CCM-14833: Force Code Deploy for Container Based Lambdas

Author: jamesthompson26-nhs

infrastructure/terraform/modules/lambda/README.md

@@ -20,7 +20,7 @@
 | <a name="input_enable_lambda_insights"></a> [enable\_lambda\_insights](#input\_enable\_lambda\_insights) | Enable the lambda insights layer, this must be disabled for lambda@edge usage | `bool` | `true` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_filter_pattern"></a> [filter\_pattern](#input\_filter\_pattern) | Filter pattern to use for the log subscription filter | `string` | `""` | no |
-| <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
+| <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If true, force code deploy checks for Lambda packages. For Zip, this enables source hash tracking of the package archive. For Image, tagged ECR image URIs are resolved to their current digest so Lambda updates when the tag is repointed. | `bool` | `false` | no |
 | <a name="input_function_code_base_path"></a> [function\_code\_base\_path](#input\_function\_code\_base\_path) | The base path to the sourcecode directories needed for this lambda | `string` | `"./"` | no |
 | <a name="input_function_code_dir"></a> [function\_code\_dir](#input\_function\_code\_dir) | The directory for this lambda | `string` | `null` | no |
 | <a name="input_function_include_common"></a> [function\_include\_common](#input\_function\_include\_common) | Include the 'common' lambda module with this lambda | `bool` | `true` | no |

infrastructure/terraform/modules/lambda/data_ecr_image_lambda.tf

@@ -0,0 +1,6 @@
+data "aws_ecr_image" "lambda" {
+  count = local.resolve_image_to_digest ? 1 : 0
+
+  repository_name = local.image_repository_name
+  image_tag       = local.image_tag
+}

infrastructure/terraform/modules/lambda/lambda_function.tf

@@ -13,7 +13,7 @@ resource "aws_lambda_function" "main" {
   s3_key            = local.package_type == "zip" ? aws_s3_object.lambda[0].key : null
   s3_object_version = local.package_type == "zip" ? aws_s3_object.lambda[0].version_id : null
 
-  image_uri = local.package_type == "image" ? var.image_uri : null
+  image_uri = local.package_type == "image" ? local.effective_image_uri : null
 
   dynamic "image_config" {
     for_each = local.package_type == "image" && var.image_config != null ? [1] : []

infrastructure/terraform/modules/lambda/locals.tf

@@ -3,6 +3,18 @@ locals {
 
   package_type = lower(var.package_type)
 
+  # For Image package types, optionally resolve tag-based URIs to digests
+  # when force_lambda_code_deploy is enabled.
+  image_uri_parts         = split(":", var.image_uri != null ? var.image_uri : "")
+  image_uri_has_digest    = var.image_uri != null ? length(split("@", var.image_uri)) > 1 : false
+  image_uri_has_tag       = var.image_uri != null ? length(local.image_uri_parts) == 2 : false
+  image_repository_uri    = local.image_uri_has_tag ? local.image_uri_parts[0] : null
+  image_tag               = local.image_uri_has_tag ? local.image_uri_parts[1] : null
+  image_repository_parts  = local.image_repository_uri != null ? split("/", local.image_repository_uri) : []
+  image_repository_name   = local.image_repository_uri != null ? join("/", slice(local.image_repository_parts, 1, length(local.image_repository_parts))) : null
+  resolve_image_to_digest = local.package_type == "image" && var.force_lambda_code_deploy && !local.image_uri_has_digest && local.image_uri_has_tag
+  effective_image_uri     = local.resolve_image_to_digest ? "${local.image_repository_uri}@${data.aws_ecr_image.lambda[0].image_digest}" : var.image_uri
+
   # Compound Scope Identifier
   csi = replace(
     format(

infrastructure/terraform/modules/lambda/variables.tf

@@ -198,7 +198,7 @@ variable "function_include_common" {
 
 variable "force_lambda_code_deploy" {
   type        = bool
-  description = "If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development"
+  description = "If true, force code deploy checks for Lambda packages. For Zip, this enables source hash tracking of the package archive. For Image, tagged ECR image URIs are resolved to their current digest so Lambda updates when the tag is repointed."
   default     = false
 }