Open blimmer opened 5 months ago
I was able to find another workaround inside a custom Construct I'm exposing, `CachedDockerImageAsset`.
I found that after the first `DockerImageAsset` is initialized, the `imageRole` is created on the staging stack. These are all private properties, so I had to use `as any`s to make TS happy, but this works:
```typescript
import { Construct } from 'constructs';
import { IRepository } from 'aws-cdk-lib/aws-ecr';
import { Role } from 'aws-cdk-lib/aws-iam';

// Grants the synthesizer's auto-created image role pull/push on an extra repo.
// It reaches into private properties of the app staging synthesizer, so `scope`
// is expected to be the Stack that carries the synthesizer.
function ensureAccessToCacheRepo(scope: Construct, repo: IRepository) {
  const appStagingSynthesizerStack = (scope as any)?.synthesizer?.stagingStack;
  if (!appStagingSynthesizerStack) {
    throw new Error(
      "The CachedDockerImageAsset must be used with the @aws-cdk/app-staging-synthesizer-alpha synthesizer"
    );
  }
  // imageRole only exists once the first DockerImageAsset has been initialized
  const imageRole = appStagingSynthesizerStack.imageRole as Role;
  if (!imageRole) {
    throw new Error("The app synthesizer didn't create the image role like we expected...");
  }
  repo.grantPullPush(imageRole);
}
```
It'd be great if `imageRole` were not private - that'd be a great start!
That is a possibility that I looked into, but it's not quite what I was looking for. I like the fact that the default setup creates the role that only allows publishing to the specific ECR repos per-asset.
If I passed my own role, I'd need to recreate the same logic the default app staging synthesizer already has (granting push/pull to the ECR repos it auto-creates). Imagine if I set up the custom role, then another developer who's unfamiliar with the customization creates a new `DockerImageAsset`. They'd encounter errors that could be confusing to debug because they have to find the existing custom role I created.
Being able to simply call `.grant` on the role is a much better solution, at least for my workflow. What do you think?
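A check that keeps the least-privilege point above verifiable once the role is extended, as an added example that is not code from this issue or from the CDK project: it reads the CloudFormation JSON that `cdk synth` writes for the staging stack, lists every ECR repository the image role can act on (through inline policies, `AWS::IAM::Policy` and `AWS::IAM::ManagedPolicy` resources attached to it), and flags anything not on an explicit allow-list, here the per-asset repo plus `docker-image-cache`. The template, account id, region, repository names and logical IDs inside it are constructed assumptions. The one real IAM detail it relies on is that `ecr:GetAuthorizationToken` only accepts `Resource: "*"`, so that statement is deliberately excluded from the repository check rather than reported as over-broad.

```typescript
// Added example (not from the issue or the CDK project): audit which ECR
// repositories a synthesized image-publishing role can act on. Input is the
// CloudFormation JSON that `cdk synth` writes for the staging stack; the
// sample template at the bottom is constructed to look like that output.

type CfnValue = string | { Ref: string } | { 'Fn::GetAtt': [string, string] };

interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: CfnValue | CfnValue[];
}

interface Template {
  Resources: Record<string, { Type: string; Properties?: Record<string, any> }>;
}

const asArray = <T>(v: T | T[]): T[] => (Array.isArray(v) ? v : [v]);

// ecr:GetAuthorizationToken cannot be scoped to a repository; IAM only accepts
// Resource "*" for it, so a "*" there is not an over-broad grant.
const RESOURCE_AGNOSTIC = new Set(['ecr:GetAuthorizationToken']);

// Turn a Resource entry into an ARN string. Literal ARNs pass through; an
// Fn::GetAtt on an AWS::ECR::Repository in the same template is rebuilt from
// its RepositoryName (account and region are supplied by the caller).
function resolveArn(t: Template, v: CfnValue, account: string, region: string): string {
  if (typeof v === 'string') return v;
  if ('Fn::GetAtt' in v) {
    const [logicalId, attr] = v['Fn::GetAtt'];
    const target = t.Resources[logicalId];
    if (target?.Type === 'AWS::ECR::Repository' && attr === 'Arn') {
      return `arn:aws:ecr:${region}:${account}:repository/${target.Properties?.RepositoryName}`;
    }
  }
  return `<unresolved:${JSON.stringify(v)}>`; // surfaces anything we could not follow
}

function listsRole(roles: CfnValue[] | undefined, roleId: string): boolean {
  return (roles ?? []).some(r => typeof r === 'object' && 'Ref' in r && r.Ref === roleId);
}

// Every repository ARN (or wildcard) the role may use with ecr:* actions, taken
// from its inline Policies and from AWS::IAM::Policy / AWS::IAM::ManagedPolicy
// resources that attach to it. Sorted so callers can compare directly.
function ecrRepositoriesGrantedTo(t: Template, roleId: string, account: string, region: string): string[] {
  const docs: any[] = (t.Resources[roleId]?.Properties?.Policies ?? []).map((p: any) => p.PolicyDocument);
  for (const res of Object.values(t.Resources)) {
    const attached = res.Type === 'AWS::IAM::Policy' || res.Type === 'AWS::IAM::ManagedPolicy';
    if (attached && listsRole(res.Properties?.Roles, roleId)) docs.push(res.Properties?.PolicyDocument);
  }
  const arns = new Set<string>();
  for (const doc of docs) {
    for (const st of asArray<Statement>(doc.Statement)) {
      if (st.Effect !== 'Allow') continue;
      const scoped = asArray(st.Action).filter(a => a.startsWith('ecr:') && !RESOURCE_AGNOSTIC.has(a));
      if (scoped.length === 0) continue;
      for (const r of asArray(st.Resource)) arns.add(resolveArn(t, r, account, region));
    }
  }
  return Array.from(arns).sort();
}

// Repositories the role can reach that are not on the allow-list. An empty
// result means the extension to the cache repo kept the role tightly scoped.
function unexpectedEcrAccess(t: Template, roleId: string, allowed: string[], account: string, region: string): string[] {
  const ok = new Set(allowed);
  return ecrRepositoriesGrantedTo(t, roleId, account, region).filter(a => !ok.has(a));
}

// ---- constructed sample: account, region, names and logical IDs are assumptions ----
const ACCOUNT = '111111111111';
const REGION = 'us-west-2';
const ASSET_REPO_ARN = `arn:aws:ecr:${REGION}:${ACCOUNT}:repository/my-app/assets`;
const CACHE_REPO_ARN = `arn:aws:ecr:${REGION}:${ACCOUNT}:repository/docker-image-cache`;

const SAMPLE_TEMPLATE: Template = {
  Resources: {
    ImageRole: { Type: 'AWS::IAM::Role', Properties: { RoleName: 'cdk-my-app-image-role-us-west-2' } },
    AssetRepo: { Type: 'AWS::ECR::Repository', Properties: { RepositoryName: 'my-app/assets' } },
    // Shape of the synthesizer's own grant: auth token on "*", push/pull on its repo only.
    ImageRolePolicy: {
      Type: 'AWS::IAM::ManagedPolicy',
      Properties: {
        Roles: [{ Ref: 'ImageRole' }],
        PolicyDocument: { Version: '2012-10-17', Statement: [
          { Effect: 'Allow', Action: 'ecr:GetAuthorizationToken', Resource: '*' },
          { Effect: 'Allow', Action: ['ecr:PutImage', 'ecr:InitiateLayerUpload', 'ecr:UploadLayerPart',
            'ecr:CompleteLayerUpload', 'ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage',
            'ecr:GetDownloadUrlForLayer'], Resource: { 'Fn::GetAtt': ['AssetRepo', 'Arn'] } },
        ] },
      },
    },
    // Shape of what repo.grantPullPush(imageRole) adds for a repo living in another stack.
    CacheRepoGrant: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        Roles: [{ Ref: 'ImageRole' }],
        PolicyDocument: { Version: '2012-10-17', Statement: [
          { Effect: 'Allow', Action: ['ecr:BatchGetImage', 'ecr:GetDownloadUrlForLayer', 'ecr:PutImage',
            'ecr:InitiateLayerUpload', 'ecr:UploadLayerPart', 'ecr:CompleteLayerUpload'], Resource: CACHE_REPO_ARN },
        ] },
      },
    },
  },
};
```

Run against real output by loading `cdk.out/<staging-stack>.template.json` in place of `SAMPLE_TEMPLATE`; `unexpectedEcrAccess(template, '<role logical id>', [assetRepoArn, cacheRepoArn], account, region)` returning an empty array is the property worth asserting in a unit test, and any `<unresolved:...>` entry in the result points at a reference the resolver does not yet follow.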
Describe the feature
I'd like to be able to grant the auto-generated image publishing role additional permissions.
Use Case
I want to add registry caching to my `DockerImageAsset` builds. I have a separate ECR repo called `docker-image-cache` with a lifecycle policy specifically designed for storing cache layers. However, the Docker `AppStagingSynthesizer` image role doesn't, by default, allow working with other ECR repos for security. For example, the `imageRole` it creates (`cdk-my-app-image-role-us-west-2`) looks like this:
So the cache step fails:
Proposed Solution
It'd be nice to provide some API to access the `imageRole` that's auto-generated. Then, I'd like to call `.grantPullPush(imageRole)` on the other ECR repo.
Other Information
I can work around this by creating a role that allows access to the cache repo:
Then referencing it in the defaultStackSynthesizer:
However, I will eventually run into a quota issue because each app staging synthesizer attaches a managed policy that grants access to work with its specific ECR repos.
I also tried to dig into the staging stack to find the role resource and append another PolicyStatement. However, I think the role is lazily created, so I'm not sure how to grab it through L1 constructs (e.g., `this.synthesizer.stagingStack`). I also considered saving the cache in the same ECR repo; however, it pushes a lot of extra layers (with mode `max` for caching), so the "expire any 10 images" lifecycle rule will cause problems.
Acknowledgements
CDK version used
2.135.0 (build d46c474)
Environment details (OS name and version, etc.)
MacOS Sonoma