Fix bug in updating repository for services with non-CloudFormation-compatible names.

When a new AppConfig is published with additional services, multiple
parts of a workflow kick off.

1. Settings Service fires an event to the Onboarding service to update
   the stack.

2. Onboarding service updates the core stack with the updated AppConfig
   (updating created infrastructure for configured services).

3. As part of the update-stack kicked off by the Onboarding service, the
   app-services-ecr-macro kicks in to alter the template according to
   that new AppConfig because CloudFormation executes the template
   update.

4. core-stack-listener function automatically listens to updates on that
   stack, waiting for ECR repositories to be marked as CREATE_COMPLETE.
   When that happens, core-stack-listener pulls the service name from
   that resource and fires an event to Settings to update
   the configured ECR repository for that service.

Before this commit, there was a bug in the interaction between the
core-stack-listener and the app-services-ecr-macro. The
core-stack-listener was expecting the CloudFormation resource name of
the ECR repository to represent the real service name as stored in the
Settings service, while the app-services-ecr-macro had made changes to
that same name to ensure the resource matched CloudFormation
restrictions ([a-zA-Z0-9]+). The Settings service only enforces that
service names conform to SSM ParameterStore restrictions ([a-zA-Z0-9\.-_]+).

Luckily, the app-services-ecr-macro was already creating a Tag for the
ECR resource containing the service name. So this commit alters the
core-stack-listener to:

1. have permissions to list tags for ECR resources matching the
   repository name patterns that will be created by the core stack

2. resolves the service name for a given repository by reading the tag,
   rather than the resource name (falling back to resource name if no
   tag was found) before sending the event to Settings

In manual testing this has been shown to fix the issue.

Author: PoeppingT

functions/core-stack-listener/pom.xml

@@ -33,7 +33,7 @@ limitations under the License.
     </licenses>
 
     <properties>
-        <checkstyle.maxAllowedViolations>50</checkstyle.maxAllowedViolations>
+        <checkstyle.maxAllowedViolations>0</checkstyle.maxAllowedViolations>
     </properties>
 
     <build>
@@ -126,6 +126,21 @@ limitations under the License.
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>ecr</artifactId>
+            <version>${aws.java.sdk.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>software.amazon.awssdk</groupId>
+                    <artifactId>netty-nio-client</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>software.amazon.awssdk</groupId>
+                    <artifactId>apache-client</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
     </dependencies>
 
 </project>

functions/core-stack-listener/src/main/java/com/amazon/aws/partners/saasfactory/saasboost/CoreStackListener.java

@@ -23,7 +23,12 @@
 import org.slf4j.LoggerFactory;
 import software.amazon.awssdk.core.exception.SdkServiceException;
 import software.amazon.awssdk.services.cloudformation.CloudFormationClient;
-import software.amazon.awssdk.services.cloudformation.model.*;
+import software.amazon.awssdk.services.cloudformation.model.ListStackResourcesResponse;
+import software.amazon.awssdk.services.cloudformation.model.ResourceStatus;
+import software.amazon.awssdk.services.cloudformation.model.StackResourceSummary;
+import software.amazon.awssdk.services.ecr.EcrClient;
+import software.amazon.awssdk.services.ecr.model.ListTagsForResourceResponse;
+import software.amazon.awssdk.services.ecr.model.Tag;
 import software.amazon.awssdk.services.eventbridge.EventBridgeClient;
 
 import java.util.*;
@@ -40,6 +45,7 @@ public class CoreStackListener implements RequestHandler<SNSEvent, Object> {
             Arrays.asList("CREATE_COMPLETE", "UPDATE_COMPLETE"));
     private final CloudFormationClient cfn;
     private final EventBridgeClient eventBridge;
+    private final EcrClient ecr;
 
     public CoreStackListener() {
         final long startTimeMillis = System.currentTimeMillis();
@@ -51,13 +57,20 @@ public CoreStackListener() {
         }
         this.cfn = Utils.sdkClient(CloudFormationClient.builder(), CloudFormationClient.SERVICE_NAME);
         this.eventBridge = Utils.sdkClient(EventBridgeClient.builder(), EventBridgeClient.SERVICE_NAME);
+        this.ecr = Utils.sdkClient(EcrClient.builder(), EcrClient.SERVICE_NAME);
         LOGGER.info("Constructor init: {}", System.currentTimeMillis() - startTimeMillis);
     }
 
     @Override
     public Object handleRequest(SNSEvent event, Context context) {
         LOGGER.info(Utils.toJson(event));
 
+        // ARN: arn:<partition>:<service>:<region>:<accountId>:<itemType>/<itemName>
+        final String[] thisLambdaArn = context.getInvokedFunctionArn().split(":");
+        final String partition = thisLambdaArn[1];
+        final String region = thisLambdaArn[3];
+        final String accountId = thisLambdaArn[4];
+
         List<SNSEvent.SNSRecord> records = event.getRecords();
         SNSEvent.SNS sns = records.get(0).getSNS();
         String message = sns.getMessage();
@@ -81,18 +94,34 @@ public Object handleRequest(SNSEvent event, Context context) {
                 Map<String, Object> appConfig = new HashMap<>();
                 Map<String, Object> services = new HashMap<>();
                 for (StackResourceSummary resource : resources.stackResourceSummaries()) {
-//                    LOGGER.debug("Processing resource {} {} {} {}", resource.resourceType(),
-//                            resource.resourceStatusAsString(), resource.logicalResourceId(),
-//                            resource.physicalResourceId());
-                    if ("CREATE_COMPLETE".equals(resource.resourceStatusAsString())
-                            && "AWS::ECR::Repository".equals(resource.resourceType())) {
+                    // LOGGER.debug("Processing resource {} {} {} {}", resource.resourceType(),
+                    //         resource.resourceStatusAsString(), resource.logicalResourceId(),
+                    //         resource.physicalResourceId());
+                    // TODO or UPDATE_COMPLETE?
+                    if (ResourceStatus.CREATE_COMPLETE == resource.resourceStatus()
+                            && AwsResource.ECR_REPO.getResourceType().equals(resource.resourceType())) {
                         String ecrRepo = resource.physicalResourceId();
+                        String ecrResourceArn = AwsResource.ECR_REPO.formatArn(partition, region, accountId, ecrRepo);
+                        ListTagsForResourceResponse response = ecr.listTagsForResource(request -> request
+                                .resourceArn(ecrResourceArn));
                         String serviceName = resource.logicalResourceId();
-                        LOGGER.info("Publishing appConfig update event for ECR repository {} {}", serviceName,
+                        String serviceNameContext = "Read from Template";
+                        if (response.hasTags()) {
+                            for (Tag tag : response.tags()) {
+                                if (tag.key().equalsIgnoreCase("Name")) {
+                                    serviceName = tag.value();
+                                    serviceNameContext = "Read from Tag";
+                                }
+                            }
+                        }
+
+                        LOGGER.info("Publishing appConfig update event for ECR repository {}({}) {}",
+                                serviceName,
+                                serviceNameContext,
                                 ecrRepo);
                         services.put(serviceName, Map.of("containerRepo", ecrRepo));
-                    } else if ("CREATE_COMPLETE".equals(resource.resourceStatusAsString())
-                            || "UPDATE_COMPLETE".equals(resource.resourceStatusAsString())) {
+                    } else if (ResourceStatus.CREATE_COMPLETE.equals(resource.resourceStatus())
+                            || ResourceStatus.UPDATE_COMPLETE.equals(resource.resourceStatus())) {
                         if ("AWS::Route53::HostedZone".equals(resource.resourceType())) {
                             // When CloudFormation stack first completes, the Settings Service won't even exist yet.
                             String hostedZoneId = resource.physicalResourceId();

resources/saas-boost.yaml

@@ -534,6 +534,11 @@ Resources:
                   - events:PutEvents
                 Resource:
                   - !Sub arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/${SaaSBoostEventBus}
+              - Effect: Allow
+                Action:
+                  - ecr:ListTagsForResource
+                Resource:
+                  - !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/sb-${Environment}-core-*
   CoreStackListenerLogs:
     Type: AWS::Logs::LogGroup
     Properties: