update lambda runtime config (#43)

* update lambda runtime config

aws_function_pkg/main.go

@@ -92,7 +92,7 @@ func HandleRequest(context context.Context, cloudWatchEvent events.CloudwatchLog
 
 func shouldHandleEvent(recordMessage RecordMessage) bool {
 	return (strings.Contains(recordMessage.EventName, "CreateFunction") || strings.Contains(recordMessage.EventName, "UpdateFunctionCode")) &&
-		"FunctionClarityLambdaVerifier" != recordMessage.ResponseElements.FunctionName && "" != recordMessage.ResponseElements.FunctionName
+		clients.FunctionClarityLambdaVerierName != recordMessage.ResponseElements.FunctionName && "" != recordMessage.ResponseElements.FunctionName
 }
 
 func handleFunctionEvent(recordMessage RecordMessage, tagKeysFilter []string, regionsFilter []string, ctx context.Context) {
@@ -113,7 +113,7 @@ func handleFunctionEvent(recordMessage RecordMessage, tagKeysFilter []string, re
 }
 
 func initConfig() error {
-	envConfig := os.Getenv("CONFIGURATION")
+	envConfig := os.Getenv(clients.ConfigEnvVariableName)
 	log.Printf("config: %s", envConfig)
 	decodedConfig, err := base64.StdEncoding.DecodeString(envConfig)
 	if err != nil {

cmd/function-clarity/cli/aws/aws.go

@@ -183,3 +183,77 @@ func AwsDeploy() *cobra.Command {
 	}
 	return cmd
 }
+
+func AwsUpdateFuncConfig() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "aws",
+		Short: "update verifier function runtime configuration",
+		Long: "update verifier function runtime configuration, the following configurations can be updated:\n" +
+			"- included functions tags\n" +
+			"- included functions regions\n" +
+			"- sns topic arn\n" +
+			"- action",
+		Args: cobra.NoArgs,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			if err := viper.BindPFlag("accessKey", cmd.Flags().Lookup("aws-access-key")); err != nil {
+				return fmt.Errorf("error binding accessKey: %w", err)
+			}
+			if err := viper.BindPFlag("secretKey", cmd.Flags().Lookup("aws-secret-key")); err != nil {
+				return fmt.Errorf("error binding secretKey: %w", err)
+			}
+			if err := viper.BindPFlag("region", cmd.Flags().Lookup("region")); err != nil {
+				return fmt.Errorf("error binding region: %w", err)
+			}
+			if err := viper.BindPFlag("action", cmd.Flags().Lookup("action")); err != nil {
+				return fmt.Errorf("error binding action: %w", err)
+			}
+			if err := viper.BindPFlag("includedfunctagkeys", cmd.Flags().Lookup("included-func-tags")); err != nil {
+				return fmt.Errorf("error binding action: %w", err)
+			}
+			if err := viper.BindPFlag("includedfuncregions", cmd.Flags().Lookup("included-func-regions")); err != nil {
+				return fmt.Errorf("error binding action: %w", err)
+			}
+			if err := viper.BindPFlag("snsTopicArn", cmd.Flags().Lookup("sns-topic-arn")); err != nil {
+				return fmt.Errorf("error binding snsTopicArn: %w", err)
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			awsClient := clients.NewAwsClientInit(viper.GetString("accesskey"), viper.GetString("secretkey"), viper.GetString("region"))
+			includedFuncTagKeysStringArray := viper.GetStringSlice("includedfunctagkeys")
+			includedFuncTagKeys := &includedFuncTagKeysStringArray
+			if !viper.IsSet("includedfunctagkeys") && !cmd.Flags().Lookup("included-func-tags").Changed {
+				includedFuncTagKeys = nil
+			}
+			actionString := viper.GetString("action")
+			action := &actionString
+			if !viper.IsSet("action") && !cmd.Flags().Lookup("action").Changed {
+				action = nil
+			}
+			includedFuncRegionsStringArray := viper.GetStringSlice("includedfuncregions")
+			includedFuncRegions := &includedFuncRegionsStringArray
+			if !viper.IsSet("includedfuncregions") && !cmd.Flags().Lookup("included-func-regions").Changed {
+				includedFuncRegions = nil
+			}
+			topicString := viper.GetString("snsTopicArn")
+			topic := &topicString
+			if !viper.IsSet("snsTopicArn") && !cmd.Flags().Lookup("sns-topic-arn").Changed {
+				topic = nil
+			}
+			return awsClient.UpdateVerifierFucConfig(action, includedFuncTagKeys,
+				includedFuncRegions, topic)
+		},
+	}
+	initAwsUpdateConfigFlags(cmd)
+	return cmd
+}
+
+func initAwsUpdateConfigFlags(cmd *cobra.Command) {
+	cmd.Flags().String("aws-access-key", "", "aws access key")
+	cmd.Flags().String("aws-secret-key", "", "aws secret key")
+	cmd.Flags().String("region", "", "aws region where function clarity is deployed")
+	cmd.Flags().String("action", "", "action to perform upon validation result")
+	cmd.Flags().StringSlice("included-func-tags", []string{}, "function tags to include when verifying")
+	cmd.Flags().StringSlice("included-func-regions", []string{}, "function regions to include when verifying")
+	cmd.Flags().String("sns-topic-arn", "", "SNS topic ARN for notifications")
+}

cmd/function-clarity/cli/commands.go

@@ -34,6 +34,7 @@ func New() *cobra.Command {
 	cmd.AddCommand(cli.ImportKeyPair())
 	cmd.AddCommand(Init())
 	cmd.AddCommand(Deploy())
+	cmd.AddCommand(UpdateFuncConfig())
 	cobra.OnInitialize(options.CobraInit)
 	return cmd
 }

cmd/function-clarity/cli/updateFuncConfig.go

@@ -0,0 +1,30 @@
+// Copyright © 2022 Cisco Systems, Inc. and its affiliates.
+// All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cli
+
+import (
+	"github.com/openclarity/function-clarity/cmd/function-clarity/cli/aws"
+	"github.com/spf13/cobra"
+)
+
+func UpdateFuncConfig() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "update-func-config",
+		Short: "Update verifier function runtime settings",
+	}
+	cmd.AddCommand(aws.AwsUpdateFuncConfig())
+	return cmd
+}

pkg/clients/AwsClient.go

@@ -32,6 +32,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/cloudtrail"
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 	"github.com/aws/aws-sdk-go-v2/service/lambda"
+	lambdaTypes "github.com/aws/aws-sdk-go-v2/service/lambda/types"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/aws/aws-sdk-go-v2/service/sns"
@@ -51,6 +52,7 @@ import (
 )
 
 const FunctionClarityBucketName = "functionclarity"
+const FunctionClarityLambdaVerierName = "FunctionClarityLambdaVerifier"
 
 type AwsClient struct {
 	accessKey    string
@@ -314,7 +316,7 @@ func (o *AwsClient) DeleteConcurrencyLevel(funcIdentifier string) error {
 }
 
 func (o *AwsClient) GetConcurrencyLevel(funcIdentifier string) (*int32, error) {
-	cfg := o.getConfig()
+	cfg := o.getConfigForLambda()
 	lambdaClient := lambda.NewFromConfig(*cfg)
 	input := &lambda.GetFunctionConcurrencyInput{
 		FunctionName: &funcIdentifier,
@@ -469,6 +471,54 @@ func (o *AwsClient) DeployFunctionClarity(trailName string, keyPath string, depl
 	return nil
 }
 
+func (o *AwsClient) UpdateVerifierFucConfig(action *string, includedFuncTagKeys *[]string, includedFuncRegions *[]string, topic *string) error {
+	cfg := o.getConfig()
+	lambdaClient := lambda.NewFromConfig(*cfg)
+	input := &lambda.GetFunctionConfigurationInput{
+		FunctionName: aws.String(FunctionClarityLambdaVerierName),
+	}
+	functionConfiguration, err := lambdaClient.GetFunctionConfiguration(context.TODO(), input)
+	if err != nil {
+		return fmt.Errorf("failed to update configuration: %w", err)
+	}
+	funcConfigEnvEncoded := functionConfiguration.Environment.Variables[ConfigEnvVariableName]
+	funcConfigEnvDecoded, err := b64.StdEncoding.DecodeString(funcConfigEnvEncoded)
+	if err != nil {
+		return fmt.Errorf("failed to update configuration: %w", err)
+	}
+	config := i.AWSInput{}
+	err = yaml.Unmarshal(funcConfigEnvDecoded, &config)
+	if err != nil {
+		return fmt.Errorf("failed to update configuration: %w", err)
+	}
+	if action != nil {
+		config.Action = *action
+	}
+	if includedFuncTagKeys != nil {
+		config.IncludedFuncTagKeys = *includedFuncTagKeys
+	}
+	if includedFuncRegions != nil {
+		config.IncludedFuncRegions = *includedFuncRegions
+	}
+	if topic != nil {
+		config.SnsTopicArn = *topic
+	}
+	var environment = lambdaTypes.Environment{}
+	configMarshal, err := yaml.Marshal(config)
+	if err != nil {
+		return fmt.Errorf("failed to update configuration: %w", err)
+	}
+	configEncoded := b64.StdEncoding.EncodeToString(configMarshal)
+	environment.Variables = functionConfiguration.Environment.Variables
+	environment.Variables[ConfigEnvVariableName] = configEncoded
+	updateFunctionEnvInput := lambda.UpdateFunctionConfigurationInput{FunctionName: aws.String(FunctionClarityLambdaVerierName), Environment: &environment}
+	_, err = lambdaClient.UpdateFunctionConfiguration(context.TODO(), &updateFunctionEnvInput)
+	if err != nil {
+		return fmt.Errorf("failed to update configuration: %w", err)
+	}
+	return nil
+}
+
 func (o *AwsClient) FillNotificationDetails(notification *Notification, functionIdentifier string) error {
 	if err := o.convertToArnIfNeeded(&functionIdentifier); err != nil {
 		return fmt.Errorf("failed to fill notification details: %w", err)

pkg/clients/Client.go

@@ -23,6 +23,8 @@ type Notification struct {
 	Region             string
 }
 
+const ConfigEnvVariableName = "CONFIGURATION"
+
 type Client interface {
 	ResolvePackageType(funcIdentifier string) (string, error)
 	GetFuncCode(funcIdentifier string) (string, error)