aws_lambda: Edit DockerImageFunction ImageUri #29177
Labels
@aws-cdk/aws-lambda
Related to AWS Lambda
@aws-cdk/core
Related to core CDK functionality
bug
This issue is a bug.
effort/medium
Medium work item – several days of effort
p1
Describe the bug
I am trying to use a container registry located in a different account.
I have set image_assets_repository_name and image_asset_publishing_role_arn setting appropriately when instantiating my DefaultStackSynthesizer and have the appropriate permissions in place.
When performing a cdk deploy to account A (with account A credentials), the image is successfully created and pushed to ECR in Account B. However the cloudformation update fails as it cannot find the image. Upon investigation, I noticed in the synthesized template that the ImageUri value is prefixed with Account A details:
"ImageUri": { "Fn::Sub": "ACCOUNT-A.dkr.ecr.eu-west-1.${AWS::URLSuffix}/cdk-Qualifier-container-assets-ACCOUNT-B-eu-west-1:f3193b7321a34e0685a8fb9982ce250e2e6d8b45458d55b7c5c42132a7fe60ef" }
So Cloudformation is trying to find a repository and image that does not exist in account A
Expected Behavior
It makes sense to default to the account that is passed via the
env
dict but ImageUri in the resolved template should be configurable.Current Behavior
ImageUri is always prefixed with the account details of the account that is passed in the
env
dict.Reproduction Steps
Possible Solution
Make the ImageUri account-prefix configurable via an option in the DefaultSynthesizer
Additional Information/Context
Details taken from #29091
I eventually came to a workaround.
I could find no way to change the account number for the ImageUri field. Looks like it takes it from the account details passed in the env dict when instantiating the stack.
The only way around this was to use the lower level CfnFunction resource instead of DockerImageFunction. I created the docker asset separately and constructed the desired imageUri field. In the future this could be included in an internal construct or synthesizer but for now it is a reasonable approach
CDK CLI Version
2.126.0
Framework Version
No response
Node.js Version
v20.10.0
OS
Ubuntu 22.04.4 LTS
Language
Python
Language Version
3.12
Other information
You may notice in my DefaultSynthesizer that it is not required to specify the
file_asset_publishing_role_arn
. The file asset publishing role created as part of bootstrapping ACCOUNT-A has permission to write to the S3 Bucket in ACCOUNT-B.However, I must include the image_asset_publishing_role_arn as without it my workaround fails when performing a cdk deploy:
pipeline: fail: No ECR repository named 'cdk-MyQualifier-container-assets-ACCOUNT-B-eu-west-1' in account ACCOUNT-A. Is this account bootstrapped?
The text was updated successfully, but these errors were encountered: