import * as path from 'path';
import * as cdk from 'aws-cdk-lib';
import {
aws_ec2 as ec2,
aws_events as events,
aws_events_targets as events_targets,
aws_iam as iam,
aws_lambda as lambda,
aws_stepfunctions as stepfunctions,
aws_stepfunctions_tasks as stepfunctions_tasks,
custom_resources as cr,
} from 'aws-cdk-lib';
import { RetentionDays } from 'aws-cdk-lib/aws-logs';
import { Construct } from 'constructs';
import { BundledNodejsFunction } from '../utils';
import { Architecture, IImageBuilder, IRunnerProvider, Os, RunnerImage, RunnerProviderProps, RunnerRuntimeParameters } from './common';
import { CodeBuildImageBuilder } from './image-builders/codebuild';
export interface LambdaRunnerProps extends RunnerProviderProps {
  /**
   * Provider running an image to run inside Lambda with GitHub runner pre-configured.
   *
   * The default command (`CMD`) should be `["runner.handler"]` which points to an included `runner.js` with a function named `handler`. The function should start the GitHub runner.
   *
   * The built image is referenced by its immutable digest (not a tag), so a function update only happens once the
   * digest is re-read; see the digest reader and image updater in `LambdaRunner`.
   *
   * @see https://github.com/CloudSnorkel/cdk-github-runners/tree/main/src/providers/docker-images/lambda
   * @default image builder with LambdaRunner.LINUX_X64_DOCKERFILE_PATH as Dockerfile
   */
  readonly imageBuilder?: IImageBuilder;
  /**
   * GitHub Actions label used for this provider.
   *
   * @default 'lambda'
   */
  readonly label?: string;
  /**
   * The amount of memory, in MB, that is allocated to your Lambda function.
   * Lambda uses this value to proportionally allocate the amount of CPU
   * power. For more information, see Resource Model in the AWS Lambda
   * Developer Guide.
   *
   * @default 2048
   */
  readonly memorySize?: number;
  /**
   * The size of the function’s /tmp directory in MiB.
   *
   * @default 10 GiB
   */
  readonly ephemeralStorageSize?: cdk.Size;
  /**
   * The function execution time (in seconds) after which Lambda terminates
   * the function. Because the execution time affects cost, set this value
   * based on the function's expected execution time.
   *
   * @default Duration.minutes(15)
   */
  readonly timeout?: cdk.Duration;
  /**
   * VPC to launch the runners in.
   *
   * When unset, the function is not attached to any VPC (see `securityGroup` and `subnetSelection`).
   *
   * @default no VPC
   */
  readonly vpc?: ec2.IVpc;
  /**
   * Security Group to assign to this instance.
   *
   * Only meaningful together with `vpc`.
   *
   * @default public lambda with no security group
   */
  readonly securityGroup?: ec2.ISecurityGroup;
  /**
   * Where to place the network interfaces within the VPC.
   *
   * Only meaningful together with `vpc`.
   *
   * @default no subnet
   */
  readonly subnetSelection?: ec2.SubnetSelection;
}
/**
* GitHub Actions runner provider using Lambda to execute the actions.
*
* Creates a Docker-based function that gets executed for each job.
*
* This construct is not meant to be used by itself. It should be passed in the providers property for GitHubRunners.
*/
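export class LambdaRunner extends Construct implements IRunnerProvider {
  /**
   * Path to Dockerfile for Linux x64 with all the requirement for Lambda runner. Use this Dockerfile unless you need to customize it further than allowed by hooks.
   *
   * Available build arguments that can be set in the image builder:
   * * `BASE_IMAGE` sets the `FROM` line. This should be similar to public.ecr.aws/lambda/nodejs:14.
   * * `EXTRA_PACKAGES` can be used to install additional packages.
   */
  public static readonly LINUX_X64_DOCKERFILE_PATH = path.join(__dirname, 'docker-images', 'lambda', 'linux-x64');

  /**
   * Path to Dockerfile for Linux ARM64 with all the requirement for Lambda runner. Use this Dockerfile unless you need to customize it further than allowed by hooks.
   *
   * Available build arguments that can be set in the image builder:
   * * `BASE_IMAGE` sets the `FROM` line. This should be similar to public.ecr.aws/lambda/nodejs:14.
   * * `EXTRA_PACKAGES` can be used to install additional packages.
   */
  public static readonly LINUX_ARM64_DOCKERFILE_PATH = path.join(__dirname, 'docker-images', 'lambda', 'linux-arm64');

  /**
   * The function hosting the GitHub runner.
   */
  readonly function: lambda.Function;

  /**
   * Label associated with this provider.
   */
  readonly label: string;

  /**
   * VPC used for hosting the function.
   */
  readonly vpc?: ec2.IVpc;

  /**
   * Security group attached to the function.
   */
  readonly securityGroup?: ec2.ISecurityGroup;

  /**
   * Grant principal used to add permissions to the runner role.
   */
  readonly grantPrincipal: iam.IPrincipal;

  /**
   * Docker image used to start Lambda function.
   */
  readonly image: RunnerImage;

  /**
   * Create the runner function, pinned to the current digest of the built image, plus the
   * resources that keep that digest current after scheduled rebuilds.
   *
   * @param scope parent construct
   * @param id construct id
   * @param props provider settings; see {@link LambdaRunnerProps} for defaults
   * @throws Error if the image OS/architecture has no matching Lambda architecture
   */
  constructor(scope: Construct, id: string, props: LambdaRunnerProps) {
    super(scope, id);

    // `||` (not `??`) so an empty label also falls back to the default
    this.label = props.label || 'lambda';
    this.vpc = props.vpc;
    this.securityGroup = props.securityGroup;

    const imageBuilder = props.imageBuilder ?? new CodeBuildImageBuilder(this, 'Image Builder', {
      dockerfilePath: LambdaRunner.LINUX_X64_DOCKERFILE_PATH,
    });
    const image = this.image = imageBuilder.bind();

    const architecture = LambdaRunner.lambdaArchitectureFor(image);

    // get image digest and make sure to get it every time the lambda function might be updated
    // pass all variables that may change and cause a function update
    // if we don't get the latest digest, the update may fail as a new image was already built outside the stack on a schedule
    // we automatically delete old images, so we must always get the latest digest
    const imageDigest = this.imageDigest(image, {
      version: 1, // bump this for any non-user changes like description or defaults
      label: this.label,
      architecture: architecture.name,
      vpc: this.vpc?.vpcId,
      securityGroups: this.securityGroup?.securityGroupId,
      vpcSubnets: props.subnetSelection?.subnets?.map(s => s.subnetId),
      timeout: props.timeout?.toSeconds(),
      memorySize: props.memorySize,
      ephemeralStorageSize: props.ephemeralStorageSize?.toKibibytes(),
      logRetention: props.logRetention?.toFixed(),
    });

    this.function = new lambda.DockerImageFunction(
      this,
      'Function',
      {
        description: `GitHub Actions runner for "${this.label}" label`,
        // The image is referenced by immutable digest rather than by tag, so the deployed code is exactly what was
        // resolved at synth/deploy time; a later push to the tag cannot silently change it.
        // CDK requires "sha256:" literal prefix -- https://github.com/aws/aws-cdk/blob/ba91ca45ad759ab5db6da17a62333e2bc11e1075/packages/%40aws-cdk/aws-ecr/lib/repository.ts#L184
        code: lambda.DockerImageCode.fromEcr(image.imageRepository, { tagOrDigest: `sha256:${imageDigest}` }),
        architecture,
        vpc: this.vpc,
        securityGroups: this.securityGroup && [this.securityGroup],
        vpcSubnets: props.subnetSelection,
        // `||` keeps the documented defaults for falsy values such as 0
        timeout: props.timeout || cdk.Duration.minutes(15),
        memorySize: props.memorySize || 2048,
        ephemeralStorageSize: props.ephemeralStorageSize || cdk.Size.gibibytes(10),
        logRetention: props.logRetention || RetentionDays.ONE_MONTH,
      },
    );

    this.grantPrincipal = this.function.grantPrincipal;

    this.addImageUpdater(image);
  }

  /**
   * The network connections associated with this resource.
   */
  public get connections(): ec2.Connections {
    return this.function.connections;
  }

  /**
   * Generate step function task(s) to start a new runner.
   *
   * Called by GithubRunners and shouldn't be called manually.
   *
   * @param parameters workflow job details
   */
  getStepFunctionTask(parameters: RunnerRuntimeParameters): stepfunctions.IChainable {
    // The registration token and job details are handed to the function as its invocation payload.
    return new stepfunctions_tasks.LambdaInvoke(
      this,
      this.label,
      {
        lambdaFunction: this.function,
        payload: stepfunctions.TaskInput.fromObject({
          token: parameters.runnerTokenPath,
          runnerName: parameters.runnerNamePath,
          label: this.label,
          githubDomain: parameters.githubDomainPath,
          owner: parameters.ownerPath,
          repo: parameters.repoPath,
        }),
      },
    );
  }

  /**
   * Map the built image's OS/architecture onto the Lambda architecture enum.
   *
   * Only Linux images are supported. If an image somehow matches both x86_64 and ARM64, ARM64 wins
   * (the checks run in that order, last assignment wins), which is what the original inline code did.
   *
   * @param image image produced by the image builder
   * @returns matching Lambda architecture
   * @throws Error when no Lambda architecture matches
   */
  private static lambdaArchitectureFor(image: RunnerImage): lambda.Architecture {
    let architecture: lambda.Architecture | undefined;
    if (image.os.is(Os.LINUX)) {
      if (image.architecture.is(Architecture.X86_64)) {
        architecture = lambda.Architecture.X86_64;
      }
      if (image.architecture.is(Architecture.ARM64)) {
        architecture = lambda.Architecture.ARM_64;
      }
    }

    if (!architecture) {
      throw new Error(`Unable to find support Lambda architecture for ${image.os.name}/${image.architecture.name}`);
    }

    return architecture;
  }

  /**
   * Wire an EventBridge rule so that a successful push of the `latest` tag to this runner's ECR repository
   * re-points the runner function at the new image digest.
   *
   * Lambda needs to be pointing to a specific image digest and not just a tag.
   * Whenever we update the tag to a new digest, we need to update the lambda.
   *
   * The updater function's permissions are resource-scoped: DescribeStacks on this stack only and
   * UpdateFunctionCode on this runner function only. The updater is obtained via `singleton`, so it is
   * presumably shared by every LambdaRunner in the stack and its role accumulates one UpdateFunctionCode
   * grant per runner function — confirm against BundledNodejsFunction.
   *
   * @param image image whose repository/tag is watched for pushes
   */
  private addImageUpdater(image: RunnerImage) {
    const stack = cdk.Stack.of(this);

    const updater = BundledNodejsFunction.singleton(this, 'update-lambda', {
      description: 'Function that updates a GitHub Actions runner function with the latest image digest after the image has been rebuilt',
      timeout: cdk.Duration.seconds(30),
      initialPolicy: [
        new iam.PolicyStatement({
          actions: ['cloudformation:DescribeStacks'],
          resources: [stack.formatArn({
            service: 'cloudformation',
            resource: 'stack',
            resourceName: `${stack.stackName}/*`,
          })],
        }),
      ],
    });

    // least privilege: only this runner's function may be updated by the updater
    updater.addToRolePolicy(new iam.PolicyStatement({
      actions: ['lambda:UpdateFunctionCode'],
      resources: [this.function.functionArn],
    }));

    const lambdaTarget = new events_targets.LambdaFunction(updater, {
      event: events.RuleTargetInput.fromObject({
        lambdaName: this.function.functionName,
        repositoryUri: image.imageRepository.repositoryUri,
        repositoryTag: image.imageTag,
        stackName: stack.stackName,
      }),
    });

    // only successful pushes of the `latest` tag to this specific repository trigger an update
    const rule = image.imageRepository.onEvent('Push rule', {
      description: 'Update GitHub Actions runner Lambda on ECR image push',
      eventPattern: {
        detailType: ['ECR Image Action'],
        detail: {
          'action-type': ['PUSH'],
          'repository-name': [image.imageRepository.repositoryName],
          'image-tag': ['latest'],
          'result': ['SUCCESS'],
        },
      },
      target: lambdaTarget,
    });

    // the event never triggers without this - not sure why
    (rule.node.defaultChild as events.CfnRule).addDeletionOverride('Properties.EventPattern.resources');
  }

  /**
   * Read the current digest of the image tag from ECR at deploy time.
   *
   * NOTE(review): the physical resource id used below is the fixed string 'ImageDigest', not a random value;
   * as far as this code shows, the only thing that makes CloudFormation re-run the custom resource on a later
   * deployment is a change in `variableSettings` (passed as the unused onDelete parameters), so a digest that
   * changed without any setting change may not be re-read — confirm against the custom resource behavior.
   *
   * @param image image whose repository and tag are described
   * @param variableSettings every value that may cause a function update; changing any of them changes the
   *   custom resource's properties and forces a fresh describeImages call
   * @returns the digest without the `sha256:` prefix (CDK adds the prefix itself, see the constructor)
   * @throws Error if the underlying CustomResource child cannot be found (indicates a CDK change)
   */
  private imageDigest(image: RunnerImage, variableSettings: Record<string, unknown>): string {
    // describe ECR image to get its digest
    // the same SDK call is used for both create and update
    const describeImage: cr.AwsSdkCall = {
      service: 'ECR',
      action: 'describeImages',
      parameters: {
        repositoryName: image.imageRepository.repositoryName,
        imageIds: [
          {
            imageTag: image.imageTag,
          },
        ],
      },
      physicalResourceId: cr.PhysicalResourceId.of('ImageDigest'),
    };

    const reader = new cr.AwsCustomResource(this, 'Image Digest Reader', {
      onCreate: describeImage,
      onUpdate: describeImage,
      onDelete: {
        // this will NOT be called thanks to RemovalPolicy.RETAIN below
        // we only use this to force the custom resource to be called again and get a new digest
        service: 'fake',
        action: 'fake',
        parameters: variableSettings,
      },
      // read access limited to this runner's repository
      policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
        resources: [image.imageRepository.repositoryArn],
      }),
      resourceType: 'Custom::EcrImageDigest',
      installLatestAwsSdk: false, // no need and it takes 60 seconds
      logRetention: RetentionDays.ONE_MONTH,
    });

    const res = reader.node.tryFindChild('Resource') as cdk.CustomResource | undefined;
    if (!res) {
      throw new Error('Resource not found in AwsCustomResource. Report this bug at https://github.com/CloudSnorkel/cdk-github-runners/issues.');
    }
    // don't actually call the fake onDelete above
    res.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN);

    // return only the digest because CDK expects 'sha256:' literal above
    return cdk.Fn.split(':', reader.getResponseField('imageDetails.0.imageDigest'), 2)[1];
  }
}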