From 04237038fe66fa9cbbe967f693cd5a805cec5fb8 Mon Sep 17 00:00:00 2001
From: Daisuke
Date: Sun, 4 Jan 2026 14:08:45 +0900
Subject: [PATCH] feat: support ECR image digest for deterministic Lambda deployments
- Add ImageDigest parameter with conditional logic
- Enable AutoPublishAlias for function versioning
- Improve deployment reproducibility
---
 infra/cfn/template-lambda-function.yaml | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/infra/cfn/template-lambda-function.yaml b/infra/cfn/template-lambda-function.yaml
index 4ba2527..280563a 100644
--- a/infra/cfn/template-lambda-function.yaml
+++ b/infra/cfn/template-lambda-function.yaml
@@ -22,6 +22,14 @@ Parameters:
 Default: main
 Description: Git repository branch
+ ImageDigest:
+ Type: String
+ Default: ""
+ Description: "ECR image digest (e.g., sha256:abc123...). If empty, uses 'latest' tag. Use digest for deterministic deployments."
+
+Conditions:
+ UseDigest: !Not [!Equals [!Ref ImageDigest, ""]]
+
 Resources:
 MyLambdaRole:
@@ -71,15 +79,20 @@ Resources:
 Properties:
 FunctionName: blog-deployment-webhook-handler
 PackageType: Image
- ImageUri:
- !Join
- - ":"
- - - !ImportValue BlogDeployment-RepositoryUri
- - "latest"
+ ImageUri: !If
+ - UseDigest
+ - !Sub
+ - "${RepoUri}@${Digest}"
+ - RepoUri: !ImportValue BlogDeployment-RepositoryUri
+ Digest: !Ref ImageDigest
+ - !Sub
+ - "${RepoUri}:latest"
+ - RepoUri: !ImportValue BlogDeployment-RepositoryUri
 Timeout: 300
 MemorySize: 512
 Architectures:
 - arm64
+ AutoPublishAlias: live
 Environment:
 Variables:
 REPO_URL: !Ref RepoURL
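Review bot: The `ImageDigest` parameter added in the first hunk accepts any string, so a tag name, a truncated digest or a value with stray whitespace passes parameter validation and only fails later, when `${RepoUri}@${Digest}` is handed to Lambda. Since the parameter exists to pin the image, constrain it at the template boundary with `AllowedPattern: '^$|^sha256:[a-f0-9]{64}$'` and a matching `ConstraintDescription`. The empty alternative in the pattern keeps the current `Default: ""` working.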
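Review bot: The `!If` on `ImageUri` in the second hunk keeps `:latest` as the default branch, so any deploy that omits `ImageDigest` still ships whatever image currently carries the mutable tag, and nothing in the stack records which image that was. If release deploys are meant to be pinned, make the digest mandatory in the pipeline and say so next to the fallback, e.g. `# Fallback to the mutable 'latest' tag: not reproducible; pass ImageDigest for release deploys.` On that branch the `ImageUri` string also never changes between deploys, so `AutoPublishAlias: live` presumably has no property change to publish a new version from; it is worth confirming that the `live` alias actually moves when only the image behind `latest` changes. The resource's `Type` line is outside the hunk.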