Merge pull request #1 from JayJamieson/feat/upgrade-deploy-artifact-to-container-image

Updated lambda terraform to use container image deployment artifact

Author: JayJamieson

.gitignore

@@ -18,4 +18,9 @@ bin/main.local
 function.zip
 bootstrap
 
-.idea
+.idea
+infrastructure/.terraform
+infrastructure/.terraform.lock.hcl
+infrastructure/.terraform/providers/registry.terraform.io/hashicorp/aws/5.13.1/linux_amd64/terraform-provider-aws_v5.13.1_x5
+infrastructure/terraform.tfstate
+infrastructure/terraform.tfstate.backup

Dockerfile

@@ -1,15 +1,17 @@
-FROM amazonlinux:2.0.20230727.0
+FROM golang:1.22 AS build
 
-RUN yum install -y tar xz gzip gcc
+WORKDIR /project
 
-RUN curl -L -o golang.tar.gz https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
+COPY go.mod go.sum ./
+RUN go mod download -x
 
-RUN rm -rf /usr/local/go && tar -C /usr/local -xzf golang.tar.gz
+COPY handlers/ handlers/
+COPY main.go .
 
-WORKDIR /project
+RUN CGO_ENABLED=0 go build -tags lambda.norpc -o main main.go
 
-COPY go.mod go.sum ./
-RUN /usr/local/go/bin/go mod download -x
+FROM public.ecr.aws/lambda/provided:al2
+
+COPY --from=build /project/main ./main
 
-RUN /usr/local/go/bin/go install github.com/mattn/go-sqlite3
-ENV PATH="${PATH}:/usr/local/go/bin"
+ENTRYPOINT [ "./main" ]

README.md

@@ -2,49 +2,56 @@
 
 **AWS has [deprecated go1.x](https://aws.amazon.com/blogs/compute/migrating-aws-lambda-functions-from-the-go1-x-runtime-to-the-custom-runtime-on-amazon-linux-2/) runtime.**
 
-This repository contains example lambda handler integration with API gateway. Terraform is used to deploy infrastructure including DNS, SSL Certificates.
+This repository contains example lambda handler integration with API Gateway. Terraform is used to deploy infrastructure including DNS, SSL Certificates.
 
 ## Requirements
 
-- go 1.20
+- go 1.22
 - zip
 - docker
 - terraform
 - aws cli
+- jq
 
-## Setup (optional)
+## Setup (Optional)
 
-### Docker
+For now an existing AWS ECR is required to exist already or created using `./create_ecr.sh`. Unfortunately it's not possible yet to create an ECR, build and push an image, then reference the image_uri needed for Lambda resource.
 
-Although not require specifically to run go in lambdas, can be useful to avoid compatibility issues
-when using cgo bindings or third party libraries using cgo such as sqlite3.
+If you an existing ECR you can run `./create_ecr.sh` with the `--auth-only` flag to skip creating a new ECR. This will pull credentials and inject into Docker engine.
 
-- build docker container for building lambda function binary fully compatible with aws lambda runtime
-- `docker build -t lambda-build .`
+```shell
+Usage: ./create-ecr.sh --repo-name NAME --region REGION --account-id ID [--auth-only]
+  --repo-name    ECR repository name         (required)
+  --region       AWS region                  (required)
+  --account-id   AWS account ID              (required)
+  --auth-only    Only login Docker to ECR and exit
+```
 
 ## Build
 
-AWS `provided.al2` requires executables to be named bootstrap.
+The deploy artifact is a container image instead of a zip file with the built binary. AWS has optimized container images for Lambda and results in faster cold starts.
 
-- `GOARCH=amd64 GOOS=linux go build -tags lambda.norpc -o ./infrastructure/bootstrap main.go`
-  - `provided.al2` provide a single process architecture and allow running without RPC dependency using `-tags lambda.norpc`
-  - Build without RPC using `GOARCH=amd64 GOOS=linux go build -tags lambda.norpc -o ./infrastructure/bootstrap main.go`
+To build an image and tag using `tag --points-at HEAD --sort=-version:refname` run `./build_image.sh`. This script will built a Lambda compatible container image and push to the configured AWS ECR. This script expects `./create_ecr.sh` to have run or at the minimum run with `--auth-only` for an existing ECR to get login credentials for Docker engine.
 
-- `go build -o ./bin/main.local ./cmd/handler/main.go` for locally running lambda handler as a cli application.
-  - requires manually providing event data from file or hard coded into the main.go file
-  - it can be very easy to write a cli interface to read event from path or stdin or wrap in a http server
+```shell
+Usage: ./build_image.sh --account-id ID --region REGION --repo-name NAME [--tag TAG]
+  --account-id   AWS account ID       (required)
+  --region       AWS region           (required)
+  --repo-name    ECR repository name  (required)
+  --tag          Image tag override; if omitted, use latest Git tag on HEAD
+```
 
 ## Deploy
 
 Create a `terraform.tfvars` file inside infrastructure folder and fill out required variables.
 
-- Manually deploy function code changes with cli `aws lambda update-function-code --function-name go-lambda --zip-file fileb://bootstrap.zip`
 - Use terraform to deploy infrastructure changes and function changes `terraform apply --auto-approve`
-  - `main.aws_lambda_function.go_lambda.source_code_hash = filebase64sha256("bootstrap.zip")` will ensure new builds to redeploy with infrastructure changes.
+
+To enable auto container image builds set `with_docker_build` to `true`. This will run the `./build_image.sh` script and output the image URI for use in the Lambda resource. Default is disabled.
 
 ## Optional
 
-Currently, the lambda handler takes in any request method and path. For full utilization of api gateway proxy functionality you can make use of <https://github.com/awslabs/aws-lambda-go-api-proxy> to run a standard Go http server and adapt api gateway requests to Go requests and vice versa Go responses to api gateway responses
+Currently, the lambda handler takes in any request method and path. For full utilization of API Gateway proxy functionality you can make use of <https://github.com/awslabs/aws-lambda-go-api-proxy> to run a standard Go http server and adapt API Gateway requests to Go requests and vice versa Go responses to API Gateway responses
 
 - Be aware to write lambda aware handlers using the adapters.
 - Optimize for fast startups

build.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+
+GREEN="\e[32m"
+RED="\e[31m"
+YELLOW="\e[33m"
+NC="\e[0m"
+
+trap 'echo -e "${RED}Error on line ${LINENO}. Aborting.${NC}" >&2; exit 1' ERR
+
+usage() {
+  cat <<EOF >&2
+Usage: $0 --account-id ID --region REGION --repo-name NAME [--tag TAG]
+  --account-id   AWS account ID       (required)
+  --region       AWS region           (required)
+  --repo-name    ECR repository name  (required)
+  --tag          Image tag override; if omitted, use latest Git tag on HEAD
+EOF
+  exit 1
+}
+
+ACCOUNT_ID=""
+REGION=""
+REPO_NAME=""
+TAG=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --account-id) ACCOUNT_ID="$2"; shift 2 ;;
+    --region)      REGION="$2";     shift 2 ;;
+    --repo-name)   REPO_NAME="$2";   shift 2 ;;
+    --tag)         TAG="$2";        shift 2 ;;
+    -h|--help)     usage ;;
+    *) echo -e "${RED}Unknown option: $1${NC}" >&2; usage ;;
+  esac
+done
+
+[[ -n "$ACCOUNT_ID" && -n "$REGION" && -n "$REPO_NAME" ]] || usage
+
+if [[ -n "$TAG" ]]; then
+  IMAGE_TAG="$TAG"
+  echo -e "${YELLOW}Using override tag: ${IMAGE_TAG}${NC}" >&2
+else
+  IMAGE_TAG=$(git tag --points-at HEAD --sort=-version:refname | head -n1 || true)
+  if [[ -z "$IMAGE_TAG" ]]; then
+    echo -e "${YELLOW}No tag found on HEAD; falling back to commit hash${NC}" >&2
+    IMAGE_TAG=$(git rev-parse --short HEAD)
+  else
+    echo -e "${GREEN}Found Git tag on HEAD: ${IMAGE_TAG}${NC}" >&2
+  fi
+fi
+
+IMAGE_REPO="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${REPO_NAME}"
+IMAGE_URI="${IMAGE_REPO}:${IMAGE_TAG}"
+
+echo -e "${YELLOW}Building Docker image as ${IMAGE_REPO}:${IMAGE_TAG}…${NC}" >&2
+docker buildx build \
+  --platform linux/amd64 \
+  --provenance=false \
+  -t "${IMAGE_REPO}" \
+  . >&2
+echo -e "${GREEN}Build succeeded.${NC}" >&2
+
+echo -e "${YELLOW}Tagging image…${NC}" >&2
+docker tag "${IMAGE_REPO}" "${IMAGE_URI}" >&2
+docker tag "${IMAGE_REPO}" "${IMAGE_REPO}:latest" >&2
+echo -e "${GREEN}Tagging succeeded.${NC}" >&2
+
+echo -e "${YELLOW}Pushing ${IMAGE_URI}…${NC}" >&2
+docker push "${IMAGE_URI}" >&2
+echo -e "${GREEN}Pushed ${IMAGE_URI}.${NC}" >&2
+
+echo -e "${YELLOW}Pushing latest tag…${NC}" >&2
+docker push "${IMAGE_REPO}:latest" >&2
+echo -e "${GREEN}Pushed latest tag.${NC}" >&2
+
+jq -n --arg uri "$IMAGE_URI" '{"image_uri":$uri}'

build_image.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+
+GREEN="\e[32m"
+RED="\e[31m"
+YELLOW="\e[33m"
+NC="\e[0m"
+
+trap 'echo -e "${RED}Error on line ${LINENO}. Aborting.${NC}" >&2; exit 1' ERR
+
+usage() {
+  cat <<EOF >&2
+Usage: $0 --repo-name NAME --region REGION --account-id ID [--auth-only]
+  --repo-name    ECR repository name         (required)
+  --region       AWS region                  (required)
+  --account-id   AWS account ID              (required)
+  --auth-only    Only login Docker to ECR and exit
+EOF
+  exit 1
+}
+
+REPO_NAME=""
+REGION=""
+ACCOUNT_ID=""
+AUTH_ONLY=false
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --repo-name)  REPO_NAME="$2";   shift 2 ;;
+    --region)     REGION="$2";      shift 2 ;;
+    --account-id) ACCOUNT_ID="$2";  shift 2 ;;
+    --auth-only)  AUTH_ONLY=true;   shift    ;;
+    -h|--help)    usage ;;
+    *) echo -e "${RED}Unknown option: $1${NC}" >&2; usage ;;
+  esac
+done
+
+[[ -n "$REPO_NAME" && -n "$REGION" && -n "$ACCOUNT_ID" ]] || usage
+
+ECR_URI="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com"
+
+echo -e "${YELLOW}Logging in to ECR registry ${ECR_URI}…${NC}" >&2
+aws ecr get-login-password --region "$REGION" \
+  | docker login --username AWS --password-stdin "${ECR_URI}" \
+  && echo -e "${GREEN}Docker login succeeded.${NC}" >&2
+
+if $AUTH_ONLY; then
+  echo -e "${YELLOW}Auth-only flag set; exiting after login.${NC}" >&2
+  exit 0
+fi
+
+echo -e "${YELLOW}Creating ECR repository '${REPO_NAME}'…${NC}" >&2
+CREATE_OUTPUT=$(aws ecr create-repository \
+  --repository-name "$REPO_NAME" \
+  --region "$REGION" \
+  --image-scanning-configuration scanOnPush=false \
+  --image-tag-mutability MUTABLE)
+echo -e "${GREEN}Repository creation succeeded.${NC}" >&2
+
+REPO_URI=$(echo "$CREATE_OUTPUT" | jq -r '.repository.repositoryUri')
+echo -e "Repository URI: $REPO_URI" >&2
+
+printf '%s\n' "$REPO_URI"

create-ecr.sh

@@ -1,5 +1,5 @@
 module github.com/JayJamieson/go-lambda
 
-go 1.21
+go 1.22
 
-require github.com/aws/aws-lambda-go v1.41.0
+require github.com/aws/aws-lambda-go v1.48.0

go.mod

@@ -1,6 +1,12 @@
 github.com/aws/aws-lambda-go v1.41.0 h1:l/5fyVb6Ud9uYd411xdHZzSf2n86TakxzpvIoz7l+3Y=
 github.com/aws/aws-lambda-go v1.41.0/go.mod h1:jwFe2KmMsHmffA1X2R09hH6lFzJQxzI8qK17ewzbQMM=
+github.com/aws/aws-lambda-go v1.48.0 h1:1aZUYsrJu0yo5fC4z+Rba1KhNImXcJcvHu763BxoyIo=
+github.com/aws/aws-lambda-go v1.48.0/go.mod h1:dpMpZgvWx5vuQJfBt0zqBha60q7Dd7RfgJv23DymV8A=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
+github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=