fix: Use Amazon Linux 2 provided runtime (#424)

* Use AL2023 Lambda runtime

As the Go runtime is deprecated.
As part of this change, the compiled Go binary main is renamed
to bootstrap, as that is the name that the AL2023 Lambda runtime
expects.
We now build using the standard Go Docker image, as the AWS Lambda
Go image is deprecated.
It's important to note that the Dockerfile in the lambda/ folder
is not used as part of the runtime at all. It's only function is
to produce the /asset/bootstrap binary that is then uploaded to
Lambda and used with the AL2023 runtime. This was the case before
this change, except it used to produce /asset/main to use with
the GO runtime.

* Rename _GOPROXY to GOPROXY

Now we're no longer building using the AWS build image, there's
no conflict with that image if we use GOPROXY.

* Fix Release lambda Github step

The rename from main to bootstrap was missed from this step.

* Use golang:1 as the build Go image

So we're tracking the latest 1.x Go version, like we were when
we were using public.ecr.aws/sam/build-go1.x:latest.

* Update major version

Update the major version to 3, as changing the base build image
is a breaking change. Run `npx projen`.

* Update readme

* update tasks.json

---------

Co-authored-by: Parker Scanlon <[email protected]>

.projenrc.ts

@@ -13,7 +13,7 @@ const project = new CdklabsConstructLibrary({
   cdkVersion: '2.0.0',
   cdkVersionPinning: false,
   defaultReleaseBranch: 'main',
-  majorVersion: 2,
+  majorVersion: 3,
   enablePRAutoMerge: true,
   name: 'cdk-ecr-deployment',
   projenrcTs: true,
@@ -75,16 +75,16 @@ project.release?.addJobs({
       {
         name: 'Build lambda',
         run: [
-          'docker build -t cdk-ecr-deployment-lambda --build-arg _GOPROXY="https://goproxy.io|https://goproxy.cn|direct" lambda',
-          'docker run -v $PWD/lambda:/out cdk-ecr-deployment-lambda cp /asset/main /out',
-          'echo $(sha256sum lambda/main | awk \'{ print $1 }\') > lambda/main.sha256',
+          'docker build -t cdk-ecr-deployment-lambda --build-arg GOPROXY="https://goproxy.io|https://goproxy.cn|direct" lambda',
+          'docker run -v $PWD/lambda:/out cdk-ecr-deployment-lambda cp /asset/bootstrap /out',
+          'echo $(sha256sum lambda/bootstrap | awk \'{ print $1 }\') > lambda/bootstrap.sha256',
         ].join(' && '),
       },
       {
         name: 'Release lambda',
         // For some reason, need '--clobber' otherwise we always get errors that these files already exist. They're probably
         // uploaded elsewhere but TBH I don't know where so just add this flag to make it not fail.
-        run: 'gh release upload --clobber -R $GITHUB_REPOSITORY v$(cat .repo/dist/version.txt) lambda/main lambda/main.sha256 ',
+        run: 'gh release upload --clobber -R $GITHUB_REPOSITORY v$(cat .repo/dist/version.txt) lambda/bootstrap lambda/bootstrap.sha256 ',
         env: {
           GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}',
           GITHUB_REPOSITORY: '${{ github.repository }}',

README.md

@@ -26,7 +26,7 @@ Enable flags: `true`, `1`. e.g. `export CI=1`
 
 ⚠️ If you want to force using prebuilt lambda in CI environment to reduce build time. Try `export FORCE_PREBUILT_LAMBDA=1`.
 
-⚠️ The above flags are only available in cdk-ecr-deployment 2.x.
+⚠️ The above flags are only available in cdk-ecr-deployment 2.x and 3.x.
 
 ## Examples
 

lambda/.dockerignore

@@ -4,6 +4,6 @@ node_modules
 coverage
 test-reports
 **/*.md
-main
-main.sha256
+bootstrap
+bootstrap.sha256
 cdk.out

lambda/Dockerfile

@@ -1,28 +1,16 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-ARG buildImage=public.ecr.aws/sam/build-go1.x:latest
-
-FROM ${buildImage}
+ARG buildImage=golang:1
+FROM ${buildImage} as build
 
 USER root
 
-RUN yum -y install \
-    gpgme-devel \
-    btrfs-progs-devel \
-    device-mapper-devel \
-    libassuan-devel \
-    libudev-devel
-
-# In https://github.com/aws/aws-sam-build-images/blob/0a39eebc0d1d462afbe155d4e6a4cbcb12888847/build-image-src/Dockerfile-go1x#L29
-# already defined GOPROXY env.
-# To avoid naming conflict which will lead to weird error like https://github.com/laradock/laradock/issues/2618
-# , use the following name instead
-ARG _GOPROXY
+ARG GOPROXY
 
 ENV GOOS=linux \
     GOARCH=amd64 \
     GO111MODULE=on \
-    GOPROXY="${_GOPROXY}"
+    GOPROXY="${GOPROXY}"
 
 WORKDIR /ws
 
@@ -35,6 +23,4 @@ RUN go env
 COPY . /ws
 
 RUN mkdir -p /asset/ && \
-    make OUTPUT=/asset/main && \
-    file /asset/main && \
-    ls -lh /asset/main
+    make OUTPUT=/asset/bootstrap

lambda/Makefile

@@ -18,7 +18,7 @@ ifeq ($(GOOS), linux)
   endif
 endif
 
-BUILDTAGS := exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp
+BUILDTAGS := exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp lambda.norpc
 OUTPUT ?= cdk-ecr-deployment-handler
 
 all: test lambda

lambda/install.js

@@ -52,8 +52,8 @@ async function download(url, dest, agent) {
     agent.https = process.env.HTTPS_PROXY ? new HttpsProxyAgent({proxy: process.env.HTTPS_PROXY}): undefined;
     agent.http = process.env.HTTP_PROXY ? new HttpProxyAgent({proxy: process.env.HTTP_PROXY}): undefined;
 
-    await download(`${rootUrl}/releases/download/v${version}/main`, bin, agent);
-    const expectedIntegrity = (await got(`${rootUrl}/releases/download/v${version}/main.sha256`, { agent })).body.trim();
+    await download(`${rootUrl}/releases/download/v${version}/bootstrap`, bin, agent);
+    const expectedIntegrity = (await got(`${rootUrl}/releases/download/v${version}/bootstrap.sha256`, { agent })).body.trim();
     const integrity = await sha256sum(bin);
 
     if (integrity !== expectedIntegrity) {

src/index.ts

@@ -139,9 +139,9 @@ export class ECRDeployment extends Construct {
     const memoryLimit = props.memoryLimit ?? 512;
     this.handler = new lambda.SingletonFunction(this, 'CustomResourceHandler', {
       uuid: this.renderSingletonUuid(memoryLimit),
-      code: getCode(props.buildImage ?? 'public.ecr.aws/sam/build-go1.x:latest'),
-      runtime: lambda.Runtime.GO_1_X,
-      handler: 'main',
+      code: getCode(props.buildImage ?? 'golang:1'),
+      runtime: lambda.Runtime.PROVIDED_AL2023,
+      handler: 'bootstrap',
       environment: props.environment,
       lambdaPurpose: 'Custom::CDKECRDeployment',
       timeout: Duration.minutes(15),

test/lambda/Dockerfile

@@ -1,27 +1,16 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-
-FROM public.ecr.aws/sam/build-go1.x:latest
+ARG buildImage=golang:1
+FROM ${buildImage} as build
 
 USER root
 
-RUN yum -y install \
-    gpgme-devel \
-    btrfs-progs-devel \
-    device-mapper-devel \
-    libassuan-devel \
-    libudev-devel
-
-# In https://github.com/aws/aws-sam-build-images/blob/0a39eebc0d1d462afbe155d4e6a4cbcb12888847/build-image-src/Dockerfile-go1x#L29
-# already defined GOPROXY env.
-# To avoid naming conflict which will lead to weird error like https://github.com/laradock/laradock/issues/2618
-# , use the following name instead
-ARG _GOPROXY
+ARG GOPROXY
 
 ENV GOOS=linux \
     GOARCH=amd64 \
     GO111MODULE=on \
-    GOPROXY="${_GOPROXY}"
+    GOPROXY="${GOPROXY}"
 
 ADD . /opt/awscli
 

test/lambda/test.sh

@@ -21,4 +21,4 @@ cp -vf ${scriptdir}/* $PWD
 
 # this will run our tests inside the right environment
 docker version
-docker build --progress plain --build-arg _GOPROXY="https://goproxy.io|https://goproxy.cn|direct" .
+docker build --progress plain --build-arg GOPROXY="https://goproxy.io|https://goproxy.cn|direct" .