Setup NodeJS Lambda Layer E2E Test (#275)

*Description of changes:*
Setup Node JS Lambda layer E2E tests. Current the data validation steps
are failing due to the known quality issue. This changes are mainly for
`main-build` validation in
https://github.com/aws-observability/aws-otel-js-instrumentation . it
will not trigger any alarm or block anything.

#### Test workflow
*
https://github.com/mxiamxia/aws-otel-js-instrumentation/actions/runs/11190639442/job/31113369923
EMF validation failed as expected due to the known EMF data quality
issue WIP.


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Author: mxiamxia

.github/workflows/node-lambda-test.yml

@@ -0,0 +1,202 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+
+# This is a reusable workflow for running the Enablement test for App Signals.
+# It is meant to be called from another workflow.
+# Read more about reusable workflows: https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
+name: Node Lambda Use Case
+on:
+  workflow_call:
+    inputs:
+      aws-region:
+        required: true
+        type: string
+      caller-workflow-name:
+        required: true
+        type: string
+      staging-instrumentation-name:
+        required: false
+        default: '@aws/aws-distro-opentelemetry-node-autoinstrumentation'
+        type: string
+    outputs:
+      job-started:
+        value: ${{ jobs.node-lambda-default.outputs.job-started }}
+      validation-result:
+        value: ${{ jobs.node-lambda-default.outputs.validation-result }}
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  E2E_TEST_AWS_REGION: ${{ inputs.aws-region }}
+  CALLER_WORKFLOW_NAME: ${{ inputs.caller-workflow-name }}
+  E2E_TEST_ACCOUNT_ID: ${{ secrets.APPLICATION_SIGNALS_E2E_TEST_ACCOUNT_ID }}
+  E2E_TEST_ROLE_NAME: ${{ secrets.APPLICATION_SIGNALS_E2E_TEST_ROLE_NAME }}
+  METRIC_NAMESPACE: ApplicationSignals
+  LOG_GROUP_NAME: /aws/application-signals/data
+  TEST_RESOURCES_FOLDER: ${GITHUB_WORKSPACE}
+
+jobs:
+  node-lambda-default:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    outputs:
+      job-started: ${{ steps.job-started.outputs.job-started }}
+      validation-result: ${{ steps.validation-result.outputs.validation-result }}
+    steps:
+      - name: Check if the job started
+        id: job-started
+        run: echo "job-started=true" >> $GITHUB_OUTPUT
+
+      - name: Generate testing id
+        run: echo TESTING_ID="${{ github.job }}-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV
+
+      - uses: actions/checkout@v4
+        with:
+          repository: 'aws-observability/aws-application-signals-test-framework'
+          ref: ${{ env.CALLER_WORKFLOW_NAME == 'main-build' && 'main' || github.ref }}
+          fetch-depth: 0
+
+      # We initialize Gradlew Daemon early on during the workflow because sometimes initialization
+      # fails due to transient issues. If it fails here, then we will try again later before the validators
+      - name: Initiate Gradlew Daemon
+        id: initiate-gradlew
+        uses: ./.github/workflows/actions/execute_and_retry
+        continue-on-error: true
+        with:
+          command: "./gradlew :validator:build"
+          cleanup: "./gradlew clean"
+          max_retry: 3
+          sleep_time: 60
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ env.E2E_TEST_ACCOUNT_ID }}:role/${{ env.E2E_TEST_ROLE_NAME }}
+          aws-region: us-east-1
+
+      - name: Retrieve account
+        uses: aws-actions/aws-secretsmanager-get-secrets@v1
+        with:
+          secret-ids:
+            ACCOUNT_ID, region-account/${{ env.E2E_TEST_AWS_REGION }}
+
+      # If the workflow is running as a canary, then we want to log in to the aws account in the appropriate region
+      - name: Configure AWS Credentials
+        if: ${{ github.event.repository.name == 'aws-application-signals-test-framework' }}
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/${{ env.E2E_TEST_ROLE_NAME }}
+          aws-region: ${{ env.E2E_TEST_AWS_REGION }}
+
+      - name: Set Lambda Layer artifact directory path
+        run: echo ARTIFACTS_DIR="${{ github.workspace }}/lambda_artifacts" >> $GITHUB_ENV
+
+      - name: Download Lambda Layer and Function artifacts
+        run: |
+          aws s3 cp s3://adot-autoinstrumentation-node-staging/layer-${{ github.run_id }}.zip ${{ env.ARTIFACTS_DIR }}/layer.zip |
+          aws s3 cp s3://adot-autoinstrumentation-node-staging/function-${{ github.run_id }}.zip ${{ env.ARTIFACTS_DIR }}/function.zip
+
+      - name: Set up terraform
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          command: "wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg"
+          post-command: 'echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
+              && sudo apt update && sudo apt install terraform'
+          sleep_time: 60
+
+      - name: Initiate Terraform
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          command: "cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/node/lambda/lambda && terraform init && terraform validate"
+          cleanup: "rm -rf .terraform && rm -rf .terraform.lock.hcl"
+          max_retry: 6
+          sleep_time: 60
+
+      - name: Get terraform Lambda function name
+        shell: bash
+        run: |
+          echo TERRAFORM_LAMBDA_FUNCTION_NAME="AdotLambdaNodeJsSampleApp-${{ github.run_id }}"|
+          tee --append $GITHUB_ENV
+      - name: Apply terraform
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          command: 'cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/node/lambda/lambda && terraform apply -auto-approve 
+          -var="sdk_layer_name=AWSOpenTelemetryDistroJs-${{ github.run_id }}" 
+          -var="function_name=${{env.TERRAFORM_LAMBDA_FUNCTION_NAME}}" -var="layer_artifacts_directory=${{ env.ARTIFACTS_DIR }}"'
+          max_retry: 6
+          sleep_time: 60
+      - name: Extract endpoint
+        id: extract-endpoint
+        shell: bash
+        run: cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/node/lambda/lambda && echo API_GATEWAY_URL=$(terraform output -raw api-gateway-url) >> $GITHUB_ENV
+      - name: Send request to endpoint
+        shell: bash
+        run: sleep 30s; curl -sS ${{ env.API_GATEWAY_URL }}
+
+      # Validation for pulse telemetry data
+      - name: Validate generated EMF logs
+        id: log-validation
+        run: ./gradlew validator:run --args='-c node/lambda/log-validation.yml
+          --testing-id ${{ env.TESTING_ID }}
+          --endpoint http://${{ env.API_GATEWAY_URL }}
+          --region ${{ inputs.aws-region }}
+          --account-id ${{ env.ACCOUNT_ID }}
+          --metric-namespace ${{ env.METRIC_NAMESPACE }}
+          --log-group ${{ env.LOG_GROUP_NAME }}
+          --service-name ${{ env.TERRAFORM_LAMBDA_FUNCTION_NAME }}
+          --rollup'
+
+      - name: Validate generated metrics
+        id: metric-validation
+        if: (success() || steps.log-validation.outcome == 'failure') && !cancelled()
+        run: ./gradlew validator:run --args='-c node/lambda/metric-validation.yml
+          --testing-id ${{ env.TESTING_ID }}
+          --endpoint http://${{ env.API_GATEWAY_URL }}
+          --region ${{ inputs.aws-region }}
+          --account-id ${{ env.ACCOUNT_ID }}
+          --metric-namespace ${{ env.METRIC_NAMESPACE }}
+          --log-group ${{ env.LOG_GROUP_NAME }}
+          --service-name ${{ env.TERRAFORM_LAMBDA_FUNCTION_NAME }}
+          --rollup'
+
+      - name: Validate generated traces
+        id: trace-validation
+        if: (success() || steps.log-validation.outcome == 'failure' || steps.metric-validation.outcome == 'failure') && !cancelled()
+        run: ./gradlew validator:run --args='-c node/lambda/trace-validation.yml
+          --testing-id ${{ env.TESTING_ID }}
+          --endpoint http://${{ env.API_GATEWAY_URL }}
+          --region ${{ inputs.aws-region }}
+          --account-id ${{ env.ACCOUNT_ID }}
+          --metric-namespace ${{ env.METRIC_NAMESPACE }}
+          --log-group ${{ env.LOG_GROUP_NAME }}
+          --service-name ${{ env.TERRAFORM_LAMBDA_FUNCTION_NAME }}
+          --rollup'
+
+      - name: Refresh AWS Credentials
+        if: ${{ always() && github.event.repository.name == 'aws-application-signals-test-framework' }}
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/${{ env.E2E_TEST_ROLE_NAME }}
+          aws-region: ${{ env.E2E_TEST_AWS_REGION }}
+
+      - name: Save test results
+        if: always()
+        id: validation-result
+        run: |
+          if [ "${{ steps.log-validation.outcome }}" = "success" ] && [ "${{ steps.metric-validation.outcome }}" = "success" ] && [ "${{ steps.trace-validation.outcome }}" = "success" ]; then
+            echo "validation-result=success" >> $GITHUB_OUTPUT
+          else
+            echo "validation-result=failure" >> $GITHUB_OUTPUT
+          fi
+
+      # Clean up Procedures
+      - name: Terraform destroy
+        if: always()
+        continue-on-error: true
+        run: |
+          cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/node/lambda/lambda && terraform destroy -auto-approve \
+          -var="sdk_layer_name=AWSOpenTelemetryDistroJs-${{ github.run_id }}" \
+          -var="function_name=${{env.TERRAFORM_LAMBDA_FUNCTION_NAME}}" \
+          -var="layer_artifacts_directory=${{ env.ARTIFACTS_DIR }}"

terraform/node/lambda/api-gateway-proxy/main.tf

@@ -0,0 +1,67 @@
+resource "aws_api_gateway_rest_api" "lambda_api_proxy" {
+  name = var.name
+}
+
+resource "aws_api_gateway_resource" "lambda_api_proxy" {
+  rest_api_id = aws_api_gateway_rest_api.lambda_api_proxy.id
+  parent_id   = aws_api_gateway_rest_api.lambda_api_proxy.root_resource_id
+  path_part   = "{proxy+}"
+}
+
+resource "aws_api_gateway_method" "lambda_api_proxy" {
+  rest_api_id   = aws_api_gateway_rest_api.lambda_api_proxy.id
+  resource_id   = aws_api_gateway_resource.lambda_api_proxy.id
+  http_method   = "ANY"
+  authorization = "NONE"
+}
+
+resource "aws_api_gateway_integration" "lambda_api" {
+  rest_api_id = aws_api_gateway_rest_api.lambda_api_proxy.id
+  resource_id = aws_api_gateway_method.lambda_api_proxy.resource_id
+  http_method = aws_api_gateway_method.lambda_api_proxy.http_method
+
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = var.function_invoke_arn
+}
+
+resource "aws_api_gateway_method" "lambda_api_proxy_root_nodejs" {
+  rest_api_id   = aws_api_gateway_rest_api.lambda_api_proxy.id
+  resource_id   = aws_api_gateway_rest_api.lambda_api_proxy.root_resource_id
+  http_method   = "ANY"
+  authorization = "NONE"
+}
+
+resource "aws_api_gateway_integration" "lambda_api_root_nodejs" {
+  rest_api_id = aws_api_gateway_rest_api.lambda_api_proxy.id
+  resource_id = aws_api_gateway_method.lambda_api_proxy_root_nodejs.resource_id
+  http_method = aws_api_gateway_method.lambda_api_proxy_root_nodejs.http_method
+
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = var.function_invoke_arn
+}
+
+resource "aws_api_gateway_deployment" "lambda_api_proxy" {
+  depends_on = [
+    aws_api_gateway_integration.lambda_api,
+    aws_api_gateway_integration.lambda_api_root_nodejs,
+  ]
+
+  rest_api_id = aws_api_gateway_rest_api.lambda_api_proxy.id
+}
+
+resource "aws_api_gateway_stage" "test" {
+  stage_name           = "default"
+  rest_api_id          = aws_api_gateway_rest_api.lambda_api_proxy.id
+  deployment_id        = aws_api_gateway_deployment.lambda_api_proxy.id
+  xray_tracing_enabled = var.enable_xray_tracing
+}
+
+resource "aws_lambda_permission" "lambda_api_allow_gateway_nodejs" {
+  action        = "lambda:InvokeFunction"
+  function_name = var.function_name
+  qualifier     = var.function_qualifier
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.lambda_api_proxy.execution_arn}/*/*"
+}

terraform/node/lambda/api-gateway-proxy/outputs.tf

@@ -0,0 +1,3 @@
+output "api_gateway_url" {
+  value = aws_api_gateway_stage.test.invoke_url
+}

terraform/node/lambda/api-gateway-proxy/variables.tf

@@ -0,0 +1,26 @@
+variable "name" {
+  type        = string
+  description = "Name of API gateway to create"
+}
+
+variable "function_name" {
+  type        = string
+  description = "Name of function to proxy to"
+}
+
+variable "function_qualifier" {
+  type        = string
+  default     = null
+  description = "Qualifier of function to proxy to"
+}
+
+variable "function_invoke_arn" {
+  type        = string
+  description = "Invoke ARN of function to proxy to"
+}
+
+variable "enable_xray_tracing" {
+  type        = bool
+  description = "Whether to enable xray tracing of the API gateway"
+  default     = true
+}

terraform/node/lambda/lambda/lary_arns.tf

@@ -0,0 +1,21 @@
+locals {
+  sdk_layer_arns_amd64 = {
+#     TODO: to be updated
+    "ap-northeast-1" = "arn:aws:lambda:ap-northeast-1:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "ap-northeast-2" = "arn:aws:lambda:ap-northeast-2:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "ap-south-1"     = "arn:aws:lambda:ap-south-1:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "ap-southeast-1" = "arn:aws:lambda:ap-southeast-1:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "ap-southeast-2" = "arn:aws:lambda:ap-southeast-2:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "ca-central-1"   = "arn:aws:lambda:ca-central-1:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "eu-central-1"   = "arn:aws:lambda:eu-central-1:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "eu-north-1"     = "arn:aws:lambda:eu-north-1:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "eu-west-1"      = "arn:aws:lambda:eu-west-1:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "eu-west-2"      = "arn:aws:lambda:eu-west-2:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "eu-west-3"      = "arn:aws:lambda:eu-west-3:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "sa-east-1"      = "arn:aws:lambda:sa-east-1:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "us-east-1"      = "arn:aws:lambda:us-west-1:252610625673:layer:AWSOpenTelemetryDistroJs:1"
+    "us-east-2"      = "arn:aws:lambda:us-east-2:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:4"
+    "us-west-1"      = "arn:aws:lambda:us-west-1:252610625673:layer:AWSOpenTelemetryDistroJs:1"
+    "us-west-2"      = "arn:aws:lambda:us-west-1:252610625673:layer:AWSOpenTelemetryDistroJs:1"
+  }
+}

terraform/node/lambda/lambda/main.tf

@@ -0,0 +1,70 @@
+locals {
+  architecture = var.architecture == "x86_64" ? "amd64" : "arm64"
+}
+resource "aws_lambda_layer_version" "sdk_layer" {
+  count               = var.is_canary ? 0 : 1
+  layer_name          = var.sdk_layer_name
+  filename            = "${var.layer_artifacts_directory}/layer.zip"
+  compatible_runtimes = ["nodejs14.x", "nodejs16.x", "nodejs18.x"]
+  license_info        = "Apache-2.0"
+  source_code_hash    = filebase64sha256("${var.layer_artifacts_directory}/layer.zip")
+#   filename = "${var.kube_directory_path}/config"
+}
+
+module "hello-lambda-function" {
+  source  = "terraform-aws-modules/lambda/aws"
+  version = ">= 2.24.0"
+
+  architectures = compact([var.architecture])
+  function_name = var.function_name
+  handler       = "index.handler"
+  runtime       = var.runtime
+
+  create_package         = false
+  local_existing_package = "${var.layer_artifacts_directory}/function.zip"
+
+  memory_size = 512
+  timeout     = 30
+
+  layers = var.is_canary ? [local.sdk_layer_arns_amd64.us-west-1] : [aws_lambda_layer_version.sdk_layer[0].arn]
+
+  environment_variables = {
+    AWS_LAMBDA_EXEC_WRAPPER     = "/opt/otel-instrument"
+    OTEL_AWS_APPLICATION_SIGNALS_ENABLED = "true"
+    OTEL_METRICS_EXPORTER       = "none"
+  }
+
+  tracing_mode = var.tracing_mode
+
+  attach_policy_statements = true
+  policy_statements = {
+    s3 = {
+      effect = "Allow"
+      actions = [
+        "s3:ListAllMyBuckets"
+      ]
+      resources = [
+        "*"
+      ]
+    }
+  }
+}
+
+module "api-gateway" {
+  source = "../api-gateway-proxy"
+
+  name                = var.function_name
+  function_name       = module.hello-lambda-function.lambda_function_name
+  function_invoke_arn = module.hello-lambda-function.lambda_function_invoke_arn
+  enable_xray_tracing = var.tracing_mode == "Active"
+}
+
+resource "aws_iam_role_policy_attachment" "hello-lambda-cloudwatch" {
+  role       = module.hello-lambda-function.lambda_function_name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy_attachment" "test_xray" {
+  role       = module.hello-lambda-function.lambda_function_name
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+}