Use official Ruby Lambda images for S3-mpeg

somleng · Sep 16, 2024 · 4f105d1 · 4f105d1
1 parent 5eade55
commit 4f105d1
Show file tree

Hide file tree

Showing 18 changed files with 343 additions and 93 deletions.
diff --git a/.github/workflows/s3_mpeg.yml b/.github/workflows/s3_mpeg.yml
@@ -3,6 +3,9 @@ name: S3 MPEG
 
 env:
   CI: true
+  ECR_REGISTRY: 324279636507.dkr.ecr.ap-southeast-1.amazonaws.com
+  GHCR_REGISTRY: ghcr.io/somleng
+  REPOSITORY_NAME: s3-mpeg
 
 jobs:
   build:
@@ -44,25 +47,113 @@ jobs:
           [
             {
               "identifier": "s3-mpeg-staging",
+              "environment": "staging",
               "branch": "develop",
-              "image_tag": "staging"
+              "friendly_image_tag": "beta",
+              "image_tag": "stag-${{ github.sha }}"
             },
             {
               "identifier": "s3-mpeg",
+              "environment": "production",
               "branch": "master",
-              "image_tag": "latest"
+              "friendly_image_tag": "latest",
+              "image_tag": "prod-${{ github.sha }}"
             }
           ]
           EOF
           )
           matrix=$(echo $matrixSource | jq --arg branchName "$branchName" 'map(. | select((.branch==$branchName)) )')
-          echo ::set-output name=matrix::{\"include\":$(echo $matrix)}\"
-          echo ::set-output name=matrixLength::$(echo $matrix | jq length)
+          echo "matrix={\"include\":$(echo $matrix)}" >> $GITHUB_OUTPUT
+          echo "matrixLength=$(echo $matrix | jq length)" >> $GITHUB_OUTPUT
+
+  build-packages:
+    name: Build Packages
+    runs-on: ubuntu-latest
+    if: needs.build.outputs.matrixLength > 0
+
+    strategy:
+      matrix: ${{fromJson(needs.build.outputs.matrix)}}
+
+    needs:
+      - build
+
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-skip-session-tagging: true
+          role-duration-seconds: 3600
+          aws-region: ap-southeast-1
+
+      - name: Build image
+        uses: aws-actions/aws-codebuild-run-build@v1
+        with:
+          project-name: somleng-switch-arm64
+          buildspec-override:   |
+            version: 0.2
+            phases:
+              build:
+                steps:
+                  - name: Build
+                    run: |
+                      cd components/services
+                      aws ecr get-login-password --region ap-southeast-1 | docker login --username AWS --password-stdin ${{ env.ECR_REGISTRY }}
+                      export DOCKER_BUILDKIT=1
+                      docker buildx build --cache-from ${{ env.ECR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.friendly_image_tag }}-arm64 --tag ${{ env.ECR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.friendly_image_tag }}-arm64 --tag ${{ env.ECR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.image_tag }}-arm64 --push .
+                      docker buildx imagetools create -t ${{ env.ECR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.friendly_image_tag }} -t ${{ env.ECR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.image_tag }} ${{ env.ECR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.friendly_image_tag }}-arm64
+  publish_images:
+    name: Publish Images
+    runs-on: ubuntu-latest
+
+    needs:
+      - build
+      - build-packages
+
+    strategy:
+      matrix: ${{fromJSON(needs.build.outputs.matrix)}}
+
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-skip-session-tagging: true
+          role-duration-seconds: 3600
+          aws-region: ap-southeast-1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.ECR_REGISTRY }}
+
+      - name: Publish Images
+        run: |
+          docker image pull ${{ env.ECR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.friendly_image_tag }}-arm64
+          docker tag ${{ env.ECR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.friendly_image_tag }}-arm64 ${{ env.GHCR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.friendly_image_tag }}-arm64
+          docker push ${{ env.GHCR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.friendly_image_tag }}-arm64
+          docker buildx imagetools create -t ${{ env.GHCR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.friendly_image_tag }} "${{ env.GHCR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.friendly_image_tag }}-arm64"
 
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
-    needs: build
+    needs:
+      - build
+      - build-packages
     if: needs.build.outputs.matrixLength > 0
     defaults:
       run:
@@ -95,41 +186,17 @@ jobs:
           role-duration-seconds: 3600
           aws-region: ap-southeast-1
 
-      - name: Login to AWS ECR
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.ECR_REGISTRY }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          push: true
-          provenance: false
-          platforms: linux/arm64
-          cache-from: type=gha,scope=${{ matrix.identifier }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.identifier }}
-          context: components/s3_mpeg
-          tags: |
-            ${{ env.ECR_REPOSITORY }}:${{ matrix.image_tag }}
-            ${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
-            ${{ env.GHCR_REPOSITORY }}:${{ matrix.image_tag }}
-
       - name: Deploy Lambda
         run: |
           aws lambda update-function-code --function-name ${{ matrix.identifier }} \
-                                          --image-uri ${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} \
+                                          --image-uri ${{ env.ECR_REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ matrix.image_tag }}-arm64 \
                                           --architectures "arm64" \
                                           --publish
+      - name: Create Sentry release
+        uses: getsentry/action-release@v1
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: somleng
+          SENTRY_PROJECT: s3-mpeg
+        with:
+          environment: ${{ matrix.environment }}
diff --git a/components/s3_mpeg/Dockerfile b/components/s3_mpeg/Dockerfile
@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1.7-labs
+
 ARG FUNCTION_DIR="/app"
 ARG RUBY_VERSION=3.3
 FROM public.ecr.aws/docker/library/ruby:$RUBY_VERSION-alpine AS build-image
@@ -24,6 +26,8 @@ RUN bundle install --jobs 20 --retry 5
 RUN rm -rf vendor/bundle/ruby/*/cache/ && find vendor/ -name "*.o" -delete && find vendor/ -name "*.c"
 
 COPY app.rb ${FUNCTION_DIR}
+COPY --exclude=*.key config/ ${FUNCTION_DIR}/config/
+COPY lib/ ${FUNCTION_DIR}/lib/
 
 #############################
 
@@ -43,5 +47,5 @@ RUN apk update && \
 
 ENV RUBY_YJIT_ENABLE=true
 
-ENTRYPOINT [ "/usr/local/bundle/bin/aws_lambda_ric" ]
-CMD [ "app.App::Handler.process" ]
+# ENTRYPOINT [ "/usr/local/bundle/bin/aws_lambda_ric" ]
+# CMD [ "app.App::Handler.process" ]
diff --git a/components/s3_mpeg/Gemfile b/components/s3_mpeg/Gemfile
@@ -6,6 +6,13 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 gem "aws-sdk-s3"
 gem "ox" # XML parser. required by aws-sdk-s3
+gem "stackprof"
+gem "sentry-ruby"
+gem "base64"
+
+group :development do
+  gem "rake"
+end
 
 group :test do
   gem "rspec"

diff --git a/components/s3_mpeg/Gemfile.lock b/components/s3_mpeg/Gemfile.lock
@@ -17,10 +17,14 @@ GEM
       aws-sigv4 (~> 1.5)
     aws-sigv4 (1.9.1)
       aws-eventstream (~> 1, >= 1.0.2)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
+    concurrent-ruby (1.3.4)
     diff-lcs (1.5.1)
     docile (1.4.1)
     jmespath (1.6.2)
     ox (2.14.18)
+    rake (13.2.1)
     rexml (3.3.7)
     rspec (3.13.0)
       rspec-core (~> 3.13.0)
@@ -35,6 +39,9 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.1)
+    sentry-ruby (5.19.0)
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.0.2)
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
@@ -44,16 +51,21 @@ GEM
       simplecov (~> 0.19)
     simplecov-html (0.13.1)
     simplecov_json_formatter (0.1.4)
+    stackprof (0.2.26)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   aws-sdk-s3
+  base64
   ox
+  rake
   rspec
+  sentry-ruby
   simplecov
   simplecov-cobertura
+  stackprof
 
 BUNDLED WITH
    2.5.18
diff --git a/components/s3_mpeg/Rakefile b/components/s3_mpeg/Rakefile
@@ -0,0 +1,7 @@
+require_relative "lib/encrypted_credentials"
+
+namespace :credentials do
+  task :edit do
+    EncryptedCredentials::EncryptedFile.new.edit
+  end
+end
diff --git a/components/s3_mpeg/config/app_settings.rb b/components/s3_mpeg/config/app_settings.rb
@@ -0,0 +1,37 @@
+require "yaml"
+require "erb"
+require "pathname"
+require "encrypted_credentials"
+
+class AppSettings
+  DEFAULT_SETTINGS_PATH = Pathname(File.expand_path("app_settings.yml", __dir__))
+
+  class << self
+    attr_reader :app_settings
+
+    def fetch(key)
+      settings.fetch(key.to_s)
+    end
+
+    def env
+      ENV.fetch("APP_ENV", "development")
+    end
+
+    def [](key)
+      settings[key.to_s]
+    end
+
+    def credentials
+      @credentials ||= EncryptedCredentials::EncryptedFile.new.credentials.fetch(env, {})
+    end
+
+    private
+
+    def settings
+      @settings ||= begin
+        data = YAML.load(DEFAULT_SETTINGS_PATH.read, aliases: true).fetch(env, {})
+        YAML.load(ERB.new(data.to_yaml).result)
+      end
+    end
+  end
+end
diff --git a/components/s3_mpeg/config/app_settings.yml b/components/s3_mpeg/config/app_settings.yml
@@ -0,0 +1,15 @@
+default: &default
+
+production: &production
+  <<: *default
+  sentry_dsn: "<%= AppSettings.credentials.fetch('sentry_dsn') %>"
+
+staging:
+  <<: *production
+
+development: &development
+  <<: *default
+  stub_regions: true
+
+test:
+  <<: *development
diff --git a/components/s3_mpeg/config/credentials.yml.enc b/components/s3_mpeg/config/credentials.yml.enc
@@ -0,0 +1 @@
+Zzn6DieMrW83+d0fWqlbJQ==
diff --git a/components/s3_mpeg/config/initializers/sentry.rb b/components/s3_mpeg/config/initializers/sentry.rb
@@ -0,0 +1,6 @@
+require "sentry-ruby"
+
+Sentry.init do |config|
+  config.dsn = AppSettings[:sentry_dsn]
+  config.environment = AppSettings.env
+end