AWS CodePipeline for Building and Deploying Docker Image with AWS ECS

AWS CodePipeline for Docker Image Building and Deployment

Question

As a DevOps engineer, you create an AWS CodePipeline to build a Docker image and deploy the application to AWS ECS.

The build stage is implemented using AWS CodeBuild where the Docker image is built and tagged.

In the CodeBuild post_build phase, the Docker image is pushed to the ECR repository.

You create the buildspec.yml file as follows:

Answers

Explanations


Correct Answer - A, D.

Refer to https://aws.amazon.com/blogs/devops/build-a-continuous-delivery-pipeline-for-your-container-images-with-amazon-ecr-as-source/ for how to use Amazon ECR as a source for a continuous delivery pipeline.

Option A is CORRECT because, in the build stage, the image is tagged with $REPOSITORY_URI:$IMAGE_TAG. It should be pushed to ECR in the post_build stage.

Option B is incorrect because CodeBuild needs to log in to ECR with aws ecr get-login-password.

Option C is incorrect because the post_build stage is suitable for pushing Docker images to ECR.

Option D is CORRECT because aws ecr get-login-password prints a docker login command with the authorization token. You still need to execute the printed command. The easiest way is to use “$(aws ecr get-login-password --region $AWS_DEFAULT_REGION --no-include-email)”.

Option E is incorrect because, after logging in to ECR, the session is valid for 12 hours. You do not need to log in again.

A. The docker image with $IMAGE_TAG should be pushed in the post_build phase. This option is correct. In the CodeBuild post_build phase, the Docker image is pushed to the ECR repository. The $IMAGE_TAG variable is used to tag the Docker image, which is built in the build phase. So, this option is valid.

B. CodeBuild can automatically log in to ECR if the IAM role has the ECR read access. There is no need to execute “aws ecr get-login-password”. This option is partially correct. CodeBuild can automatically log in to ECR if the IAM role has the ECR read access. However, you still need to execute the "aws ecr get-login-password" command to get the authorization token required for Docker to push the image to ECR.

C. The docker push command should be put in the build stage as the post_build stage is only used for resource cleanup. This option is incorrect. The post_build phase is used to execute additional commands after the build stage is completed. In this case, the Docker image should be pushed to the ECR repository in the post_build phase.

D. “aws ecr get-login-password” only retrieves a token to log in to ECR. You need to execute the printed command to log in to the registry with Docker. This option is partially correct. The "aws ecr get-login-password" command retrieves an authorization token to authenticate Docker to the ECR registry. However, the output of the command is a Docker login command that you need to execute to log in to the registry.

E. Before docker push, you also need to do “aws ecr get-login-password” in the post_build stage. This option is correct. The "aws ecr get-login-password" command needs to be executed to retrieve the authorization token required for Docker to push the image to ECR. The command should be executed in the post_build phase before executing the Docker push command.

So, the correct answers are A and E.