Support functions CodeSigningConfig updates (#15)

Issue #, if available:

This patch essentially adds support for updating `CodeSigningConfig` for
lambda functions. This patch also fixes a bug where the controller
tries to update a function that is in a Pending state - the fix is done
by re-queuing whenever a `Status.State` is 'Pending'. Along the way, this
this patch also fixes few existing issues with the current e2e tests.

Description of changes:
- Requeue whenever `Function.Status.State` is `Pending`
- Do not try to update function code if only `code.s3Key` is modified
- Add a hook to prevent the create code path from trying to delete the
code signing config when it's given as an empty string
- Fixes a bug where created dynamodb tables were not deleted
- Fixes a bug where the cr used in the e2e tests were not completely up
to date and need to be refetched

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: a-hilaly

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2021-11-23T23:35:17Z"
-  build_hash: dca757058c55b80b4eb20f62f55829981a70f7de
+  build_date: "2021-12-20T13:43:11Z"
+  build_hash: 6f17f51682dc0d16c36aa456fd22855ce9282fbc
   go_version: go1.16.4
   version: v0.15.2
 api_directory_checksum: a3c5e80eca3fc5591e8a0a2763d048f2ed4a6ddd
 api_version: v1alpha1
 aws_sdk_go_version: v1.40.28
 generator_config_info:
-  file_checksum: 47d63e3b8348d4f33111e6a3cbd6eca2412e9b46
+  file_checksum: f04b298afa1fd7fd3980226d52412de9ca1523d4
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/generator.yaml

@@ -35,6 +35,8 @@ resources:
         code: customPreCompare(delta, a, b)
       sdk_read_one_post_set_output:
         template_path: hooks/function/sdk_read_one_post_set_output.go.tpl
+      sdk_create_post_build_request:
+        template_path: hooks/function/sdk_create_post_build_request.go.tpl
     update_operation:
       custom_method_name: customUpdateFunction
   Alias:

generator.yaml

@@ -35,6 +35,8 @@ resources:
         code: customPreCompare(delta, a, b)
       sdk_read_one_post_set_output:
         template_path: hooks/function/sdk_read_one_post_set_output.go.tpl
+      sdk_create_post_build_request:
+        template_path: hooks/function/sdk_create_post_build_request.go.tpl
     update_operation:
       custom_method_name: customUpdateFunction
   Alias:

helm/templates/deployment.yaml

@@ -75,3 +75,12 @@ spec:
           value: {{ join "," .Values.resourceTags | quote }}
       terminationGracePeriodSeconds: 10
       nodeSelector: {{ toYaml .Values.deployment.nodeSelector | nindent 8 }}
+      {{ if .Values.deployment.tolerations -}}
+      tolerations: {{ toYaml .Values.deployment.tolerations | nindent 8 }}
+      {{ end -}}
+      {{ if .Values.deployment.affinity -}}
+      affinity: {{ toYaml .Values.deployment.affinity | nindent 8 }}
+      {{ end -}}
+      {{ if .Values.deployment.priorityClassName -}}
+      priorityClassName: {{ .Values.deployment.priorityClassName -}}
+      {{ end -}}

helm/values.yaml

@@ -15,9 +15,20 @@ deployment:
   annotations: {}
   labels: {}
   containerPort: 8080
+  # Which nodeSelector to set?
+  # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
   nodeSelector:
     kubernetes.io/os: linux
-
+  # Which tolerations to set?
+  # See: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+  tolerations: {}
+  # What affinity to set?
+  # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+  affinity: {}
+  # Which priorityClassName to set?
+  # See: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority
+  priorityClassName:
+  
 metrics:
   service:
     # Set to true to automatically create a Kubernetes Service resource for the

pkg/resource/function/hooks.go

@@ -15,14 +15,38 @@ package function
 
 import (
 	"context"
+	"errors"
+	"time"
 
 	svcapitypes "github.com/aws-controllers-k8s/lambda-controller/apis/v1alpha1"
 	ackcompare "github.com/aws-controllers-k8s/runtime/pkg/compare"
+	ackrequeue "github.com/aws-controllers-k8s/runtime/pkg/requeue"
 	ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log"
 	"github.com/aws/aws-sdk-go/aws"
 	svcsdk "github.com/aws/aws-sdk-go/service/lambda"
 )
 
+var (
+	ErrFunctionPending = errors.New("Function in 'Pending' state, cannot be modified or deleted")
+)
+
+var (
+	requeueWaitWhilePending = ackrequeue.NeededAfter(
+		ErrFunctionPending,
+		5*time.Second,
+	)
+)
+
+// isFunctionPending returns true if the supplied Lambda Function is in a pending
+// state
+func isFunctionPending(r *resource) bool {
+	if r.ko.Status.State == nil {
+		return false
+	}
+	state := *r.ko.Status.State
+	return state == string(svcapitypes.State_Pending)
+}
+
 // customUpdateFunction patches each of the resource properties in the backend AWS
 // service API and returns a new resource with updated fields.
 func (rm *resourceManager) customUpdateFunction(
@@ -36,8 +60,12 @@ func (rm *resourceManager) customUpdateFunction(
 	exit := rlog.Trace("rm.customUpdateFunction")
 	defer exit(err)
 
+	if isFunctionPending(desired) {
+		return nil, requeueWaitWhilePending
+	}
+
 	if delta.DifferentAt("Spec.Code") {
-		err = rm.updateFunctionCode(ctx, desired)
+		err = rm.updateFunctionCode(ctx, desired, delta)
 		if err != nil {
 			return nil, err
 		}
@@ -70,6 +98,12 @@ func (rm *resourceManager) customUpdateFunction(
 			return nil, err
 		}
 	}
+	if delta.DifferentAt("Spec.CodeSigningConfigARN") {
+		err = rm.updateFunctionCodeSigningConfig(ctx, desired)
+		if err != nil {
+			return nil, err
+		}
+	}
 
 	readOneLatest, err := rm.ReadOne(ctx, desired)
 	if err != nil {
@@ -247,12 +281,22 @@ func (rm *resourceManager) updateFunctionTags(
 func (rm *resourceManager) updateFunctionCode(
 	ctx context.Context,
 	desired *resource,
+	delta *ackcompare.Delta,
 ) error {
 	var err error
 	rlog := ackrtlog.FromContext(ctx)
 	exit := rlog.Trace("rm.updateFunctionCode")
 	defer exit(err)
 
+	if delta.DifferentAt("Spec.Code.S3Key") &&
+		!delta.DifferentAt("Spec.Code.S3Bucket") &&
+		!delta.DifferentAt("Spec.Code.S3ObjectVersion") &&
+		!delta.DifferentAt("Spec.Code.ImageURI") {
+		log := ackrtlog.FromContext(ctx)
+		log.Info("updating code.s3Key field is not currently supported.")
+		return nil
+	}
+
 	dspec := desired.ko.Spec
 	input := &svcsdk.UpdateFunctionCodeInput{
 		FunctionName: aws.String(*dspec.Name),
@@ -265,10 +309,6 @@ func (rm *resourceManager) updateFunctionCode(
 		case dspec.Code.S3Bucket != nil,
 			dspec.Code.S3Key != nil,
 			dspec.Code.S3ObjectVersion != nil:
-
-			log := ackrtlog.FromContext(ctx)
-			log.Debug("updating code.s3Bucket field is not currently supported.")
-
 			input.S3Bucket = dspec.Code.S3Bucket
 			input.S3Key = dspec.Code.S3Key
 			input.S3ObjectVersion = dspec.Code.S3ObjectVersion
@@ -384,6 +424,59 @@ func (rm *resourceManager) updateFunctionConcurrency(
 	return nil
 }
 
+// updateFunctionCodeSigningConfig calls PutFunctionCodeSigningConfig to update
+// it code signing configuration
+func (rm *resourceManager) updateFunctionCodeSigningConfig(
+	ctx context.Context,
+	desired *resource,
+) error {
+	var err error
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.updateFunctionCodeSigningConfig")
+	defer exit(err)
+
+	if desired.ko.Spec.CodeSigningConfigARN == nil || *desired.ko.Spec.CodeSigningConfigARN == "" {
+		return rm.deleteFunctionCodeSigningConfig(ctx, desired)
+	}
+
+	dspec := desired.ko.Spec
+	input := &svcsdk.PutFunctionCodeSigningConfigInput{
+		FunctionName:         aws.String(*dspec.Name),
+		CodeSigningConfigArn: aws.String(*dspec.CodeSigningConfigARN),
+	}
+
+	_, err = rm.sdkapi.PutFunctionCodeSigningConfigWithContext(ctx, input)
+	rm.metrics.RecordAPICall("UPDATE", "PutFunctionCodeSigningConfig", err)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// deleteFunctionCodeSigningConfig calls deleteFunctionCodeSigningConfig to update
+// it code signing configuration
+func (rm *resourceManager) deleteFunctionCodeSigningConfig(
+	ctx context.Context,
+	desired *resource,
+) error {
+	var err error
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.deleteFunctionCodeSigningConfig")
+	defer exit(err)
+
+	dspec := desired.ko.Spec
+	input := &svcsdk.DeleteFunctionCodeSigningConfigInput{
+		FunctionName: aws.String(*dspec.Name),
+	}
+
+	_, err = rm.sdkapi.DeleteFunctionCodeSigningConfigWithContext(ctx, input)
+	rm.metrics.RecordAPICall("UPDATE", "DeleteFunctionCodeSigningConfig", err)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // setResourceAdditionalFields will describe the fields that are not return by
 // GetFunctionConcurrency calls
 func (rm *resourceManager) setResourceAdditionalFields(
@@ -406,5 +499,18 @@ func (rm *resourceManager) setResourceAdditionalFields(
 		return err
 	}
 	ko.Spec.ReservedConcurrentExecutions = getFunctionConcurrencyOutput.ReservedConcurrentExecutions
+
+	var getFunctionCodeSigningConfigOutput *svcsdk.GetFunctionCodeSigningConfigOutput
+	getFunctionCodeSigningConfigOutput, err = rm.sdkapi.GetFunctionCodeSigningConfigWithContext(
+		ctx,
+		&svcsdk.GetFunctionCodeSigningConfigInput{
+			FunctionName: ko.Spec.Name,
+		},
+	)
+	rm.metrics.RecordAPICall("GET", "GetFunctionCodeSigningConfig", err)
+	if err != nil {
+		return err
+	}
+	ko.Spec.CodeSigningConfigARN = getFunctionCodeSigningConfigOutput.CodeSigningConfigArn
 	return nil
 }

pkg/resource/function/sdk.go

@@ -0,0 +1,3 @@
+	if desired.ko.Spec.CodeSigningConfigARN != nil && *desired.ko.Spec.CodeSigningConfigARN == "" {
+		input.CodeSigningConfigArn = nil
+	}

templates/hooks/function/sdk_create_post_build_request.go.tpl

@@ -13,4 +13,5 @@ spec:
   runtime: python3.9
   handler: main
   description: function created by ACK lambda-controller e2e tests
-  reservedConcurrentExecutions: $RESERVED_CONCURRENT_EXECUTIONS
+  reservedConcurrentExecutions: $RESERVED_CONCURRENT_EXECUTIONS
+  codeSigningConfigARN: "$CODE_SIGNING_CONFIG_ARN"

test/e2e/resources/function.yaml

@@ -76,15 +76,15 @@ def clean_up_and_delete_bucket(bucket_name: str):
 
 def delete_sqs_queue(queue_url: str) -> str:
     region = get_region()
-    sqs_client = boto3.resource('sqs', region_name=region)
-    sqs_client.meta.client.delete_queue(
+    sqs_client = boto3.client('sqs', region_name=region)
+    sqs_client.delete_queue(
         QueueUrl=queue_url,
     )
     logging.info(f"Deleted SQS queue {queue_url}")
 
 def delete_dynamodb_table(table_name: str) -> str:
     region = get_region()
-    ddb_client = boto3.resource('dynamodb', region_name=region)
+    ddb_client = boto3.client('dynamodb', region_name=region)
     ddb_client.delete_table(
         TableName=table_name,
     )