fix(aws-lambda): fetch ecs environment variable failure caused by the phase change

[windmgc]

Summary

This PR fixes a bug that the aws-lambda plugin failed to get environment variables in ECS which leads to unable to fetch ECS task role credentials.

This bug is introduced since #8900, in which the moment of the step require "kong.plugins.aws-lambda.iam-ecs-credentials" is changed from happening in package load(init phase) to only in function call(access phase). Since in the Nginx process environment, only those environment variables exposed through the env Nginx config directory can be fetched by os.getenv in Lua code(with an exception that env vars can all be fetched in the init phase, and most of the Kong code that using os.getenv relies on this). So after #8900, fetching ECS environment variables will fail.

Sorry for bringing this bug in, and this also shows that a full integration test with the AWS environment is really needed for this plugin.

Full changelog

• Fix fetch ECS environment variable failure caused by the phase change

Issue reference

Fix FTI-4340

[windmgc]

Manually tested in the following cases:

• EC2 environment, same account lambda invoke
• ECS environment, same account lambda invoke
• EC2 environment, cross account lambda invoke
• ECS environment, cross account lambda invoke

I will try to add another test case to test ECS environment variable fetching

[windmgc]

Test added.

[chan-vince]

Sorry for the ignorance here, but I think I need this fix but in Kong Konnect.
I've installed the lambda plugin but I cannot see what version of the plugin it uses? Or when a fix to a plugin like this is pushed to master, when it gets added to Konnect?
Thanks

[windmgc]

@chan-vince I'm not sure about it, maybe you can reach out the Konnect help for an answer :)

[rosskukulinski]

Hi @chan-vince - I'm the overall product lead for Konnect. Once you update your runtimes (Gateway dataplanes) to a version that has this fix included, you should be good-to-go.

[chan-vince]

Hi @chan-vince - I'm the overall product lead for Konnect. Once you update your runtimes (Gateway dataplanes) to a version that has this fix included, you should be good-to-go.

Thanks for jumping in @rosskukulinski 😀
That is good to know, I sort of thought that might be the case.

My dataplanes are using the kong/kong-gateway:3.0.0.0 Docker image which I believe is the latest at this moment. I'm guessing that is the same as the 3.0.0 version?

I don't see this PR number in the release notes for any version up and including 3.0.0, so I assume I have to wait a bit.

P.S. I have a fair amount of technical feedback on Konnect in general; off topic here but let me know if you're interested.

[rosskukulinski]

@chan-vince Since this was just merged 15 days ago, it'll go out in the next gateway release which should be 3.1. It's also been backported to the 2.8.x release branch so it'll go out in the next 2.8 patch release

On the Konnect feedback - would love to hear that. You can reach me at firstname -at- konghq dot com.