Cross account deployment - initial support / split Lambda and DB deployment requests (#301)

* Cross account

- Fixes #253

* Proxy to parent deployer when configured

* Add child deployer construct

* Split version controller out into many files

* Add DeployVersionLite

* Fix build / retain versions

* Build fix

* Try to fix deploy

* Update API.md

* Fix ARN

* Fix account ID fetching

* Minor fixes

- Typo
- Fix tag name in tests (had `microapp[s]-managed` but it's not supposed to have an `s`
- Change `StringEqualsIfExists` to `StringEquals` so it is required that the string be present

* Stop publishing if `CreateAlias` fails

* Update DeployClient.ts

* Log arn base

* Implement deployVersionLite and tests

* Fix more tests

* Add test for proxying of deployVersionLite

* Use deployVersionLite from microapps-publish

* Pass functionUrl to DeployVersionLite

* Check if function version exists in LambdaAlias request

* Add hotswap flag on CDK deploys

* Cache TypeScript build output

* Fix ids

* Revert accidental DeployVersion change

* Actually skip build if cached

Author: huntharo

.github/workflows/ci.yml

@@ -55,7 +55,7 @@ jobs:
           path: |
             node_modules
             packages/**/node_modules
-          key: node-modules-${{ hashFiles('package.json', '**/yarn.lock') }}
+          key: node-modules-${{ hashFiles('package.json', 'yarn.lock', '**/yarn.lock') }}
 
       - name: Optionally Install Node Modules
         if: steps.cache-node-modules.outputs.cache-hit != 'true'
@@ -84,7 +84,17 @@ jobs:
           echo 'NEXTJS_DEMO_APP_PACKAGE_VERSION='${NEXTJS_DEMO_APP_PACKAGE_VERSION}
           echo 'RELEASE_APP_PACKAGE_VERSION='${RELEASE_APP_PACKAGE_VERSION}
 
-      - name: Build All TypeScript
+      - name: Cache TypeScript Build Output
+        id: cache-typescript-build
+        uses: actions/cache@v3
+        with:
+          path: |
+            packages/**/dist
+            packages/microapps-cdk/lib
+          key: typescript-build-${{ hashFiles('package.json', 'yarn.lock', 'tsconfig.json', 'tsconfig.packages.json', 'packages/**/tsconfig.json', 'packages/**/*.ts') }}
+
+      - name: Optionally Build All TypeScript
+        if: steps.cache-typescript-build.outputs.cache-hit != 'true'
         run: yarn build 
 
       - name: Run Lint
@@ -152,13 +162,23 @@ jobs:
           path: |
             node_modules
             packages/**/node_modules
-          key: node-modules-${{ hashFiles('package.json', '**/yarn.lock') }}
+          key: node-modules-${{ hashFiles('package.json', 'yarn.lock', '**/yarn.lock') }}
 
       - name: Optionally Install Node Modules
         if: steps.cache-node-modules.outputs.cache-hit != 'true'
         run: yarn install --frozen-lockfile
 
-      - name: Build All TypeScript
+      - name: Cache TypeScript Build Output
+        id: cache-typescript-build
+        uses: actions/cache@v3
+        with:
+          path: |
+            packages/**/dist
+            packages/microapps-cdk/lib
+          key: typescript-build-${{ hashFiles('package.json', 'yarn.lock', 'tsconfig.json', 'tsconfig.packages.json', 'packages/**/tsconfig.json', 'packages/**/*.ts') }}
+
+      - name: Optionally Build All TypeScript
+        if: steps.cache-typescript-build.outputs.cache-hit != 'true'
         run: yarn build
 
       - name: Build Edge-to-Origin for Local Deploy
@@ -217,9 +237,19 @@ jobs:
             --context @pwrdrvr/microapps:deployReleaseApp=true \
             --require-approval never ${{ matrix.deployName }}
 
+      - name: Set Hotswap Flag on PRs
+        run: |
+          if [ -n "${PR_NUMBER}" ]; then
+            echo "HOTSWAP_FLAG=--hotswap" >> $GITHUB_ENV
+          else
+            echo "HOTSWAP_FLAG=" >> $GITHUB_ENV
+          fi
+
       - name: Deploy CDK Stack
         run: |
-          npx cdk deploy --context @pwrdrvr/microapps:deployDemoApp=true \
+          npx cdk deploy \
+            ${HOTSWAP_FLAG} \
+            --context @pwrdrvr/microapps:deployDemoApp=true \
             --context @pwrdrvr/microapps:deployNexjsDemoApp=true \
             --context @pwrdrvr/microapps:deployReleaseApp=true \
             --require-approval never ${{ matrix.deployName }}
@@ -419,7 +449,7 @@ jobs:
           path: |
             node_modules
             packages/**/node_modules
-          key: node-modules-${{ hashFiles('package.json', '**/yarn.lock') }}
+          key: node-modules-${{ hashFiles('package.json', 'yarn.lock', '**/yarn.lock') }}
 
       - name: Optionally Install Node Modules
         if: steps.cache-node-modules.outputs.cache-hit != 'true'

.github/workflows/main-build.yml

@@ -39,7 +39,7 @@ jobs:
           path: |
             node_modules
             packages/**/node_modules
-          key: node-modules-${{ hashFiles('package.json', '**/yarn.lock') }}
+          key: node-modules-${{ hashFiles('package.json', 'yarn.lock', '**/yarn.lock') }}
       - name: Install dependencies
         if: steps.cache-node-modules.outputs.cache-hit != 'true'
         run: yarn install --frozen-lockfile
@@ -136,7 +136,7 @@ jobs:
           path: |
             node_modules
             packages/**/node_modules
-          key: node-modules-${{ hashFiles('package.json', '**/yarn.lock') }}
+          key: node-modules-${{ hashFiles('package.json', 'yarn.lock', '**/yarn.lock') }}
       - name: Optionally Install Node Modules
         if: steps.cache-node-modules.outputs.cache-hit != 'true'
         run: yarn install --frozen-lockfile

.github/workflows/release.yml

@@ -40,7 +40,7 @@ jobs:
           path: |
             node_modules
             packages/**/node_modules
-          key: node-modules-${{ hashFiles('package.json', '**/yarn.lock') }}
+          key: node-modules-${{ hashFiles('package.json', 'yarn.lock', '**/yarn.lock') }}
       - name: Install dependencies
         if: steps.cache-node-modules.outputs.cache-hit != 'true'
         run: yarn install --frozen-lockfile
@@ -130,7 +130,7 @@ jobs:
           path: |
             node_modules
             packages/**/node_modules
-          key: node-modules-${{ hashFiles('package.json', '**/yarn.lock') }}
+          key: node-modules-${{ hashFiles('package.json', 'yarn.lock', '**/yarn.lock') }}
       - name: Optionally Install Node Modules
         if: steps.cache-node-modules.outputs.cache-hit != 'true'
         run: yarn install --frozen-lockfile

packages/cdk/lib/MicroApps.ts

@@ -251,6 +251,9 @@ export class MicroAppsStack extends Stack {
         removalPolicy,
       });
 
+      const appVersion = (demoApp.lambdaFunction as lambda.Function).currentVersion;
+      appVersion.applyRemovalPolicy(RemovalPolicy.RETAIN);
+
       new CfnOutput(this, 'demo-app-func-name', {
         value: `${demoApp.lambdaFunction.functionName}`,
         exportName: `${this.stackName}-demo-app-func-name`,
@@ -266,6 +269,7 @@ export class MicroAppsStack extends Stack {
       });
 
       const appVersion = (app.lambdaFunction as lambda.Function).currentVersion;
+      appVersion.applyRemovalPolicy(RemovalPolicy.RETAIN);
 
       new CfnOutput(this, 'release-app-func-name', {
         value: `${app.lambdaFunction.functionName}`,
@@ -288,6 +292,7 @@ export class MicroAppsStack extends Stack {
       });
 
       const appVersion = (app.lambdaFunction as lambda.Function).currentVersion;
+      appVersion.applyRemovalPolicy(RemovalPolicy.RETAIN);
 
       new CfnOutput(this, 'nextjs-demo-app-func-name', {
         value: `${app.lambdaFunction.functionName}`,

packages/microapps-cdk/API.md

@@ -1479,6 +1479,17 @@ Optional asset name suffix.
 
 ---
 
+##### `deployerTimeout`<sup>Optional</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsSvcsProps.deployerTimeout"></a>
+
+- *Type:* [`aws-cdk-lib.Duration`](#aws-cdk-lib.Duration)
+- *Default:* 2 minutes
+
+Deployer timeout.
+
+For larger applications this needs to be set up to 2-5 minutes for the S3 copy
+
+---
+
 ##### `httpApi`<sup>Optional</sup> <a name="@pwrdrvr/microapps-cdk.MicroAppsSvcsProps.httpApi"></a>
 
 - *Type:* [`@aws-cdk/aws-apigatewayv2-alpha.HttpApi`](#@aws-cdk/aws-apigatewayv2-alpha.HttpApi)
@@ -1503,7 +1514,7 @@ Note: if set to DESTROY the S3 buckes will have `autoDeleteObjects` set to `true
 - *Type:* `boolean`
 - *Default:* true
 
-Require IAM auth on API Gateway.
+Require IAM auth on API Gateway and Lambda Function URLs.
 
 ---
 

packages/microapps-cdk/src/MicroAppsChildDeployer.ts

@@ -0,0 +1,161 @@
+import { existsSync } from 'fs';
+import * as path from 'path';
+import { Aws, Duration, RemovalPolicy } from 'aws-cdk-lib';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as lambdaNodejs from 'aws-cdk-lib/aws-lambda-nodejs';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import { Construct } from 'constructs';
+
+/**
+ * Properties to initialize an instance of `MicroAppsChildDeployer`.
+ */
+export interface MicroAppsChildDeployerProps {
+  /**
+   * ARN of the parent Deployer Lambda Function
+   */
+  readonly parentDeployerLambdaARN: string;
+
+  /**
+   * RemovalPolicy override for child resources
+   *
+   * Note: if set to DESTROY the S3 buckes will have `autoDeleteObjects` set to `true`
+   *
+   * @default - per resource default
+   */
+  readonly removalPolicy?: RemovalPolicy;
+
+  /**
+   * Application environment, passed as `NODE_ENV`
+   * to the Router and Deployer Lambda functions
+   */
+  readonly appEnv: string;
+
+  /**
+   * Optional asset name root
+   *
+   * @example microapps
+   * @default - resource names auto assigned
+   */
+  readonly assetNameRoot?: string;
+
+  /**
+   * Optional asset name suffix
+   *
+   * @example -dev-pr-12
+   * @default none
+   */
+  readonly assetNameSuffix?: string;
+
+  /**
+   * Deployer timeout
+   *
+   * For larger applications this needs to be set up to 2-5 minutes for the S3 copy
+   *
+   * @default 2 minutes
+   */
+  readonly deployerTimeout?: Duration;
+}
+
+/**
+ * Represents a MicroApps Child Deployer
+ */
+export interface IMicroAppsChildDeployer {
+  /**
+   * Lambda function for the Deployer
+   */
+  readonly deployerFunc: lambda.IFunction;
+}
+
+/**
+ * Create a new MicroApps Child Deployer construct.
+ */
+export class MicroAppsChildDeployer extends Construct implements IMicroAppsChildDeployer {
+  private _deployerFunc: lambda.Function;
+  public get deployerFunc(): lambda.IFunction {
+    return this._deployerFunc;
+  }
+
+  constructor(scope: Construct, id: string, props?: MicroAppsChildDeployerProps) {
+    super(scope, id);
+
+    if (props === undefined) {
+      throw new Error('props cannot be undefined');
+    }
+
+    const {
+      appEnv,
+      deployerTimeout = Duration.minutes(2),
+      assetNameRoot,
+      assetNameSuffix,
+      removalPolicy,
+      parentDeployerLambdaARN,
+    } = props;
+
+    //
+    // Deployer Lambda Function
+    //
+
+    // Create Deployer Lambda Function
+    const deployerFuncName = assetNameRoot
+      ? `${assetNameRoot}-deployer${assetNameSuffix}`
+      : undefined;
+    const deployerFuncProps: Omit<lambda.FunctionProps, 'handler' | 'code'> = {
+      functionName: deployerFuncName,
+      memorySize: 1769,
+      logRetention: logs.RetentionDays.ONE_MONTH,
+      runtime: lambda.Runtime.NODEJS_16_X,
+      timeout: deployerTimeout,
+      environment: {
+        NODE_ENV: appEnv,
+        AWS_NODEJS_CONNECTION_REUSE_ENABLED: '1',
+        PARENT_DEPLOYER_LAMBDA_ARN: parentDeployerLambdaARN,
+      },
+    };
+    if (
+      process.env.NODE_ENV === 'test' &&
+      existsSync(path.join(__dirname, '..', '..', 'microapps-deployer', 'dist', 'index.js'))
+    ) {
+      // This is for local dev
+      this._deployerFunc = new lambda.Function(this, 'deployer-func', {
+        code: lambda.Code.fromAsset(path.join(__dirname, '..', '..', 'microapps-deployer', 'dist')),
+        handler: 'index.handler',
+        ...deployerFuncProps,
+      });
+    } else if (existsSync(path.join(__dirname, 'microapps-deployer', 'index.js'))) {
+      // This is for built apps packaged with the CDK construct
+      this._deployerFunc = new lambda.Function(this, 'deployer-func', {
+        code: lambda.Code.fromAsset(path.join(__dirname, 'microapps-deployer')),
+        handler: 'index.handler',
+        ...deployerFuncProps,
+      });
+    } else {
+      this._deployerFunc = new lambdaNodejs.NodejsFunction(this, 'deployer-func', {
+        entry: path.join(__dirname, '..', '..', 'microapps-deployer', 'src', 'index.ts'),
+        handler: 'handler',
+        bundling: {
+          minify: true,
+          sourceMap: true,
+        },
+        ...deployerFuncProps,
+      });
+    }
+    if (removalPolicy !== undefined) {
+      this._deployerFunc.applyRemovalPolicy(removalPolicy);
+    }
+
+    // Grant full control over lambdas that indicate they are microapps
+    const policyAPIManageLambdas = new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: ['lambda:*'],
+      resources: [
+        `arn:aws:lambda:${Aws.REGION}:${Aws.ACCOUNT_ID}:function:*`,
+        `arn:aws:lambda:${Aws.REGION}:${Aws.ACCOUNT_ID}:function:*:*`,
+      ],
+      conditions: {
+        StringEquals: { 'aws:ResourceTag/microapp-managed': 'true' },
+      },
+    });
+    this._deployerFunc.addToRolePolicy(policyAPIManageLambdas);
+  }
+}

packages/microapps-cdk/src/MicroAppsSvcs.ts

@@ -3,7 +3,7 @@ import * as path from 'path';
 import * as apigwy from '@aws-cdk/aws-apigatewayv2-alpha';
 import * as apigwyAuth from '@aws-cdk/aws-apigatewayv2-authorizers-alpha';
 import * as apigwyint from '@aws-cdk/aws-apigatewayv2-integrations-alpha';
-import { Aws, Duration, PhysicalName, RemovalPolicy, Stack } from 'aws-cdk-lib';
+import { Aws, Duration, PhysicalName, RemovalPolicy, Stack, Tags } from 'aws-cdk-lib';
 import * as cf from 'aws-cdk-lib/aws-cloudfront';
 import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
 import * as iam from 'aws-cdk-lib/aws-iam';
@@ -148,7 +148,7 @@ export interface MicroAppsSvcsProps {
   readonly rootPathPrefix?: string;
 
   /**
-   * Require IAM auth on API Gateway
+   * Require IAM auth on API Gateway and Lambda Function URLs
    *
    * @default true
    */
@@ -169,6 +169,15 @@ export interface MicroAppsSvcsProps {
    * @default created by construct
    */
   readonly table?: dynamodb.ITable;
+
+  /**
+   * Deployer timeout
+   *
+   * For larger applications this needs to be set up to 2-5 minutes for the S3 copy
+   *
+   * @default 2 minutes
+   */
+  readonly deployerTimeout?: Duration;
 }
 
 /**
@@ -223,6 +232,7 @@ export class MicroAppsSvcs extends Construct implements IMicroAppsSvcs {
       bucketApps,
       bucketAppsOAI,
       bucketAppsStaging,
+      deployerTimeout = Duration.minutes(2),
       s3PolicyBypassAROAs = [],
       s3PolicyBypassPrincipalARNs = [],
       s3StrictBucketPolicy = false,
@@ -284,7 +294,7 @@ export class MicroAppsSvcs extends Construct implements IMicroAppsSvcs {
       memorySize: 1769,
       logRetention: logs.RetentionDays.ONE_MONTH,
       runtime: lambda.Runtime.NODEJS_16_X,
-      timeout: Duration.seconds(15),
+      timeout: deployerTimeout,
       environment: {
         NODE_ENV: appEnv,
         ...(httpApi ? { APIGWY_ID: httpApi.httpApiId } : {}),
@@ -331,8 +341,11 @@ export class MicroAppsSvcs extends Construct implements IMicroAppsSvcs {
     this._table.grantReadWriteData(this._deployerFunc);
     this._table.grant(this._deployerFunc, 'dynamodb:DescribeTable');
 
+    // Add Tags to Deployer
+    Tags.of(this._deployerFunc).add('microapps-deployer', 'true');
+
     //
-    // Deloyer upload temp role
+    // Deployer upload temp role
     // Deployer assumes this role with a limited policy to generate
     // an STS temp token to return to microapps-publish for the upload.
     //