Trigger download lambda on deploy (#39)

npalm · web-flow · commit e23447a9fd52 · 2020-06-18T09:32:00.000+02:00
* Trigger download lambda on deploy

* Update docs
diff --git a/README.md b/README.md
@@ -158,7 +158,7 @@ terraform init
 terraform apply
 ```
 
-Check the terraform output for the API gateway url (endpoint), which you need in the next step. The lambda for syncing the GitHub distribution will be executed by a trigger via CloudWatch. To ensure the binary is cached, trigger the `runner-binaries-syncer` manually. The payload does not matter. (e.g. `aws lambda invoke --function-name <environment>-syncer response.json`)
+Check the terraform output for the API gateway url (endpoint), which you need in the next step. The lambda for syncing the GitHub distribution will be executed by a trigger via CloudWatch. After deployment the function is triggered via S3 to ensure the distribution is cached.
 
 ### Setup GitHub App (part 2)
 
diff --git a/modules/runner-binaries-syncer/README.md b/modules/runner-binaries-syncer/README.md
@@ -1,6 +1,6 @@
 # Module - Runner binaries syncer
 
-This module creates a lambda that will sync GitHub action binary to a S3 bucket, the lambda will be triggered via a CloudWatch event. The distribution is cached to avoid the latency of downloading the distribution during the setup.
+This module creates a lambda that will sync GitHub action binary to a S3 bucket, the lambda will be triggered via a CloudWatch event. The distribution is cached to avoid the latency of downloading the distribution during the setup. After deployment the lambda will be triggered via an S3 object created at deployment time.
 
 ## Usages
 
@@ -41,31 +41,31 @@ No requirements.
 ## Providers
 
 | Name | Version |
-|------|---------|
-| aws | n/a |
+| ---- | ------- |
+| aws  | n/a     |
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| aws\_region | AWS region. | `string` | n/a | yes |
-| distribution\_bucket\_name | Bucket for storing the action runner distribution. | `string` | n/a | yes |
-| environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
-| lambda\_schedule\_expression | Scheduler expression for action runner binary syncer. | `string` | `"cron(27 * * * ? *)"` | no |
-| lambda\_timeout | Time out of the lambda in seconds. | `number` | `300` | no |
-| lambda\_zip | File location of the lambda zip file. | `string` | `null` | no |
-| role\_path | The path that will be added to the role, if not set the environment name will be used. | `string` | `null` | no |
-| role\_permissions\_boundary | Permissions boundary that will be added to the created role for the lambda. | `string` | `null` | no |
-| tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}` | no |
+| Name                         | Description                                                                                                         | Type          | Default                | Required |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------- | :------: |
+| aws\_region                  | AWS region.                                                                                                         | `string`      | n/a                    |   yes    |
+| distribution\_bucket\_name   | Bucket for storing the action runner distribution.                                                                  | `string`      | n/a                    |   yes    |
+| environment                  | A name that identifies the environment, used as prefix and for tagging.                                             | `string`      | n/a                    |   yes    |
+| lambda\_schedule\_expression | Scheduler expression for action runner binary syncer.                                                               | `string`      | `"cron(27 * * * ? *)"` |    no    |
+| lambda\_timeout              | Time out of the lambda in seconds.                                                                                  | `number`      | `300`                  |    no    |
+| lambda\_zip                  | File location of the lambda zip file.                                                                               | `string`      | `null`                 |    no    |
+| role\_path                   | The path that will be added to the role, if not set the environment name will be used.                              | `string`      | `null`                 |    no    |
+| role\_permissions\_boundary  | Permissions boundary that will be added to the created role for the lambda.                                         | `string`      | `null`                 |    no    |
+| tags                         | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}`                   |    no    |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| bucket | n/a |
-| lambda | n/a |
-| lambda\_role | n/a |
-| runner\_distribution\_object\_key | n/a |
+| Name                              | Description |
+| --------------------------------- | ----------- |
+| bucket                            | n/a         |
+| lambda                            | n/a         |
+| lambda\_role                      | n/a         |
+| runner\_distribution\_object\_key | n/a         |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
@@ -12,7 +12,6 @@ resource "aws_lambda_function" "syncer" {
   runtime          = "nodejs12.x"
   timeout          = var.lambda_timeout
 
-
   environment {
     variables = {
       S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
@@ -77,3 +76,36 @@ resource "aws_lambda_permission" "syncer" {
   source_arn    = aws_cloudwatch_event_rule.syncer.arn
 }
 
+###################################################################################
+### Extra trigger to trigger from S3 to execute the lambda after first deployment
+###################################################################################
+
+resource "aws_s3_bucket_object" "trigger" {
+  bucket = aws_s3_bucket.action_dist.id
+  key    = "triggers/${aws_lambda_function.syncer.id}-trigger.json"
+  source = "${path.module}/trigger.json"
+  etag   = filemd5("${path.module}/trigger.json")
+
+  depends_on = [aws_s3_bucket_notification.on_deploy]
+}
+
+resource "aws_s3_bucket_notification" "on_deploy" {
+  bucket = aws_s3_bucket.action_dist.id
+
+  lambda_function {
+    lambda_function_arn = aws_lambda_function.syncer.arn
+    events              = ["s3:ObjectCreated:*"]
+    filter_prefix       = "triggers/"
+    filter_suffix       = ".json"
+  }
+
+  depends_on = [aws_lambda_permission.on_deploy]
+}
+
+resource "aws_lambda_permission" "on_deploy" {
+  statement_id  = "AllowExecutionFromS3Bucket"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.syncer.arn
+  principal     = "s3.amazonaws.com"
+  source_arn    = aws_s3_bucket.action_dist.arn
+}
diff --git a/modules/runner-binaries-syncer/trigger.json b/modules/runner-binaries-syncer/trigger.json
@@ -0,0 +1,3 @@
+{
+  "key": "value"
+}
