
I have a requirement for ECR Cross Account Replication. I have 2 AWS Accounts, Account-A (Source) and Account-B (Destination). I am able to replicate the image successfully from Source to Destination, and I use CodePipeline to create the image. When a new image is replicated to the ECR repo in the Destination Account, the pipeline should trigger automatically in the Destination Account via CloudWatch EventBridge, but the pipeline is not triggering. I have created the Event Rule below to trigger the pipeline in Destination.

{
  "source": ["aws.ecr"],
  "detail-type": ["ECR Image Action"],
  "detail": {
    "action-type": ["PUSH"],
    "result": ["SUCCESS"],
    "repository-name": ["repo_name"]
  }
}

When I used the same Event rule in Source, it was able to trigger the pipeline automatically. But after setting up cross account replication, the pipeline is not triggering in Destination with the same event rule.

Is there a different approach for Cross Account replication to trigger the pipeline in the Destination account?

Bhargav

I would check CloudTrail for any events related to the target repository. Perhaps there is a different `action-type` for replicated images than "PUSH". Unfortunately the AWS docs appear to be lacking details related to this. You could also try removing `action-type` and `result` from the EventBridge filter for a bit, to see all the events that get logged. – Mark B Oct 14 '22 at 14:21

1 Answer


ECR Image Actions are not triggered on replication as described in this GitHub issue.

There is a way around it by subscribing to the "ECR Image Scan" event, which is triggered on replication as suggested in the issue above.

Example pattern:

{
  "source": ["aws.ecr"],
  "detail-type": ["ECR Image Scan"],
  "detail": {
    "image-tags": ["latest"],
    "repository-name": ["image_prefix/image_name"],
    "scan-status": ["COMPLETE"]
  }
}
lxngxr
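To see why the question's rule stays silent on a replicated image while the answer's rule fires, it helps to run both patterns against sample events offline. The following is an added example, not code from the question, the answer or AWS: a small matcher implementing only the exact-match subset of EventBridge pattern semantics (literal value lists, nested objects; no `prefix`, `anything-but` or other content filters), fed two constructed events whose shape follows the `ECR Image Action` and `ECR Image Scan` event types. Repository names are the ones from the page; the digests, the extra image tag and the severity counts are placeholders, not captured output.

```python
"""Check EventBridge-style patterns against constructed ECR events.

Added example; it is not the question's, the answer's or AWS's code.
Only the exact-match subset of EventBridge pattern semantics is implemented.
"""


def _value_matches(pattern_values, event_value):
    """A pattern list matches when any listed literal equals the event value,
    or, if the event value is itself a list, any element of that list."""
    candidates = event_value if isinstance(event_value, list) else [event_value]
    return any(candidate in pattern_values for candidate in candidates)


def pattern_matches(pattern, event):
    """Return True when every key of `pattern` is present in `event` and matches.
    Nested objects are compared recursively; keys absent from the event never match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if not _value_matches(expected, actual):
                return False
        else:
            raise ValueError(f"pattern values must be lists or objects, got {expected!r} for {key!r}")
    return True


# Rule from the question: fires on a direct push to the repository.
PUSH_RULE = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Action"],
    "detail": {"action-type": ["PUSH"], "result": ["SUCCESS"], "repository-name": ["repo_name"]},
}

# Rule from the answer: fires when a scan of the image completes.
SCAN_RULE = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {
        "image-tags": ["latest"],
        "repository-name": ["image_prefix/image_name"],
        "scan-status": ["COMPLETE"],
    },
}

# Constructed sample events (digests and extra values are placeholders).
DIRECT_PUSH_EVENT = {
    "source": "aws.ecr",
    "detail-type": "ECR Image Action",
    "detail": {
        "action-type": "PUSH",
        "result": "SUCCESS",
        "repository-name": "repo_name",
        "image-digest": "sha256:PLACEHOLDER",
        "image-tag": "latest",
    },
}

REPLICATED_SCAN_EVENT = {
    "source": "aws.ecr",
    "detail-type": "ECR Image Scan",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "image_prefix/image_name",
        "image-digest": "sha256:PLACEHOLDER",
        "image-tags": ["latest", "build-42"],  # pattern matches if any tag is listed
        "finding-severity-counts": {"HIGH": 0, "MEDIUM": 1},
    },
}


def which_rules_fire(event, rules):
    """Names of the rules (in insertion order) whose pattern matches `event`."""
    return [name for name, rule in rules.items() if pattern_matches(rule, event)]


if __name__ == "__main__":
    rules = {"image-push-rule": PUSH_RULE, "image-scan-rule": SCAN_RULE}
    for label, event in (("direct push", DIRECT_PUSH_EVENT), ("replicated image scan", REPLICATED_SCAN_EVENT)):
        print(f"{label}: {which_rules_fire(event, rules) or ['(no rule fires)']}")
```

Running it shows the push rule firing only for the direct push and the scan rule only for the scan event, which is the behaviour the answer relies on. Two practical points follow from the matcher: a key that the event does not carry at all (`action-type` is absent from a scan event) can never match, so the suggestion in the comments to drop `action-type` and `result` while inspecting events is sound; and the scan-based workaround only fires if a scan actually runs in the destination, so verify the destination repository's scanning configuration before relying on it.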