Add ecr.RegistryImage resource for pushing existing images to ECR

awsx/ecr/auth.test.ts

@@ -0,0 +1,88 @@
+// Copyright 2016-2025, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as pulumi from "@pulumi/pulumi";
+
+pulumi.runtime.setMocks(
+  {
+    newResource: function (args: pulumi.runtime.MockResourceArgs): { id: string; state: any } {
+      return {
+        id: args.inputs.name + "_id",
+        state: args.inputs,
+      };
+    },
+    call: function (
+      args: pulumi.runtime.MockCallArgs,
+    ): pulumi.runtime.MockCallResult | Promise<pulumi.runtime.MockCallResult> {
+      return {
+        authorizationToken: Buffer.from("AWS:password").toString("base64"),
+        proxyEndpoint: `https://${args.inputs.registryId}.dkr.ecr.us-west-2.amazonaws.com`,
+      };
+    },
+  },
+  "project",
+  "stack",
+  false, // Sets the flag `dryRun`, which indicates if pulumi is running in preview mode.
+);
+
+describe("getDockerCredentials", () => {
+  let auth: typeof import("./auth");
+
+  beforeAll(async function () {
+    auth = await import("./auth");
+  });
+
+  it("should return Docker credentials when valid repositoryUrl is provided", async () => {
+    const args = { repositoryUrl: "https://123456789012.dkr.ecr.us-west-2.amazonaws.com" };
+    const opts = {};
+
+    const result = await promisify(auth.getDockerCredentials(args, opts));
+
+    expect(result).toEqual({
+      address: "https://123456789012.dkr.ecr.us-west-2.amazonaws.com",
+      username: "AWS",
+      password: "password",
+    });
+  });
+
+  it("should use registryId if provided", async () => {
+    const args = {
+      repositoryUrl: "123456789012.dkr.ecr.us-west-2.amazonaws.com",
+      registryId: "987654321098",
+    };
+    const opts = {};
+
+    const result = await promisify(auth.getDockerCredentials(args, opts));
+
+    expect(result).toEqual({
+      address: `https://${args.registryId}.dkr.ecr.us-west-2.amazonaws.com`,
+      username: "AWS",
+      password: "password",
+    });
+  });
+
+  it("should throw an error if the repositoryUrl is not a valid URL", async () => {
+    const args = { repositoryUrl: "foo:bar" };
+    const opts = {};
+
+    expect(() => {
+      auth.getDockerCredentials(args, opts);
+    }).toThrow("Repository URL is not a valid URL.");
+  });
+});
+
+function promisify<T>(output: pulumi.Output<T> | undefined): Promise<T> {
+  expect(output).toBeDefined();
+  return new Promise((resolve) => output!.apply(resolve));
+}

awsx/ecr/auth.ts

@@ -0,0 +1,111 @@
+// Copyright 2016-2025, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as aws from "@pulumi/aws";
+import * as pulumi from "@pulumi/pulumi";
+
+/**
+ * Arguments for fetching ECR registry credentials.
+ */
+export interface CredentialArgs {
+  /**
+   * The URL of the ECR registry to get credentials for.
+   * Can be provided with or without the https:// protocol prefix.
+   */
+  repositoryUrl: string;
+
+  /**
+   * Optional registry ID (AWS account ID) to get credentials for.
+   * If not provided, will be parsed from the registry URL.
+   */
+  registryId?: string;
+}
+
+/**
+ * Docker registry credentials for authenticating with an ECR registry.
+ */
+export interface DockerCredentials {
+  /**
+   * The address of the ECR registry.
+   */
+  address: string;
+
+  /**
+   * The username to authenticate with. For ECR this is typically "AWS".
+   */
+  username: string;
+
+  /**
+   * The password to authenticate with. For ECR this is a temporary token.
+   */
+  password: string;
+}
+
+/**
+ * Fetches Docker registry credentials for authenticating with an ECR registry.
+ *
+ * @param args Arguments for fetching ECR registry credentials
+ * @param opts InvokeOutputOptions to use for the credential lookup
+ * @returns Docker registry credentials including address, username and password
+ */
+export function getDockerCredentials(
+  args: CredentialArgs,
+  opts: pulumi.InvokeOutputOptions,
+): pulumi.Output<DockerCredentials> {
+  let registryId: string;
+  if (args.registryId) {
+    registryId = args.registryId;
+  } else {
+    // add protocol to help parse the url
+    const repositoryUrl = args.repositoryUrl?.startsWith("https://")
+      ? args.repositoryUrl
+      : "https://" + args.repositoryUrl;
+
+    let parsedUrl: URL;
+    try {
+      parsedUrl = new URL(repositoryUrl);
+    } catch (e) {
+      throw new pulumi.InputPropertyError({
+        reason: `Repository URL is not a valid URL.`,
+        propertyPath: "repositoryUrl",
+      });
+    }
+
+    const hostnameParts = parsedUrl.hostname.split(".");
+    if (hostnameParts.length < 1) {
+      throw new pulumi.InputPropertyError({
+        reason: `Could not parse registry ID from Repository URL. It should be in the format of <account-id>.dkr.ecr.<region>.amazonaws.com`,
+        propertyPath: "repositoryUrl",
+      });
+    }
+
+    // the registry id is the AWS account id. It's the first part of the hostname
+    registryId = hostnameParts[0];
+  }
+
+  const ecrCredentials = aws.ecr.getCredentialsOutput({ registryId: registryId }, opts);
+
+  return ecrCredentials.apply((creds) => {
+    const decodedCredentials = Buffer.from(creds.authorizationToken, "base64").toString();
+    const [username, password] = decodedCredentials.split(":");
+    if (!password || !username) {
+      throw new Error("Invalid credentials");
+    }
+    return {
+      address: creds.proxyEndpoint,
+      username: username,
+      password: password,
+    };
+  });
+}

awsx/ecr/image.ts

@@ -17,6 +17,7 @@ import * as docker from "@pulumi/docker-build";
 import * as pulumi from "@pulumi/pulumi";
 import * as schema from "../schema-types";
 import * as utils from "../utils";
+import { getDockerCredentials } from "./auth";
 
 export class Image extends schema.Image {
   constructor(name: string, args: schema.ImageArgs, opts: pulumi.ComponentResourceOptions = {}) {
@@ -32,9 +33,6 @@ export function computeImageFromAsset(
 ) {
   const { repositoryUrl, registryId: inputRegistryId, imageTag, ...dockerInputs } = args ?? {};
 
-  const url = new URL("https://" + repositoryUrl); // Add protocol to help it parse
-  const registryId = inputRegistryId ?? url.hostname.split(".")[0];
-
   pulumi.log.debug(`Building container image at '${JSON.stringify(dockerInputs)}'`, parent);
 
   const imageName = args.imageName
@@ -50,24 +48,11 @@ export function computeImageFromAsset(
   // the unique image name we pushed to.  The name will change if the image changes ensuring
   // the TaskDefinition get's replaced IFF the built image changes.
 
-  const ecrCredentials = aws.ecr.getCredentialsOutput(
-    { registryId: registryId },
-    { parent, async: true },
+  const registryCredentials = getDockerCredentials(
+    { repositoryUrl: repositoryUrl, registryId: inputRegistryId },
+    { parent },
   );
 
-  const registryCredentials = ecrCredentials.authorizationToken.apply((authorizationToken) => {
-    const decodedCredentials = Buffer.from(authorizationToken, "base64").toString();
-    const [username, password] = decodedCredentials.split(":");
-    if (!password || !username) {
-      throw new Error("Invalid credentials");
-    }
-    return {
-      address: ecrCredentials.proxyEndpoint,
-      username: username,
-      password: password,
-    };
-  });
-
   let cacheFrom: docker.types.input.CacheFromArgs[] = [];
   if (dockerInputs.cacheFrom !== undefined) {
     cacheFrom = dockerInputs.cacheFrom.map((c) => {

awsx/ecr/index.ts

@@ -14,3 +14,4 @@
 
 export * from "./repository";
 export * from "./image";
+export * from "./registryImage";

awsx/ecr/registryImage.ts

@@ -0,0 +1,65 @@
+// Copyright 2016-2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as docker from "@pulumi/docker";
+import * as pulumi from "@pulumi/pulumi";
+import * as schema from "../schema-types";
+import { getDockerCredentials } from "./auth";
+
+export class RegistryImage extends schema.RegistryImage {
+  constructor(
+    name: string,
+    args: schema.RegistryImageArgs,
+    opts?: pulumi.ComponentResourceOptions,
+  ) {
+    super(name, args, opts);
+
+    const creds = pulumi
+      .output(args.repositoryUrl)
+      .apply((url) => getDockerCredentials({ repositoryUrl: url }, { parent: this }));
+    const provider = new docker.Provider(name, {
+      registryAuth: [creds],
+    });
+
+    // tag the source image in the form of <repositoryUrl>:<tag>
+    // we explicitly look up the source image in order to trigger a push whenever the source image changes
+    const sourceImage = docker.getRemoteImageOutput(
+      { name: args.sourceImage },
+      { parent: this, provider },
+    );
+    const tagName = args.tag ? args.tag : "latest";
+    const tag = new docker.Tag(
+      name,
+      {
+        sourceImage: sourceImage.id,
+        targetImage: pulumi.interpolate`${args.repositoryUrl}:${tagName}`,
+      },
+      { parent: this, provider },
+    );
+
+    this.image = new docker.RegistryImage(
+      name,
+      {
+        ...args,
+        name: tag.targetImage,
+        triggers: {
+          ...args.triggers,
+          // trigger a push whenever the source image changes
+          "@pulumi/awsx/internal/sourceImage": sourceImage.id,
+        },
+      },
+      { parent: this, provider },
+    );
+  }
+}

awsx/package.json

@@ -25,10 +25,11 @@
   "//": "Pulumi sub-provider dependencies must be pinned at an exact version because we extract this value to generate the correct dependency in the schema",
   "dependencies": {
     "@pulumi/aws": "6.66.2",
+    "@pulumi/docker": "4.6.0",
     "@pulumi/docker-build": "0.0.8",
     "@pulumi/pulumi": "3.144.1",
     "@types/aws-lambda": "^8.10.23",
-    "docker-classic": "npm:@pulumi/docker@4.5.8",
+    "docker-classic": "npm:@pulumi/docker@4.6.0",
     "ip-address": "^8.1.0",
     "mime": "^3.0.0",
     "netmask": "^2.0.2"

awsx/resources.ts

@@ -15,8 +15,7 @@
 import * as pulumi from "@pulumi/pulumi";
 import { Trail } from "./cloudtrail";
 import * as ec2 from "./ec2";
-import { Repository } from "./ecr";
-import { Image } from "./ecr/image";
+import { Image, RegistryImage, Repository } from "./ecr";
 import * as ecs from "./ecs";
 import * as lb from "./lb";
 import * as schemaTypes from "./schema-types";
@@ -34,6 +33,7 @@ const resources: schemaTypes.ResourceConstructor = {
   "awsx:ec2:DefaultVpc": (...args) => new ec2.DefaultVpc(...args),
   "awsx:ecr:Repository": (...args) => new Repository(...args),
   "awsx:ecr:Image": (...args) => new Image(...args),
+  "awsx:ecr:RegistryImage": (...args) => new RegistryImage(...args),
 };
 
 export function construct(

awsx/schema-types.ts

@@ -10,6 +10,7 @@ export type ResourceConstructor = {
     readonly "awsx:ec2:DefaultVpc": ConstructComponent<DefaultVpc>;
     readonly "awsx:ec2:Vpc": ConstructComponent<Vpc>;
     readonly "awsx:ecr:Image": ConstructComponent<Image>;
+    readonly "awsx:ecr:RegistryImage": ConstructComponent<RegistryImage>;
     readonly "awsx:ecr:Repository": ConstructComponent<Repository>;
     readonly "awsx:ecs:EC2Service": ConstructComponent<EC2Service>;
     readonly "awsx:ecs:EC2TaskDefinition": ConstructComponent<EC2TaskDefinition>;
@@ -23,6 +24,7 @@ export type Functions = {
     "awsx:ec2:getDefaultVpc": (inputs: getDefaultVpcInputs) => Promise<getDefaultVpcOutputs>;
 };
 import * as aws from "@pulumi/aws";
+import * as docker from "@pulumi/docker";
 export abstract class Trail<TData = any> extends (pulumi.ComponentResource)<TData> {
     public bucket?: aws.s3.Bucket | pulumi.Output<aws.s3.Bucket>;
     public logGroup?: aws.cloudwatch.LogGroup | pulumi.Output<aws.cloudwatch.LogGroup>;
@@ -118,6 +120,20 @@ export interface ImageArgs {
     readonly repositoryUrl: pulumi.Input<string>;
     readonly target?: pulumi.Input<string>;
 }
+export abstract class RegistryImage<TData = any> extends (pulumi.ComponentResource)<TData> {
+    public image!: docker.RegistryImage | pulumi.Output<docker.RegistryImage>;
+    constructor(name: string, args: pulumi.Inputs, opts: pulumi.ComponentResourceOptions = {}) {
+        super("awsx:ecr:RegistryImage", name, opts.urn ? { image: undefined } : { name, args, opts }, opts);
+    }
+}
+export interface RegistryImageArgs {
+    readonly insecureSkipVerify?: pulumi.Input<boolean>;
+    readonly keepRemotely?: pulumi.Input<boolean>;
+    readonly repositoryUrl: pulumi.Input<string>;
+    readonly sourceImage: pulumi.Input<string>;
+    readonly tag?: pulumi.Input<string>;
+    readonly triggers?: pulumi.Input<Record<string, pulumi.Input<string>>>;
+}
 export abstract class Repository<TData = any> extends (pulumi.ComponentResource)<TData> {
     public lifecyclePolicy?: aws.ecr.LifecyclePolicy | pulumi.Output<aws.ecr.LifecyclePolicy>;
     public repository!: aws.ecr.Repository | pulumi.Output<aws.ecr.Repository>;