lambda.DockerImageCode.fromEcr: imageTagOrDigest field cannot recognize digests supplied as CfnParameter #31860

chrislciaba opened this issue Oct 23, 2024 · 3 comments · Fixed by #32053
Assignees
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@chrislciaba

Describe the bug

Since imageTagOrDigest supplied in the props for lambda.DockerImageCode.fromEcr can contain either an image tag or digest, if the value isn't explicitly known (in my example it's a CfnParameter) it defaults to it being a tag. There appears to be no workaround for this at the moment.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The following CloudFormation code should be produced:

"Code": {
     "ImageUri": {
      "Fn::Join": [
       "",
       [
        {
         "Fn::Select": [
          4,
          {
           "Fn::Split": [
            ":",
            {
             "Ref": "EcrRepoArn"
            }
           ]
          }
         ]
        },
        ".dkr.ecr.",
        {
         "Fn::Select": [
          3,
          {
           "Fn::Split": [
            ":",
            {
             "Ref": "EcrRepoArn"
            }
           ]
          }
         ]
        },
        ".",
        {
         "Ref": "AWS::URLSuffix"
        },
        "/",
        {
         "Ref": "EcrRepoName"
        },
        "@",
        {
         "Ref": "ImageDigest"
        }
       ]
      ]
     }
    },

Current Behavior

The following code is produced. Notice the ":" splitting the image tag:

"Code": {
     "ImageUri": {
      "Fn::Join": [
       "",
       [
        {
         "Fn::Select": [
          4,
          {
           "Fn::Split": [
            ":",
            {
             "Ref": "EcrRepoArn"
            }
           ]
          }
         ]
        },
        ".dkr.ecr.",
        {
         "Fn::Select": [
          3,
          {
           "Fn::Split": [
            ":",
            {
             "Ref": "EcrRepoArn"
            }
           ]
          }
         ]
        },
        ".",
        {
         "Ref": "AWS::URLSuffix"
        },
        "/",
        {
         "Ref": "EcrRepoName"
        },
        ":",
        {
         "Ref": "ImageDigest"
        }
       ]
      ]
     }
    },

Reproduction Steps

The following code produces an ECR URI with a ":" separating the image digest from the URL instead of an "@". This causes a deployment failure in CloudFormation due to a validation error on the Lambda side.

    const imageDigest = new cdk.CfnParameter(this, 'ImageDigest', {
      type: 'String',
      description: 'The image digest',
      default: 'sha256:...',
    });

    const lambdaFunction = new lambda.DockerImageFunction(this, `${lambdaPrefix}`, {
      code: lambda.DockerImageCode.fromEcr(
        ecr.Repository.fromRepositoryAttributes(this, 'RepoCrossAccount', {
          repositoryArn: ecrRepoArn.valueAsString,
          repositoryName: ecrRepoName.valueAsString,
        }), {
          tagOrDigest: imageDigest.valueAsString,
        }
      ),
    });

Possible Solution

Partition the imageTagOrDigest field into two separate fields or add a type tag.

Additional Information/Context

No response

CDK CLI Version

2.162.1

Framework Version

No response

Node.js Version

v22.4.1

OS

MacOS 14.6.1

Language

TypeScript

Language Version

No response

Other information

No response

@chrislciaba chrislciaba added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 23, 2024
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Oct 23, 2024
@pahud pahud self-assigned this Oct 23, 2024
@pahud
Contributor

pahud commented Oct 23, 2024

I think it's because repositoryUriForTagOrDigest() is not handling unresolved tokens well.

imageUri: this.repository.repositoryUriForTagOrDigest(this.props?.tagOrDigest ?? this.props?.tag ?? 'latest'),

Specifically this func

    public repositoryUriForTagOrDigest(tagOrDigest?: string): string {
      if (tagOrDigest?.startsWith('sha256:')) {
        return this.repositoryUriForDigest(tagOrDigest);
      } else {
        return this.repositoryUriForTag(tagOrDigest);
      }
    }

Making this a p1 and we probably need a PR to better handle unresolved tokens.

@pahud pahud added p1 effort/small Small work item – less than a day of effort labels Oct 23, 2024
@pahud pahud removed their assignment Oct 23, 2024
@pahud pahud removed the needs-triage This issue or PR still needs to be triaged. label Oct 23, 2024
@moelasmar moelasmar self-assigned this Oct 24, 2024
@mergify mergify bot closed this as completed in #32053 Nov 8, 2024
@mergify mergify bot closed this as completed in 5648199 Nov 8, 2024
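
The ":" versus "@" mismatch reported above can be caught in a synthesized template before deployment. The following is an added example, not code from this issue or from aws-cdk: it flags Lambda ImageUri joins that attach a digest-valued parameter with ":". It assumes the parameter's Default starts with sha256: (a deploy-time override is not visible to it); the sample template and the logical ID DockerFn are constructed.

```typescript
type Cfn = { [key: string]: any };

// True when the parameter's declared default looks like an image digest.
function isDigestParam(template: Cfn, name: string): boolean {
  const def = template.Parameters?.[name]?.Default;
  return typeof def === 'string' && /^sha256:/.test(def);
}

// Returns logical IDs of Lambda functions whose ImageUri joins a digest-valued
// parameter with ":" (tag syntax) instead of "@" (digest syntax).
function findMisjoinedDigests(template: Cfn): string[] {
  const findings: string[] = [];
  const resources: Cfn = template.Resources ?? {};
  for (const id of Object.keys(resources)) {
    const res: Cfn = resources[id];
    if (res.Type !== 'AWS::Lambda::Function') continue;
    const join = res.Properties?.Code?.ImageUri?.['Fn::Join'];
    if (!Array.isArray(join) || !Array.isArray(join[1])) continue;
    const parts: any[] = join[1];
    for (let i = 1; i < parts.length; i++) {
      const ref = parts[i]?.Ref;
      // A Ref to a digest parameter directly preceded by ":" is the bug's shape.
      if (typeof ref === 'string' && parts[i - 1] === ':' && isDigestParam(template, ref)) {
        findings.push(id);
      }
    }
  }
  return findings;
}

// Constructed sample: only the tail of the Fn::Join shown in the issue.
function sampleTemplate(separator: string): Cfn {
  return {
    Parameters: {
      ImageDigest: { Type: 'String', Default: 'sha256:<constructed-placeholder>' },
      EcrRepoName: { Type: 'String' },
    },
    Resources: {
      DockerFn: {
        Type: 'AWS::Lambda::Function',
        Properties: {
          Code: {
            ImageUri: {
              'Fn::Join': ['', ['/', { Ref: 'EcrRepoName' }, separator, { Ref: 'ImageDigest' }]],
            },
          },
        },
      },
    },
  };
}
```

Run against the JSON produced by synthesis, a non-empty result means the image reference would be resolved as a tag rather than pinned by digest.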

github-actions bot commented Nov 8, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.


@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 8, 2024
Leo10Gama pushed a commit to Leo10Gama/aws-cdk that referenced this issue Nov 13, 2024
…aws#32053)

### Issue # (if applicable)

Closes aws#31860.

### Reason for this change
Currently customers can pass one property `tagOrDigest` and if the customers pass a CFN parameter, CDK could not know if it is a tag or digest, and so the generated URI is not correct.

Now the same parameter can support Tokens, and it will generate a CFN condition to check if the value of this token is a digest or a tag, and then update the URI based on the condition output.


### Description of changes

Check if the input is a Token, and so instead of determining if its value is a tag or digest at synth time, we create a CFN condition to do this check in CFN, and then determine how to build the repo URI.

### Description of how you validated changes

Added unit test cases, and integration test cases with assertions.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@moelasmar moelasmar reopened this Nov 22, 2024