use the new deployment and lambda method

.github/workflows/deploy-dev.yml

@@ -0,0 +1,82 @@
+name: Deploy all resources to DEV
+run-name: DEV deploy - @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+jobs:
+  test-unit:
+    runs-on: ubuntu-latest
+    name: Run Unit Tests
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python 3.11 for testing
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+      - name: Run unit testing
+        run: make test_unit
+  deploy-dev:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.event.repository.name }}-dev
+      cancel-in-progress: false
+    environment: "AWS DEV"
+    name: Deploy to AWS DEV
+    needs:
+      - test-unit
+    steps:
+      - uses: actions/checkout@v3
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+      - run: make deploy_dev
+  test:
+    runs-on: ubuntu-latest
+    name: Run Live Integration Tests
+    needs:
+      - deploy
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python 3.11 for testing
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+      - name: Run live testing
+        run: make test_live_integration
+  deploy-aws-prod:
+    runs-on: ubuntu-latest
+    name: Deploy to AWS PROD
+    concurrency:
+      group: ${{ github.event.repository.name }}-prod
+      cancel-in-progress: false
+    needs:
+      - test
+      - deploy-dev
+    environment: "AWS PROD"
+    steps:
+      - uses: actions/checkout@v3
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+      - run: make deploy_prod
+  health-check-prod:
+    runs-on: ubuntu-latest
+    name: Confirm services healthy
+    needs:
+      - deploy-aws-prod
+    steps:
+      - name: Call the health check script
+        run: make prod_health_check

.github/workflows/deploy-prod.yml

@@ -0,0 +1,53 @@
+name: Deploy all resources to DEV/PROD
+run-name: PROD deploy - @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+jobs:
+  test-unit:
+    runs-on: ubuntu-latest
+    name: Run Unit Tests
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python 3.11 for testing
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+      - name: Run unit testing
+        run: make test_unit
+  deploy:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.event.repository.name }}-dev
+      cancel-in-progress: false
+    environment: "AWS DEV"
+    name: Deploy to AWS DEV
+    needs:
+      - test-unit
+    steps:
+      - uses: actions/checkout@v3
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+      - run: make deploy_dev
+  test:
+    runs-on: ubuntu-latest
+    name: Run Live Integration Tests
+    needs:
+      - deploy
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python 3.11 for testing
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+      - name: Run live testing
+        run: make test_live_integration

Makefile

@@ -0,0 +1,67 @@
+run_env = ParameterKey=RunEnvironment,ParameterValue
+set_application_prefix = ParameterKey=ApplicationPrefix,ParameterValue
+set_application_name = ParameterKey=ApplicationFriendlyName,ParameterValue
+
+prod_aws_account = 298118738376
+dev_aws_account = 427040638965
+
+src_directory_root = src/
+integration_test_directory_root = tests/live_integration
+
+# CHANGE ME (as needed)
+application_key=infra-membership-api
+application_name="MembershipApi"
+techlead="[email protected]"
+region="us-east-1"
+
+# DO NOT CHANGE
+common_params = --no-confirm-changeset \
+                --no-fail-on-empty-changeset \
+                --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
+                --region $(region) \
+                --stack-name $(application_key) \
+				--tags "project=$(application_key)" "techlead=$(techlead)" \
+				--s3-prefix $(application_key) \
+				--resolve-s3
+
+check_account_prod:
+	@aws_account_id=$$(aws sts get-caller-identity --query Account --output text); \
+	if [ "$$aws_account_id" != "$(prod_aws_account)" ]; then \
+		echo "Error: running in incorrect account $$aws_account_id, expected account ID $(prod_aws_account)"; \
+		exit 1; \
+	fi
+check_account_dev:
+	@aws_account_id=$$(aws sts get-caller-identity --query Account --output text); \
+	if [ "$$aws_account_id" != "$(dev_aws_account)" ]; then \
+		echo "Error: running in incorrect account $$aws_account_id, expected account ID $(dev_aws_account)"; \
+		exit 1; \
+	fi
+
+build:
+	sam build --template-file cloudformation/main.yml
+
+local:
+	sam local start-api --env-vars local.env.json --warm-containers EAGER
+
+deploy_prod: check_account_prod build 
+	aws sts get-caller-identity --query Account --output text
+	sam deploy $(common_params) --parameter-overrides $(run_env)=prod $(set_application_prefix)=$(application_key) $(set_application_name)="$(application_name)"
+
+deploy_dev: check_account_dev build
+	sam deploy $(common_params) --parameter-overrides $(run_env)=dev $(set_application_prefix)=$(application_key) $(set_application_name)="$(application_name)"
+
+install_test_deps:
+	pip install -r $(integration_test_directory_root)/requirements.txt
+	pip install -r $(src_directory_root)/requirements-testing.txt
+
+test_live_integration: install_test_deps
+	APPLICATION_KEY=$(application_key) pytest -rP $(integration_test_directory_root)
+
+test_unit: install_test_deps
+	APPLICATION_KEY=$(application_key) pytest -rP $(src_directory_root)
+
+dev_health_check:
+	curl -f https://$(application_key).aws.qa.acmuiuc.org/api/v1/healthz
+
+prod_health_check:
+	curl -f https://$(application_key).aws.acmuiuc.org/api/v1/healthz

cloudformation/iam.yml

@@ -0,0 +1,110 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: ACM Membership API - IAM roles
+Transform: AWS::Serverless-2016-10-31
+Parameters:
+  LambdaFunctionName:
+    Type: String
+    AllowedPattern: ^[a-zA-Z0-9]+[a-zA-Z0-9-]+[a-zA-Z0-9]+$
+  AuthLambdaFunctionName:
+    Default: undefined
+    Type: String
+    AllowedPattern: ^[a-zA-Z0-9]+[a-zA-Z0-9-]+[a-zA-Z0-9]+$
+Conditions:
+  AuthorizerFunctionEnabled:
+    Fn::Not:
+    - Fn::Equals:
+      - Ref: AuthLambdaFunctionName
+      - undefined
+Resources:
+  AuthLambdaIAMRole:
+    Condition: AuthorizerFunctionEnabled
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Action:
+          - sts:AssumeRole
+          Effect: Allow
+          Principal:
+            Service:
+            - lambda.amazonaws.com
+            - apigateway.amazonaws.com
+      Policies:
+      - PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Action:
+            - logs:CreateLogGroup
+            - logs:CreateLogStream
+            - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+            - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${AuthLambdaFunctionName}:*
+        PolicyName: lambda
+  ApiLambdaIAMRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Action:
+          - sts:AssumeRole
+          Effect: Allow
+          Principal:
+            Service:
+            - lambda.amazonaws.com
+      Policies:
+      - PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Action:
+            - logs:CreateLogGroup
+            - logs:CreateLogStream
+            - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+            - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${LambdaFunctionName}:*
+          - Effect: Allow
+            Action:
+            - ec2:CreateNetworkInterface
+            - ec2:DescribeNetworkInterfaces
+            - ec2:DeleteNetworkInterface
+            - ec2:DescribeSubnets
+            - ec2:AssignPrivateIpAddresses
+            - ec2:UnassignPrivateIpAddresses
+            Resource: '*'
+        PolicyName: lambda
+      - PolicyDocument:
+          Version: 2012-10-17
+          Statement:
+            - Action:
+                - secretsmanager:GetSecretValue
+              Effect: Allow
+              Resource:
+                - !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-membership-api-secrets*
+        PolicyName: lambda-secret
+      - PolicyDocument:
+          Version: 2012-10-17
+          Statement:
+            - Action:
+                - dynamodb:*
+              Effect: Allow
+              Resource:
+                - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-membership-api-cache
+                - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-membership-api-external-lists
+        PolicyName: lambda-dynamo
+Outputs:
+  MainFunctionRoleArn:
+    Description: Main API IAM role ARN
+    Value:
+      Fn::GetAtt:
+      - ApiLambdaIAMRole
+      - Arn
+  AuthFunctionRoleArn:
+    Condition: AuthorizerFunctionEnabled
+    Description: Authorizer lambda IAM role ARN
+    Value:
+      Fn::GetAtt:
+      - AuthLambdaIAMRole
+      - Arn