fix(cdk-assets): re-tag docker image for multi-destination publishes #1591

Draft
calabrla wants to merge 3 commits into aws:main from calabrla:fix/multi-region-docker-asset-tagging

@calabrla calabrla commented Jun 3, 2026

Summary

  • Fixes multi-region container image deployments failing with "An image does not exist locally with the tag" for the second+ destination
  • When WorkGraphBuilder deduplicates the asset-build node for same-source assets, only one destination gets docker tag'd during build() — subsequent publish() calls for other destinations fail because the local tag doesn't exist
  • Adds a lightweight docker inspect + docker images --filter + docker tag fallback in publish() to ensure the image is tagged locally before pushing

Root Cause

WorkGraphBuilder.addAsset() creates one asset-build node per unique source (assetId + genericSource hash). When the same image is deployed to multiple regions, only the first destination's handler gets build() called by the graph executor. The other destinations only receive publishEntry(), which calls docker push on a URI that was never tagged locally.

Test plan

  • New test: publish re-tags image when local tag is missing for a destination — verifies full build+publish flow with multi-dest manifest
  • New test: publish re-tags from existing image when build was not called for destination — simulates the graph executor scenario (buildAssets: false)
  • Manual verification: deployed same container image to ca-central-1 and eu-west-2 simultaneously — both regions succeeded

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
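
The fallback described in the Summary above, sketched as an added example that is not code from this pull request or from cdk-assets: `DockerRun`, `ensureLocalTag` and `fakeDocker` are hypothetical names, the image names and IDs are constructed, and candidates are filtered in code rather than with `docker images --filter`. It goes one step past the description by refusing to re-tag when the same tag maps to more than one local image ID.

```typescript
// Added illustration, not cdk-assets source. DockerRun, ensureLocalTag and
// fakeDocker are hypothetical names; image names and IDs are constructed.
type DockerRun = (args: string[]) => { code: number; stdout: string };

// Make sure `imageUri` (repo:tag) exists locally before `docker push`.
function ensureLocalTag(docker: DockerRun, imageUri: string): 'present' | 'retagged' {
  if (docker(['inspect', '--type', 'image', imageUri]).code === 0) return 'present';
  const tag = imageUri.slice(imageUri.lastIndexOf(':') + 1);
  // One "repo:tag id" pair per line; keep only entries carrying the asset's tag.
  const rows = docker(['images', '--no-trunc', '--format', '{{.Repository}}:{{.Tag}} {{.ID}}'])
    .stdout.split('\n').map((l) => l.trim().split(' '))
    .filter(([ref, id]) => Boolean(id) && ref.endsWith(`:${tag}`));
  const ids = new Set(rows.map(([, id]) => id));
  if (ids.size === 0) throw new Error(`no local image tagged ${tag}; a build is required`);
  // Same tag on different image IDs means the tag is not a unique content
  // hash locally; refuse rather than push an image chosen by guesswork.
  if (ids.size > 1) throw new Error(`tag ${tag} is ambiguous locally`);
  if (docker(['tag', rows[0][0], imageUri]).code !== 0) throw new Error(`docker tag failed for ${imageUri}`);
  return 'retagged';
}

// In-memory stand-in for the docker CLI so the example runs offline.
function fakeDocker(images: Map<string, string>): DockerRun {
  return (args) => {
    const [cmd, ...rest] = args;
    const last = rest[rest.length - 1];
    if (cmd === 'inspect') return { code: images.has(last) ? 0 : 1, stdout: '' };
    if (cmd === 'images') {
      const lines = Array.from(images.entries()).map(([ref, id]) => `${ref} ${id}`);
      return { code: 0, stdout: lines.join('\n') };
    }
    if (cmd === 'tag') {
      const id = images.get(rest[0]);
      if (id === undefined) return { code: 1, stdout: '' };
      images.set(rest[1], id);
      return { code: 0, stdout: '' };
    }
    return { code: 1, stdout: '' };
  };
}
```

Passing a runner that shells out to the real `docker` binary in place of `fakeDocker` applies the same checks to the local image store.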

@github-actions github-actions Bot added the p2 label Jun 3, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team June 3, 2026 19:13
auto-merge was automatically disabled June 3, 2026 19:24

Head branch was pushed to by a user without write access

@calabrla calabrla force-pushed the fix/multi-region-docker-asset-tagging branch from 5a68328 to e25181f Compare June 3, 2026 19:24
Contributor

@mrgrain mrgrain left a comment

Looks good, but we will need an integration test for this

When the same container image asset is published to multiple destinations
(e.g. multi-region deployments), the WorkGraphBuilder deduplicates the
asset-build node so that build() only runs for one destination. This
means docker.tag() is only called for the first destination's ECR URI.

When publish() subsequently runs for other destinations, docker push
fails with "An image does not exist locally with the tag" because the
local tag was never created for those repositories.

This fix adds a check in publish() that verifies the destination imageUri
exists locally before pushing. If it doesn't, it finds an existing local
image with the same imageTag (content hash) and re-tags it for the
current destination. This is a lightweight docker tag operation that
avoids any rebuild.

Fixes multi-region container image deployments failing on second+ region.
@calabrla calabrla force-pushed the fix/multi-region-docker-asset-tagging branch from e25181f to a9ff382 Compare June 4, 2026 17:15
@calabrla calabrla force-pushed the fix/multi-region-docker-asset-tagging branch from e3a681b to a9ff382 Compare June 4, 2026 17:39
…publishing

Add two integration tests that validate the fix for publishing the same
docker image asset to multiple destinations:

1. Same-region multi-dest: Deploys two stacks with the same docker image
   source to the same region. The work graph deduplicates the build node,
   exercising the re-tag path in publish().

2. Cross-region: Deploys the same docker image to two different regions,
   requiring bootstrap of a secondary region. The secondary region is
   derived from the AWS_REGIONS pool to guarantee it differs from the
   primary. Gated by CDK_SECONDARY_REGION env var to avoid affecting
   other tests.
@calabrla calabrla force-pushed the fix/multi-region-docker-asset-tagging branch from 3ae1af2 to 7c9c43a Compare June 5, 2026 11:17
@calabrla calabrla marked this pull request as draft June 5, 2026 11:31