Use a multi-stage build for the Lambda image

mcdonnnj · mcdonnnj · commit 2a44cdc6fa0d · 2022-12-01T04:03:29.000-05:00
Part of this project's goals is to support the option of running a
bespoke image as a Lambda and not just using deployment packages. Since
we care about the created image due to this we should build it similar
to how we would build other Docker images. Thus we switch to a multi-
stage build so that the only things included in the final image are
what is absolutely necessary to run the Lambda (per the dependency
files). With this configuration we saw space savings of almost 10% by
switching to a multi-stage build.
diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,31 @@
 ARG PY_VERSION=3.9
 
-FROM amazon/aws-lambda-python:$PY_VERSION
+FROM amazon/aws-lambda-python:$PY_VERSION as install-stage
 
 # Declare it a second time so it's brought into this scope.
 ARG PY_VERSION=3.9
 
-# This must be present in the image to generate a deployment artifact.
-ENV BUILD_PY_VERSION=$PY_VERSION
+# Install the Python packages necessary to install the Lambda dependencies.
+RUN python3 -m pip install --no-cache-dir \
+    pip \
+    setuptools \
+    wheel \
+  # This version of pipenv is the minimum version to allow passing arguments
+  # to pip with the --extra-pip-args option.
+  && python3 -m pip install --no-cache-dir "pipenv>=2022.9.8"
+
+WORKDIR /tmp
+
+# Copy in the dependency files.
+COPY src/py$PY_VERSION/ .
+
+# Install the Lambda dependencies.
+#
+# The --extra-pip-args option is used to pass necessary arguments to the
+# underlying pip calls.
+RUN pipenv sync --extra-pip-args="--no-cache-dir --target ${LAMBDA_TASK_ROOT}"
+
+FROM amazon/aws-lambda-python:$PY_VERSION as build-stage
 
 ###
 # For a list of pre-defined annotation keys and value types see:
@@ -21,29 +40,18 @@ ENV BUILD_PY_VERSION=$PY_VERSION
 LABEL org.opencontainers.image.authors="github@cisa.dhs.gov"
 LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"
 
-WORKDIR ${LAMBDA_TASK_ROOT}
-RUN mkdir build output
+# Declare it a third time so it's brought into this scope.
+ARG PY_VERSION=3.9
 
-# Install the Python packages necessary to install the Lambda dependencies.
-RUN python3 -m pip install --no-cache-dir \
-    pip \
-    setuptools \
-    wheel \
-  # This version of pipenv is the minimum version to allow passing arguments
-  # to pip with the --extra-pip-args option.
-  && python3 -m pip install --no-cache-dir "pipenv>=2022.9.8"
+# This must be present in the image to generate a deployment artifact.
+ENV BUILD_PY_VERSION=$PY_VERSION
 
-# Copy in the build files.
-COPY src/py$PY_VERSION/ build
-COPY src/lambda_handler.py .
+COPY --from=install-stage ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}
 
-# Install the Lambda dependencies.
-#
-# The --extra-pip-args option is used to pass necessary arguments to the
-# underlying pip calls.
-WORKDIR ${LAMBDA_TASK_ROOT}/build
-RUN pipenv sync --extra-pip-args="--no-cache-dir --target .."
+WORKDIR ${LAMBDA_TASK_ROOT}
+
+# Copy in the handler.
+COPY src/lambda_handler.py .
 
 # Ensure our handler is invoked when the image is used.
-WORKDIR ${LAMBDA_TASK_ROOT}
 CMD ["lambda_handler.handler"]
