lambda.DockerImageCode.fromEcr: imageTagOrDigest field cannot recognize digests supplied as CfnParameter

[chrislciaba]

Describe the bug

Since imageTagOrDigest supplied in the props for lambda.DockerImageCode.fromEcr can contain either an image tag or digest, if the value isn't explicitly known (in my example it's a CfnParameter) it defaults to it being a tag. There appears to be no workaround for this at the moment

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The following cloudformation code should be produced

"Code": {
     "ImageUri": {
      "Fn::Join": [
       "",
       [
        {
         "Fn::Select": [
          4,
          {
           "Fn::Split": [
            ":",
            {
             "Ref": "EcrRepoArn"
            }
           ]
          }
         ]
        },
        ".dkr.ecr.",
        {
         "Fn::Select": [
          3,
          {
           "Fn::Split": [
            ":",
            {
             "Ref": "EcrRepoArn"
            }
           ]
          }
         ]
        },
        ".",
        {
         "Ref": "AWS::URLSuffix"
        },
        "/",
        {
         "Ref": "EcrRepoName"
        },
        "@",
        {
         "Ref": "ImageDigest"
        }
       ]
      ]
     }
    },

Current Behavior

The following code is produced. Notice the : splitting the image tag

"Code": {
     "ImageUri": {
      "Fn::Join": [
       "",
       [
        {
         "Fn::Select": [
          4,
          {
           "Fn::Split": [
            ":",
            {
             "Ref": "EcrRepoArn"
            }
           ]
          }
         ]
        },
        ".dkr.ecr.",
        {
         "Fn::Select": [
          3,
          {
           "Fn::Split": [
            ":",
            {
             "Ref": "EcrRepoArn"
            }
           ]
          }
         ]
        },
        ".",
        {
         "Ref": "AWS::URLSuffix"
        },
        "/",
        {
         "Ref": "EcrRepoName"
        },
        ":",
        {
         "Ref": "ImageDigest"
        }
       ]
      ]
     }
    },

Reproduction Steps

The following code produces an ECR URI with a : separating the image digest from the URL instead of an @. This causes a deployment failure in cloudformation due to a validation error on the lambda side

const imageDigest = new cdk.CfnParameter(this, 'ImageDigest', {
      type: 'String',
      description: 'The image digest',
      default: 'sha256:...',
    });

    const lambdaFunction = new lambda.DockerImageFunction(this, `${lambdaPrefix}`, {
      code: lambda.DockerImageCode.fromEcr(
        ecr.Repository.fromRepositoryAttributes(this, 'RepoCrossAccount', {
          repositoryArn: ecrRepoArn.valueAsString,
          repositoryName: ecrRepoName.valueAsString,
        }), {
          tagOrDigest:  imageDigest.valueAsString,
        }
      ),
    });

Possible Solution

Partition the imageTagOrDigest field into two separate fields or add a type tag

Additional Information/Context

No response

CDK CLI Version

2.162.1

Framework Version

No response

Node.js Version

v22.4.1

OS

MacOS 14.6.1

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

I think it's because repositoryUriForTagOrDigest() is not handling unresolved tokens well.

aws-cdk/packages/aws-cdk-lib/aws-lambda/lib/code.ts

Line 513 in d1d179f

imageUri: this.repository.repositoryUriForTagOrDigest(this.props?.tagOrDigest ?? this.props?.tag ?? 'latest'),

Specifically this func

aws-cdk/packages/aws-cdk-lib/aws-ecr/lib/repository.ts

Lines 226 to 232 in d1d179f

	public repositoryUriForTagOrDigest(tagOrDigest?: string): string {
	if (tagOrDigest?.startsWith('sha256:')) {
	return this.repositoryUriForDigest(tagOrDigest);
	} else {
	return this.repositoryUriForTag(tagOrDigest);
	}
	}

Making this a p1 and we probably need a PR to better handle unresolved tokens.