Add ecr.RegistryImage resource for pushing existing images to ECR

awsx/ecr/auth.ts

@@ -0,0 +1,61 @@
+// Copyright 2016-2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as aws from "@pulumi/aws";
+import * as pulumi from "@pulumi/pulumi";
+
+export interface CredentialArgs {
+  registryUrl: string;
+  registryId?: string;
+}
+
+export interface DockerCredentials {
+  address: string;
+  username: string;
+  password: string;
+}
+
+export function getDockerCredentials(
+  args: CredentialArgs,
+  opts: pulumi.InvokeOutputOptions,
+): pulumi.Output<DockerCredentials> {
+  // add protocol to help parse the url
+
+  let registryId: string;
+  if (args.registryId) {
+    registryId = args.registryId;
+  } else {
+    const registryUrl = args.registryUrl?.startsWith("https://")
+      ? args.registryUrl
+      : "https://" + args.registryUrl;
+    const parsedUrl = new URL(registryUrl);
+    // the registry id is the AWS account id. It's the first part of the hostname
+    registryId = parsedUrl.hostname.split(".")[0];
+  }
+
+  const ecrCredentials = aws.ecr.getCredentialsOutput({ registryId: registryId }, opts);
+
+  return ecrCredentials.apply((creds) => {
+    const decodedCredentials = Buffer.from(creds.authorizationToken, "base64").toString();
+    const [username, password] = decodedCredentials.split(":");
+    if (!password || !username) {
+      throw new Error("Invalid credentials");
+    }
+    return {
+      address: creds.proxyEndpoint,
+      username: username,
+      password: password,
+    };
+  });
+}

awsx/ecr/image.ts

@@ -17,6 +17,7 @@ import * as docker from "@pulumi/docker-build";
 import * as pulumi from "@pulumi/pulumi";
 import * as schema from "../schema-types";
 import * as utils from "../utils";
+import { getDockerCredentials } from "./auth";
 
 export class Image extends schema.Image {
   constructor(name: string, args: schema.ImageArgs, opts: pulumi.ComponentResourceOptions = {}) {
@@ -32,9 +33,6 @@ export function computeImageFromAsset(
 ) {
   const { repositoryUrl, registryId: inputRegistryId, imageTag, ...dockerInputs } = args ?? {};
 
-  const url = new URL("https://" + repositoryUrl); // Add protocol to help it parse
-  const registryId = inputRegistryId ?? url.hostname.split(".")[0];
-
   pulumi.log.debug(`Building container image at '${JSON.stringify(dockerInputs)}'`, parent);
 
   const imageName = args.imageName
@@ -50,24 +48,11 @@ export function computeImageFromAsset(
   // the unique image name we pushed to.  The name will change if the image changes ensuring
   // the TaskDefinition get's replaced IFF the built image changes.
 
-  const ecrCredentials = aws.ecr.getCredentialsOutput(
-    { registryId: registryId },
-    { parent, async: true },
+  const registryCredentials = getDockerCredentials(
+    { registryUrl: repositoryUrl, registryId: inputRegistryId },
+    { parent },
   );
 
-  const registryCredentials = ecrCredentials.authorizationToken.apply((authorizationToken) => {
-    const decodedCredentials = Buffer.from(authorizationToken, "base64").toString();
-    const [username, password] = decodedCredentials.split(":");
-    if (!password || !username) {
-      throw new Error("Invalid credentials");
-    }
-    return {
-      address: ecrCredentials.proxyEndpoint,
-      username: username,
-      password: password,
-    };
-  });
-
   let cacheFrom: docker.types.input.CacheFromArgs[] = [];
   if (dockerInputs.cacheFrom !== undefined) {
     cacheFrom = dockerInputs.cacheFrom.map((c) => {

awsx/ecr/index.ts

@@ -14,3 +14,4 @@
 
 export * from "./repository";
 export * from "./image";
+export * from "./registryImage";

awsx/ecr/registryImage.ts

@@ -0,0 +1,65 @@
+// Copyright 2016-2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as docker from "@pulumi/docker";
+import * as pulumi from "@pulumi/pulumi";
+import * as schema from "../schema-types";
+import { getDockerCredentials } from "./auth";
+
+export class RegistryImage extends schema.RegistryImage {
+  constructor(
+    name: string,
+    args: schema.RegistryImageArgs,
+    opts?: pulumi.ComponentResourceOptions,
+  ) {
+    super(name, args, opts);
+
+    const creds = pulumi
+      .output(args.repositoryUrl)
+      .apply((url) => getDockerCredentials({ registryUrl: url }, { parent: this }));
+    const provider = new docker.Provider(name, {
+      registryAuth: [creds],
+    });
+
+    // tag the source image in the form of <repositoryUrl>:<tag>
+    // we explicitly look up the source image in order to trigger a push whenever the source image changes
+    const sourceImage = docker.getRemoteImageOutput(
+      { name: args.sourceImage },
+      { parent: this, provider },
+    );
+    const tagName = args.tag ? args.tag : "latest";
+    const tag = new docker.Tag(
+      name,
+      {
+        sourceImage: sourceImage.id,
+        targetImage: pulumi.interpolate`${args.repositoryUrl}:${tagName}`,
+      },
+      { parent: this, provider },
+    );
+
+    this.image = new docker.RegistryImage(
+      name,
+      {
+        ...args,
+        name: tag.targetImage,
+        triggers: {
+          ...args.triggers,
+          // trigger a push whenever the source image changes
+          "@pulumi/awsx/internal/sourceImage": sourceImage.id,
+        },
+      },
+      { parent: this, provider },
+    );
+  }
+}

awsx/package.json

@@ -25,6 +25,7 @@
   "//": "Pulumi sub-provider dependencies must be pinned at an exact version because we extract this value to generate the correct dependency in the schema",
   "dependencies": {
     "@pulumi/aws": "6.65.0",
+    "@pulumi/docker": "4.5.8",
     "@pulumi/docker-build": "0.0.8",
     "@pulumi/pulumi": "3.144.1",
     "@types/aws-lambda": "^8.10.23",

awsx/resources.ts

@@ -15,8 +15,7 @@
 import * as pulumi from "@pulumi/pulumi";
 import { Trail } from "./cloudtrail";
 import * as ec2 from "./ec2";
-import { Repository } from "./ecr";
-import { Image } from "./ecr/image";
+import { Image, RegistryImage, Repository } from "./ecr";
 import * as ecs from "./ecs";
 import * as lb from "./lb";
 import * as schemaTypes from "./schema-types";
@@ -34,6 +33,7 @@ const resources: schemaTypes.ResourceConstructor = {
   "awsx:ec2:DefaultVpc": (...args) => new ec2.DefaultVpc(...args),
   "awsx:ecr:Repository": (...args) => new Repository(...args),
   "awsx:ecr:Image": (...args) => new Image(...args),
+  "awsx:ecr:RegistryImage": (...args) => new RegistryImage(...args),
 };
 
 export function construct(

awsx/schema-types.ts

@@ -10,6 +10,7 @@ export type ResourceConstructor = {
     readonly "awsx:ec2:DefaultVpc": ConstructComponent<DefaultVpc>;
     readonly "awsx:ec2:Vpc": ConstructComponent<Vpc>;
     readonly "awsx:ecr:Image": ConstructComponent<Image>;
+    readonly "awsx:ecr:RegistryImage": ConstructComponent<RegistryImage>;
     readonly "awsx:ecr:Repository": ConstructComponent<Repository>;
     readonly "awsx:ecs:EC2Service": ConstructComponent<EC2Service>;
     readonly "awsx:ecs:EC2TaskDefinition": ConstructComponent<EC2TaskDefinition>;
@@ -118,6 +119,20 @@ export interface ImageArgs {
     readonly repositoryUrl: pulumi.Input<string>;
     readonly target?: pulumi.Input<string>;
 }
+export abstract class RegistryImage<TData = any> extends (pulumi.ComponentResource)<TData> {
+    public image!: unknown | pulumi.Output<unknown>;
+    constructor(name: string, args: pulumi.Inputs, opts: pulumi.ComponentResourceOptions = {}) {
+        super("awsx:ecr:RegistryImage", name, opts.urn ? { image: undefined } : { name, args, opts }, opts);
+    }
+}
+export interface RegistryImageArgs {
+    readonly insecureSkipVerify?: pulumi.Input<boolean>;
+    readonly keepRemotely?: pulumi.Input<boolean>;
+    readonly repositoryUrl: pulumi.Input<string>;
+    readonly sourceImage: pulumi.Input<string>;
+    readonly tag?: pulumi.Input<string>;
+    readonly triggers?: pulumi.Input<Record<string, pulumi.Input<string>>>;
+}
 export abstract class Repository<TData = any> extends (pulumi.ComponentResource)<TData> {
     public lifecyclePolicy?: aws.ecr.LifecyclePolicy | pulumi.Output<aws.ecr.LifecyclePolicy>;
     public repository!: aws.ecr.Repository | pulumi.Output<aws.ecr.Repository>;

awsx/yarn.lock

@@ -1678,6 +1678,14 @@
   dependencies:
     "@pulumi/pulumi" "^3.136.0"
 
+"@pulumi/[email protected]":
+  version "4.5.8"
+  resolved "https://registry.yarnpkg.com/@pulumi/docker/-/docker-4.5.8.tgz#55cefdebcee55eedf0674352ab7f6b8101420c30"
+  integrity sha512-h5ZfsXTt5GaqenOmleNAJT/zXLErYXYMftgFNbTS4Z1n1gQXwBewxZ/p7nEqKZkh0JjZZuoDlRN1+lkosM5W6w==
+  dependencies:
+    "@pulumi/pulumi" "^3.142.0"
+    semver "^5.4.0"
+
 "@pulumi/[email protected]", "@pulumi/pulumi@^3.136.0", "@pulumi/pulumi@^3.142.0":
   version "3.144.1"
   resolved "https://registry.yarnpkg.com/@pulumi/pulumi/-/pulumi-3.144.1.tgz#96b3c54879f7bc5857ba38ac389e2b7262e44f9e"

examples/examples_nodejs_test.go

@@ -27,6 +27,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
+	ecrTypes "github.com/aws/aws-sdk-go-v2/service/ecr/types"
 	"github.com/pulumi/providertest/pulumitest"
 	"github.com/pulumi/providertest/pulumitest/optnewstack"
 	"github.com/pulumi/providertest/pulumitest/opttest"
@@ -406,20 +407,8 @@ func TestDockerUpgrade(t *testing.T) {
 
 	t.Logf("Verifying images in ECR repository %q", repoName)
 	client := createEcrClient(t)
-	describeImagesInput := &ecr.DescribeImagesInput{
-		RepositoryName: aws.String(repoName),
-	}
-
-	var describeImagesOutput *ecr.DescribeImagesOutput
-	var err error
-	for retries := 0; retries < 10; retries++ {
-		describeImagesOutput, err = client.DescribeImages(context.TODO(), describeImagesInput)
-		require.NoError(t, err, "failed to describe images")
-		if len(describeImagesOutput.ImageDetails) >= 2 {
-			break
-		}
-		time.Sleep(5 * time.Second)
-	}
+	describeImagesOutput, err := getEcrImageDetails(t, client, repoName, 2)
+	require.NoError(t, err, "failed to describe images")
 	require.NotEmpty(t, describeImagesOutput.ImageDetails, "image details should not be empty")
 	require.Len(t, describeImagesOutput.ImageDetails, 2, "should have 2 images")
 
@@ -449,6 +438,103 @@ func TestDockerUpgrade(t *testing.T) {
 	assert.Truef(t, foundUpdated, "updated image digest %q should exist in ECR", updatedDigest)
 }
 
+func TestEcrRegistryImage(t *testing.T) {
+	t.Parallel()
+	cwd := getCwd(t)
+	options := []opttest.Option{
+		opttest.LocalProviderPath("awsx", filepath.Join(cwd, "..", "bin")),
+		opttest.YarnLink("@pulumi/awsx"),
+	}
+	pt := pulumitest.NewPulumiTest(t, filepath.Join(cwd, "ts-ecr-registry-image"), options...)
+
+	pt.SetConfig(t, "message", "Hello Pulumi!")
+
+	t.Log("Running `pulumi preview` with message=Hello Pulumi!")
+	previewResult := pt.Preview(t)
+	t.Logf("Preview:\n%s", previewResult.StdOut)
+
+	t.Log("Running `pulumi up` with message=Hello Pulumi!")
+	upResult := pt.Up(t)
+	t.Logf("Up:\n%s", upResult.StdOut)
+
+	require.Contains(t, upResult.Outputs, "repositoryName", "repositoryName should be in the outputs")
+	repoName := upResult.Outputs["repositoryName"].Value.(string)
+	require.NotEmpty(t, repoName, "repositoryName should not be empty")
+
+	client := createEcrClient(t)
+	describeImagesOutput, err := getEcrImageDetails(t, client, repoName, 1)
+	require.NoError(t, err, "failed to describe images")
+	require.NotEmpty(t, describeImagesOutput.ImageDetails, "image details should not be empty")
+	require.Len(t, describeImagesOutput.ImageDetails, 1, "should have 1 image")
+
+	firstImage := describeImagesOutput.ImageDetails[0]
+	tags := firstImage.ImageTags
+	require.Len(t, tags, 3, "image should have 3 tags")
+	require.Contains(t, tags, "test", "test tag should be in the image tags")
+	require.Contains(t, tags, "v1.0.0", "v1.0.0 tag should be in the image tags")
+	require.Contains(t, tags, "latest", "latest tag should be in the image tags")
+
+	// This should produce a new image
+	pt.SetConfig(t, "message", "Hello Pulumi! (Again...)")
+
+	t.Log("Running `pulumi preview` with message=Hello Pulumi! (Again...)")
+	previewResult = pt.Preview(t)
+	t.Logf("Preview:\n%s", previewResult.StdOut)
+
+	t.Log("Running `pulumi up` with message=Hello Pulumi! (Again...)")
+	upResult = pt.Up(t)
+	t.Logf("Up:\n%s", upResult.StdOut)
+
+	describeImagesOutput, err = getEcrImageDetails(t, client, repoName, 2)
+	require.NoError(t, err, "failed to describe images")
+	require.NotEmpty(t, describeImagesOutput.ImageDetails, "image details should not be empty")
+	require.Len(t, describeImagesOutput.ImageDetails, 2, "should have 2 images")
+
+	var newImage *ecrTypes.ImageDetail
+	var oldImage *ecrTypes.ImageDetail
+	for _, img := range describeImagesOutput.ImageDetails {
+		if *img.ImageDigest != *firstImage.ImageDigest {
+			newImage = &img
+		} else {
+			oldImage = &img
+		}
+	}
+
+	require.NotNil(t, newImage, "new image should not be nil")
+	require.NotNil(t, oldImage, "old image should still exist after the new image was pushed")
+
+	// The tags should've been moved to the new image
+	require.Len(t, newImage.ImageTags, 3, "new image should have 3 tags")
+	require.Contains(t, newImage.ImageTags, "test", "the new image should have the test tag")
+	require.Contains(t, newImage.ImageTags, "v1.0.0", "the new image should have the v1.0.0 tag")
+	require.Contains(t, newImage.ImageTags, "latest", "the new image should have the latest tag")
+
+	require.Empty(t, oldImage.ImageTags, "old image should have no tags after the new image was pushed")
+}
+
+func getEcrImageDetails(t *testing.T, client *ecr.Client, repositoryName string, expectedImages int) (*ecr.DescribeImagesOutput, error) {
+	describeImagesInput := &ecr.DescribeImagesInput{
+		RepositoryName: aws.String(repositoryName),
+	}
+
+	var describeImagesOutput *ecr.DescribeImagesOutput
+	var err error
+	maxRetries := 4
+	for retries := 0; retries < maxRetries; retries++ {
+		err = nil
+		describeImagesOutput, err = client.DescribeImages(context.TODO(), describeImagesInput)
+		if err != nil {
+			t.Logf("failed to describe images: %v", err)
+			continue
+		}
+		if len(describeImagesOutput.ImageDetails) >= expectedImages {
+			break
+		}
+		time.Sleep(5 * time.Second)
+	}
+	return describeImagesOutput, err
+}
+
 func getNodeJSBaseOptions(t *testing.T) integration.ProgramTestOptions {
 	base := getBaseOptions(t)
 	nodeBase := base.With(integration.ProgramTestOptions{

examples/ts-ecr-registry-image/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: ecr-registry-image
+runtime: nodejs
+description: An example of pushing a local image to an ECR registry.

examples/ts-ecr-registry-image/README.md

@@ -0,0 +1,5 @@
+# Pushing a local image to an ECR registry
+
+This example demonstrates how to push a local image to an ECR registry using the `awsx.ecr.RegistryImage` component.
+The example builds a simple nginx image for demonstration purposes and pushes it to an ECR registry, demonstrating the
+use of the `sourceImage` and `tag` properties.

examples/ts-ecr-registry-image/app/Dockerfile

@@ -0,0 +1,4 @@
+FROM nginx
+ARG message
+RUN echo "<h1>${message}</h1>" > \
+    /usr/share/nginx/html/index.html