ci: deploy to lambda

Author: sorah

.github/workflows/ci.yml

@@ -57,8 +57,9 @@ jobs:
           context: '.'
           push: true
           tags: "${{ steps.login-ecr.outputs.registry }}/rko-router:${{ github.sha }},${{ steps.login-ecr.outputs.registry }}/rko-router:latest"
-  deploy:
-    name: deploy
+
+  deploy-apprunner:
+    name: deploy-apprunner
     if: "github.ref == 'refs/heads/master'"
     environment:
       name: apprunner-prod
@@ -89,3 +90,27 @@ jobs:
           memory: '0.5' # GB
           port: "8080"
 
+  deploy-lambda:
+    name: deploy-lambda
+    if: "github.ref == 'refs/heads/test'"
+    environment:
+      name: lambda-prod
+      url: https://rko-router.rubykaigi.org
+    concurrency:
+      group: lambda-prod
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-slim
+    needs:
+      - ci
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: "us-west-2"
+          role-skip-session-tagging: true
+          role-to-assume: "arn:aws:iam::005216166247:role/GhaRkoRouterDeploy"
+          mask-aws-account-id: 'false' # only string works
+      - run: 'aws lambda update-function-code --function-name rko-router --image-uri "$IMAGE_URI"'
+        env:
+          IMAGE_URI: "${{needs.ci.outputs.image-tag}}"

tf/iam_GhaRkoRouterDeploy.tf

@@ -17,6 +17,7 @@ data "aws_iam_policy_document" "rko-router-deploy-trust" {
       variable = "token.actions.githubusercontent.com:sub"
       values = [
         "repo:ruby-no-kai/rko-router:environment:apprunner-prod",
+        "repo:ruby-no-kai/rko-router:environment:lambda-prod",
         "repo:ruby-no-kai/rko-router:ref:refs/heads/master",
         "repo:ruby-no-kai/rko-router:ref:refs/heads/test",
       ]
@@ -109,4 +110,26 @@ data "aws_iam_policy_document" "rko-router-deploy-apprunner" {
     ]
     resources = ["*"]
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "lambda:UpdateFunctionCode",
+    ]
+    resources = [
+      aws_lambda_function.rko-router.arn,
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer",
+    ]
+    resources = [
+      aws_ecr_repository.rko-router.arn,
+    ]
+  }
+
 }

tf/lambda.tf

@@ -2,7 +2,7 @@ resource "aws_lambda_function" "rko-router" {
   function_name = "rko-router"
 
   package_type  = "Image"
-  image_uri     = "${aws_ecr_repository.rko-router.repository_url}:3285c10bdd196708e97523c116baeba981b8b8a7"
+  image_uri     = "${aws_ecr_repository.rko-router.repository_url}:7e1c5410f5b39e9be0d8396509b44dfcdb77d43d"
   architectures = ["x86_64"]
 
   role = aws_iam_role.LambdaRkoRouter.arn
@@ -23,11 +23,11 @@ resource "aws_lambda_function" "rko-router" {
     Name = "rko-router"
   }
 
-  # lifecycle {
-  #   ignore_changes = [
-  #     image_uri,
-  #   ]
-  # }
+  lifecycle {
+    ignore_changes = [
+      image_uri,
+    ]
+  }
 }
 
 resource "aws_lambda_function_url" "rko-router" {