feat(lambda): enable RuntimeManagementConfig (#23891)

Introducing AWS Lambda runtime management controls
https://aws.amazon.com/jp/blogs/compute/introducing-aws-lambda-runtime-management-controls/

This setting achieves the following set values.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-functionruntimemanagementconfig

I have not been able to test this CFn as it does not seem to be supported by cdk. It's only a design.

Closes #23890.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-lambda/README.md

@@ -1042,3 +1042,28 @@ new lambda.Function(this, 'Function', {
   code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
 });
 ```
+
+## Runtime updates
+
+Lambda runtime management controls help reduce the risk of impact to your workloads in the rare event of a runtime version incompatibility.
+For more information, see [Runtime management controls](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-controls)
+
+```ts
+new Function(stack, 'Lambda', {
+  runtimeManagementMode: RuntimeManagementMode.AUTO,
+  runtime: lambda.Runtime.NODEJS_18_X,
+  handler: 'index.handler',
+  code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
+});
+```
+
+If you want to set the "Manual" setting, using the ARN of the runtime version as the argument.
+
+```ts
+new Function(stack, 'Lambda', {
+  runtimeManagementMode: RuntimeManagementMode.manual('runtimeVersion-arn'),
+  runtime: lambda.Runtime.NODEJS_18_X,
+  handler: 'index.handler',
+  code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
+});
+```

packages/@aws-cdk/aws-lambda/lib/adot-layers.ts

@@ -1,10 +1,10 @@
 import { RegionInfo } from '@aws-cdk/region-info';
 import { IConstruct } from 'constructs';
+import { Architecture } from './architecture';
+import { IFunction } from './function-base';
 import { Stack } from '../../core/lib/stack';
 import { Token } from '../../core/lib/token';
 import { FactName } from '../../region-info/lib/fact';
-import { Architecture } from './architecture';
-import { IFunction } from './function-base';
 
 /**
  * The type of ADOT Lambda layer

packages/@aws-cdk/aws-lambda/lib/function.ts

@@ -26,6 +26,7 @@ import { CfnFunction } from './lambda.generated';
 import { LayerVersion, ILayerVersion } from './layers';
 import { LogRetentionRetryOptions } from './log-retention';
 import { Runtime } from './runtime';
+import { RuntimeManagementMode } from './runtime-management';
 import { addAlias } from './util';
 
 /**
@@ -359,6 +360,12 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
    * @default Architecture.X86_64
    */
   readonly architecture?: Architecture;
+
+  /**
+   * Sets the runtime management configuration for a function's version.
+   * @default Auto
+   */
+  readonly runtimeManagementMode?: RuntimeManagementMode;
 }
 
 export interface FunctionProps extends FunctionOptions {
@@ -814,6 +821,7 @@ export class Function extends FunctionBase {
       fileSystemConfigs,
       codeSigningConfigArn: props.codeSigningConfig?.codeSigningConfigArn,
       architectures: this._architecture ? [this._architecture.name] : undefined,
+      runtimeManagementConfig: props.runtimeManagementMode?.runtimeManagementConfig,
     });
 
     if ((props.tracing !== undefined) || (props.adotInstrumentation !== undefined)) {

packages/@aws-cdk/aws-lambda/lib/index.ts

@@ -23,6 +23,7 @@ export * from './lambda-insights';
 export * from './log-retention';
 export * from './architecture';
 export * from './function-url';
+export * from './runtime-management';
 
 // AWS::Lambda CloudFormation Resources:
 export * from './lambda.generated';

packages/@aws-cdk/aws-lambda/lib/runtime-management.ts

@@ -0,0 +1,47 @@
+import { CfnFunction } from './lambda.generated';
+
+/**
+ * Specify the runtime update mode.
+ */
+export class RuntimeManagementMode {
+  /**
+   * Automatically update to the most recent and secure runtime version using Two-phase runtime version rollout.
+   * We recommend this mode for most customers so that you always benefit from runtime updates.
+   */
+  public static readonly AUTO = new RuntimeManagementMode('Auto');
+  /**
+   * When you update your function, Lambda updates the runtime of your function to the most recent and secure runtime version.
+   * This approach synchronizes runtime updates with function deployments,
+   * giving you control over when Lambda applies runtime updates.
+   * With this mode, you can detect and mitigate rare runtime update incompatibilities early.
+   * When using this mode, you must regularly update your functions to keep their runtime up to date.
+   */
+  public static readonly FUNCTION_UPDATE = new RuntimeManagementMode('Function update');
+  /**
+   * You specify a runtime version in your function configuration.
+   * The function uses this runtime version indefinitely.
+   * In the rare case in which a new runtime version is incompatible with an existing function,
+   * you can use this mode to roll back your function to an earlier runtime version.
+   */
+  public static manual(arn: string): RuntimeManagementMode {
+    return new RuntimeManagementMode('Manual', arn);
+  }
+
+  /**
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-runtimemanagementconfig.html
+   */
+  readonly runtimeManagementConfig: CfnFunction.RuntimeManagementConfigProperty;
+
+  protected constructor(public readonly mode: string, public readonly arn?: string) {
+    if (arn) {
+      this.runtimeManagementConfig = {
+        runtimeVersionArn: arn,
+        updateRuntimeOn: mode,
+      };
+    } else {
+      this.runtimeManagementConfig = {
+        updateRuntimeOn: mode,
+      };
+    }
+  }
+}

packages/@aws-cdk/aws-lambda/package.json

@@ -190,7 +190,9 @@
       "props-physical-name:@aws-cdk/aws-lambda.EventInvokeConfigProps",
       "props-physical-name:@aws-cdk/aws-lambda.CodeSigningConfigProps",
       "props-physical-name:@aws-cdk/aws-lambda.FunctionUrlProps",
-      "from-method:@aws-cdk/aws-lambda.FunctionUrl"
+      "from-method:@aws-cdk/aws-lambda.FunctionUrl",
+      "docs-public-apis:@aws-cdk/aws-lambda.RuntimeManagementMode.mode",
+      "docs-public-apis:@aws-cdk/aws-lambda.RuntimeManagementMode.arn"
     ]
   },
   "stability": "stable",

packages/@aws-cdk/aws-lambda/test/integ.runtime-management.js.snapshot/aws-cdk-lambda-runtime-management.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "29.0.0",
+  "files": {
+    "45968e77d38b164ece946e2a09ba83ed011953b9ee4b075f276fd124c61df607": {
+      "source": {
+        "path": "aws-cdk-lambda-runtime-management.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "45968e77d38b164ece946e2a09ba83ed011953b9ee4b075f276fd124c61df607.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-lambda/test/integ.runtime-management.js.snapshot/aws-cdk-lambda-runtime-management.template.json

@@ -0,0 +1,91 @@
+{
+ "Resources": {
+  "LambdaServiceRoleA8ED4D3B": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "LambdaD247545B": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": "foo"
+    },
+    "Role": {
+     "Fn::GetAtt": [
+      "LambdaServiceRoleA8ED4D3B",
+      "Arn"
+     ]
+    },
+    "Handler": "index.handler",
+    "Runtime": "nodejs18.x",
+    "RuntimeManagementConfig": {
+     "UpdateRuntimeOn": "Auto"
+    }
+   },
+   "DependsOn": [
+    "LambdaServiceRoleA8ED4D3B"
+   ]
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk/aws-lambda/test/integ.runtime-management.js.snapshot/cdk.out

@@ -0,0 +1 @@
+{"version":"29.0.0"}

packages/@aws-cdk/aws-lambda/test/integ.runtime-management.js.snapshot/integ.json

@@ -0,0 +1,12 @@
+{
+  "version": "29.0.0",
+  "testCases": {
+    "lambda-runtime-management/DefaultTest": {
+      "stacks": [
+        "aws-cdk-lambda-runtime-management"
+      ],
+      "assertionStack": "lambda-runtime-management/DefaultTest/DeployAssert",
+      "assertionStackName": "lambdaruntimemanagementDefaultTestDeployAssertDE680AF3"
+    }
+  }
+}

packages/@aws-cdk/aws-lambda/test/integ.runtime-management.js.snapshot/lambdaruntimemanagementDefaultTestDeployAssertDE680AF3.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "29.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "lambdaruntimemanagementDefaultTestDeployAssertDE680AF3.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-lambda/test/integ.runtime-management.js.snapshot/lambdaruntimemanagementDefaultTestDeployAssertDE680AF3.template.json

@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}