feat: support ECR image digest for deterministic Lambda deployments

- Add ImageDigest parameter with conditional logic - Enable AutoPublishAlias for function versioning - Improve deployment reproducibility
2026-01-04 14:08:45 +09:00 · 2026-01-04 14:08:45 +09:00 · 04237038fe
commit 04237038fe
parent 235218f11c
1 changed files with 18 additions and 5 deletions
--- a/infra/cfn/template-lambda-function.yaml
+++ b/infra/cfn/template-lambda-function.yaml
@ -22,6 +22,14 @@ Parameters:
    Default: main
    Description: Git repository branch

+  ImageDigest:
+    Type: String
+    Default: ""
+    Description: "ECR image digest (e.g., sha256:abc123...). If empty, uses 'latest' tag. Use digest for deterministic deployments."
+
+Conditions:
+  UseDigest: !Not [!Equals [!Ref ImageDigest, ""]]
+
 Resources:

  MyLambdaRole:
@ -71,15 +79,20 @@ Resources:
    Properties:
      FunctionName: blog-deployment-webhook-handler
      PackageType: Image
-      ImageUri:
-        !Join
-          - ":"
-          - - !ImportValue BlogDeployment-RepositoryUri
-            - "latest"
+      ImageUri: !If
+        - UseDigest
+        - !Sub
+          - "${RepoUri}@${Digest}"
+          - RepoUri: !ImportValue BlogDeployment-RepositoryUri
+            Digest: !Ref ImageDigest
+        - !Sub
+          - "${RepoUri}:latest"
+          - RepoUri: !ImportValue BlogDeployment-RepositoryUri
      Timeout: 300
      MemorySize: 512
      Architectures:
        - arm64
+      AutoPublishAlias: live
      Environment:
        Variables:
          REPO_URL: !Ref RepoURL