Prevent the controller from calling GetFunctionCodeSigningConfig when a functions packageType is Image

Functions code signing config should only be called when a function is
created using an s3bucket and a key. Functions created using a container
image cannot get a code signing configuration.

Author: a-hilaly

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2022-04-27T16:40:07Z"
+  build_date: "2022-05-06T16:31:27Z"
   build_hash: 141cb9db73f881228ea20e572de3ba9df19d5b6f
   go_version: go1.18.1
   version: v0.18.4-4-g141cb9d-dirty
-api_directory_checksum: 7c4e0f8971a8ab06389e98b21c00eddad87366f3
+api_directory_checksum: a704674d4df0400198d5a11035a2099240bccf80
 api_version: v1alpha1
 aws_sdk_go_version: v1.42.0
 generator_config_info:
-  file_checksum: c48a2acfc8da0b28ee9b81745b9af773d10c7f71
+  file_checksum: 64116ddc3a8abec393a5e08aaff75b6a7d848ad0
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/generator.yaml

@@ -6,6 +6,9 @@ ignore:
     # EventSourceMapping
 resources:
   Function:
+    exceptions:
+      terminal_codes:
+        - InvalidParameterValueException
     fields:
       Name:
         is_primary_key: true

generator.yaml

@@ -6,6 +6,9 @@ ignore:
     # EventSourceMapping
 resources:
   Function:
+    exceptions:
+      terminal_codes:
+        - InvalidParameterValueException
     fields:
       Name:
         is_primary_key: true

go.mod

@@ -13,6 +13,8 @@ require (
 	sigs.k8s.io/controller-runtime v0.11.0
 )
 
+replace github.com/aws-controllers-k8s/runtime => ../runtime
+
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.2 // indirect

pkg/resource/function/hooks.go

@@ -18,12 +18,15 @@ import (
 	"errors"
 	"time"
 
-	svcapitypes "github.com/aws-controllers-k8s/lambda-controller/apis/v1alpha1"
 	ackcompare "github.com/aws-controllers-k8s/runtime/pkg/compare"
+	ackrtcondition "github.com/aws-controllers-k8s/runtime/pkg/condition"
 	ackrequeue "github.com/aws-controllers-k8s/runtime/pkg/requeue"
 	ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log"
 	"github.com/aws/aws-sdk-go/aws"
 	svcsdk "github.com/aws/aws-sdk-go/service/lambda"
+	corev1 "k8s.io/api/core/v1"
+
+	svcapitypes "github.com/aws-controllers-k8s/lambda-controller/apis/v1alpha1"
 )
 
 var (
@@ -500,17 +503,27 @@ func (rm *resourceManager) setResourceAdditionalFields(
 	}
 	ko.Spec.ReservedConcurrentExecutions = getFunctionConcurrencyOutput.ReservedConcurrentExecutions
 
-	var getFunctionCodeSigningConfigOutput *svcsdk.GetFunctionCodeSigningConfigOutput
-	getFunctionCodeSigningConfigOutput, err = rm.sdkapi.GetFunctionCodeSigningConfigWithContext(
-		ctx,
-		&svcsdk.GetFunctionCodeSigningConfigInput{
-			FunctionName: ko.Spec.Name,
-		},
-	)
-	rm.metrics.RecordAPICall("GET", "GetFunctionCodeSigningConfig", err)
-	if err != nil {
-		return err
+	if ko.Spec.PackageType != nil && *ko.Spec.PackageType == "Zip" {
+		var getFunctionCodeSigningConfigOutput *svcsdk.GetFunctionCodeSigningConfigOutput
+		getFunctionCodeSigningConfigOutput, err = rm.sdkapi.GetFunctionCodeSigningConfigWithContext(
+			ctx,
+			&svcsdk.GetFunctionCodeSigningConfigInput{
+				FunctionName: ko.Spec.Name,
+			},
+		)
+		rm.metrics.RecordAPICall("GET", "GetFunctionCodeSigningConfig", err)
+		if err != nil {
+			return err
+		}
+		ko.Spec.CodeSigningConfigARN = getFunctionCodeSigningConfigOutput.CodeSigningConfigArn
+	}
+	if ko.Spec.PackageType != nil && *ko.Spec.PackageType == "Image" && ko.Spec.CodeSigningConfigARN != nil {
+		ackrtcondition.SetTerminal(
+			&resource{ko},
+			corev1.ConditionTrue,
+			aws.String("Cannot set function code signing config when package type is Image"),
+			nil,
+		)
 	}
-	ko.Spec.CodeSigningConfigARN = getFunctionCodeSigningConfigOutput.CodeSigningConfigArn
 	return nil
 }

pkg/resource/function/sdk.go

@@ -0,0 +1,13 @@
+apiVersion: lambda.services.k8s.aws/v1alpha1
+kind: Function
+metadata:
+  name: $FUNCTION_NAME
+  annotations:
+    services.k8s.aws/region: $AWS_REGION
+spec:
+  name: $FUNCTION_NAME
+  code:
+    imageURI: $IMAGE_URL
+  role: $LAMBDA_ROLE
+  description: function created by ACK lambda-controller e2e tests
+  packageType: Image

test/e2e/resources/function_package_type_image.yaml

@@ -0,0 +1,5 @@
+FROM public.ecr.aws/lambda/python:3.8
+
+COPY main.py main.py
+
+CMD [ "main.handler" ]

test/e2e/resources/lambda_function/Dockerfile

@@ -0,0 +1,17 @@
+AWS_REGION ?= "us-west-2"
+ECR_REPOSITORY ?= ack-e2e-testing-lambda-controller
+IMAGE_TAG ?= v1
+
+AWS_ACCOUNT_ID ?= $(shell aws sts get-caller-identity --query "Account" --output text)
+IMAGE_URL ?= $(AWS_ACCOUNT_ID).dkr.ecr.us-west-2.amazonaws.com/$(ECR_REPOSITORY):$(IMAGE_TAG)
+
+build-image:
+	docker build -t $(IMAGE_URL) .
+
+publish-image:
+	docker push $(IMAGE_URL)
+
+create-ecr-repository:
+	aws ecr create-repository --region $(AWS_REGION) --repository-name $(ECR_REPOSITORY) >/dev/null
+
+all: build-image publish-image

test/e2e/resources/lambda_function/Makefile

@@ -21,7 +21,7 @@
 from typing import Dict, Tuple
 
 from acktest.resources import random_suffix_name
-from acktest.aws.identity import get_region
+from acktest.aws.identity import get_region, get_account_id
 from acktest.k8s import resource as k8s
 from e2e import service_marker, CRD_GROUP, CRD_VERSION, load_lambda_resource
 from e2e.replacement_values import REPLACEMENT_VALUES
@@ -33,6 +33,12 @@
 UPDATE_WAIT_AFTER_SECONDS = 25
 DELETE_WAIT_AFTER_SECONDS = 25
 
+
+def get_testing_image_url():
+    aws_region = get_region()
+    account_id = get_account_id()
+    return f"{account_id}.dkr.ecr.{aws_region}.amazonaws.com/ack-e2e-testing-lambda-controller:v1"
+
 @pytest.fixture(scope="module")
 def lambda_client():
     return boto3.client("lambda")
@@ -313,3 +319,112 @@ def test_function_code_signing_config(self, lambda_client, code_signing_config):
         # Check Lambda function doesn't exist
         exists = self.function_exists(lambda_client, resource_name)
         assert not exists
+
+    def test_function_package_type_image(self, lambda_client, code_signing_config):
+        resource_name = random_suffix_name("lambda-function", 24)
+
+        resources = get_bootstrap_resources()
+
+        replacements = REPLACEMENT_VALUES.copy()
+        replacements["FUNCTION_NAME"] = resource_name
+        replacements["LAMBDA_ROLE"] = resources.LambdaBasicRoleARN
+        replacements["AWS_REGION"] = get_region()
+        replacements["IMAGE_URL"] = get_testing_image_url()
+
+        # Load Lambda CR
+        resource_data = load_lambda_resource(
+            "function_package_type_image",
+            additional_replacements=replacements,
+        )
+        logging.debug(resource_data)
+
+        # Create k8s resource
+        ref = k8s.CustomResourceReference(
+            CRD_GROUP, CRD_VERSION, RESOURCE_PLURAL,
+            resource_name, namespace="default",
+        )
+        k8s.create_custom_resource(ref, resource_data)
+        cr = k8s.wait_resource_consumed_by_controller(ref)
+
+        assert cr is not None
+        assert k8s.get_resource_exists(ref)
+
+        time.sleep(CREATE_WAIT_AFTER_SECONDS)
+
+        cr = k8s.wait_resource_consumed_by_controller(ref)
+
+        # Check Lambda function exists
+        exists = self.function_exists(lambda_client, resource_name)
+        assert exists
+
+        # Delete k8s resource
+        _, deleted = k8s.delete_custom_resource(ref)
+        assert deleted is True
+
+        time.sleep(DELETE_WAIT_AFTER_SECONDS)
+
+        # Check Lambda function doesn't exist
+        exists = self.function_exists(lambda_client, resource_name)
+        assert not exists
+
+    def test_function_package_type_image_with_signing_config(self, lambda_client, code_signing_config):
+        resource_name = random_suffix_name("lambda-function", 24)
+
+        resources = get_bootstrap_resources()
+
+        replacements = REPLACEMENT_VALUES.copy()
+        replacements["FUNCTION_NAME"] = resource_name
+        replacements["LAMBDA_ROLE"] = resources.LambdaBasicRoleARN
+        replacements["AWS_REGION"] = get_region()
+        replacements["IMAGE_URL"] = get_testing_image_url()
+
+        # Load Lambda CR
+        resource_data = load_lambda_resource(
+            "function_package_type_image",
+            additional_replacements=replacements,
+        )
+        logging.debug(resource_data)
+
+        # Create k8s resource
+        ref = k8s.CustomResourceReference(
+            CRD_GROUP, CRD_VERSION, RESOURCE_PLURAL,
+            resource_name, namespace="default",
+        )
+        k8s.create_custom_resource(ref, resource_data)
+        cr = k8s.wait_resource_consumed_by_controller(ref)
+
+        assert cr is not None
+        assert k8s.get_resource_exists(ref)
+
+        time.sleep(CREATE_WAIT_AFTER_SECONDS)
+
+        cr = k8s.wait_resource_consumed_by_controller(ref)
+
+        # Check Lambda function exists
+        exists = self.function_exists(lambda_client, resource_name)
+        assert exists
+
+        # Add signing configuration
+        cr["spec"]["codeSigningConfigARN"] = "random-csc"
+        k8s.patch_custom_resource(ref, cr)
+
+        time.sleep(UPDATE_WAIT_AFTER_SECONDS)
+
+        cr = k8s.wait_resource_consumed_by_controller(ref)
+        # assert condition
+        assert k8s.assert_condition_state_message(
+            ref,
+            "ACK.Terminal",
+            "True",
+            "Cannot set function code signing config when package type is Image",
+        )
+
+        # Delete k8s resource
+        _, deleted = k8s.delete_custom_resource(ref)
+        assert deleted is True
+
+        time.sleep(DELETE_WAIT_AFTER_SECONDS)
+
+        # Check Lambda function doesn't exist
+        exists = self.function_exists(lambda_client, resource_name)
+        assert not exists