AVB/bedrock-access-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
bedrock-access-gateway/scripts/push-to-ecr.sh
Kane Zhu 2c518bbd70 fix(docker): add --provenance=false --sbom=false for Lambda compatibility 
Docker BuildKit (especially with docker-container driver) may create
OCI image manifests with attestations that AWS Lambda does not support.
Lambda requires Docker V2 Schema 2 format without multi-manifest index.

This fix ensures the build script generates Lambda-compatible images
regardless of the user's Docker/BuildKit configuration.

Fixes #206
2025-11-27 18:54:58 +08:00

140 lines
4.9 KiB
Bash
Executable File
Raw Permalink Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# NOTE: The script will try to create the ECR repository if it doesn't exist. Please grant the necessary permissions to the IAM user or role.
# Usage:
# cd scripts
# bash ./push-to-ecr.sh
set -o errexit # exit on first error
set -o nounset # exit on using unset variables
set -o pipefail # exit on any error in a pipeline
# Change to the directory where the script is located
cd "$(dirname "$0")"
# Prompt user for inputs
echo "================================================"
echo "Bedrock Access Gateway - Build and Push to ECR"
echo "================================================"
echo ""
# Get repository name for Lambda version
read -p "Enter ECR repository name for Lambda (default: bedrock-proxy-api): " LAMBDA_REPO
LAMBDA_REPO=${LAMBDA_REPO:-bedrock-proxy-api}
# Get repository name for ECS/Fargate version
read -p "Enter ECR repository name for ECS/Fargate (default: bedrock-proxy-api-ecs): " ECS_REPO
ECS_REPO=${ECS_REPO:-bedrock-proxy-api-ecs}
# Get image tag
read -p "Enter image tag (default: latest): " TAG
TAG=${TAG:-latest}
# Get AWS region
read -p "Enter AWS region (default: us-east-1): " AWS_REGION
AWS_REGION=${AWS_REGION:-us-east-1}
echo ""
echo "Configuration:"
echo " Lambda Repository: $LAMBDA_REPO"
echo " ECS/Fargate Repository: $ECS_REPO"
echo " Image Tag: $TAG"
echo " AWS Region: $AWS_REGION"
echo ""
read -p "Continue with these settings? (y/n): " CONFIRM
if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then
echo "Aborted."
exit 1
fi
echo ""
# Acknowledgment about ECR repository creation
echo " NOTICE: This script will automatically create ECR repositories if they don't exist."
echo " The repositories will be created with the following default settings:"
echo " - Image tag mutability: MUTABLE (allows overwriting tags)"
echo " - Image scanning: Disabled"
echo " - Encryption: AES256 (AWS managed encryption)"
echo ""
echo " You can modify these settings later in the AWS ECR Console if needed."
echo " Required IAM permissions: ecr:CreateRepository, ecr:GetAuthorizationToken,"
echo " ecr:BatchCheckLayerAvailability, ecr:InitiateLayerUpload, ecr:UploadLayerPart,"
echo " ecr:CompleteLayerUpload, ecr:PutImage"
echo ""
read -p "Do you acknowledge and want to proceed? (y/n): " ACK_CONFIRM
if [[ ! "$ACK_CONFIRM" =~ ^[Yy]$ ]]; then
echo "Aborted."
exit 1
fi
echo ""
# Define variables
ARCHS=("arm64") # Single architecture for simplicity
build_and_push_image() {
local IMAGE_NAME=$1
local TAG=$2
local DOCKERFILE_PATH=$3
local REGION=$AWS_REGION
local ARCH=${ARCHS[0]}
echo "Building $IMAGE_NAME:$TAG..."
# Build Docker image
# Note: --provenance=false and --sbom=false are required for Lambda compatibility
# Without these flags, Docker BuildKit (especially with docker-container driver) may create
# OCI image manifests with attestations that AWS Lambda does not support.
# Lambda requires Docker V2 Schema 2 format without multi-manifest index.
# See: https://github.com/aws-samples/bedrock-access-gateway/issues/206
docker buildx build \
--platform linux/$ARCH \
--provenance=false \
--sbom=false \
-t $IMAGE_NAME:$TAG \
-f $DOCKERFILE_PATH \
--load \
../src/
# Get the account ID
ACCOUNT_ID=$(aws sts get-caller-identity --region $REGION --query Account --output text)
# Create repository URI
REPOSITORY_URI="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${IMAGE_NAME}"
echo "Creating ECR repository if it doesn't exist..."
# Create ECR repository if it doesn't exist
aws ecr create-repository --repository-name "${IMAGE_NAME}" --region $REGION || true
echo "Logging in to ECR..."
# Log in to ECR
aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin $REPOSITORY_URI
echo "Pushing image to ECR..."
# Tag the image for ECR
docker tag $IMAGE_NAME:$TAG $REPOSITORY_URI:$TAG
# Push the image to ECR
docker push $REPOSITORY_URI:$TAG
echo "✅ Successfully pushed $IMAGE_NAME:$TAG to $REPOSITORY_URI"
echo ""
}
echo "Building and pushing Lambda image..."
build_and_push_image "$LAMBDA_REPO" "$TAG" "../src/Dockerfile"
echo "Building and pushing ECS/Fargate image..."
build_and_push_image "$ECS_REPO" "$TAG" "../src/Dockerfile_ecs"
echo "================================================"
echo "✅ All images successfully pushed!"
echo "================================================"
echo ""
echo "Your container image URIs:"
ACCOUNT_ID=$(aws sts get-caller-identity --region $AWS_REGION --query Account --output text)
echo " Lambda: ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${LAMBDA_REPO}:${TAG}"
echo " ECS/Fargate: ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECS_REPO}:${TAG}"
echo ""
echo "Next steps:"
echo " 1. Download the CloudFormation templates from deployment/ folder"
echo " 2. Update the ContainerImageUri parameter with your image URI above"
echo " 3. Deploy the stack via AWS CloudFormation Console"
echo ""
Reference in New Issue View Git Blame Copy Permalink