feat: introduce github caching

Author: dblinkhorn

lambdas/functions/control-plane/src/github/auth.test.ts

@@ -1,10 +1,9 @@
-import { createAppAuth } from '@octokit/auth-app';
-import { StrategyOptions } from '@octokit/auth-app/dist-types/types';
+import { createAppAuth, type StrategyOptions } from '@octokit/auth-app';
 import { request } from '@octokit/request';
 import { RequestInterface, RequestParameters } from '@octokit/types';
 import { getParameter } from '@aws-github-runner/aws-ssm-util';
 import * as nock from 'nock';
-
+import { reset } from './cache';
 import { createGithubAppAuth, createOctokitClient } from './auth';
 import { describe, it, expect, beforeEach, vi } from 'vitest';
 
@@ -29,6 +28,7 @@ const PARAMETER_GITHUB_APP_KEY_BASE64_NAME = `/actions-runner/${ENVIRONMENT}/git
 const mockedGet = vi.mocked(getParameter);
 
 beforeEach(() => {
+  reset(); // clear all caches before each test
   vi.resetModules();
   vi.clearAllMocks();
   process.env = { ...cleanEnv };

lambdas/functions/control-plane/src/github/auth.ts

@@ -22,6 +22,8 @@ import { throttling } from '@octokit/plugin-throttling';
 import { createChildLogger } from '@aws-github-runner/aws-powertools-util';
 import { getParameter } from '@aws-github-runner/aws-ssm-util';
 import { EndpointDefaults } from '@octokit/types';
+import { getInstallationAuthObject, getAuthConfig, createAuthCacheKey, createAuthConfigCacheKey } from './cache';
+import type { GithubAppConfig } from './types';
 
 const logger = createChildLogger('gh-auth');
 
@@ -64,32 +66,47 @@ export async function createGithubInstallationAuth(
   installationId: number | undefined,
   ghesApiUrl = '',
 ): Promise<InstallationAccessTokenAuthentication> {
-  const auth = await createAuth(installationId, ghesApiUrl);
-  const installationAuthOptions: InstallationAuthOptions = { type: 'installation', installationId };
-  return auth(installationAuthOptions);
+  const cacheKey = createAuthCacheKey('installation', installationId, ghesApiUrl);
+
+  return getInstallationAuthObject(cacheKey, async () => {
+    const auth = await createAuth(installationId, ghesApiUrl);
+    const installationAuthOptions: InstallationAuthOptions = { type: 'installation', installationId };
+    return auth(installationAuthOptions);
+  });
 }
 
 async function createAuth(installationId: number | undefined, ghesApiUrl: string): Promise<AuthInterface> {
-  const appId = parseInt(await getParameter(process.env.PARAMETER_GITHUB_APP_ID_NAME));
-  let authOptions: StrategyOptions = {
-    appId,
-    privateKey: Buffer.from(
+  const configCacheKey = createAuthConfigCacheKey(ghesApiUrl);
+
+  const config = await getAuthConfig(configCacheKey, async (): Promise<GithubAppConfig> => {
+    const appId = parseInt(await getParameter(process.env.PARAMETER_GITHUB_APP_ID_NAME));
+    const privateKey = Buffer.from(
       await getParameter(process.env.PARAMETER_GITHUB_APP_KEY_BASE64_NAME),
       'base64',
       // replace literal \n characters with new lines to allow the key to be stored as a
       // single line variable. This logic should match how the GitHub Terraform provider
       // processes private keys to retain compatibility between the projects
     )
       .toString()
-      .replace('/[\\n]/g', String.fromCharCode(10)),
+      .replace('/[\\n]/g', String.fromCharCode(10));
+
+    return {
+      appId,
+      privateKey,
+    };
+  });
+
+  let authOptions: StrategyOptions = {
+    appId: config.appId,
+    privateKey: config.privateKey,
   };
   if (installationId) authOptions = { ...authOptions, installationId };
 
   logger.debug(`GHES API URL: ${ghesApiUrl}`);
   if (ghesApiUrl) {
     authOptions.request = request.defaults({
       baseUrl: ghesApiUrl,
-    });
+    }) as RequestInterface;
   }
   return createAppAuth(authOptions);
 }

lambdas/functions/control-plane/src/github/cache.ts

@@ -0,0 +1,42 @@
+import type { InstallationAccessTokenAuthentication } from '@octokit/auth-app';
+import type { GithubAppConfig } from './types';
+
+const installationAuthObjects = new Map<string, InstallationAccessTokenAuthentication>();
+const authConfigs = new Map<string, GithubAppConfig>();
+
+export function createAuthCacheKey(type: 'app' | 'installation', installationId?: number, ghesApiUrl: string = '') {
+  const id = installationId || 'none';
+  return `${type}-auth-${id}-${ghesApiUrl}`;
+}
+
+export function createAuthConfigCacheKey(ghesApiUrl: string = '') {
+  return `auth-config-${ghesApiUrl}`;
+}
+
+export async function getInstallationAuthObject(
+  key: string,
+  creator: () => Promise<InstallationAccessTokenAuthentication>,
+): Promise<InstallationAccessTokenAuthentication> {
+  if (installationAuthObjects.has(key)) {
+    return installationAuthObjects.get(key)!;
+  }
+
+  const authObj = await creator();
+  installationAuthObjects.set(key, authObj);
+  return authObj;
+}
+
+export async function getAuthConfig(key: string, creator: () => Promise<GithubAppConfig>) {
+  if (authConfigs.has(key)) {
+    return authConfigs.get(key)!;
+  }
+
+  const config = await creator();
+  authConfigs.set(key, config);
+  return config;
+}
+
+export function reset() {
+  installationAuthObjects.clear();
+  authConfigs.clear();
+}

lambdas/functions/control-plane/src/github/index.ts

@@ -0,0 +1,2 @@
+export * from './cache';
+export * from './types';

lambdas/functions/control-plane/src/github/types.ts

@@ -0,0 +1,5 @@
+export interface GithubAppConfig {
+  appId: number;
+  privateKey: string;
+  installationId?: number;
+}

lambdas/functions/control-plane/src/local.ts

@@ -7,7 +7,6 @@ const sqsEvent = {
     {
       messageId: 'e8d74d08-644e-42ca-bf82-a67daa6c4dad',
       receiptHandle:
-        // eslint-disable-next-line max-len
         'AQEBCpLYzDEKq4aKSJyFQCkJduSKZef8SJVOperbYyNhXqqnpFG5k74WygVAJ4O0+9nybRyeOFThvITOaS21/jeHiI5fgaM9YKuI0oGYeWCIzPQsluW5CMDmtvqv1aA8sXQ5n2x0L9MJkzgdIHTC3YWBFLQ2AxSveOyIHwW+cHLIFCAcZlOaaf0YtaLfGHGkAC4IfycmaijV8NSlzYgDuxrC9sIsWJ0bSvk5iT4ru/R4+0cjm7qZtGlc04k9xk5Fu6A+wRxMaIyiFRY+Ya19ykcevQldidmEjEWvN6CRToLgclk=',
       body: {
         repositoryName: 'self-hosted',

modules/multi-runner/README.md

@@ -171,7 +171,7 @@ module "multi-runner" {
 | <a name="input_runners_ssm_housekeeper"></a> [runners\_ssm\_housekeeper](#input\_runners\_ssm\_housekeeper) | Configuration for the SSM housekeeper lambda. This lambda deletes token / JIT config from SSM.<br/><br/>  `schedule_expression`: is used to configure the schedule for the lambda.<br/>  `enabled`: enable or disable the lambda trigger via the EventBridge.<br/>  `lambda_memory_size`: lambda memory size limit.<br/>  `lambda_timeout`: timeout for the lambda in seconds.<br/>  `config`: configuration for the lambda function. Token path will be read by default from the module. | <pre>object({<br/>    schedule_expression = optional(string, "rate(1 day)")<br/>    enabled             = optional(bool, true)<br/>    lambda_memory_size  = optional(number, 512)<br/>    lambda_timeout      = optional(number, 60)<br/>    config = object({<br/>      tokenPath      = optional(string)<br/>      minimumDaysOld = optional(number, 1)<br/>      dryRun         = optional(bool, false)<br/>    })<br/>  })</pre> | <pre>{<br/>  "config": {}<br/>}</pre> | no |
 | <a name="input_scale_down_lambda_memory_size"></a> [scale\_down\_lambda\_memory\_size](#input\_scale\_down\_lambda\_memory\_size) | Memory size limit in MB for scale down. | `number` | `512` | no |
 | <a name="input_scale_up_lambda_memory_size"></a> [scale\_up\_lambda\_memory\_size](#input\_scale\_up\_lambda\_memory\_size) | Memory size limit in MB for scale\_up lambda. | `number` | `512` | no |
-| <a name="input_ssm_paths"></a> [ssm\_paths](#input\_ssm\_paths) | The root path used in SSM to store configuration and secreets. | <pre>object({<br/>    root    = optional(string, "github-action-runners")<br/>    app     = optional(string, "app")<br/>    runners = optional(string, "runners")<br/>    webhook = optional(string, "webhook")<br/>  })</pre> | `{}` | no |
+| <a name="input_ssm_paths"></a> [ssm\_paths](#input\_ssm\_paths) | The root path used in SSM to store configuration and secrets. | <pre>object({<br/>    root    = optional(string, "github-action-runners")<br/>    app     = optional(string, "app")<br/>    runners = optional(string, "runners")<br/>    webhook = optional(string, "webhook")<br/>  })</pre> | `{}` | no |
 | <a name="input_state_event_rule_binaries_syncer"></a> [state\_event\_rule\_binaries\_syncer](#input\_state\_event\_rule\_binaries\_syncer) | Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution | `string` | `"ENABLED"` | no |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | n/a | yes |
 | <a name="input_syncer_lambda_s3_key"></a> [syncer\_lambda\_s3\_key](#input\_syncer\_lambda\_s3\_key) | S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas. | `string` | `null` | no |