[aws-codepipeline-actions] EcrSourceAction with ECR as a source does not trigger pipeline change when the source is updated #10901
Comments
jpSimkins
added
bug
|
Hey @jpSimkins , thanks for reporting the issue. Can you tell me whether you see a Thanks, |
skinny85
added
the
response-requested
|
Hello @skinny85, This is the resource with CDKTestBaseRepositoryPipelineTestCDKTestProjectPipeline3CAA437FSourceEventRuleC4D400A3:
Type: AWS::Events::Rule
Properties:
EventPattern:
source:
- aws.ecr
detail-type:
- AWS API Call via CloudTrail
detail:
requestParameters:
repositoryName:
- Ref: CDKTestBaseRepository90CAC7C5
imageTag:
- latest
eventName:
- PutImage
State: ENABLED
Targets:
- Arn:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":codepipeline:us-east-1:31120948XXXX:"
- Ref: CDKTestProjectPipeline664B0BF2
Id: Target0
RoleArn:
Fn::GetAtt:
- CDKTestProjectPipelineEventsRoleEBA1D6BA
- Arn
Metadata:
aws:cdk:path: PipelineTest/CDKTestBase/Repository/PipelineTestCDKTestProjectPipeline3CAA437FSourceEventRule/ResourceI notice that eventName has |
Sorry, can you clarify this part? What do you mean exactly by "updates the |
github-actions
bot
removed
the
response-requested
|
Once the testing is done, given this is a base image it needs to be vetted first, I have a manual approval action that will trigger the Basically, I pull the image, add the The Code may help: const codebuildProjectUpdateLatestImage = new PipelineProject(this, 'UpdateLatestTag', {
buildSpec: BuildSpec.fromObject({
version: '0.2',
phases: {
install: {
'runtime-versions': {
python: '3.8',
},
},
pre_build: {
commands: [
'echo Defining variables...',
"BUILD_IMAGE=$(cat imageDetail.json | jq '.ImageURI')",
'echo Removing quotes from string... ',
"BUILD_IMAGE=$(sed -e 's/^\"//' -e 's/\"$//' <<< $BUILD_IMAGE)",
'echo $BUILD_IMAGE',
"REPOSITORY_URL=$(cut -d':' -f1 <<< $BUILD_IMAGE)",
'echo $REPOSITORY_URL',
'echo Logging in to Amazon ECR...',
"aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $(cut -d'/' -f1 <<< $REPOSITORY_URL)",
],
},
build: {
commands: [
'echo Build started on `date`',
'echo Pulling the Docker base image...',
'docker pull $BUILD_IMAGE',
'echo Tagging the Docker image...',
'docker tag $BUILD_IMAGE $REPOSITORY_URL:latest',
],
},
post_build: {
commands: [
'echo Pushing the Docker image...',
'docker push $REPOSITORY_URL:latest',
'echo Build completed on `date`',
],
},
},
}),
description: 'Updates the latest tag for the ECR Repo',
environment: {
buildImage: LinuxBuildImage.AMAZON_LINUX_2_3,
computeType: ComputeType.SMALL,
privileged: true, // Needed to run docker build commands
},
projectName: this._id + '-UpdateLatestTag',
role: this._role,
});
// Stage - Build Update Latest Tag
this._codepipelinePipeline.addStage({
stageName: 'UpdateLatestTag',
actions: [
new CodeBuildAction({
actionName: 'UpdateLatestTag',
project: codebuildProjectUpdateLatestImage,
input: this._artifactBaseBuild,
}),
],
}); |
|
Seems I am also experiencing the same issue, EcrSourceAction is not triggering the build action when the Image is updated. |
MrArnoldPalmer
added
@aws-cdk/aws-codepipeline-actions
and removed
@aws-cdk/aws-ecs
MrArnoldPalmer
changed the title
|
I have the same issue, checked CloudWatch events, and found different events. CDK creates an event that doesn't work CDK created event (it doesn't work): Web console created such event (it works well): My fix for this issue (python): |
|
Did that make the CodePipeline trigger @solovievv ? |
|
@skinny85 Yes, It works well after the fix |
|
I was able to get the base image to trigger the pipeline with Typescript using: const eventRule = new Rule(this, 'base-ecr-rule', {
eventPattern: {
source: ['aws.ecr'],
detail: {
'action-type': ['PUSH'],
'image-tag': ['latest'],
'repository-name': [this._props.projectSourceEcrRepo.repositoryName],
result: ['SUCCESS'],
},
},
});
eventRule.addTarget(new CodePipelineTarget(this._codepipelinePipeline));So far, this seems to work as expected. |
|
same issue here! However, @solovievv workaround fix it. |
skinny85
added
effort/medium
|
Good news: the @solovievv's workaround is not anymore needed. Did AWS fix something in Cloudwatch? |
|
Interesting @luca-ferreri... it definitely seemed like this problem was happening only for some customers (I was never able to reproduce myself, for example). |
|
I am experiencing exactly the same issue in typescript. I'm using cdk 107.0. EventRule generated by the EventRule Created by the workaround of @jpSimkins that does trigger the pipeline |
|
We have exactly the same problem however the workaround suggested @jpSimkins is no working for us. It does create the rule as indicated however the pipeline is not triggered. We have a cross account configuration where We have even tried to create a Rule that includes the |
|
@fasatrix make sure you have CloudTrail configured to deliver these events. |
@skinny85 thanks for the prompt answer.. Do you mean configure CloudTrail to send events from Account A to CloudWatch Logs still in Account A or would I have to send those events from Account A to B like this doc So basically what I am asking here is, will a rule created using |
|
The It should be a stack with a single resource, |
ok that explains. I cannot find this |
|
Can you show me how do you set up your |
It is part of the following function.. const createImageAction = (
imageRepoName: string,
imageTag?: string,
): CreatePipelineActionResponse<Artifact, EcrSourceAction> => {
const imageArtifact = new Artifact(`ImageArtifact-${id}`);
const imageRepository = Repository.fromRepositoryArn(
this,
'ImageRepository',
`arn:aws:ecr:ap-southeast-2:<MyAWSAccount>:repository/${imageRepoName}`,
);
//latest will be taken as the default image tag
const imageSourceAction = new EcrSourceAction({
actionName: `ImageSource-${id}`,
repository: imageRepository,
imageTag: imageTag ?? 'latest',
output: imageArtifact,
role: Role.fromRoleArn(this, 'CentralEcrAccessRole', props.crossAccountEcrRole),
});
return { artifact: imageArtifact, action: imageSourceAction };
}; |
|
Does the Role you use here, with the ARN from |
correct, they are from the same account (which is the account that host ECR) |
@skinny85 it is consistent on our side! Our yaml does not include new CfnEventBusPolicy(this, `EventBusPolicy-${id}`, {
statementId: `EventBusPolicy-${id}`,
statement: {
Effect: 'Allow',
Action: 'events:PutEvents',
Resource: "arn:aws:events:ap-southeast-2:<AccounB>:event-bus/default"
Principal: {
AWS: `arn:aws:iam::<AccountA>:root`,
},
},
});Does it look like it could be a bug to you? |
|
Yes, it's possible it is. Let me try and reproduce to confirm. |
|
I think I understand the problem now. It's actually a different thing than this issue talks about. Let's move the conversation to a dedicated issue I've created: #16245. |
|
Thanks for you support @skinny85. With your guidance I was able to understand how this lib works.. |
…line (#21580) When the ECR source action was initially released, ECR did not yet integrate with EventBridge so it was necessary to use CloudTrail. Since then ECR was updated to integrate with EventBridge so relying on CloudTrail is no longer necessary. This PR changes the event rule that triggers the pipeline to use the `ECR Image Action` instead of the CloudTrail event. This change does lead to the `AWS::Events::Rule` resource being deleted and recreated, but that should not cause any issues since there is no state involved. I tested this by using the integ test and manually validated that pushing an image to the ecr repo triggers the pipeline. The steps are outlined in the `integ.pipeline-ecr-source.ts` file. fix #10901 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
…line (aws#21580) When the ECR source action was initially released, ECR did not yet integrate with EventBridge so it was necessary to use CloudTrail. Since then ECR was updated to integrate with EventBridge so relying on CloudTrail is no longer necessary. This PR changes the event rule that triggers the pipeline to use the `ECR Image Action` instead of the CloudTrail event. This change does lead to the `AWS::Events::Rule` resource being deleted and recreated, but that should not cause any issues since there is no state involved. I tested this by using the integ test and manually validated that pushing an image to the ecr repo triggers the pipeline. The steps are outlined in the `integ.pipeline-ecr-source.ts` file. fix aws#10901 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When creating a code pipeline and using
EcrSourceAction, I would expect when thelatesttag is updated, for this to update the pipeline that is using this as a source. This is how it works when I create this manually but I cannot get the CDK to do this.I am thinking this is a bug because this is not what happens when I build the pipeline manually.
Reproduction Steps
I have a pretty large construct to build our pipeline so I will only post the part I think is relevant to the issue.
This is how I define the source action for the pipeline to use the Repository as a source:
Whenever I update the ECR repo, this does not trigger the pipeline to update at all. Basically, adding this as a source is pointless as the entire purpose is to allow this to update the pipeline when this is changed. Otherwise, I can simply pull the image when the project code is update.
To give a better idea of what I am doing:
latestand the code from the BitBucket branchThe only part of the pipeline not working is the ECR source does not trigger the pipeline to build when it is updated.
What did you expect to happen?
I expected that when I update the ECR source, for it to trigger the pipeline to build as this is what it does when I build this manually.
What actually happened?
When the ECR source is updated, nothing happens. No errors that I could find, simply nothing. Like it is not aware of the connection to the repo. For me to trigger a change, I need to update the code to force the pipeline to trigger
Environment
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: