Merge pull request #17180 from hashicorp/b-lambda-function-data-sourc…

…e-container-img d/aws_lambda_function: prevent read error when fetching code signing config for "Image" package type
hashicorp · Jan 21, 2021 · 5c88a0e · 5c88a0e
2 parents f28b7ab + 1abeba0
commit 5c88a0e
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 13 deletions.
diff --git a/aws/data_source_aws_lambda_function.go b/aws/data_source_aws_lambda_function.go
@@ -313,23 +313,26 @@ func dataSourceAwsLambdaFunctionRead(d *schema.ResourceData, meta interface{}) e
 		return nil
 	}
 
-	// Get Code Signing Config Output
-	// If code signing config output exists, set it to that value, otherwise set it empty.
-	codeSigningConfigInput := &lambda.GetFunctionCodeSigningConfigInput{
-		FunctionName: aws.String(d.Get("function_name").(string)),
-	}
+	// Get Code Signing Config Output.
+	// Code Signing is only supported on zip packaged lambda functions.
+	var codeSigningConfigArn string
 
-	getCodeSigningConfigOutput, err := conn.GetFunctionCodeSigningConfig(codeSigningConfigInput)
-	if err != nil {
-		return fmt.Errorf("error getting Lambda Function (%s) Code Signing Config: %w", aws.StringValue(function.FunctionName), err)
-	}
+	if aws.StringValue(function.PackageType) == lambda.PackageTypeZip {
+		codeSigningConfigInput := &lambda.GetFunctionCodeSigningConfigInput{
+			FunctionName: function.FunctionName,
+		}
+		getCodeSigningConfigOutput, err := conn.GetFunctionCodeSigningConfig(codeSigningConfigInput)
+		if err != nil {
+			return fmt.Errorf("error getting Lambda Function (%s) Code Signing Config: %w", aws.StringValue(function.FunctionName), err)
+		}
 
-	if getCodeSigningConfigOutput == nil || getCodeSigningConfigOutput.CodeSigningConfigArn == nil {
-		d.Set("code_signing_config_arn", "")
-	} else {
-		d.Set("code_signing_config_arn", getCodeSigningConfigOutput.CodeSigningConfigArn)
+		if getCodeSigningConfigOutput != nil {
+			codeSigningConfigArn = aws.StringValue(getCodeSigningConfigOutput.CodeSigningConfigArn)
+		}
 	}
 
+	d.Set("code_signing_config_arn", codeSigningConfigArn)
+
 	d.SetId(aws.StringValue(function.FunctionName))
 
 	return nil

diff --git a/aws/data_source_aws_lambda_function_test.go b/aws/data_source_aws_lambda_function_test.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 	"fmt"
+	"os"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
@@ -180,6 +181,27 @@ func TestAccDataSourceAWSLambdaFunction_fileSystemConfig(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceAWSLambdaFunction_imageConfig(t *testing.T) {
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	dataSourceName := "data.aws_lambda_function.test"
+	resourceName := "aws_lambda_function.test"
+
+	imageLatestID := os.Getenv("AWS_LAMBDA_IMAGE_LATEST_ID")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t); testAccDataSourceLambdaImagePreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceAWSLambdaFunctionConfigImageConfig(rName, imageLatestID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair(dataSourceName, "code_signing_config_arn", resourceName, "code_signing_config_arn"),
+				),
+			},
+		},
+	})
+}
+
 func testAccDataSourceAWSLambdaFunctionConfigBase(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_iam_role" "lambda" {
@@ -495,3 +517,31 @@ data "aws_lambda_function" "test" {
 }
 `, rName)
 }
+
+func testAccDataSourceAWSLambdaFunctionConfigImageConfig(rName, imageID string) string {
+	return composeConfig(
+		testAccDataSourceAWSLambdaFunctionConfigBase(rName),
+		fmt.Sprintf(`
+resource "aws_lambda_function" "test" {
+  image_uri     = %q
+  function_name = %q
+  role          = aws_iam_role.lambda.arn
+  package_type  = "Image"
+  image_config {
+    entry_point       = ["/bootstrap-with-handler"]
+    command           = ["app.lambda_handler"]
+    working_directory = "/var/task"
+  }
+}
+
+data "aws_lambda_function" "test" {
+  function_name = aws_lambda_function.test.function_name
+}
+`, imageID, rName))
+}
+
+func testAccDataSourceLambdaImagePreCheck(t *testing.T) {
+	if os.Getenv("AWS_LAMBDA_IMAGE_LATEST_ID") == "" {
+		t.Skip("AWS_LAMBDA_IMAGE_LATEST_ID env var must be set for Lambda Function Data Source Image Support acceptance tests.")
+	}
+}
diff --git a/docs/MAINTAINING.md b/docs/MAINTAINING.md
@@ -404,6 +404,9 @@ Environment variables (beyond standard AWS Go SDK ones) used by acceptance testi
 | `AWS_EC2_EIP_PUBLIC_IPV4_POOL` | Identifier for EC2 Public IPv4 Pool for EC2 EIP testing. |
 | `AWS_GUARDDUTY_MEMBER_ACCOUNT_ID` | Identifier of AWS Account for GuardDuty Member testing. **DEPRECATED:** Should be replaced with standard alternate account handling for tests. |
 | `AWS_GUARDDUTY_MEMBER_EMAIL` | Email address for GuardDuty Member testing. **DEPRECATED:** It may be possible to use a placeholder email address instead. |
+| `AWS_LAMBDA_IMAGE_LATEST_ID` | ECR repository image URI (tagged as `latest`) for Lambda container image acceptance tests.
+| `AWS_LAMBDA_IMAGE_V1_ID` | ECR repository image URI (tagged as `v1`) for Lambda container image acceptance tests.
+| `AWS_LAMBDA_IMAGE_V2_ID` | ECR repository image URI (tagged as `v2`) for Lambda container image acceptance tests.
 | `DX_CONNECTION_ID` | Identifier for Direct Connect Connection testing. |
 | `DX_VIRTUAL_INTERFACE_ID` | Identifier for Direct Connect Virtual Interface testing. |
 | `EC2_SECURITY_GROUP_RULES_PER_GROUP_LIMIT` | EC2 Quota for Rules per Security Group. Defaults to 50. **DEPRECATED:** Can be augmented or replaced with Service Quotas lookup. |