Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apprunner: After pushing a Docker image to ECR, isn't triggered. #26640

Closed
watany-dev opened this issue Aug 4, 2023 · 6 comments · Fixed by #30630, codu-code/codu#969 or rwlxxvii/containers#185 · May be fixed by NOUIY/aws-solutions-constructs#112 or gitafolabi/kreuzlaker#2
Closed

Apprunner: After pushing a Docker image to ECR, isn't triggered. #26640

watany-dev opened this issue Aug 4, 2023 · 6 comments · Fixed by #30630, codu-code/codu#969 or rwlxxvii/containers#185 · May be fixed by NOUIY/aws-solutions-constructs#112 or gitafolabi/kreuzlaker#2
Labels
@aws-cdk/aws-apprunner Related to the apprunner package bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@watany-dev
Copy link
Contributor

Describe the bug

Deployed AppRunner using AWS CDK.
The expected behavior is for AppRunner to automatically deploy upon each change to the container image in ECR.

Expected Behavior

After pushing a Docker image to ECR, the AppRunner deployment is triggered.

Current Behavior

However, even after pushing a Docker image to ECR, the AppRunner deployment isn't triggered.

Reproduction Steps

import * as apprunner from '@aws-cdk/aws-apprunner-alpha'
import { Cpu, Memory } from '@aws-cdk/aws-apprunner-alpha'
import * as cdk from 'aws-cdk-lib'
import * as iam from 'aws-cdk-lib/aws-iam'
import { Construct } from 'constructs'
import { EcrStack } from './ecr'

export class AppRunnerStack extends cdk.Stack {
constructor(
scope: Construct,
id: string,
ecrStack: EcrStack,
props?: cdk.StackProps,
) {
super(scope, id, props)

new apprunner.Service(this, 'SampleAppRunnerService', {
  serviceName: 'sample-app',
  cpu: Cpu.ONE_VCPU,
  memory: Memory.TWO_GB,
  autoDeploymentsEnabled: true,
  source: apprunner.Source.fromEcr({
    imageConfiguration: {
      port: 3000,
      startCommand: 'npm run start --workspace=app',
    },
    repository: ecrStack.repository,
    tagOrDigest: 'latest',
  }),
})

}
}

Possible Solution

Cause:

The access role for AppRunner’s service is automatically generated. However, it lacks permission for the ecr:DescribeImages action, preventing it from detecting image changes.

Necessary Permissions:

Actions required for ECR access:

  • ecr:BatchCheckLayerAvailability
  • ecr:GetDownloadUrlForLayer
  • ecr:BatchGetImage
  • ecr:GetAuthorizationToken

Actions that AppRunner needs for ECR access:

  • ecr:GetDownloadUrlForLayer
  • ecr:BatchCheckLayerAvailability
  • ecr:BatchGetImage
  • ecr:DescribeImages
  • ecr:GetAuthorizationToken

Proposed Solution:

  1. Add the ecr:DescribeImages action to the access role of AppRunner's service.
  2. Attach the IAM policy that includes the above actions to AppRunner.
  3. Make the AccessRole public to allow users to access it.

Additional Information/Context

https://zenn.dev/okaharuna/articles/bed7f41498a1b6

CDK CLI Version

2.89.0

Framework Version

No response

Node.js Version

any

OS

any

Language

Typescript

Language Version

No response

Other information

No response
@watany-dev watany-dev added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 4, 2023
@github-actions github-actions bot added the @aws-cdk/aws-apprunner Related to the apprunner package label Aug 4, 2023
@watany-dev watany-dev changed the title (module name): (short issue description) Apprunner: After pushing a Docker image to ECR, isn't triggered. Aug 4, 2023
@watany-dev watany-dev mentioned this issue Aug 4, 2023
Closed
@pahud
Copy link
Contributor

pahud commented Aug 4, 2023

Thanks for report.

I just know this feature today. The automatic deployment based on ECR image update is awesome!

https://docs.aws.amazon.com/apprunner/latest/dg/manage-deploy.html

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Aug 4, 2023
@github-actions github-actions bot mentioned this issue Sep 1, 2023
Closed
@pinelibg
Copy link

pinelibg commented Jan 4, 2024

It seems that ecr:DescribeImages action for the ECR repository is missing in the access role.

Reference of the required actions: https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles

As a workaround, the following fix worked for me.

(service.node.findChild('AccessRole') as Role).addToPrincipalPolicy(
  new PolicyStatement({
    actions: ['ecr:DescribeImages'],
    resources: [repository.repositoryArn],
  }),
);

@Mickeypeng Mickeypeng mentioned this issue Feb 27, 2024
Closed
1 task
@wired00
Copy link

wired00 commented Mar 9, 2024
edited
Loading

Seeing the same behaviour, looking forward to this fix (ie, the above PR being merged).

  • For now, I simply made a yarn patch-package with the changes specified here 540c12d. After yarn install > cdk deploy etc it seems to work fine.

  • I'm now able to push a new image, App Runner immediately identifies the change and re-deploys. I.e. [AppRunner] Deployment with ID : ****** started. Triggering event : SERVICE_DEPLOY

  • Alternatively, you could simply go into your AppRunner stack, find the IAM role (AWS::IAM::Role) open the role ie, MyAppRunnerStack-appRunnerServiceInstanceRole.... open the attached policy and change from

            "Action": [
                "ecr:GetAuthorizationToken"
            ],

to

            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer"
            ],

@pinelibg pinelibg mentioned this issue Mar 10, 2024
Closed
1 task
@mazyu36 mazyu36 mentioned this issue Jun 23, 2024
Merged
1 task
@mergify mergify bot closed this as completed in #30630 Jun 25, 2024
@mergify mergify bot closed this as completed in cce10b1 Jun 25, 2024
@github-actions GitHub Actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

1 similar comment
@github-actions GitHub Actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@NiallJoeMaher NiallJoeMaher mentioned this issue Jul 29, 2024
Merged
@NOUIY NOUIY mentioned this issue Aug 1, 2024
Open
@NiallJoeMaher NiallJoeMaher mentioned this issue Aug 12, 2024
Closed
@gitafolabi gitafolabi mentioned this issue Aug 16, 2024
Open
@NOUIY NOUIY mentioned this issue Aug 20, 2024
Open
@NOUIY NOUIY mentioned this issue Sep 5, 2024
Open
This was referenced Sep 5, 2024
Closed
Closed
@rwlxxvii rwlxxvii mentioned this issue Sep 11, 2024
Merged
@Rajeevroushandev
Copy link

Rajeevroushandev commented Oct 4, 2024
edited
Loading

after adding permission ecr:DescribeImages, then also it does not work. app runner does not triggered on ecr image tag update. obviously selected auto deploy. please suggest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-apprunner Related to the apprunner package bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
Milestone
No milestone
5 participants
@pahud @wired00 @pinelibg @watany-dev @Rajeevroushandev