: Resolution error: Cannot use resource 'my-app/FargateService/TaskDef/ExecutionRole' in a cross-environment fashion, the resource's physical name must be explicit set or use 'PhysicalName.GENERATE_IF_NEEDED'.
Environment
- CDK CLI Version : 1.107.0 (build 52c4434)
- Framework Version: 1.107.0
- Node.js Version: 14.16.0
- OS : WSL2 Ubuntu 20.04.02 LTS on Windows 10 1909
- Language (Version): TypeScript (3.9.9)
Other details
I’m using ApplicationLoadBalancedFargateService.
This is 🐛 Bug Report
Top GitHub Comments
Hmm, so I think I know what the problem is.
The issue is that, when using TagParameterContainerImage across accounts, the execution Role of the Task in the Stack is added to the resource policy of the ECR Repository. However, that Role doesn’t exist at the time the Repository is deployed! (Because it belongs to the service Stack which will only be deployed by the Pipeline) And apparently ECR validates that.

Hey @skinny85 thanks, this got me a bit further. I’m now getting another issue where the ECR policy principal is not valid.
Error:
Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
Cause: The Principal field must contain an asterisk when a full role ARN is used.
Solutions:
Synthed CFN:
Working policy:
Other notes:
Statement[0].Principal must match the following: "/\*/" @ Statement[0].Principal
Workaround
If you need this in a new issue I’m happy to spin one up.
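The repository-policy constraint the comments describe, as an added example that is not part of the issue or of aws-cdk: it checks a policy document for the role-ARN principal ECR rejects while the role does not exist yet, rewrites it to a wildcard principal, and flags any wildcard left unscoped. The function names, the aws:PrincipalArn condition as the assumed shape of the working policy, and the sample account id and role name are assumptions, not taken from the thread.

```typescript
// Added example (not code from the issue or from aws-cdk); sample ARNs are constructed.
type Principal = "*" | { AWS: string | string[] };
interface Statement {
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface PolicyDocument { Version: string; Statement: Statement[] }

function principalArns(p: Principal): string[] {
  if (p === "*") return [];
  return Array.isArray(p.AWS) ? p.AWS : [p.AWS];
}

// Indexes of statements whose Principal is a full IAM role ARN: the shape ECR
// rejects while that role does not exist yet (it is created by the service stack).
function findRoleArnPrincipals(doc: PolicyDocument): number[] {
  const isRole = (a: string) => a.indexOf("arn:aws:iam::") === 0 && a.indexOf(":role/") !== -1;
  return doc.Statement.map((s, i) => (principalArns(s.Principal).some(isRole) ? i : -1)).filter((i) => i >= 0);
}

// Rewrite each role-ARN principal to "*" plus an ArnEquals condition on
// aws:PrincipalArn (assumed form): ECR accepts the policy, and still only that role may pull.
function rewriteForFutureRole(doc: PolicyDocument): PolicyDocument {
  const statements = doc.Statement.map((s): Statement => {
    const arns = principalArns(s.Principal);
    if (arns.length === 0) return s;
    const scope = { "aws:PrincipalArn": arns.length === 1 ? arns[0] : arns };
    return { ...s, Principal: "*", Condition: { ...(s.Condition ?? {}), ArnEquals: scope } };
  });
  return { ...doc, Statement: statements };
}

// A bare "*" principal with no aws:PrincipalArn condition lets any AWS account
// pull from the repository; flag it so the rewrite never silently widens access.
function findUnscopedWildcards(doc: PolicyDocument): number[] {
  const scoped = (s: Statement) => !!s.Condition?.ArnEquals?.["aws:PrincipalArn"];
  return doc.Statement.map((s, i) => (s.Principal === "*" && !scoped(s) ? i : -1)).filter((i) => i >= 0);
}

// Constructed sample of the cross-account pull grant before the rewrite.
const synthesizedPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: "arn:aws:iam::111111111111:role/my-app-FargateServiceTaskDefExecutionRole" },
    Action: ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"],
  }],
};
```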