chore: add NLB cert validator and custom domain to CFN template (#3166)

This PR:
1. Upload NLB cert validator and custom domain lambda scripts to S3 bucket, if DNS delegation is enabled. This is because if we pass the scripts as code into the CFN template, the two scripts together would make the template too large -> so we need to upload them to s3 and refer to the s3 location instead.
2. Add cert validator custom resource and custom domain custom resource to NLB template, conditionally.
3. Add supporting resources to the custom resource, such as roles to invoke lambda.
4. Removed the outdated script from  #3157.

Preceding PR: #3157 

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.

Author: Lou1415926

cf-custom-resources/lib/nlb-cert-manager.js

@@ -314,6 +314,7 @@ type uploader interface {
 type customResourcesUploader interface {
 	UploadEnvironmentCustomResources(upload s3.CompressAndUploadFunc) (map[string]string, error)
 	UploadRequestDrivenWebServiceCustomResources(upload s3.CompressAndUploadFunc) (map[string]string, error)
+	UploadNetworkLoadBalancedWebServiceCustomResources(upload s3.CompressAndUploadFunc) (map[string]string, error)
 }
 
 type bucketEmptier interface {

cf-custom-resources/test/nlb-cert-manager-test.js

@@ -575,7 +575,7 @@ func (o *deploySvcOpts) runtimeConfig() (*stack.RuntimeConfig, error) {
 	}, nil
 }
 
-func uploadCustomResources(o *uploadCustomResourcesOpts, appEnvResources *stack.AppRegionalResources) (map[string]string, error) {
+func uploadRDWSCustomResources(o *uploadCustomResourcesOpts, appEnvResources *stack.AppRegionalResources) (map[string]string, error) {
 	s3Client, err := o.newS3Uploader()
 	if err != nil {
 		return nil, err
@@ -591,6 +591,22 @@ func uploadCustomResources(o *uploadCustomResourcesOpts, appEnvResources *stack.
 	return urls, nil
 }
 
+func uploadNLBWSCustomResources(o *uploadCustomResourcesOpts, appEnvResources *stack.AppRegionalResources) (map[string]string, error) {
+	s3Client, err := o.newS3Uploader()
+	if err != nil {
+		return nil, err
+	}
+
+	urls, err := o.uploader.UploadNetworkLoadBalancedWebServiceCustomResources(func(key string, objects ...s3.NamedBinary) (string, error) {
+		return s3Client.ZipAndUpload(appEnvResources.S3Bucket, key, objects...)
+	})
+	if err != nil {
+		return nil, fmt.Errorf("upload custom resources to bucket %s: %w", appEnvResources.S3Bucket, err)
+	}
+
+	return urls, nil
+}
+
 func (o *deploySvcOpts) stackConfiguration() (cloudformation.StackConfiguration, error) {
 	mft, err := o.manifest()
 	if err != nil {
@@ -645,6 +661,17 @@ func (o *deploySvcOpts) stackConfiguration() (cloudformation.StackConfiguration,
 				return nil, err
 			}
 			opts = append(opts, stack.WithNLB(cidrBlocks))
+
+			if o.targetApp.RequiresDNSDelegation() {
+				if err = o.retrieveAppResourcesForEnvRegion(); err != nil {
+					return nil, err
+				}
+				urls, err := uploadNLBWSCustomResources(o.uploadOpts, o.appEnvResources)
+				if err != nil {
+					return nil, err
+				}
+				opts = append(opts, stack.WithNLBCustomResources(urls))
+			}
 		}
 		conf, err = stack.NewLoadBalancedWebService(t, o.targetEnvironment.Name, o.targetEnvironment.App, *rc, opts...)
 	case *manifest.RequestDrivenWebService:
@@ -686,7 +713,7 @@ func (o *deploySvcOpts) stackConfiguration() (cloudformation.StackConfiguration,
 		if err = o.retrieveAppResourcesForEnvRegion(); err != nil {
 			return nil, err
 		}
-		if urls, err = uploadCustomResources(o.uploadOpts, o.appEnvResources); err != nil {
+		if urls, err = uploadRDWSCustomResources(o.uploadOpts, o.appEnvResources); err != nil {
 			return nil, err
 		}
 		conf, err = stack.NewRequestDrivenWebServiceWithAlias(t, o.targetEnvironment.Name, appInfo, *rc, urls)

internal/pkg/cli/interfaces.go

@@ -14,6 +14,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/copilot-cli/internal/pkg/addon"
 	"github.com/aws/copilot-cli/internal/pkg/aws/cloudformation"
+	"github.com/aws/copilot-cli/internal/pkg/aws/ec2"
 	"github.com/aws/copilot-cli/internal/pkg/aws/ecs"
 	"github.com/aws/copilot-cli/internal/pkg/aws/identity"
 	"github.com/aws/copilot-cli/internal/pkg/deploy"
@@ -48,6 +49,7 @@ type deploySvcMocks struct {
 	mockS3Svc              *mocks.Mockuploader
 	mockAddons             *mocks.Mocktemplater
 	mockIdentity           *mocks.MockidentityService
+	mockUploader           *mocks.MockcustomResourcesUploader
 }
 
 type mockWorkloadMft struct {
@@ -827,6 +829,45 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 			},
 			wantErr: fmt.Errorf(`alias "v1.v2.mockDomain" is not supported in hosted zones managed by Copilot`),
 		},
+		"fail to upload NLB custom resource scripts": {
+			inNLB: manifest.NetworkLoadBalancerConfiguration{
+				Port:    aws.String("80"),
+				Aliases: manifest.Alias{String: aws.String("v1.mockDomain")},
+			},
+			inEnvironment: &config.Environment{
+				Name:   mockEnvName,
+				Region: "us-west-2",
+			},
+			inApp: &config.Application{
+				Name:   mockAppName,
+				Domain: "mockDomain",
+			},
+			mock: func(m *deploySvcMocks) {
+				m.mockWs.EXPECT().ReadWorkloadManifest(mockSvcName).Return([]byte{}, nil)
+				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
+				m.mockAppVersionGetter.EXPECT().Version().Return("v1.0.0", nil)
+				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
+				m.mockIdentity.EXPECT().Get().Return(identity.Caller{
+					RootUserARN: "1234",
+				}, nil)
+				m.mockEnvDescriber.EXPECT().Describe().Return(&describe.EnvDescription{
+					EnvironmentVPC: describe.EnvironmentVPC{
+						ID: "mockVPCID",
+					},
+				}, nil)
+				m.mockSubnetLister.EXPECT().ListVPCSubnets("mockVPCID").Return(&ec2.VPCSubnets{
+					Public: []ec2.Subnet{{CIDRBlock: "cidr1"}, {CIDRBlock: "cidr2"}},
+				}, nil)
+				m.mockAppResourcesGetter.EXPECT().GetAppResourcesByRegion(&config.Application{
+					Name:   mockAppName,
+					Domain: "mockDomain",
+				}, "us-west-2").Return(&stack.AppRegionalResources{
+					S3Bucket: "mockBucket",
+				}, nil)
+				m.mockUploader.EXPECT().UploadNetworkLoadBalancedWebServiceCustomResources(gomock.Any()).Return(nil, errors.New("some error"))
+			},
+			wantErr: fmt.Errorf("upload custom resources to bucket mockBucket: some error"),
+		},
 		"error if fail to deploy service": {
 			inEnvironment: &config.Environment{
 				Name:   mockEnvName,
@@ -1043,6 +1084,7 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 				mockEnvDescriber:       mocks.NewMockenvDescriber(ctrl),
 				mockSubnetLister:       mocks.NewMockvpcSubnetLister(ctrl),
 				mockIdentity:           mocks.NewMockidentityService(ctrl),
+				mockUploader:           mocks.NewMockcustomResourcesUploader(ctrl),
 			}
 			tc.mock(m)
 
@@ -1098,6 +1140,12 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 				now: func() time.Time {
 					return mockNowTime
 				},
+				uploadOpts: &uploadCustomResourcesOpts{
+					uploader: m.mockUploader,
+					newS3Uploader: func() (uploader, error) {
+						return nil, nil
+					},
+				},
 			}
 
 			gotErr := opts.deploySvc()
@@ -1152,7 +1200,6 @@ func TestSvcDeployOpts_rdWebServiceStackConfiguration(t *testing.T) {
 				m.mockWorkspace.EXPECT().ReadWorkloadManifest(mockSvcName).Return([]byte{}, nil)
 				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
 				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
-
 			},
 
 			wantErr: errors.New("alias specified when application is not associated with a domain"),

internal/pkg/cli/mocks/mock_interfaces.go

@@ -160,7 +160,7 @@ func newPackageSvcOpts(vars packageSvcVars) (*packageSvcOpts, error) {
 			if err != nil {
 				return nil, fmt.Errorf("get application %s resources from region %s: %w", app.Name, env.Region, err)
 			}
-			urls, err := uploadCustomResources(&uploadCustomResourcesOpts{
+			urls, err := uploadRDWSCustomResources(&uploadCustomResourcesOpts{
 				uploader: template.New(),
 				newS3Uploader: func() (uploader, error) {
 					envRegion := env.Region

internal/pkg/cli/svc_deploy.go

@@ -21,7 +21,6 @@ const (
 	lbWebSvcRulePriorityGeneratorPath = "custom-resources/alb-rule-priority-generator.js"
 	desiredCountGeneratorPath         = "custom-resources/desired-count-delegation.js"
 	envControllerPath                 = "custom-resources/env-controller.js"
-	nlbCertManagerPath                = "custom-resources/nlb-cert-validator-updater.js"
 )
 
 // Parameter logical IDs for a load balanced web service.
@@ -52,9 +51,10 @@ type LoadBalancedWebService struct {
 	// `httpsEnabled` has the same value with `dnsDelegationEnabled`, because we enabled https
 	// automatically the app is associated with a domain. When an ALB is disabled, `httpsEnabled`
 	// should always be false; hence they could have different values at this time.
-	dnsDelegationEnabled   bool
-	publicSubnetCIDRBlocks []string
-	appInfo                deploy.AppInformation
+	dnsDelegationEnabled    bool
+	publicSubnetCIDRBlocks  []string
+	appInfo                 deploy.AppInformation
+	nlbCustomResourceS3URLs map[string]string
 
 	parser loadBalancedWebSvcReadParser
 }
@@ -78,6 +78,13 @@ func WithNLB(cidrBlocks []string) func(s *LoadBalancedWebService) {
 	}
 }
 
+// WithNLBDNSCustomResources includes NLB custom resource URLs in a LoadBalancedWebService.
+func WithNLBCustomResources(urls map[string]string) func(s *LoadBalancedWebService) {
+	return func(s *LoadBalancedWebService) {
+		s.nlbCustomResourceS3URLs = urls
+	}
+}
+
 // WithDNSDelegation enables DNS delegation for a LoadBalancedWebService.
 func WithDNSDelegation(app deploy.AppInformation) func(s *LoadBalancedWebService) {
 	return func(s *LoadBalancedWebService) {
@@ -196,40 +203,42 @@ func (s *LoadBalancedWebService) Template() (string, error) {
 		return "", err
 	}
 	content, err := s.parser.ParseLoadBalancedWebService(template.WorkloadOpts{
-		Variables:                    s.manifest.TaskConfig.Variables,
-		Secrets:                      s.manifest.TaskConfig.Secrets,
-		Aliases:                      aliases,
-		NestedStack:                  addonsOutputs,
-		AddonsExtraParams:            addonsParams,
-		Sidecars:                     sidecars,
-		LogConfig:                    convertLogging(s.manifest.Logging),
-		DockerLabels:                 s.manifest.ImageConfig.Image.DockerLabels,
-		Autoscaling:                  autoscaling,
-		CapacityProviders:            capacityProviders,
-		DesiredCountOnSpot:           desiredCountOnSpot,
-		ExecuteCommand:               convertExecuteCommand(&s.manifest.ExecuteCommand),
-		WorkloadType:                 manifest.LoadBalancedWebServiceType,
-		HealthCheck:                  convertContainerHealthCheck(s.manifest.ImageConfig.HealthCheck),
-		HTTPHealthCheck:              convertHTTPHealthCheck(&s.manifest.HealthCheck),
-		DeregistrationDelay:          deregistrationDelay,
-		AllowedSourceIps:             allowedSourceIPs,
-		RulePriorityLambda:           rulePriorityLambda.String(),
-		DesiredCountLambda:           desiredCountLambda.String(),
-		EnvControllerLambda:          envControllerLambda.String(),
-		NLBCertManagerFunctionLambda: nlbConfig.certManagerLambda,
-		Storage:                      convertStorageOpts(s.manifest.Name, s.manifest.Storage),
-		Network:                      convertNetworkConfig(s.manifest.Network),
-		EntryPoint:                   entrypoint,
-		Command:                      command,
-		DependsOn:                    convertDependsOn(s.manifest.ImageConfig.Image.DependsOn),
-		CredentialsParameter:         aws.StringValue(s.manifest.ImageConfig.Image.Credentials),
-		ServiceDiscoveryEndpoint:     s.rc.ServiceDiscoveryEndpoint,
-		Publish:                      publishers,
-		Platform:                     convertPlatform(s.manifest.Platform),
-		HTTPVersion:                  convertHTTPVersion(s.manifest.ProtocolVersion),
-		NLB:                          nlbConfig.settings,
-		AppDNSName:                   nlbConfig.appDNSName,
-		AppDNSDelegationRole:         nlbConfig.appDNSDelegationRole,
+		Variables:                      s.manifest.TaskConfig.Variables,
+		Secrets:                        s.manifest.TaskConfig.Secrets,
+		Aliases:                        aliases,
+		NestedStack:                    addonsOutputs,
+		AddonsExtraParams:              addonsParams,
+		Sidecars:                       sidecars,
+		LogConfig:                      convertLogging(s.manifest.Logging),
+		DockerLabels:                   s.manifest.ImageConfig.Image.DockerLabels,
+		Autoscaling:                    autoscaling,
+		CapacityProviders:              capacityProviders,
+		DesiredCountOnSpot:             desiredCountOnSpot,
+		ExecuteCommand:                 convertExecuteCommand(&s.manifest.ExecuteCommand),
+		WorkloadType:                   manifest.LoadBalancedWebServiceType,
+		HealthCheck:                    convertContainerHealthCheck(s.manifest.ImageConfig.HealthCheck),
+		HTTPHealthCheck:                convertHTTPHealthCheck(&s.manifest.HealthCheck),
+		DeregistrationDelay:            deregistrationDelay,
+		AllowedSourceIps:               allowedSourceIPs,
+		RulePriorityLambda:             rulePriorityLambda.String(),
+		DesiredCountLambda:             desiredCountLambda.String(),
+		EnvControllerLambda:            envControllerLambda.String(),
+		Storage:                        convertStorageOpts(s.manifest.Name, s.manifest.Storage),
+		Network:                        convertNetworkConfig(s.manifest.Network),
+		EntryPoint:                     entrypoint,
+		Command:                        command,
+		DependsOn:                      convertDependsOn(s.manifest.ImageConfig.Image.DependsOn),
+		CredentialsParameter:           aws.StringValue(s.manifest.ImageConfig.Image.Credentials),
+		ServiceDiscoveryEndpoint:       s.rc.ServiceDiscoveryEndpoint,
+		Publish:                        publishers,
+		Platform:                       convertPlatform(s.manifest.Platform),
+		HTTPVersion:                    convertHTTPVersion(s.manifest.ProtocolVersion),
+		NLB:                            nlbConfig.settings,
+		AppDNSName:                     nlbConfig.appDNSName,
+		AppDNSDelegationRole:           nlbConfig.appDNSDelegationRole,
+		ScriptBucketName:               nlbConfig.bucket,
+		NLBCertValidatorFunctionLambda: nlbConfig.certValidatorLambda,
+		NLBCustomDomainFunctionLambda:  nlbConfig.customDomainLambda,
 	})
 	if err != nil {
 		return "", err

internal/pkg/cli/svc_deploy_test.go

@@ -264,7 +264,9 @@ type networkLoadBalancerConfig struct {
 	// If a domain is associated these values are not empty.
 	appDNSDelegationRole *string
 	appDNSName           *string
-	certManagerLambda    string
+	bucket               *string
+	certValidatorLambda  string
+	customDomainLambda   string
 }
 
 func (s *LoadBalancedWebService) convertNetworkLoadBalancer() (networkLoadBalancerConfig, error) {
@@ -329,11 +331,13 @@ func (s *LoadBalancedWebService) convertNetworkLoadBalancer() (networkLoadBalanc
 		config.appDNSName = dnsName
 		config.appDNSDelegationRole = dnsDelegationRole
 
-		nlbCertManagerLambda, err := s.parser.Read(nlbCertManagerPath)
+		bucket, urls, err := parseS3URLs(s.nlbCustomResourceS3URLs)
 		if err != nil {
-			return networkLoadBalancerConfig{}, fmt.Errorf("read network load balancer certificate manager lambda: %w", err)
+			return networkLoadBalancerConfig{}, err
 		}
-		config.certManagerLambda = nlbCertManagerLambda.String()
+		config.bucket = bucket
+		config.certValidatorLambda = aws.StringValue(urls[template.NLBCertValidatorLambdaFileName])
+		config.customDomainLambda = aws.StringValue(urls[template.NLBCustomDomainLambdaFileName])
 	}
 	return config, nil
 }