From 67103d9b82aa80f06aa5612d6ca067b1acfb8f24 Mon Sep 17 00:00:00 2001
From: Romain Marcadier <rmuller@amazon.fr>
Date: Wed, 7 Dec 2022 15:15:51 +0100
Subject: [PATCH] feat(lambda-go): allow configuration of GOPROXY (#23257)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

> This is a back port of #23171 to AWS CDK v1.x, motivated by impact of the same issue on v1.

We used to require direct Go package access, because Go proxies may be blocked by corporate network policies (and wouldn't you know it, it actually is at our particular workplace 🙃).

This produces a good bit of instability in our CI builds though, as `gopkg.in` website which is used to reference some of our transitive dependencies is regularly experiencing downtime.

Make Go proxies configurable and switch them back on in CI builds.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-lambda-go/README.md     | 13 +++++++++++
 .../@aws-cdk/aws-lambda-go/lib/bundling.ts    |  6 ++++-
 .../@aws-cdk/aws-lambda-go/lib/function.ts    |  5 +++++
 packages/@aws-cdk/aws-lambda-go/lib/types.ts  | 22 +++++++++++++++++++
 .../lib/runner/snapshot-test-runner.ts        |  7 +++++-
 .../integ-runner/lib/workers/common.ts        |  2 +-
 .../cli/sam_cdk_integ_app/lib/test-stack.js   |  4 ++++
 7 files changed, 56 insertions(+), 3 deletions(-)

diff --git a/packages/@aws-cdk/aws-lambda-go/README.md b/packages/@aws-cdk/aws-lambda-go/README.md
index e4de2d1641113..b24e72268534c 100644
--- a/packages/@aws-cdk/aws-lambda-go/README.md
+++ b/packages/@aws-cdk/aws-lambda-go/README.md
@@ -170,6 +170,19 @@ new lambda.GoFunction(this, 'handler', {
 });
 ```
 
+By default this construct doesn't use any Go module proxies. This is contrary to
+a standard Go installation, which would use the Google proxy by default. To
+recreate that behavior, do the following:
+
+```ts
+new lambda.GoFunction(this, 'GoFunction', {
+  entry: 'app/cmd/api',
+  bundling: {
+    goProxies: [lambda.GoFunction.GOOGLE_GOPROXY, 'direct'],
+  },
+});
+```
+
 ## Command hooks
 
 It is  possible to run additional commands by specifying the `commandHooks` prop:
diff --git a/packages/@aws-cdk/aws-lambda-go/lib/bundling.ts b/packages/@aws-cdk/aws-lambda-go/lib/bundling.ts
index afc233479ef3b..d30c753df7839 100644
--- a/packages/@aws-cdk/aws-lambda-go/lib/bundling.ts
+++ b/packages/@aws-cdk/aws-lambda-go/lib/bundling.ts
@@ -106,7 +106,7 @@ export class Bundling implements cdk.BundlingOptions {
 
     const cgoEnabled = props.cgoEnabled ? '1' : '0';
 
-    const environment = {
+    const environment: Record<string, string> = {
       CGO_ENABLED: cgoEnabled,
       GO111MODULE: 'on',
       GOARCH: props.architecture.dockerPlatform.split('/')[1],
@@ -114,6 +114,10 @@ export class Bundling implements cdk.BundlingOptions {
       ...props.environment,
     };
 
+    if (props.goProxies) {
+      environment.GOPROXY = props.goProxies.join(',');
+    }
+
     // Docker bundling
     const shouldBuildImage = props.forcedDockerBundling || !Bundling.runsLocally;
     this.image = shouldBuildImage
diff --git a/packages/@aws-cdk/aws-lambda-go/lib/function.ts b/packages/@aws-cdk/aws-lambda-go/lib/function.ts
index 4c7220ee27dce..ada12836d0833 100644
--- a/packages/@aws-cdk/aws-lambda-go/lib/function.ts
+++ b/packages/@aws-cdk/aws-lambda-go/lib/function.ts
@@ -74,6 +74,11 @@ export interface GoFunctionProps extends lambda.FunctionOptions {
  * A Golang Lambda function
  */
 export class GoFunction extends lambda.Function {
+  /**
+   * The address of the Google Go proxy
+   */
+  public static readonly GOOGLE_GOPROXY = 'https://proxy.golang.org';
+
   constructor(scope: Construct, id: string, props: GoFunctionProps) {
     if (props.runtime && (props.runtime.family !== lambda.RuntimeFamily.GO && props.runtime.family != lambda.RuntimeFamily.OTHER)) {
       throw new Error('Only `go` and `provided` runtimes are supported.');
diff --git a/packages/@aws-cdk/aws-lambda-go/lib/types.ts b/packages/@aws-cdk/aws-lambda-go/lib/types.ts
index 28e058e1a685e..9efa41b074ab7 100644
--- a/packages/@aws-cdk/aws-lambda-go/lib/types.ts
+++ b/packages/@aws-cdk/aws-lambda-go/lib/types.ts
@@ -96,6 +96,28 @@ export interface BundlingOptions {
    * @default - false
    */
   readonly cgoEnabled?: boolean;
+
+  /**
+   * What Go proxies to use to fetch the packages involved in the build
+   *
+   * Pass a list of proxy addresses in order, and/or the string `'direct'` to
+   * attempt direct access.
+   *
+   * By default this construct uses no proxies, but a standard Go install would
+   * use the Google proxy by default. To recreate that behavior, do the following:
+   *
+   * ```ts
+   * new lambda.GoFunction(this, 'GoFunction', {
+   *   entry: 'app/cmd/api',
+   *   bundling: {
+   *     goProxies: [lambda.GoFunction.GOOGLE_GOPROXY, 'direct'],
+   *   },
+   * });
+   * ```
+   *
+   * @default - Direct access
+   */
+  readonly goProxies?: string[];
 }
 
 /**
diff --git a/packages/@aws-cdk/integ-runner/lib/runner/snapshot-test-runner.ts b/packages/@aws-cdk/integ-runner/lib/runner/snapshot-test-runner.ts
index 956d392cbea2a..b94c4dafe08c9 100644
--- a/packages/@aws-cdk/integ-runner/lib/runner/snapshot-test-runner.ts
+++ b/packages/@aws-cdk/integ-runner/lib/runner/snapshot-test-runner.ts
@@ -165,9 +165,11 @@ export class IntegSnapshotRunner extends IntegRunner {
         // if we are not verifying asset hashes then remove the specific
         // asset hashes from the templates so they are not part of the diff
         // comparison
+        let verifiedAssetHashes = true;
         if (!this.actualTestSuite.getOptionsForStack(templateId)?.diffAssets) {
           actualTemplate = canonicalizeTemplate(actualTemplate);
           expectedTemplate = canonicalizeTemplate(expectedTemplate);
+          verifiedAssetHashes = false;
         }
         const templateDiff = diffTemplate(expectedTemplate, actualTemplate);
         if (!templateDiff.isEmpty) {
@@ -206,7 +208,10 @@ export class IntegSnapshotRunner extends IntegRunner {
           formatDifferences(writable, templateDiff);
           failures.push({
             reason: DiagnosticReason.SNAPSHOT_FAILED,
-            message: writable.data,
+            message: [
+              verifiedAssetHashes ? '(asset hashes were verified)' : '(asset hashes were ignored)',
+              writable.data,
+            ].join('\n'),
             testName: this.testName,
           });
         }
diff --git a/packages/@aws-cdk/integ-runner/lib/workers/common.ts b/packages/@aws-cdk/integ-runner/lib/workers/common.ts
index 0ceb3bfa5786e..4b9841ee10f7f 100644
--- a/packages/@aws-cdk/integ-runner/lib/workers/common.ts
+++ b/packages/@aws-cdk/integ-runner/lib/workers/common.ts
@@ -300,4 +300,4 @@ export function printLaggards(testNames: Set<string>) {
   ];
 
   logger.print(chalk.grey(parts.filter(x => x).join(' ')));
-}
\ No newline at end of file
+}
diff --git a/packages/aws-cdk/test/integ/cli/sam_cdk_integ_app/lib/test-stack.js b/packages/aws-cdk/test/integ/cli/sam_cdk_integ_app/lib/test-stack.js
index 5294bc0e2b5f8..9df6588f83bd3 100644
--- a/packages/aws-cdk/test/integ/cli/sam_cdk_integ_app/lib/test-stack.js
+++ b/packages/aws-cdk/test/integ/cli/sam_cdk_integ_app/lib/test-stack.js
@@ -20,6 +20,8 @@ if (process.env.PACKAGE_LAYOUT_VERSION === '1') {
   var { RetentionDays } = require('aws-cdk-lib/aws-logs');
 }
 
+const isRunningOnCodeBuild = !!process.env.CODEBUILD_BUILD_ID;
+
 class CDKSupportDemoRootStack extends Stack{
   constructor(scope, id, props) {
     super(scope, id, props);
@@ -99,6 +101,8 @@ class CDKSupportDemoRootStack extends Stack{
       entry: './src/go/GoFunctionConstruct',
       bundling: {
         forcedDockerBundling: true,
+        // Only use Google proxy in the CI tests, as it is blocked on workstations
+        goProxies: isRunningOnCodeBuild ? [GoFunction.GOOGLE_GOPROXY, 'direct'] : undefined,
       },
     });