feat: lambda code deploy

.github/workflows/build.yml

@@ -66,7 +66,7 @@ jobs:
         run: just backend-build
 
       - name: Upload Lambda zips
-        uses: chrispsheehan/just-aws-oidc-action@0.1.1
+        uses: chrispsheehan/just-aws-oidc-action@0.1.3
         env:
           BUCKET_NAME: ${{ needs.infra.outputs.lambda_bucket_name }}
         with:

.github/workflows/deploy.yml

@@ -30,9 +30,10 @@ permissions:
 env:
   TF_VAR_lambda_version: ${{ inputs.lambda_version }}
   AWS_OIDC_ROLE_ARN: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/aws-serverless-github-deploy-${{ inputs.environment }}-github-oidc-role
+  BUCKET_NAME: ${{ inputs.lambda_bucket }}
 
 jobs:
-  oidc:
+  setup:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -44,35 +45,79 @@ jobs:
           aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
           tg_directory: infra/live/${{ inputs.environment }}/aws/oidc
 
-  backend:
-    needs:
-      - oidc
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs.infra_version }}
-
-      - name: check Lambda vars
-        uses: chrispsheehan/just-aws-oidc-action@0.1.1
+      - name: check Lambda version
+        uses: chrispsheehan/just-aws-oidc-action@0.1.3
         env:
-          BUCKET_NAME: ${{ inputs.lambda_bucket }}
           VERSION: ${{ inputs.lambda_version }}
         with:
           aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
           just_action: check-version
 
   api:
-    needs:
-      - oidc
+    needs: setup
     runs-on: ubuntu-latest
+    env:
+      APP_SPEC_FILE: ${{ github.workspace }}/appspec.yml
+      APP_SPEC_KEY: ${{ inputs.lambda_version }}/appspec.zip
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ inputs.infra_version }}
 
-      - name: Deploy API
+      - name: deploy api
+        id: deploy-api
         uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.0
         with:
           aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
           tg_directory: infra/live/${{ inputs.environment }}/aws/api
+
+      - name: get api variables
+        id: get-api-vars
+        env:
+          TG_OUTPUTS: ${{ steps.deploy-api.outputs.tg_outputs  }}
+        run: |
+          echo "lambda_zip_key=$(echo $TG_OUTPUTS | jq -r '.lambda_zip_key.value')" >> $GITHUB_OUTPUT
+          echo "lambda_function_name=$(echo $TG_OUTPUTS | jq -r '.lambda_function_name.value')" >> $GITHUB_OUTPUT
+          echo "lambda_alias_name=$(echo $TG_OUTPUTS | jq -r '.lambda_alias_name.value')" >> $GITHUB_OUTPUT
+          echo "code_deploy_app_name=$(echo $TG_OUTPUTS | jq -r '.code_deploy_app_name.value')" >> $GITHUB_OUTPUT
+          echo "code_deploy_group_name=$(echo $TG_OUTPUTS | jq -r '.code_deploy_group_name.value')" >> $GITHUB_OUTPUT
+
+      - name: get lambda version
+        id: lambda-get-version
+        uses: chrispsheehan/just-aws-oidc-action@0.1.3
+        env:
+          FUNCTION_NAME: ${{ steps.get-api-vars.outputs.lambda_function_name }}
+          ALIAS_NAME: ${{ steps.get-api-vars.outputs.lambda_alias_name }}
+        with:
+          aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
+          just_action: lambda-get-version
+
+      - name: create lambda version
+        id: lambda-create-version
+        uses: chrispsheehan/just-aws-oidc-action@0.1.3
+        env:
+          LAMBDA_ZIP_KEY: ${{ steps.get-api-vars.outputs.lambda_zip_key }}
+          FUNCTION_NAME: ${{ steps.get-api-vars.outputs.lambda_function_name }}
+        with:
+          aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
+          just_action: lambda-create-version
+
+      - name: Prepare and upload AppSpec File to s3
+        uses: chrispsheehan/just-aws-oidc-action@0.1.3
+        env:
+          FUNCTION_NAME: ${{ steps.get-api-vars.outputs.lambda_function_name }}
+          ALIAS_NAME: ${{ steps.get-api-vars.outputs.lambda_alias_name }}
+          CURRENT_VERSION: ${{ steps.lambda-get-version.outputs.just_outputs }}
+          NEW_VERSION: ${{ steps.lambda-create-version.outputs.just_outputs }}
+        with:
+          aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
+          just_action: lambda-upload-bundle
+
+      - name: deploy lambda
+        uses: chrispsheehan/just-aws-oidc-action@0.1.3
+        env:
+          CODE_DEPLOY_APP_NAME: ${{ steps.get-api-vars.outputs.code_deploy_app_name }}
+          CODE_DEPLOY_GROUP_NAME: ${{ steps.get-api-vars.outputs.code_deploy_group_name }}
+        with:
+          aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
+          just_action: lambda-deploy

.github/workflows/get_build.yml

@@ -53,7 +53,7 @@ jobs:
           echo "bucket_lambda=$(echo $TG_OUTPUTS | jq -r '.bucket_lambda.value')" >> $GITHUB_OUTPUT
 
       - name: Check Lambda version exists
-        uses: chrispsheehan/just-aws-oidc-action@0.1.1
+        uses: chrispsheehan/just-aws-oidc-action@0.1.3
         env:
           BUCKET_NAME: ${{ steps.get_bucket_name.outputs.bucket_lambda }}
           VERSION: ${{ inputs.version }}

.github/workflows/pull_request.yml

@@ -76,19 +76,6 @@ jobs:
         run: terragrunt hclfmt --terragrunt-check
         working-directory: infra
 
-  format-frontend:
-    needs: check
-    runs-on: ubuntu-latest
-    if: ${{ needs.check.outputs.frontend == 'true' }}
-    name: Run astro formatting checks
-    timeout-minutes: 2
-    steps:
-      - uses: actions/checkout@v4
-      - name: Run prettier checks
-        run: |
-          npm install --prefix frontend
-          npm run format:check --prefix frontend
-
   build-backend:
     needs: check
     runs-on: ubuntu-latest

appspec.yml

@@ -0,0 +1,9 @@
+version: 0.0
+Resources:
+  - LambdaFunction:
+      Type: AWS::Lambda::Function
+      Properties:
+        Name: ${FUNCTION_NAME}
+        Alias: ${FUNCTION_ALIAS}
+        CurrentVersion: ${CURRENT_VERSION}
+        TargetVersion: ${NEW_VERSION}

infra/live/global_vars.hcl

@@ -5,7 +5,8 @@ locals {
     "iam:*",
     "lambda:*",
     "logs:*",
-    "apigateway:*"
+    "apigateway:*",
+    "codedeploy:*"
   ]
 }
 

infra/modules/aws/api/outputs.tf

@@ -1,3 +1,31 @@
 output "invoke_url" {
   value = aws_apigatewayv2_api.http_api.api_endpoint
 }
+
+output "cloudwatch_log_group" {
+  value = module.lambda_api.cloudwatch_log_group
+}
+
+output "lambda_zip_key" {
+  value = module.lambda_api.lambda_zip_key
+}
+
+output "code_deploy_app_name" {
+  value = module.lambda_api.code_deploy_app_name
+}
+
+output "code_deploy_group_name" {
+  value = module.lambda_api.code_deploy_group_name
+}
+
+output "lambda_arn" {
+  value = module.lambda_api.arn
+}
+
+output "lambda_function_name" {
+  value = module.lambda_api.function_name
+}
+
+output "lambda_alias_name" {
+  value = module.lambda_api.alias_name
+}

infra/modules/aws/code_bucket/main.tf

@@ -10,3 +10,18 @@ resource "aws_s3_bucket_ownership_controls" "lambda" {
     object_ownership = "BucketOwnerEnforced"
   }
 }
+
+resource "aws_s3_bucket_lifecycle_configuration" "delete_old_files" {
+  count = var.s3_expiration_days > 0 ? 1 : 0
+
+  bucket = aws_s3_bucket.lambda.id
+
+  rule {
+    id     = "delete-expired-objects"
+    status = "Enabled"
+
+    expiration {
+      days = var.s3_expiration_days
+    }
+  }
+}

infra/modules/aws/code_bucket/variables.tf

@@ -1,4 +1,13 @@
+### start of static vars set in root.hcl ###
 variable "lambda_bucket" {
   description = "S3 bucket to host lambda code files"
   type        = string
 }
+### end of static vars set in root.hcl ###
+
+
+variable "s3_expiration_days" {
+  description = "Number of days before objects are deleted (set to 0 to disable)"
+  type        = number
+  default     = 0
+}

infra/modules/aws/lambda/data.tf

@@ -14,3 +14,80 @@ data "aws_iam_policy_document" "assume_role" {
     actions = ["sts:AssumeRole"]
   }
 }
+
+data "aws_iam_policy_document" "code_deploy_assume" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["codedeploy.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "codedeploy_lambda" {
+  statement {
+    sid    = "LambdaControl"
+    effect = "Allow"
+    actions = [
+      "lambda:GetFunction",
+      "lambda:PublishVersion",
+      "lambda:GetAlias",
+      "lambda:CreateAlias",
+      "lambda:UpdateAlias",
+      "lambda:ListAliases",
+      "lambda:ListVersionsByFunction",
+    ]
+    resources = [
+      aws_lambda_function.lambda.arn,
+      "${aws_lambda_function.lambda.arn}:*",
+    ]
+  }
+
+  statement {
+    sid     = "ReadArtifactObject"
+    effect  = "Allow"
+    actions = ["s3:GetObject", "s3:GetObjectVersion"]
+    resources = [
+      "arn:aws:s3:::${data.aws_s3_bucket.lambda_code.bucket}/${var.lambda_version}/*"
+    ]
+  }
+
+  # Allow listing the bucket for that prefix (some SDKs call this)
+  statement {
+    sid       = "ListArtifactPrefix"
+    effect    = "Allow"
+    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
+    resources = ["arn:aws:s3:::${data.aws_s3_bucket.lambda_code.bucket}"]
+    condition {
+      test     = "StringLike"
+      variable = "s3:prefix"
+      values   = ["${var.lambda_version}/*"]
+    }
+  }
+
+  statement {
+    sid       = "DescribeAlarms"
+    effect    = "Allow"
+    actions   = ["cloudwatch:DescribeAlarms"]
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "lambda_iam_policy" {
+  statement {
+    sid = "AllowLambdaCloudwatchLogGroupPut"
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ]
+
+    effect = "Allow"
+
+    resources = [
+      "${aws_cloudwatch_log_group.lambda_cloudwatch_group.arn}",
+      "${aws_cloudwatch_log_group.lambda_cloudwatch_group.arn}:*"
+    ]
+  }
+}

infra/modules/aws/lambda/main.tf

@@ -11,4 +11,80 @@ resource "aws_lambda_function" "lambda" {
 
   s3_bucket = data.aws_s3_bucket.lambda_code.bucket
   s3_key    = local.lambda_code_zip_key
-}
+
+  # publish ONE immutable version so we can create an alias
+  publish = true
+
+  lifecycle {
+    # Do not update on changes to the initial s3 file version
+    ignore_changes = [
+      s3_bucket,
+      s3_key,
+      s3_object_version,
+    ]
+  }
+}
+
+resource "aws_cloudwatch_log_group" "lambda_cloudwatch_group" {
+  name              = "/aws/lambda/${local.lambda_name}"
+  retention_in_days = var.log_retention_days
+}
+
+resource "aws_lambda_alias" "live" {
+  name             = var.environment
+  function_name    = aws_lambda_function.lambda.arn
+  function_version = aws_lambda_function.lambda.version
+
+  # CodeDeploy will repoint this alias → ignore drift
+  lifecycle {
+    ignore_changes = [function_version, routing_config]
+  }
+}
+
+resource "aws_codedeploy_app" "app" {
+  name             = "${local.lambda_name}-app"
+  compute_platform = "Lambda"
+}
+
+resource "aws_iam_role" "code_deploy_role" {
+  name               = "${local.lambda_name}-codedeploy-role"
+  assume_role_policy = data.aws_iam_policy_document.code_deploy_assume.json
+}
+
+resource "aws_iam_role_policy" "cd_lambda" {
+  name   = "${local.lambda_name}-codedeploy-lambda"
+  role   = aws_iam_role.code_deploy_role.id
+  policy = data.aws_iam_policy_document.codedeploy_lambda.json
+}
+
+resource "aws_codedeploy_deployment_config" "lambda_deployment_config" {
+  # A custom Lambda deployment config that sends 50% traffic for 1 minute, then shifts to 100% (with your DG using it and auto-rollback on failure/alarms).
+  deployment_config_name = "${local.lambda_name}-deployment-config"
+  compute_platform       = "Lambda"
+
+  traffic_routing_config {
+    type = "TimeBasedCanary"
+    time_based_canary {
+      percentage = 50
+      interval   = 1
+    }
+  }
+}
+
+resource "aws_codedeploy_deployment_group" "dg" {
+  app_name              = aws_codedeploy_app.app.name
+  deployment_group_name = "${local.lambda_name}-dg"
+  service_role_arn      = aws_iam_role.code_deploy_role.arn
+
+  deployment_style {
+    deployment_type   = "BLUE_GREEN"
+    deployment_option = "WITH_TRAFFIC_CONTROL"
+  }
+
+  deployment_config_name = aws_codedeploy_deployment_config.lambda_deployment_config.id
+
+  auto_rollback_configuration {
+    enabled = true
+    events  = ["DEPLOYMENT_FAILURE", "DEPLOYMENT_STOP_ON_ALARM"]
+  }
+}