Linking AWS App Runner to private resources in Amazon ECR
To link AWS App Runner to private resources in Amazon Elastic Container Registry (Amazon ECR), you will create an App Runner service that pulls a container image from a private ECR repository. AWS App Runner is a service that provides a fast, simple, and secure way to deploy applications, while Amazon ECR is a Docker container registry that allows you to store, manage, and deploy container images.
Here's how to accomplish this with Pulumi using TypeScript:
- Create an Amazon ECR Repository: This is where your container images will be stored.
- Push your container image to the Amazon ECR Repository: Before creating an App Runner service, you need to have your container image in ECR.
- Set up an IAM Role and Policies: App Runner needs permissions to access ECR to pull the image.
- Create an App Runner Service: This will define the service that runs your container.
Below is the Pulumi program written in TypeScript that demonstrates these steps:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an Amazon ECR Repository where your container images will be stored.
const ecrRepo = new aws.ecr.Repository("myapp-ecr-repo", {
    imageScanningConfiguration: {
        scanOnPush: true,
    },
    imageTagMutability: "MUTABLE",
});

// The output that provides the repository URL to be used in your workflow
// to push images to your repository.
export const repositoryUrl = ecrRepo.repositoryUrl;

// Create an IAM role for AWS App Runner to assume.
// The trust policy only lets the App Runner build service assume it.
const appRunnerRole = new aws.iam.Role("apprunner-role", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
        Service: "build.apprunner.amazonaws.com",
    }),
});

// Attach a policy to the role created above that enables read access to ECR.
const accessPolicy = new aws.iam.RolePolicyAttachment("apprunner-access-policy", {
    role: appRunnerRole,
    policyArn: aws.iam.ManagedPolicies.AmazonEC2ContainerRegistryReadOnly,
});

// Create the AWS App Runner Service. This requires configuring a source
// for the service to identify the ECR repository and the image to use.
const appRunnerService = new aws.apprunner.Service("myapp-apprunner-service", {
    sourceConfiguration: {
        imageRepository: {
            // Provide the address of the previously created ECR repository.
            imageIdentifier: ecrRepo.repositoryUrl.apply(url => `${url}:latest`),
            imageRepositoryType: "ECR",
            imageConfiguration: { port: "80" },
        },
        authenticationConfiguration: {
            accessRoleArn: appRunnerRole.arn,
        },
    },
}, {
    // Wait for the policy attachment: App Runner validates that the access role
    // can pull the image at creation time, and the role's ARN alone is not
    // enough to express that ordering to Pulumi.
    dependsOn: [accessPolicy],
});

// The App Runner service URL where the application will be accessed.
export const serviceUrl = appRunnerService.serviceUrl;
```
How Does This Program Work?
- ECR Repository (`aws.ecr.Repository`): This resource is where Docker images are stored. We've also enabled image scanning on push, which allows for the automated scanning of images for vulnerabilities when they are pushed to the repository (see `imageScanningConfiguration`).
- IAM Role (`aws.iam.Role`): This role is assumed by AWS App Runner, allowing the service to interact with other AWS services on your behalf. The trust policy allows the `build.apprunner.amazonaws.com` service to assume this role.
- IAM Policy Attachment (`aws.iam.RolePolicyAttachment`): By attaching the `AmazonEC2ContainerRegistryReadOnly` managed policy, we grant our role read-only access to ECR repositories, which is necessary for pulling images.
- App Runner Service (`aws.apprunner.Service`): This resource is used to create and manage an AWS App Runner service. In the `sourceConfiguration` field, we specify the `imageRepository` configuration, providing the ECR image URL (`imageIdentifier`) and specifying the repository type as ECR.
What Next?
Before running this Pulumi program, you'll need to:
- Ensure you have Pulumi installed and AWS configured with the necessary credentials.
- Build and push your Docker image to the ECR repository. You will use the `repositoryUrl` output for this process.
- Once you've pushed your image, you can run this Pulumi program to create the App Runner service.
- Access your application using the `serviceUrl`, which is exported at the end of the program.
When you execute this Pulumi program, it will provision the required resources in AWS for your application to run. You can then visit the `serviceUrl` provided in the output to access your application.