🛠️ Replace layer and zips with docker images.

.github/workflows/pipeline.yml

@@ -94,25 +94,25 @@ jobs:
 
   # Deploy
 
-  build-deployment:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4
-      - name: Set up python 3.11
-        uses: actions/setup-python@v4
-        with:
-          python-version: "3.11"
-      - name: Install dependencies
-        run: |
-          make install-ci
-      - name: Build Lambda Layer
-        run: make build-layer
-      - name: Upload deployment folder artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: deployment-${{ github.sha }}
-          path: ./.deployment
+#  build-deployment:
+#    runs-on: ubuntu-latest
+#    steps:
+#      - name: Checkout repo
+#        uses: actions/checkout@v4
+#      - name: Set up python 3.11
+#        uses: actions/setup-python@v4
+#        with:
+#          python-version: "3.11"
+#      - name: Install dependencies
+#        run: |
+#          make install-ci
+#      - name: Build Lambda Layer
+#        run: make build-layer
+#      - name: Upload deployment folder artifact
+#        uses: actions/upload-artifact@v4
+#        with:
+#          name: deployment-${{ github.sha }}
+#          path: ./.deployment
 
   deploy-dev:
     runs-on: ubuntu-latest
@@ -123,7 +123,6 @@ jobs:
       - check-mypy
       - check-poetry-lock
       - unit-tests
-      - build-deployment
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4

Makefile

@@ -84,9 +84,6 @@ kill:
 
 # Deploy
 
-build-layer:
-	./scripts/build_layer.sh
-
 update:
 	cd tf; make update;
 
@@ -101,8 +98,10 @@ deploy:
 
 # Quick and dirty
 
-wip:
-	make format
+wip: format
 	git add .
 	git commit -m "Auto commit" --no-verify
-	git push
+
+amend: format
+	git add .
+	git commit --amend --no-edit --no-verify

tf/Makefile

@@ -2,25 +2,25 @@ TERRAFORM_PLAN_FILE=deploy.tfplan
 WORKSPACE=default
 AWS_REGION=us-east-1
 
-build-layer:
-	cd ../; make build-layer
-
 update:
 	terraform get -update
 
+upgrade:
+	terraform init -upgrade
+
+refresh:
+	terraform workspace select $(WORKSPACE)
+	terraform refresh \
+		-var-file="$(WORKSPACE).tfvars" \
+
 plan:
 	terraform workspace select $(WORKSPACE)
 	terraform plan \
 		-out $(TERRAFORM_PLAN_FILE) \
 		-var-file="$(WORKSPACE).tfvars" \
 		-var="aws_region=$(AWS_REGION)"
 
-refresh:
-	terraform workspace select $(WORKSPACE)
-	terraform refresh \
-		-var-file="$(WORKSPACE).tfvars" \
-
 apply:
 	terraform apply $(TERRAFORM_PLAN_FILE)
 
-deploy: build-layer plan apply
+deploy: plan apply

tf/app.Dockerfile

@@ -0,0 +1,16 @@
+ARG SRC_IMAGE
+ARG SRC_TAG
+
+FROM ${SRC_IMAGE}:${SRC_TAG}
+
+WORKDIR /tmp/build
+# Copy dependencies
+COPY requirements.lock .
+# Install dependencies
+RUN pip install --no-deps --target ${LAMBDA_TASK_ROOT} -r requirements.lock
+
+WORKDIR ${LAMBDA_TASK_ROOT}
+# Copy source code
+COPY src/ .
+# Point to lambda handler
+CMD [ "lambda_handler.handle"]

tf/images.tf

@@ -0,0 +1,83 @@
+# Vars and data
+
+locals {
+  lock_file      = "${local.project_root}/poetry.lock"
+  lock_file_sha = filebase64sha256(local.lock_file)
+  app_dockerfile = "${local.tf_root}/app.Dockerfile"
+}
+
+# ECR Repo
+
+resource "aws_ecr_repository" "ecr_repo" {
+  name = "${local.service_name}-ecr"
+}
+
+resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" {
+  repository = aws_ecr_repository.ecr_repo.name
+  policy     = <<EOF
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Keep last 3 images",
+      "selection": {
+        "tagStatus": "any",
+        "countType": "imageCountMoreThan",
+        "countNumber": 3
+      },
+      "action": {
+        "type": "expire"
+      }
+    }
+  ]
+}
+EOF
+}
+
+# Prepare
+
+resource "null_resource" "lock_export" {
+  triggers = {
+    lock_file = local.lock_file_sha
+  }
+
+  provisioner "local-exec" {
+    command = <<EOF
+           cd ${local.project_root}; make lock-export || exit 1
+       EOF
+  }
+}
+
+module "app_archive" {
+  source     = "github.com/asaf-kali/resources//tf/filtered_archive"
+  name       = "service"
+  source_dir = local.lambda_src_root
+  exclude_patterns = [
+    ".coverage",
+    "**/__pycache__/**",
+    "**/.pytest_cache/**",
+  ]
+}
+
+# Image
+
+module "app_image" {
+  name           = "app"
+  source         = "github.com/asaf-kali/resources//tf/ecr_builder"
+  aws_account_id = local.aws_account_id
+  aws_region     = var.aws_region
+  build_dir      = local.project_root
+  docker_file    = local.app_dockerfile
+  ecr_name       = aws_ecr_repository.ecr_repo.name
+  ecr_url        = aws_ecr_repository.ecr_repo.repository_url
+  src_image      = "public.ecr.aws/lambda/python"
+  src_tag        = local.python_version
+  triggers = {
+    docker_file = filebase64sha256(local.app_dockerfile)
+    lock_file  = local.lock_file_sha
+    source_dir = module.app_archive.output_sha
+  }
+  depends_on = [
+    null_resource.lock_export
+  ]
+}

tf/main.tf

@@ -47,11 +47,11 @@ locals {
   # Base
   project_name    = "the-spymaster-bot"
   service_name    = "${local.project_name}-${local.env}"
-  aws_account_id = data.aws_caller_identity.current.account_id
+  aws_account_id  = data.aws_caller_identity.current.account_id
+  python_version = "3.11"
   # Paths
   tf_root = abspath(path.module)
   project_root = abspath("${path.module}/../")
-  layer_src_root  = "${local.project_root}/.deployment/layer-dependencies"
   lambda_src_root = "${local.project_root}/src/"
   # Domain
   base_app_domain = "303707.xyz"

tf/service.tf

@@ -1,47 +1,15 @@
-# Layer
-
-module "layer_archive" {
-  source     = "github.com/asaf-kali/resources//tf/filtered_archive"
-  source_dir = local.layer_src_root
-  name       = "layer"
-}
-
-output "layer_archive_hash" {
-  value = filebase64sha256(module.layer_archive.output_path)
-}
-
-resource "aws_lambda_layer_version" "dependencies_layer" {
-  layer_name       = "${local.service_name}-layer"
-  filename         = module.layer_archive.output_path
-  source_code_hash = filebase64sha256(module.layer_archive.output_path)
-  skip_destroy     = true
-}
-
 # Lambda
 
-module "lambda_archive" {
-  source           = "github.com/asaf-kali/resources//tf/filtered_archive"
-  source_dir       = local.lambda_src_root
-  name             = "service"
-  exclude_patterns = [
-    ".coverage",
-    "**/__pycache__/**",
-    "**/.pytest_cache/**",
-  ]
-}
-
 resource "aws_lambda_function" "service_lambda" {
   function_name                  = "${local.service_name}-lambda"
   role                           = aws_iam_role.lambda_exec_role.arn
-  handler                        = "lambda_handler.handle"
-  runtime                        = "python3.11"
-  filename                       = module.lambda_archive.output_path
-  source_code_hash               = filebase64sha256(module.lambda_archive.output_path)
   timeout                        = 30
+  image_uri                      = "${aws_ecr_repository.ecr_repo.repository_url}@${module.app_image.id}"
+  package_type                   = "Image"
   memory_size                    = 200
   reserved_concurrent_executions = 2
-  layers                         = [
-    aws_lambda_layer_version.dependencies_layer.arn
+  depends_on = [
+    module.app_image
   ]
   environment {
     variables = {
@@ -57,7 +25,7 @@ data "aws_iam_policy_document" "lambda_assume_policy_doc" {
     actions = ["sts:AssumeRole"]
 
     principals {
-      type        = "Service"
+      type = "Service"
       identifiers = ["lambda.amazonaws.com"]
     }
   }
@@ -67,7 +35,7 @@ resource "aws_iam_role" "lambda_exec_role" {
   name               = "${local.service_name}-lambda-exec-role"
   assume_role_policy = data.aws_iam_policy_document.lambda_assume_policy_doc.json
   inline_policy {
-    name   = "${local.service_name}-lambda-exec-role-policy"
+    name = "${local.service_name}-lambda-exec-role-policy"
     policy = jsonencode(
       {
         "Version" : "2012-10-17",