chore: migrating to lambda container image

.buildspec.yaml

@@ -1,18 +1,13 @@
 ---
 version: 0.2
-env:
-  variables:
-    LAMBDA_BUCKET_PREFIX: binxio-public
-    LAMBDA_BUCKET_REGION: eu-central-1
-    MAKE_TARGET: deploy
 phases:
   install:
     runtime-versions:
-      docker: 18
-      python: 3.7
+      docker: 20
+      python: 3.9
   build:
     commands:
       - >
         echo '{"registry-mirrors": ["https://mirror.gcr.io"]}' > /etc/docker/daemon.json
       - pkill -1 dockerd
-      - make S3_BUCKET_PREFIX=${LAMBDA_BUCKET_PREFIX} AWS_REGION=${LAMBDA_BUCKET_REGION} ${MAKE_TARGET:-deploy}
+      - make deploy

.make-release-support

@@ -1,5 +1,3 @@
-#!/bin/bash
-#
 #   Copyright 2015  Xebia Nederland B.V.
 #
 #   Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,7 +13,21 @@
 #   limitations under the License.
 #
 function hasChanges() {
-	test -n "$(git status -s .)"
+	test -n "$(showChanges)"
+}
+
+function showChanges() {
+	git status -s -- $(getTagOnChangesIn)
+}
+
+function getTagOnChangesIn() {
+	result=$(awk -F= '/^tag_on_changes_in=/{print $2}' .release)
+	if egrep -q -e '^\.$' -e '^\./?[ 	]' -e '[ 	]\./?[ 	]' <<< "$result" ; then
+		echo "$result"
+	else
+		echo ". $result"
+	fi
+	return 0
 }
 
 function getRelease() {
@@ -36,8 +48,8 @@ function getTag() {
 
 function setRelease() {
 	if [ -n "$1" ] ; then
-		sed -i.x -e "s/^tag=.*/tag=$(getTag $1)/" .release
-		sed -i.x -e "s/^release=.*/release=$1/g" .release
+		sed -i.x -e "s~^tag=.*~tag=$(getTag $1)~" .release
+		sed -i.x -e "s~^release=.*~release=$1~g" .release
 		rm -f .release.x
 		runPreTagCommand "$1"
 	else
@@ -63,16 +75,20 @@ function tagExists() {
 	test -n "$tag" && test -n "$(git tag | grep "^$tag\$")"
 }
 
+function showDiffFromRelease() {
+	git diff --compact-summary -r $tag -- $(getTagOnChangesIn)
+}
+
 function differsFromRelease() {
 	tag=$(getTag)
-	! tagExists $tag || test -n "$(git diff --shortstat -r $tag .)"
+	! tagExists $tag || test -n "$(showDiffFromRelease)"
 }
 
 function getVersion() {
 	result=$(getRelease)
 
 	if differsFromRelease; then
-		result="$result-$(git rev-parse --short HEAD)"
+		result="$result-$(git log -n 1 --format=%h $(getTagOnChangesIn))"
 	fi
 
 	if hasChanges ; then

.release

@@ -1,3 +1,3 @@
 release=2.0.1
 tag=v2.0.1
-pre_tag_command=sed -i '' -e 's^lambdas/cfn-secret-provider-[0-9]*\.[0-9]*\.[0-9]*[^\.]*\.^lambdas/cfn-secret-provider-@@RELEASE@@.^' README.md cloudformation/cfn-resource-provider.yaml
+pre_tag_command=sed -i '' -e 's^lambdas/cfn-secret-provider:[0-9]*\.[0-9]*\.[0-9]*[^\.]*\.^lambdas/cfn-secret-provider:@@RELEASE@@.^' README.md cloudformation/cfn-resource-provider.yaml

Dockerfile

@@ -0,0 +1,12 @@
+FROM --platform=linux/amd64 public.ecr.aws/lambda/python:3.9
+
+WORKDIR ${LAMBDA_TASK_ROOT}
+
+COPY requirements.txt .
+
+RUN pip install -r requirements.txt
+
+RUN find . -type d -print0 | xargs -0 chmod ugo+rx && \
+    find . -type f -print0 | xargs -0 chmod ugo+r
+
+CMD [ "secrets.handler" ]

Makefile

@@ -1,80 +1,29 @@
 include Makefile.mk
-
+USERNAME=xebia
 NAME=cfn-secret-provider
+
 S3_BUCKET_PREFIX=binxio-public
 AWS_REGION=eu-central-1
 S3_BUCKET=$(S3_BUCKET_PREFIX)-$(AWS_REGION)
+AWS_ACCOUNT=$(shell aws sts get-caller-identity --query Account --output text)
 ALL_REGIONS=$(shell aws --region $(AWS_REGION) \
 		ec2 describe-regions 		\
 		--query 'join(`\n`, Regions[?RegionName != `$(AWS_REGION)`].RegionName)' \
 		--output text)
 
+REGISTRY_HOST=$(AWS_ACCOUNT).dkr.ecr.$(AWS_REGION).amazonaws.com
+IMAGE=$(REGISTRY_HOST)/$(USERNAME)/$(NAME)
+TAG_WITH_LATEST=never
 
-help:
-	@echo 'make                 - builds a zip file to target/.'
-	@echo 'make release         - builds a zip file and deploys it to s3.'
-	@echo 'make clean           - the workspace.'
-	@echo 'make test            - execute the tests, requires a working AWS connection.'
-	@echo 'make deploy-provider - deploys the provider.'
-	@echo 'make delete-provider - deletes the provider.'
-	@echo 'make demo            - deploys the provider and the demo cloudformation stack.'
-	@echo 'make delete-demo     - deletes the demo cloudformation stack.'
-
-
-deploy: target/$(NAME)-$(VERSION).zip
-	aws s3 --region $(AWS_REGION) \
-		cp --acl public-read \
-		cloudformation/cfn-resource-provider.yaml \
-		s3://$(S3_BUCKET)/lambdas/$(NAME)-$(VERSION).yaml
-	aws s3 --region $(AWS_REGION) \
-		cp --acl public-read \
-		target/$(NAME)-$(VERSION).zip \
-		s3://$(S3_BUCKET)/lambdas/$(NAME)-$(VERSION).zip
-	aws s3 --region $(AWS_REGION) \
-		cp --acl public-read \
-		s3://$(S3_BUCKET)/lambdas/$(NAME)-$(VERSION).zip \
-		s3://$(S3_BUCKET)/lambdas/$(NAME)-latest.zip
-
-deploy-all-regions: deploy
-	@for REGION in $(ALL_REGIONS); do \
-		echo "copying to region $$REGION.." ; \
-		aws s3 --region $$REGION \
-			cp  --acl public-read \
-			s3://$(S3_BUCKET)/lambdas/$(NAME)-$(VERSION).zip \
-			s3://$(S3_BUCKET_PREFIX)-$$REGION/lambdas/$(NAME)-$(VERSION).zip; \
-		aws s3 --region $$REGION \
-			cp  --acl public-read \
-			s3://$(S3_BUCKET)/lambdas/$(NAME)-$(VERSION).zip \
-			s3://$(S3_BUCKET_PREFIX)-$$REGION/lambdas/$(NAME)-latest.zip; \
-	done
-
-undeploy:
-	@for REGION in $(ALL_REGIONS); do \
-                echo "removing lamdba from region $$REGION.." ; \
-                aws s3 --region $(AWS_REGION) \
-                        rm  \
-                        s3://$(S3_BUCKET_PREFIX)-$$REGION/lambdas/$(NAME)-$(VERSION).zip; \
-        done
-
-
-do-push: deploy
-
-do-build: target/$(NAME)-$(VERSION).zip
-
-target/$(NAME)-$(VERSION).zip: src/*.py requirements.txt
-	mkdir -p target/content
-	docker build --build-arg ZIPFILE=$(NAME)-$(VERSION).zip -t $(NAME)-lambda:$(VERSION) -f Dockerfile.lambda . && \
-		ID=$$(docker create $(NAME)-lambda:$(VERSION) /bin/true) && \
-		docker export $$ID | (cd target && tar -xvf - $(NAME)-$(VERSION).zip) && \
-		docker rm -f $$ID && \
-		chmod ugo+r target/$(NAME)-$(VERSION).zip
-
-clean:
-	rm -rf target src/*.pyc tests/*.pyc
 
 Pipfile.lock: Pipfile requirements.txt test-requirements.txt
-	pipenv install -r requirements.txt
-	pipenv install -d -r test-requirements.txt
+
+requirements.txt test-requirements.txt: Pipfile
+	pipenv requirements > requirements.txt
+	pipenv requirements --dev-only > test-requirements.txt
+
+Pipfile.lock: Pipfile
+	pipenv update
 
 test: Pipfile.lock
 	for n in ./cloudformation/*.yaml ; do aws cloudformation validate-template --template-body file://$$n ; done
@@ -83,26 +32,24 @@ test: Pipfile.lock
 fmt:
 	black src/*.py tests/*.py
 
-deploy-provider: target/$(NAME)-$(VERSION).zip
+deploy-provider:  ## deploy the provider to the current account
+	sed -i '' -e 's^cfn-secret-provider:[0-9]*\.[0-9]*\.[0-9]*[^\.]*^cfn-secret-provider:$(VERSION)^' cloudformation/cfn-resource-provider.yaml
 	aws cloudformation deploy \
                 --capabilities CAPABILITY_IAM \
                 --stack-name $(NAME) \
                 --template-file ./cloudformation/cfn-resource-provider.yaml \
-                --parameter-overrides \
-                        S3BucketPrefix=$(S3_BUCKET_PREFIX) \
-                        CFNCustomProviderZipFileName=lambdas/$(NAME)-$(VERSION).zip
 
 delete-provider:
 	aws cloudformation delete-stack --stack-name $(NAME)
 	aws cloudformation wait stack-delete-complete  --stack-name $(NAME)
 
+
+
 deploy-pipeline: 
 	aws cloudformation deploy \
                 --capabilities CAPABILITY_IAM \
                 --stack-name $(NAME)-pipeline \
-                --template-file ./cloudformation/cicd-pipeline.yaml \
-                --parameter-overrides \
-                        S3BucketPrefix=$(S3_BUCKET_PREFIX)
+                --template-file ./cloudformation/cicd-pipeline.yaml
 
 delete-pipeline: 
 	aws cloudformation delete-stack --stack-name $(NAME)-pipeline