fix: Use Amazon Linux 2 provided runtime

.projenrc.ts

@@ -13,7 +13,7 @@ const project = new CdklabsConstructLibrary({
   cdkVersion: '2.0.0',
   cdkVersionPinning: false,
   defaultReleaseBranch: 'main',
-  majorVersion: 2,
+  majorVersion: 3,
   enablePRAutoMerge: true,
   name: 'cdk-ecr-deployment',
   projenrcTs: true,
@@ -75,16 +75,16 @@ project.release?.addJobs({
       {
         name: 'Build lambda',
         run: [
-          'docker build -t cdk-ecr-deployment-lambda --build-arg _GOPROXY="https://goproxy.io|https://goproxy.cn|direct" lambda',
-          'docker run -v $PWD/lambda:/out cdk-ecr-deployment-lambda cp /asset/main /out',
-          'echo $(sha256sum lambda/main | awk \'{ print $1 }\') > lambda/main.sha256',
+          'docker build -t cdk-ecr-deployment-lambda --build-arg GOPROXY="https://goproxy.io|https://goproxy.cn|direct" lambda',
+          'docker run -v $PWD/lambda:/out cdk-ecr-deployment-lambda cp /asset/bootstrap /out',
+          'echo $(sha256sum lambda/bootstrap | awk \'{ print $1 }\') > lambda/bootstrap.sha256',
         ].join(' && '),
       },
       {
         name: 'Release lambda',
         // For some reason, need '--clobber' otherwise we always get errors that these files already exist. They're probably
         // uploaded elsewhere but TBH I don't know where so just add this flag to make it not fail.
-        run: 'gh release upload --clobber -R $GITHUB_REPOSITORY v$(cat .repo/dist/version.txt) lambda/main lambda/main.sha256 ',
+        run: 'gh release upload --clobber -R $GITHUB_REPOSITORY v$(cat .repo/dist/version.txt) lambda/bootstrap lambda/bootstrap.sha256 ',
         env: {
           GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}',
           GITHUB_REPOSITORY: '${{ github.repository }}',

lambda/.dockerignore

@@ -4,6 +4,6 @@ node_modules
 coverage
 test-reports
 **/*.md
-main
-main.sha256
+bootstrap
+bootstrap.sha256
 cdk.out

lambda/Dockerfile

@@ -1,28 +1,16 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-ARG buildImage=public.ecr.aws/sam/build-go1.x:latest
-
-FROM ${buildImage}
+ARG buildImage=golang:1
+FROM ${buildImage} as build
 
 USER root
 
-RUN yum -y install \
-    gpgme-devel \
-    btrfs-progs-devel \
-    device-mapper-devel \
-    libassuan-devel \
-    libudev-devel
-
-# In https://github.com/aws/aws-sam-build-images/blob/0a39eebc0d1d462afbe155d4e6a4cbcb12888847/build-image-src/Dockerfile-go1x#L29
-# already defined GOPROXY env.
-# To avoid naming conflict which will lead to weird error like https://github.com/laradock/laradock/issues/2618
-# , use the following name instead
-ARG _GOPROXY
+ARG GOPROXY
 
 ENV GOOS=linux \
     GOARCH=amd64 \
     GO111MODULE=on \
-    GOPROXY="${_GOPROXY}"
+    GOPROXY="${GOPROXY}"
 
 WORKDIR /ws
 
@@ -35,6 +23,4 @@ RUN go env
 COPY . /ws
 
 RUN mkdir -p /asset/ && \
-    make OUTPUT=/asset/main && \
-    file /asset/main && \
-    ls -lh /asset/main
+    make OUTPUT=/asset/bootstrap

lambda/Makefile

@@ -18,7 +18,7 @@ ifeq ($(GOOS), linux)
   endif
 endif
 
-BUILDTAGS := exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp
+BUILDTAGS := exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp lambda.norpc
 OUTPUT ?= cdk-ecr-deployment-handler
 
 all: test lambda

lambda/install.js

@@ -52,8 +52,8 @@ async function download(url, dest, agent) {
     agent.https = process.env.HTTPS_PROXY ? new HttpsProxyAgent({proxy: process.env.HTTPS_PROXY}): undefined;
     agent.http = process.env.HTTP_PROXY ? new HttpProxyAgent({proxy: process.env.HTTP_PROXY}): undefined;
 
-    await download(`${rootUrl}/releases/download/v${version}/main`, bin, agent);
-    const expectedIntegrity = (await got(`${rootUrl}/releases/download/v${version}/main.sha256`, { agent })).body.trim();
+    await download(`${rootUrl}/releases/download/v${version}/bootstrap`, bin, agent);
+    const expectedIntegrity = (await got(`${rootUrl}/releases/download/v${version}/bootstrap.sha256`, { agent })).body.trim();
     const integrity = await sha256sum(bin);
 
     if (integrity !== expectedIntegrity) {

src/index.ts

@@ -139,9 +139,9 @@ export class ECRDeployment extends Construct {
     const memoryLimit = props.memoryLimit ?? 512;
     this.handler = new lambda.SingletonFunction(this, 'CustomResourceHandler', {
       uuid: this.renderSingletonUuid(memoryLimit),
-      code: getCode(props.buildImage ?? 'public.ecr.aws/sam/build-go1.x:latest'),
-      runtime: lambda.Runtime.GO_1_X,
-      handler: 'main',
+      code: getCode(props.buildImage ?? 'golang:1'),
+      runtime: lambda.Runtime.PROVIDED_AL2023,
+      handler: 'bootstrap',
       environment: props.environment,
       lambdaPurpose: 'Custom::CDKECRDeployment',
       timeout: Duration.minutes(15),

test/lambda/Dockerfile

@@ -1,27 +1,16 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-
-FROM public.ecr.aws/sam/build-go1.x:latest
+ARG buildImage=golang:1
+FROM ${buildImage} as build
 
 USER root
 
-RUN yum -y install \
-    gpgme-devel \
-    btrfs-progs-devel \
-    device-mapper-devel \
-    libassuan-devel \
-    libudev-devel
-
-# In https://github.com/aws/aws-sam-build-images/blob/0a39eebc0d1d462afbe155d4e6a4cbcb12888847/build-image-src/Dockerfile-go1x#L29
-# already defined GOPROXY env.
-# To avoid naming conflict which will lead to weird error like https://github.com/laradock/laradock/issues/2618
-# , use the following name instead
-ARG _GOPROXY
+ARG GOPROXY
 
 ENV GOOS=linux \
     GOARCH=amd64 \
     GO111MODULE=on \
-    GOPROXY="${_GOPROXY}"
+    GOPROXY="${GOPROXY}"
 
 ADD . /opt/awscli
 

test/lambda/test.sh

@@ -21,4 +21,4 @@ cp -vf ${scriptdir}/* $PWD
 
 # this will run our tests inside the right environment
 docker version
-docker build --progress plain --build-arg _GOPROXY="https://goproxy.io|https://goproxy.cn|direct" .
+docker build --progress plain --build-arg GOPROXY="https://goproxy.io|https://goproxy.cn|direct" .