As a DevOps engineer, you create an AWS CodePipeline to build a Docker image and deploy the application to AWS ECS. The build stage is implemented using AWS CodeBuild where the Docker image is built and tagged. In the CodeBuild post_build phase, the Docker image is pushed to the ECR repository. You create the buildspec.yml file as follows:

Answer options:

A.The docker image with $IMAGE_TAG should be pushed in the post_build phase.
B.CodeBuild can automatically log in to ECR if the IAM role has the ECR read access. There is no need to execute “aws ecr get-login-password”.
C.The docker push command should be put in the build stage as the post_build stage is only used for resource cleanup.
D.“aws ecr get-login-password” only retrieves a token to log in to ECR. You need to execute the printed command to log in to the registry with Docker.
E.Before docker push, you also need to do “aws ecr get-login-password” in the post_build stage.

Correct Answer – A, D
Refer to https://aws.amazon.com/blogs/devops/build-a-continuous-delivery-pipeline-for-your-container-images-with-amazon-ecr-as-source/ for how to use Amazon ECR as a source for a continuous delivery pipeline.
Option A is CORRECT: Because in the build stage, the image is tagged with $REPOSITORY_URI:$IMAGE_TAG. It should be pushed to ECR in the post_build stage.
Option B is incorrect: Because CodeBuild needs to log in to ECR with aws ecr get-login-password.
Option C is incorrect: Because the post_build stage is suitable for pushing docker images to ECR.
Option D is CORRECT: Because aws ecr get-login-password prints a docker login command with the authorization token. You still need to execute the printed command. The easiest way is using “$(aws ecr get-login-password --region $AWS_DEFAULT_REGION --no-include-email)”.
Option E is incorrect: After logging into ECR, the session is valid for 12 hours. You do not need to re-login.