thumb hash — initial check in (#234)

* thumb hash — initial check in

Thumbnail generator based on [thumbhash](https://evanw.github.io/thumbhash/) implemented as a lambda function URL with/in Rust.

* rust pr pipeline

* rust pr pipeline

* rust pr pipeline

* rust pr pipeline

* rust pr pipeline

* rust pr pipeline

* export function URL to ssm param store

.github/dependabot.yml

@@ -22,4 +22,21 @@ updates:
     schedule:
       interval: "weekly"
     reviewers:
-      - "stroeer/teams/buzz-end"
+      - "stroeer/teams/buzz-end"
+
+  - package-ecosystem: "terraform"
+    directory: "/source/thumbs/terraform"
+    schedule:
+      interval: "weekly"
+    reviewers:
+      - "stroeer/teams/buzz-end"
+
+  # Enable version updates for Cargo
+  - package-ecosystem: "cargo"
+    # Look `Cargo.toml` in the repository root
+    directory: "/source/thumbs/"
+    # Check for updates every week
+    schedule:
+      interval: "weekly"
+    reviewers:
+      - "stroeer/teams/buzz-end"

.github/workflows/deploy.yml

@@ -4,15 +4,28 @@ on:
   push:
     branches:
       - main
+    paths-ignore:
+      - "**.tf"
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - "**.tf"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+# read+write needed for `aws-actions/configure-aws-credentials` to work
+permissions:
+  id-token: write
+  contents: read
 
 jobs:
-  build:
+  image-handler:
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     runs-on: ubuntu-20.04
-    permissions:
-      id-token: write
-      contents: read
 
     steps:
       - uses: actions/checkout@v3
@@ -30,15 +43,72 @@ jobs:
         run: make npm/install
       - name: install
         run: make npm/test
-      - name: install
+      - name: build
         run: make build
 
       - name: configure aws credentials
+        # 📌 Runs only if:
+        # 1. is a 'push to main'
+        # 2. did not run in a fork
+        if: ${{ github.ref == 'refs/heads/main' && github.repository_owner == 'stroeer' }}
+        uses: aws-actions/configure-aws-credentials@master
+        with:
+          role-to-assume: arn:aws:iam::053041861227:role/github-s3-access-eu-west-1
+          role-session-name: GitHubActions
+          aws-region: eu-west-1
+
+      - name: s3 upload artefact
+        # 📌 Runs only if:
+        # 1. is a 'push to main'
+        # 2. did not run in a fork
+        if: ${{ github.ref == 'refs/heads/main' && github.repository_owner == 'stroeer' }}
+        run: make upload
+
+  thumbnail-generator:
+    env:
+      CARGO_TERM_COLOR: always
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Rust
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+          override: true
+      - name: Set up cargo cache
+        uses: actions/cache@v3
+        continue-on-error: false
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-cargo-
+      - name: install cargo lambda
+        run: pip3 install cargo-lambda
+      - name: cargo lambda build
+        run: make build SERVICE=thumbs
+
+      - name: configure aws credentials
+        # 📌 Runs only if:
+        # 1. is a 'push to main'
+        # 2. did not run in a fork
+        if: ${{ github.ref == 'refs/heads/main' && github.repository_owner == 'stroeer' }}
         uses: aws-actions/configure-aws-credentials@master
         with:
           role-to-assume: arn:aws:iam::053041861227:role/github-s3-access-eu-west-1
           role-session-name: GitHubActions
           aws-region: eu-west-1
 
       - name: s3 upload artefact
-        run: make upload
+        # 📌 Runs only if:
+        # 1. is a 'push to main'
+        # 2. did not run in a fork
+        if: ${{ github.ref == 'refs/heads/main' && github.repository_owner == 'stroeer' }}
+        run: make upload SERVICE=thumbs

.github/workflows/pr.yml

@@ -1,31 +0,0 @@
-name: pr
-
-on:
-  pull_request:
-    paths-ignore:
-      - "**.tf"
-
-jobs:
-  build:
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    runs-on: ubuntu-20.04
-
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
-        with:
-          node-version: '18'
-
-      - uses: actions/cache@v3
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
-      - name: install
-        run: make npm/install
-      - name: install
-        run: make npm/test
-      - name: install
-        run: make build

Makefile

@@ -1,15 +1,17 @@
-SERVICE := image-handler
-TF_VAR_region ?= eu-west-1
-TF_VAR_app_suffix ?=
-MODE ?= plan
-DO_TF_UPGRADE ?= false
+SERVICE 			:= image-handler
+REGION 				?= eu-west-1
+APP_SUFFIX 			?=
+MODE 				?= plan
+DO_TF_UPGRADE 		?= false
 
-ACCOUNT 			= $(eval ACCOUNT := $(shell aws --output text sts get-caller-identity --query "Account"))$(ACCOUNT)
+ACCOUNT_ID 			= $(eval ACCOUNT_ID := $(shell aws --output text sts get-caller-identity --query "Account"))$(ACCOUNT_ID)
 VERSION 			= $(eval VERSION := $$(shell git rev-parse --short HEAD))$(VERSION)
 
-TF_BACKEND_CFG 		:= -backend-config=bucket=terraform-state-${ACCOUNT}-$${TF_VAR_region} \
-						-backend-config=region=$${TF_VAR_region} \
-						-backend-config=key="regional/lambda/$(SERVICE)/terraform$(TF_VAR_app_suffix).tfstate"
+TF_BACKEND_CFG 		= $(eval TF_BACKEND_CFG := -backend-config=bucket=terraform-state-$(ACCOUNT_ID)-$(REGION) \
+							-backend-config=region=$(REGION) \
+							-backend-config=key="regional/lambda/$(SERVICE)/terraform$(APP_SUFFIX).tfstate")$(TF_BACKEND_CFG)
+
+TF_VARS				= $(eval TF_VARS := -var="region=$(REGION)" -var="account_id=$(ACCOUNT_ID)" -var="app_suffix=$(APP_SUFFIX)")$(TF_VARS)
 
 WORK_DIR := source/$(SERVICE)
 
@@ -23,20 +25,31 @@ npm/test ::
 	cd $(WORK_DIR) && npm run test
 
 build ::
-	cd $(WORK_DIR) && npm run build
+	cd $(WORK_DIR) && if [ -f 'package.json' ] ; then \
+		npm run test && npm run build ; \
+	elif [ -f 'Cargo.toml' ]; then \
+		cargo lambda build --arm64 --release --output-format zip --lambda-dir target/lambda/arm64 ; \
+	else \
+		echo 'Unknown SERVICE/Build: $(SERVICE). Aborting.' ; exit 1 ; \
+	fi
 
-export TF_VAR_region
-export TF_VAR_app_suffix
 tf ::
 	rm -f $(WORK_DIR)/terraform/.terraform/terraform.tfstate || true
-	terraform -chdir=$(WORK_DIR)/terraform init -reconfigure -upgrade=$(DO_TF_UPGRADE) $(TF_BACKEND_CFG)
+	terraform -chdir=$(WORK_DIR)/terraform init $(TF_VARS) -reconfigure -upgrade=$(DO_TF_UPGRADE) $(TF_BACKEND_CFG)
 	if [ "true" == "$(DO_TF_UPGRADE)" ]; then terraform -chdir=$(WORK_DIR)/terraform providers lock -platform=darwin_amd64 -platform=linux_amd64; fi
-	terraform -chdir=$(WORK_DIR)/terraform $(MODE)
+	terraform -chdir=$(WORK_DIR)/terraform $(MODE) $(TF_VARS)
 
 invoke :: # invoke the running docker lambda by posting a sample API-GW-Event
+	@echo nothing to do
 
 
 upload :: build # build and push the app to production (given sufficient permissions)
-	aws s3 cp $(WORK_DIR)/dist/image-handler.zip s3://ci-$(ACCOUNT)-$(TF_VAR_region)/image-handler/image-handler$(TF_VAR_app_suffix).zip
+	if [ $(SERVICE) == 'image-handler' ]; then \
+		aws s3 cp $(WORK_DIR)/dist/image-handler.zip s3://ci-$(ACCOUNT_ID)-$(REGION)/image-handler/image-handler$(APP_SUFFIX).zip ; \
+	elif [ $(SERVICE) == 'thumbs' ]; then \
+        aws s3 cp $(WORK_DIR)/target/lambda/arm64/thumbs/bootstrap.zip s3://ci-$(ACCOUNT_ID)-$(REGION)/image-thumbs/image-thumbs$(APP_SUFFIX).zip ; \
+	else \
+		echo 'Unknown SERVICE/Upload: $(SERVICE). Aborting.' ; exit 1 ; \
+	fi
 
 all :: build tf

source/image-handler/package.json

@@ -17,7 +17,7 @@
   },
   "scripts": {
     "pretest": "npm run build:init && npm install",
-    "test": "jest ./**/*.spec.js --coverage --silent",
+    "test": "npm install && jest ./**/*.spec.js --coverage --silent",
     "build:init": "rm -rf package-lock.json dist/ node_modules/ coverage/",
     "build:zip": "zip --recurse-paths image-handler.zip --quiet . --exclude 'terraform/*'",
     "build:dist": "mkdir -p dist && mv image-handler.zip dist/",

source/image-handler/terraform/main.tf

@@ -47,6 +47,16 @@ resource "aws_lambda_function_url" "production" {
   qualifier          = aws_lambda_alias.this.name
 }
 
+resource "aws_lambda_permission" "function_url_allow_public_access" {
+  action                 = "lambda:InvokeFunctionUrl"
+  function_name          = aws_lambda_alias.this.function_name
+  qualifier              = aws_lambda_alias.this.name
+  principal              = "*"
+  function_url_auth_type = "NONE"
+  statement_id           = "FunctionURLAllowPublicAccess"
+}
+
+
 # ---------------------------------------------------------------------------------------------------------------------
 # Deployment resources
 # ---------------------------------------------------------------------------------------------------------------------

source/image-handler/terraform/variables.tf

@@ -7,6 +7,10 @@ variable "region" {
   }
 }
 
+variable "account_id" {
+  type = string
+}
+
 variable "app_suffix" {
   description = "Deployment variant"
   type        = string

source/image-handler/test/sample_event.json

@@ -1,5 +1,5 @@
 {
-  "path": "2021/10/HX3ocMbUAg4b/0x637:4157x2771/fit-in/414x0/geheime-internet-ueberwachung-secret-internet-surveillance-publicationxinxgerxsuixautxonly-copyright-xtaylorxcalleryx-12360210.jpg",
+  "path": "authors/2022/11/1QMZP3Eu4KQG/334x0:1333x1333/fit-in/126x0/filters:roundCrop%28%29/filters:format%28png%29/image.jpg",
   "httpMethod": "GET",
   "headers": {
     "Accept": "*/*"

source/thumbs/.gitignore

@@ -0,0 +1 @@
+/target