Introduce spec.code.sha256 field to help with s3 code changes (#88)

**Issue #**
[#1550](aws-controllers-k8s/community#1550)

**Description**
This PR adds the feature to update the `Spec.Code.S3` variables. The issue arises as Lambda API does not keep record of `Spec.Code` variables, because of which ACK is not being able to compare the changes in the state for `Spec.Code` (ex: change in `Spec.Code.S3Key`) and thus fails to recognize the changes.

Thus we have added a new field `Spec.Code.SHA256`, the user has to manually calculate the SHA256 for their code, they can do this by running this command `sha256sum filename.zip |cut -f1 -d\ | xxd -r -p | base64`. This field will then be compared with current SHA256 taken from `Status.CodeSHA256` and will determine if the update has been made for deployment package. 

**Acknowledgment**
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: Vandita2020

apis/v1alpha1/ack-generate-metadata.yaml

@@ -7,7 +7,7 @@ api_directory_checksum: c67645b15db39980ba51ff6303c34c5aafc55a9e
 api_version: v1alpha1
 aws_sdk_go_version: v1.44.181
 generator_config_info:
-  file_checksum: f0fa26f0d3c577f5800eb183e0ec1cea865a75ee
+  file_checksum: 4038e6b669d1d6966f8e729a3ed323bf03593680
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/generator.yaml

@@ -38,6 +38,13 @@ resources:
         - path: Status.State
           in: [ "Active" ]
     fields:
+      Code.SHA256:
+        type: string
+        compare:
+          is_ignored: true
+        set:
+        - ignore: "to"
+          method: Create
       Code.S3Bucket:
         references:
           resource: Bucket
@@ -72,7 +79,7 @@ resources:
           path: ReservedConcurrentExecutions
       Code:
         compare:
-          is_ignored: true
+          is_ignored: false
         set:
           - ignore: true
             operation: ReadOne

apis/v1alpha1/types.go

@@ -70,6 +70,8 @@ spec:
                     type: string
                   s3ObjectVersion:
                     type: string
+                  sha256:
+                    type: string
                   zipFile:
                     format: byte
                     type: string

apis/v1alpha1/zz_generated.deepcopy.go

@@ -38,6 +38,13 @@ resources:
         - path: Status.State
           in: [ "Active" ]
     fields:
+      Code.SHA256:
+        type: string
+        compare:
+          is_ignored: true
+        set:
+        - ignore: "to"
+          method: Create
       Code.S3Bucket:
         references:
           resource: Bucket
@@ -72,7 +79,7 @@ resources:
           path: ReservedConcurrentExecutions
       Code:
         compare:
-          is_ignored: true
+          is_ignored: false
         set:
           - ignore: true
             operation: ReadOne

config/crd/bases/lambda.services.k8s.aws_functions.yaml

@@ -70,6 +70,8 @@ spec:
                     type: string
                   s3ObjectVersion:
                     type: string
+                  sha256:
+                    type: string
                   zipFile:
                     format: byte
                     type: string

generator.yaml

@@ -102,25 +102,15 @@ func (rm *resourceManager) customUpdateFunction(
 			}
 		}
 	}
-	if delta.DifferentAt("Spec.Architectures") {
-		err = rm.updateFunctionArchitectures(ctx, desired, latest)
-		if err != nil {
-			return nil, err
-		}
-	}
 
 	// Only try to update Spec.Code or Spec.Configuration at once. It is
 	// not correct to sequentially call UpdateFunctionConfiguration and
 	// UpdateFunctionCode because both of them can put the function in a
 	// Pending state.
 	switch {
-	case delta.DifferentAt("Spec.Code"):
-		err = rm.updateFunctionCode(ctx, desired, delta)
+	case delta.DifferentAt("Spec.Code.ImageURI") || delta.DifferentAt("Spec.Code.SHA256") || delta.DifferentAt("Spec.Architectures"):
+		err = rm.updateFunctionCode(ctx, desired, delta, latest)
 		if err != nil {
-			// If the source image is not available, we get an error like this:
-			// "InvalidParameterValueException: Source image 1234567890.dkr.ecr.us-east-2.amazonaws.com/my-lambda:my-tag does not exist. Provide a valid source image."
-			// Because this may be recoverable (i.e. the image may be pushed once a build completes),
-			// we requeue the function for reconciliation after one minute.
 			if strings.Contains(err.Error(), "Provide a valid source image.") {
 				return nil, requeueWaitWhileSourceImageDoesNotExist
 			} else {
@@ -131,6 +121,7 @@ func (rm *resourceManager) customUpdateFunction(
 		"Spec.Code",
 		"Spec.Tags",
 		"Spec.ReservedConcurrentExecutions",
+		"Spec.FunctionEventInvokeConfig",
 		"Spec.CodeSigningConfigARN"):
 		err = rm.updateFunctionConfiguration(ctx, desired, delta)
 		if err != nil {
@@ -377,16 +368,17 @@ func (rm *resourceManager) updateFunctionTags(
 	return nil
 }
 
-// updateFunctionArchitectures calls UpdateFunctionCode to update architecture for lambda
+// updateFunctionsCode calls UpdateFunctionCode to update a specific lambda
 // function code.
-func (rm *resourceManager) updateFunctionArchitectures(
+func (rm *resourceManager) updateFunctionCode(
 	ctx context.Context,
 	desired *resource,
+	delta *ackcompare.Delta,
 	latest *resource,
 ) error {
 	var err error
 	rlog := ackrtlog.FromContext(ctx)
-	exit := rlog.Trace("rm.updateFunctionArchitectures")
+	exit := rlog.Trace("rm.updateFunctionCode")
 	defer exit(err)
 
 	dspec := desired.ko.Spec
@@ -400,60 +392,30 @@ func (rm *resourceManager) updateFunctionArchitectures(
 		input.Architectures = nil
 	}
 
-	if latest.ko.Spec.Code != nil {
-		if latest.ko.Spec.PackageType != nil && *latest.ko.Spec.PackageType == "Image" {
-			input.ImageUri = latest.ko.Spec.Code.ImageURI
-		} else if latest.ko.Spec.PackageType != nil && *latest.ko.Spec.PackageType == "Zip" {
-			input.S3Bucket = latest.ko.Spec.Code.S3Bucket
-			input.S3Key = latest.ko.Spec.Code.S3Key
-		}
-	}
-
-	_, err = rm.sdkapi.UpdateFunctionCodeWithContext(ctx, input)
-	rm.metrics.RecordAPICall("UPDATE", "UpdateFunctionArchitectures", err)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// updateFunctionsCode calls UpdateFunctionCode to update a specific lambda
-// function code.
-func (rm *resourceManager) updateFunctionCode(
-	ctx context.Context,
-	desired *resource,
-	delta *ackcompare.Delta,
-) error {
-	var err error
-	rlog := ackrtlog.FromContext(ctx)
-	exit := rlog.Trace("rm.updateFunctionCode")
-	defer exit(err)
-
-	if delta.DifferentAt("Spec.Code.S3Key") &&
-		!delta.DifferentAt("Spec.Code.S3Bucket") &&
-		!delta.DifferentAt("Spec.Code.S3ObjectVersion") &&
-		!delta.DifferentAt("Spec.Code.ImageURI") {
-		log := ackrtlog.FromContext(ctx)
-		log.Info("updating code.s3Key field is not currently supported.")
-		return nil
-	}
-
-	dspec := desired.ko.Spec
-	input := &svcsdk.UpdateFunctionCodeInput{
-		FunctionName: aws.String(*dspec.Name),
-	}
-
 	if dspec.Code != nil {
-		switch {
-		case dspec.Code.ImageURI != nil:
-			input.ImageUri = dspec.Code.ImageURI
-		case dspec.Code.S3Bucket != nil,
-			dspec.Code.S3Key != nil,
-			dspec.Code.S3ObjectVersion != nil:
-			input.S3Bucket = dspec.Code.S3Bucket
-			input.S3Key = dspec.Code.S3Key
-			input.S3ObjectVersion = dspec.Code.S3ObjectVersion
+		if delta.DifferentAt("Spec.Code.SHA256") && dspec.Code.SHA256 != nil {
+			if dspec.Code.S3Key != nil {
+				input.S3Key = aws.String(*dspec.Code.S3Key)
+			}
+			if dspec.Code.S3Bucket != nil {
+				input.S3Bucket = aws.String(*dspec.Code.S3Bucket)
+			}
+			if dspec.Code.S3ObjectVersion != nil {
+				input.S3ObjectVersion = aws.String(*dspec.Code.S3ObjectVersion)
+			}
+		} else if delta.DifferentAt("Spec.Code.ImageURI") && dspec.Code.ImageURI != nil {
+			if dspec.Code.ImageURI != nil {
+				input.ImageUri = aws.String(*dspec.Code.ImageURI)
+			}
+
+		} else { // We need to pass the latest code to Update API call,
+			//if there is change in architecture and no change in Code
+			if latest.ko.Spec.PackageType != nil && *latest.ko.Spec.PackageType == "Image" {
+				input.ImageUri = latest.ko.Spec.Code.ImageURI
+			} else if latest.ko.Spec.PackageType != nil && *latest.ko.Spec.PackageType == "Zip" {
+				input.S3Bucket = latest.ko.Spec.Code.S3Bucket
+				input.S3Key = latest.ko.Spec.Code.S3Key
+			}
 		}
 	}
 
@@ -501,36 +463,27 @@ func customPreCompare(
 	a *resource,
 	b *resource,
 ) {
+	// No need to compare difference in S3 Key/Bucket/ObjectVersion. As in sdkFind() there is a copy 'ko := r.ko.DeepCopy()'
+	// of S3 Key/Bucket/ObjectVersion passed. This 'ko' then stores the values of latest S3 fields which API returns
+	// and compares it with desired field values. Since the API doesn't return values of S3 fields, it doesn't
+	// notice any changes between desired and latest, hence fails to recognize the update in the values.
+
+	// To solve this we created a new field 'Code.SHA256' to store the hash value of deployment package. Any change
+	// in hash value refers to change in S3 Key/Bucket/ObjectVersion and controller can recognize the change in
+	// desired and latest value of 'Code.SHA256' and hence calls the update function.
+
 	if ackcompare.HasNilDifference(a.ko.Spec.Code, b.ko.Spec.Code) {
 		delta.Add("Spec.Code", a.ko.Spec.Code, b.ko.Spec.Code)
 	} else if a.ko.Spec.Code != nil && b.ko.Spec.Code != nil {
-		if ackcompare.HasNilDifference(a.ko.Spec.Code.ImageURI, b.ko.Spec.Code.ImageURI) {
-			delta.Add("Spec.Code.ImageURI", a.ko.Spec.Code.ImageURI, b.ko.Spec.Code.ImageURI)
-		} else if a.ko.Spec.Code.ImageURI != nil && b.ko.Spec.Code.ImageURI != nil {
-			if *a.ko.Spec.Code.ImageURI != *b.ko.Spec.Code.ImageURI {
-				delta.Add("Spec.Code.ImageURI", a.ko.Spec.Code.ImageURI, b.ko.Spec.Code.ImageURI)
-			}
-		}
-		//TODO(hialylmh) handle Spec.Code.S3bucket changes
-		//  if ackcompare.HasNilDifference(a.ko.Spec.Code.S3Bucket, b.ko.Spec.Code.S3Bucket) {
-		//  	delta.Add("Spec.Code.S3Bucket", a.ko.Spec.Code.S3Bucket, b.ko.Spec.Code.S3Bucket)
-		//  } else if a.ko.Spec.Code.S3Bucket != nil && b.ko.Spec.Code.S3Bucket != nil {
-		//  	if *a.ko.Spec.Code.S3Bucket != *b.ko.Spec.Code.S3Bucket {
-		//  		delta.Add("Spec.Code.S3Bucket", a.ko.Spec.Code.S3Bucket, b.ko.Spec.Code.S3Bucket)
-		//  	}
-		//  }
-		if ackcompare.HasNilDifference(a.ko.Spec.Code.S3Key, b.ko.Spec.Code.S3Key) {
-			delta.Add("Spec.Code.S3Key", a.ko.Spec.Code.S3Key, b.ko.Spec.Code.S3Key)
-		} else if a.ko.Spec.Code.S3Key != nil && b.ko.Spec.Code.S3Key != nil {
-			if *a.ko.Spec.Code.S3Key != *b.ko.Spec.Code.S3Key {
-				delta.Add("Spec.Code.S3Key", a.ko.Spec.Code.S3Key, b.ko.Spec.Code.S3Key)
-			}
-		}
-		if ackcompare.HasNilDifference(a.ko.Spec.Code.S3ObjectVersion, b.ko.Spec.Code.S3ObjectVersion) {
-			delta.Add("Spec.Code.S3ObjectVersion", a.ko.Spec.Code.S3ObjectVersion, b.ko.Spec.Code.S3ObjectVersion)
-		} else if a.ko.Spec.Code.S3ObjectVersion != nil && b.ko.Spec.Code.S3ObjectVersion != nil {
-			if *a.ko.Spec.Code.S3ObjectVersion != *b.ko.Spec.Code.S3ObjectVersion {
-				delta.Add("Spec.Code.S3ObjectVersion", a.ko.Spec.Code.S3ObjectVersion, b.ko.Spec.Code.S3ObjectVersion)
+		if a.ko.Spec.PackageType != nil && *a.ko.Spec.PackageType == "Zip" {
+			if a.ko.Spec.Code.SHA256 != nil {
+				if ackcompare.HasNilDifference(a.ko.Spec.Code.SHA256, b.ko.Status.CodeSHA256) {
+					delta.Add("Spec.Code.SHA256", a.ko.Spec.Code.SHA256, b.ko.Status.CodeSHA256)
+				} else if a.ko.Spec.Code.SHA256 != nil && b.ko.Status.CodeSHA256 != nil {
+					if *a.ko.Spec.Code.SHA256 != *b.ko.Status.CodeSHA256 {
+						delta.Add("Spec.Code.SHA256", a.ko.Spec.Code.SHA256, b.ko.Status.CodeSHA256)
+					}
+				}
 			}
 		}
 	}

helm/crds/lambda.services.k8s.aws_functions.yaml

@@ -0,0 +1,19 @@
+apiVersion: lambda.services.k8s.aws/v1alpha1
+kind: Function
+metadata:
+  name: $FUNCTION_NAME
+  annotations:
+    services.k8s.aws/region: $AWS_REGION
+spec:
+  name: $FUNCTION_NAME
+  architectures: [$ARCHITECTURES]
+  code:
+    s3Bucket: $BUCKET_NAME
+    s3Key: $LAMBDA_FILE_NAME
+    sha256: $HASH
+  role: $LAMBDA_ROLE
+  runtime: python3.9
+  handler: main
+  description: function created by ACK lambda-controller e2e tests
+  reservedConcurrentExecutions: $RESERVED_CONCURRENT_EXECUTIONS
+  codeSigningConfigARN: "$CODE_SIGNING_CONFIG_ARN"

pkg/resource/function/delta.go

@@ -0,0 +1,2 @@
+if __name__ == "__main__":
+    print("Updated Hello ACK!")

pkg/resource/function/hooks.go

@@ -44,6 +44,11 @@
 LAMBDA_FUNCTION_FILE_PATH = f"./resources/lambda_function/{LAMBDA_FUNCTION_FILE}"
 LAMBDA_FUNCTION_FILE_PATH_ZIP = f"./resources/lambda_function/{LAMBDA_FUNCTION_FILE_ZIP}"
 
+LAMBDA_FUNCTION_UPDATED_FILE = "updated_main.py"
+LAMBDA_FUNCTION_UPDATED_FILE_ZIP = "updated_main.zip"
+LAMBDA_FUNCTION_UPDATED_FILE_PATH = f"./resources/lambda_function/{LAMBDA_FUNCTION_UPDATED_FILE}"
+LAMBDA_FUNCTION_UPDATED_FILE_PATH_ZIP = f"./resources/lambda_function/{LAMBDA_FUNCTION_UPDATED_FILE_ZIP}" 
+
 AWS_SIGNING_PLATFORM_ID = "AWSLambda-SHA384-ECDSA"
 
 def zip_function_file(src: str, dst: str):
@@ -139,6 +144,12 @@ def service_bootstrap() -> Resources:
             LAMBDA_FUNCTION_FILE_PATH_ZIP,
             resources.FunctionsBucket.name,
         )
+
+        zip_function_file(LAMBDA_FUNCTION_UPDATED_FILE_PATH, LAMBDA_FUNCTION_UPDATED_FILE_PATH_ZIP)
+        upload_function_to_bucket(
+            LAMBDA_FUNCTION_UPDATED_FILE_PATH_ZIP,
+            resources.FunctionsBucket.name,
+        )
     except BootstrapFailureException as ex:
         exit(254)
     return resources