decommission App Runner service

.github/workflows/ci.yml

@@ -58,38 +58,6 @@ jobs:
           push: true
           tags: "${{ steps.login-ecr.outputs.registry }}/rko-router:${{ github.sha }},${{ steps.login-ecr.outputs.registry }}/rko-router:latest"
 
-  deploy-apprunner:
-    name: deploy-apprunner
-    if: "github.ref == 'refs/heads/master'"
-    environment:
-      name: apprunner-prod
-      url: https://rko-router.rubykaigi.org
-    concurrency:
-      group: apprunner-prod
-    permissions:
-      contents: read
-      id-token: write
-    runs-on: ubuntu-latest
-    needs:
-      - ci
-    steps:
-      - uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: "us-west-2"
-          role-skip-session-tagging: true
-          role-to-assume: "arn:aws:iam::005216166247:role/GhaRkoRouterDeploy"
-          mask-aws-account-id: 'false' # only string works
-      - uses: awslabs/amazon-app-runner-deploy@v2.5.2
-        with:
-          region: "us-west-2"
-          service: "rko-router"
-          image: "${{needs.ci.outputs.image-tag}}"
-          access-role-arn:  "arn:aws:iam::005216166247:role/AppraRkoRouter"
-          wait-for-service-stability: true
-          cpu: '0.25' # vCPU
-          memory: '0.5' # GB
-          port: "8080"
-
   deploy-lambda:
     name: deploy-lambda
     if: "github.ref == 'refs/heads/master'"

.gitignore

@@ -2,3 +2,4 @@
 node_modules/
 tf/cf_functions/src/*.js
 tf/cf_functions/src/*.js.map
+*.tsbuildinfo

README.md

@@ -1,8 +1,8 @@
 # rubykaigi.org router
 
-nginx container deployed on AWS App Runner and served through CloudFront.
+nginx container deployed on Lambda Function URL and served through CloudFront.
 
-Detailed docs for RubyKaigi orgz: https://rubykaigi.esa.io/posts/1241
+- Detailed docs for RubyKaigi orgz: https://rubykaigi.esa.io/posts/1241
 
 ## Quick Reference
 
@@ -65,14 +65,13 @@ If you're going to do something more than the above, continue reading. Don't for
 Deployments are automatically performed on GitHub Actions on `master` branch after CI.
 
 - Lambda: [rko-router](https://us-west-2.console.aws.amazon.com/lambda/home?region=us-west-2#/functions/rko-router?tab=monitoring)
-- App Runner (deprecated): [arn:aws:apprunner:us-west-2:005216166247:service/rko-router/2c9219ae5e14411baaf46fa932f33025](https://us-west-2.console.aws.amazon.com/apprunner/home?region=us-west-2#/services/dashboard?service_arn=arn%3Aaws%3Aapprunner%3Aus-west-2%3A005216166247%3Aservice%2Frko-router%2F2c9219ae5e14411baaf46fa932f33025&active_tab=logs)
 - CloudFront: [arn:aws:cloudfront::005216166247:distribution/E2WEWQCYU12GVD](https://us-east-1.console.aws.amazon.com/cloudfront/v3/home?region=ap-northeast-1#/distributions/E2WEWQCYU12GVD)
 
 All resources except deployment is managed under Terraform [./tf](./tf).
 
-### Domains
+### Serving multiple domains in production
 
-Due to the quota of custom domains per App Runner service and the lambda function URL, the first hop on rko-router proxies a request to itself with correct `Host` header. We call this virtual host a _jump host._
+Because Lambda Function URL does not support custom domains, the first hop on rko-router proxies a request to itself with correct `Host` header. We call this virtual host a _jump host._
 
 `x-rko-host` and `x-rko-xfp` headers are referenced as a `Host` and `X-Forwarded-Proto` header for the second hop.
 

tf/cloudfront.tf

@@ -40,25 +40,6 @@ resource "aws_cloudfront_distribution" "rko-router" {
     }
   }
 
-  origin {
-    origin_id   = "rko-router-apprunner"
-    domain_name = replace(aws_apprunner_service.rko-router.service_url, "https://", "")
-
-    custom_origin_config {
-      http_port                = 80
-      https_port               = 443
-      origin_protocol_policy   = "https-only"
-      origin_ssl_protocols     = ["TLSv1.2"]
-      origin_keepalive_timeout = 30
-      origin_read_timeout      = 35
-    }
-
-    origin_shield {
-      enabled              = true
-      origin_shield_region = "us-west-2"
-    }
-  }
-
   origin {
     origin_id   = "rko-router-lambda"
     domain_name = replace(aws_lambda_function_url.rko-router.function_url, "/^https:\\/+|\\/$/", "")

tf/iam_GhaRkoRouterDeploy.tf

@@ -16,7 +16,6 @@ data "aws_iam_policy_document" "rko-router-deploy-trust" {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:sub"
       values = [
-        "repo:ruby-no-kai/rko-router:environment:apprunner-prod",
         "repo:ruby-no-kai/rko-router:environment:lambda-prod",
         "repo:ruby-no-kai/rko-router:ref:refs/heads/master",
         "repo:ruby-no-kai/rko-router:ref:refs/heads/test",
@@ -70,57 +69,21 @@ data "aws_iam_policy_document" "rko-router-deploy-apprunner" {
   statement {
     effect = "Allow"
     actions = [
-      "iam:PassRole",
-    ]
-    resources = [aws_iam_role.rko-router-access.arn]
-
-    condition {
-      test     = "StringEquals"
-      variable = "token.actions.githubusercontent.com:sub"
-      values = [
-        "repo:ruby-no-kai/rko-router:environment:apprunner-prod",
-      ]
-    }
-  }
-
-  statement {
-    effect = "Allow"
-    actions = [
-      "apprunner:DescribeService",
-      "apprunner:UpdateService",
-      "apprunner:ListOperations"
+      "lambda:UpdateFunctionCode",
     ]
     resources = [
-      aws_apprunner_service.rko-router.arn,
+      aws_lambda_function.rko-router.arn,
     ]
 
     condition {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:sub"
       values = [
-        "repo:ruby-no-kai/rko-router:environment:apprunner-prod",
+        "repo:ruby-no-kai/rko-router:environment:lambda-prod",
       ]
     }
   }
 
-  statement {
-    effect = "Allow"
-    actions = [
-      "apprunner:ListServices",
-    ]
-    resources = ["*"]
-  }
-
-  statement {
-    effect = "Allow"
-    actions = [
-      "lambda:UpdateFunctionCode",
-    ]
-    resources = [
-      aws_lambda_function.rko-router.arn,
-    ]
-  }
-
   statement {
     effect = "Allow"
     actions = [

tf/iam_GhaRkoRouterPurge.tf

@@ -16,7 +16,7 @@ data "aws_iam_policy_document" "rko-router-purge-trust" {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:sub"
       values = [
-        "repo:ruby-no-kai/rko-router:environment:apprunner-prod",
+        "repo:ruby-no-kai/rko-router:environment:lambda-prod",
         "repo:ruby-no-kai/rubykaigi.org:environment:github-pages",
       ]
     }