From 28650be77e7d0a45e0f1d989881f86687f716704 Mon Sep 17 00:00:00 2001
From: Niranjan Jayakar <nija@amazon.com>
Date: Mon, 4 Oct 2021 14:57:55 +0100
Subject: [PATCH 1/2] fix(lambda): docker image function fails when
 insightsVersion is specified

Lambda insights is configured as a set of layers that are then
auto-added to the lambda function when the `insightsVersion` property is
specified.

However, Lambda functions deployed as container images cannot contain
layers. Instead, the user is expected to bring a container image with
the Insights agent pre-installed.

Update the CDK code, so that the layer is not added for Lambda functions
that use container images.

fixes #16642
---
 packages/@aws-cdk/aws-lambda/lib/function.ts | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts
index 9cd67a478f003..d1fb32852ef16 100644
--- a/packages/@aws-cdk/aws-lambda/lib/function.ts
+++ b/packages/@aws-cdk/aws-lambda/lib/function.ts
@@ -219,6 +219,10 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
    * Specify the version of CloudWatch Lambda insights to use for monitoring
    * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights.html
    *
+   * When used with `DockerImageFunction` or `DockerImageCode`, the Docker image should have
+   * the Lambda insights agent installed.
+   * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-Getting-Started-docker.html
+   *
    * @default - No Lambda Insights
    */
   readonly insightsVersion?: LambdaInsightsVersion;
@@ -759,9 +763,7 @@ export class Function extends FunctionBase {
     }
 
     // Configure Lambda insights
-    if (props.insightsVersion !== undefined) {
-      this.configureLambdaInsights(props.insightsVersion);
-    }
+    this.configureLambdaInsights(props);
   }
 
   /**
@@ -884,8 +886,15 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
    *
    * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html
    */
-  private configureLambdaInsights(insightsVersion: LambdaInsightsVersion): void {
-    this.addLayers(LayerVersion.fromLayerVersionArn(this, 'LambdaInsightsLayer', insightsVersion.layerVersionArn));
+  private configureLambdaInsights(props: FunctionProps): void {
+    if (props.insightsVersion === undefined) {
+      return;
+    }
+    if (props.runtime !== Runtime.FROM_IMAGE) {
+      // Layers cannot be added to Lambda container images. The image should have the insights agent installed.
+      // See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-Getting-Started-docker.html
+      this.addLayers(LayerVersion.fromLayerVersionArn(this, 'LambdaInsightsLayer', props.insightsVersion.layerVersionArn));
+    }
     this.role?.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('CloudWatchLambdaInsightsExecutionRolePolicy'));
   }
 

From 03a0bc689b9e5b109f8eecc74a1f4d6ab12e7655 Mon Sep 17 00:00:00 2001
From: Niranjan Jayakar <nija@amazon.com>
Date: Tue, 5 Oct 2021 11:28:24 +0100
Subject: [PATCH 2/2] add tests

---
 .../aws-lambda/test/lambda-insights.test.ts   | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/packages/@aws-cdk/aws-lambda/test/lambda-insights.test.ts b/packages/@aws-cdk/aws-lambda/test/lambda-insights.test.ts
index 990c0c7fb7405..762df158da6f4 100644
--- a/packages/@aws-cdk/aws-lambda/test/lambda-insights.test.ts
+++ b/packages/@aws-cdk/aws-lambda/test/lambda-insights.test.ts
@@ -1,5 +1,6 @@
 import '@aws-cdk/assert-internal/jest';
 import { MatchStyle } from '@aws-cdk/assert-internal';
+import * as ecr from '@aws-cdk/aws-ecr';
 import * as cdk from '@aws-cdk/core';
 import * as lambda from '../lib';
 
@@ -313,4 +314,43 @@ describe('lambda-insights', () => {
     // On synthesis it should not throw an error
     expect(() => app.synth()).not.toThrow();
   });
+
+  test('insights layer is skipped for container images and the role is updated', () => {
+    const stack = new cdk.Stack();
+    new lambda.DockerImageFunction(stack, 'MyFunction', {
+      code: lambda.DockerImageCode.fromEcr(ecr.Repository.fromRepositoryArn(stack, 'MyRepo',
+        'arn:aws:ecr:us-east-1:0123456789:repository/MyRepo')),
+      insightsVersion: lambda.LambdaInsightsVersion.VERSION_1_0_98_0,
+    });
+
+    expect(stack).toCountResources('AWS::Lambda::LayerVersion', 0);
+
+    expect(stack).toHaveResourceLike('AWS::IAM::Role', {
+      'AssumeRolePolicyDocument': {
+        'Statement': [
+          {
+            'Action': 'sts:AssumeRole',
+            'Principal': {
+              'Service': 'lambda.amazonaws.com',
+            },
+          },
+        ],
+      },
+      'ManagedPolicyArns': [
+        { },
+        {
+          'Fn::Join': [
+            '',
+            [
+              'arn:',
+              {
+                'Ref': 'AWS::Partition',
+              },
+              ':iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy',
+            ],
+          ],
+        },
+      ],
+    });
+  });
 });