feat(lambda-python): support setting environment vars for bundling (#…

…18635)

While using the Python Lambda with Code Artifact, discovered that Code Artifact was still inaccessible because bundling occurs at _run_ time, which can only access env vars, not build args.

This is not a security issue because bundled output doesn't contain any of the secret values.

**Note:** Without this, using Code Artifact (or any other private packaging for Python Lambdas) is currently broken.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-lambda-python/README.md

@@ -167,9 +167,34 @@ new lambda.PythonFunction(this, 'function', {
   entry,
   runtime: Runtime.PYTHON_3_8,
   bundling: {
-    buildArgs: { PIP_INDEX_URL: indexUrl },
+    environment: { PIP_INDEX_URL: indexUrl },
   },
 });
 ```
 
-This type of an example should work for `pip` and `poetry` based dependencies, but will not work for `pipenv`.
+The index URL or the token are only used during bundling and thus not included in the final asset. Setting only environment variable for `PIP_INDEX_URL` or `PIP_EXTRA_INDEX_URL` should work for accesing private Python repositories with `pip`, `pipenv` and `poetry` based dependencies.
+
+If you also want to use the Code Artifact repo for building the base Docker image for bundling, use `buildArgs`. However, note that setting custom build args for bundling will force the base bundling image to be rebuilt every time (i.e. skip the Docker cache). Build args can be customized as:
+
+```ts
+import { execSync } from 'child_process';
+
+const entry = '/path/to/function';
+const image = DockerImage.fromBuild(entry);
+
+const domain = 'my-domain';
+const domainOwner = '111122223333';
+const repoName = 'my_repo';
+const region = 'us-east-1';
+const codeArtifactAuthToken = execSync(`aws codeartifact get-authorization-token --domain ${domain} --domain-owner ${domainOwner} --query authorizationToken --output text`).toString().trim();
+
+const indexUrl = `https://aws:${codeArtifactAuthToken}@${domain}-${domainOwner}.d.codeartifact.${region}.amazonaws.com/pypi/${repoName}/simple/`;
+
+new lambda.PythonFunction(this, 'function', {
+  entry,
+  runtime: Runtime.PYTHON_3_8,
+  bundling: {
+    buildArgs: { PIP_INDEX_URL: indexUrl },
+  },
+});
+```

packages/@aws-cdk/aws-lambda-python/lib/bundling.ts

@@ -51,6 +51,7 @@ export class Bundling implements CdkBundlingOptions {
 
   public readonly image: DockerImage;
   public readonly command: string[];
+  public readonly environment?: { [key: string]: string };
 
   constructor(props: BundlingProps) {
     const {
@@ -78,6 +79,7 @@ export class Bundling implements CdkBundlingOptions {
     });
     this.image = image ?? defaultImage;
     this.command = ['bash', '-c', chain(bundlingCommands)];
+    this.environment = props.environment;
   }
 
   private createBundlingCommand(options: BundlingCommandOptions): string[] {

packages/@aws-cdk/aws-lambda-python/lib/types.ts

@@ -30,6 +30,13 @@ export interface BundlingOptions {
    */
   readonly buildArgs?: { [key: string]: string };
 
+  /**
+   * Environment variables defined when bundling runs.
+   *
+   * @default - no environment variables are defined.
+   */
+  readonly environment?: { [key: string]: string; };
+
   /**
    * Determines how asset hash is calculated. Assets will get rebuild and
    * uploaded only if their hash has changed.

packages/@aws-cdk/aws-lambda-python/test/bundling.test.ts

@@ -229,3 +229,22 @@ test('Bundling with custom build args', () => {
     }),
   }));
 });
+
+test('Bundling with custom environment vars`', () => {
+  const entry = path.join(__dirname, 'lambda-handler');
+  Bundling.bundle({
+    entry: entry,
+    runtime: Runtime.PYTHON_3_7,
+    environment: {
+      KEY: 'value',
+    },
+  });
+
+  expect(Code.fromAsset).toHaveBeenCalledWith(entry, expect.objectContaining({
+    bundling: expect.objectContaining({
+      environment: {
+        KEY: 'value',
+      },
+    }),
+  }));
+});