feat(lambda-go): allow configuration of GOPROXY (#23257)

> This is a back port of #23171 to AWS CDK v1.x, motivated by impact of the same issue on v1.

We used to require direct Go package access, because Go proxies may be blocked by corporate network policies (and wouldn't you know it, it actually is at our particular workplace 🙃).

This produces a good bit of instability in our CI builds though, as `gopkg.in` website which is used to reference some of our transitive dependencies is regularly experiencing downtime.

Make Go proxies configurable and switch them back on in CI builds.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-lambda-go/README.md

@@ -170,6 +170,19 @@ new lambda.GoFunction(this, 'handler', {
 });
 ```
 
+By default this construct doesn't use any Go module proxies. This is contrary to
+a standard Go installation, which would use the Google proxy by default. To
+recreate that behavior, do the following:
+
+```ts
+new lambda.GoFunction(this, 'GoFunction', {
+  entry: 'app/cmd/api',
+  bundling: {
+    goProxies: [lambda.GoFunction.GOOGLE_GOPROXY, 'direct'],
+  },
+});
+```
+
 ## Command hooks
 
 It is  possible to run additional commands by specifying the `commandHooks` prop:

packages/@aws-cdk/aws-lambda-go/lib/bundling.ts

@@ -106,14 +106,18 @@ export class Bundling implements cdk.BundlingOptions {
 
     const cgoEnabled = props.cgoEnabled ? '1' : '0';
 
-    const environment = {
+    const environment: Record<string, string> = {
       CGO_ENABLED: cgoEnabled,
       GO111MODULE: 'on',
       GOARCH: props.architecture.dockerPlatform.split('/')[1],
       GOOS: 'linux',
       ...props.environment,
     };
 
+    if (props.goProxies) {
+      environment.GOPROXY = props.goProxies.join(',');
+    }
+
     // Docker bundling
     const shouldBuildImage = props.forcedDockerBundling || !Bundling.runsLocally;
     this.image = shouldBuildImage

packages/@aws-cdk/aws-lambda-go/lib/function.ts

@@ -74,6 +74,11 @@ export interface GoFunctionProps extends lambda.FunctionOptions {
  * A Golang Lambda function
  */
 export class GoFunction extends lambda.Function {
+  /**
+   * The address of the Google Go proxy
+   */
+  public static readonly GOOGLE_GOPROXY = 'https://proxy.golang.org';
+
   constructor(scope: Construct, id: string, props: GoFunctionProps) {
     if (props.runtime && (props.runtime.family !== lambda.RuntimeFamily.GO && props.runtime.family != lambda.RuntimeFamily.OTHER)) {
       throw new Error('Only `go` and `provided` runtimes are supported.');

packages/@aws-cdk/aws-lambda-go/lib/types.ts

@@ -96,6 +96,28 @@ export interface BundlingOptions {
    * @default - false
    */
   readonly cgoEnabled?: boolean;
+
+  /**
+   * What Go proxies to use to fetch the packages involved in the build
+   *
+   * Pass a list of proxy addresses in order, and/or the string `'direct'` to
+   * attempt direct access.
+   *
+   * By default this construct uses no proxies, but a standard Go install would
+   * use the Google proxy by default. To recreate that behavior, do the following:
+   *
+   * ```ts
+   * new lambda.GoFunction(this, 'GoFunction', {
+   *   entry: 'app/cmd/api',
+   *   bundling: {
+   *     goProxies: [lambda.GoFunction.GOOGLE_GOPROXY, 'direct'],
+   *   },
+   * });
+   * ```
+   *
+   * @default - Direct access
+   */
+  readonly goProxies?: string[];
 }
 
 /**

packages/@aws-cdk/integ-runner/lib/runner/snapshot-test-runner.ts

@@ -165,9 +165,11 @@ export class IntegSnapshotRunner extends IntegRunner {
         // if we are not verifying asset hashes then remove the specific
         // asset hashes from the templates so they are not part of the diff
         // comparison
+        let verifiedAssetHashes = true;
         if (!this.actualTestSuite.getOptionsForStack(templateId)?.diffAssets) {
           actualTemplate = canonicalizeTemplate(actualTemplate);
           expectedTemplate = canonicalizeTemplate(expectedTemplate);
+          verifiedAssetHashes = false;
         }
         const templateDiff = diffTemplate(expectedTemplate, actualTemplate);
         if (!templateDiff.isEmpty) {
@@ -206,7 +208,10 @@ export class IntegSnapshotRunner extends IntegRunner {
           formatDifferences(writable, templateDiff);
           failures.push({
             reason: DiagnosticReason.SNAPSHOT_FAILED,
-            message: writable.data,
+            message: [
+              verifiedAssetHashes ? '(asset hashes were verified)' : '(asset hashes were ignored)',
+              writable.data,
+            ].join('\n'),
             testName: this.testName,
           });
         }

packages/@aws-cdk/integ-runner/lib/workers/common.ts

@@ -300,4 +300,4 @@ export function printLaggards(testNames: Set<string>) {
   ];
 
   logger.print(chalk.grey(parts.filter(x => x).join(' ')));
-}
+}

packages/aws-cdk/test/integ/cli/sam_cdk_integ_app/lib/test-stack.js

@@ -20,6 +20,8 @@ if (process.env.PACKAGE_LAYOUT_VERSION === '1') {
   var { RetentionDays } = require('aws-cdk-lib/aws-logs');
 }
 
+const isRunningOnCodeBuild = !!process.env.CODEBUILD_BUILD_ID;
+
 class CDKSupportDemoRootStack extends Stack{
   constructor(scope, id, props) {
     super(scope, id, props);
@@ -99,6 +101,8 @@ class CDKSupportDemoRootStack extends Stack{
       entry: './src/go/GoFunctionConstruct',
       bundling: {
         forcedDockerBundling: true,
+        // Only use Google proxy in the CI tests, as it is blocked on workstations
+        goProxies: isRunningOnCodeBuild ? [GoFunction.GOOGLE_GOPROXY, 'direct'] : undefined,
       },
     });