Merge pull request #216 from umihico/2024-02-17T2113/fix

Fix urls with CI updates

Author: umihico

.github/workflows/.terraform.lock.hcl

@@ -7,15 +7,23 @@ on:
     branches:
       - feat/github-actions
 
+concurrency:
+  group: deploy-prod-stack
+
 jobs:
   auto-update:
     runs-on: ubuntu-latest
-
+    env:
+      AWS_REGION: ap-northeast-1
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ env.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
       - name: Install serverless
         run: npm install -g serverless
       - name: Note docker image digest
@@ -44,13 +52,9 @@ jobs:
           SHA256_DIGEST=${{ steps.docker-image-digest.outputs.SHA256_DIGEST }}
           CHROME_VERSION=${{ steps.chrome-versions.outputs.CHROME_VERSION }}
           SELENIUM_VERSION=${{ steps.selenium-version.outputs.SELENIUM_VERSION }}
-          sed -r "s/public.ecr.aws\/lambda\/python[:@a-z0-9]+/public.ecr.aws\/lambda\/python\@sha256\:${SHA256_DIGEST}/g; s/chrome-for-testing\/[0-9.]+/chrome-for-testing\/${CHROME_VERSION}/g; s/selenium==[0-9\.]*/selenium==${SELENIUM_VERSION}/g" -i Dockerfile
+          sed -r "s/public.ecr.aws\/lambda\/python[:@a-z0-9]+/public.ecr.aws\/lambda\/python\@sha256\:${SHA256_DIGEST}/g; s/chrome-for-testing-public\/[0-9.]+/chrome-for-testing-public\/${CHROME_VERSION}/g; s/selenium==[0-9\.]*/selenium==${SELENIUM_VERSION}/g" -i Dockerfile
       - name: Deploy
         run: sls deploy
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
       - name: Note chrome version
         id: chrome-version
         run: |
@@ -64,10 +68,6 @@ jobs:
       - name: Invoke
         id: invoke
         run: sls invoke -f demo > /tmp/scraping-result.txt
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
       - name: Archive result
         uses: actions/upload-artifact@v3
         if: ${{ !env.ACT }}

.github/workflows/auto-update.yml

@@ -0,0 +1,33 @@
+name: check
+
+on:
+  - push
+
+permissions:
+  id-token: write
+  contents: read
+
+concurrency:
+  group: deploy-prod-stack
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    env:
+      AWS_REGION: ap-northeast-1
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ env.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+      - name: Install Serverless Framework
+        run: npm install -g serverless
+      - name: Wait for CloudFormation stack to be updated
+        run: aws cloudformation wait stack-update-complete --stack-name="docker-selenium-lambda-prod" || true
+      - name: Deploy
+        run: sls deploy
+      - name: Invoke
+        run: sls invoke --function demo |& tee /tmp/scraping-result.txt
+      - name: Check
+        run: cat /tmp/scraping-result.txt | grep -q "This domain is for use in illustrative examples in documents"

.github/workflows/check.yml

@@ -8,19 +8,23 @@ on:
     branches:
       - feat/github-actions**
 
+concurrency:
+  group: deploy-prod-stack
+
 jobs:
   demo-test:
     runs-on: ubuntu-latest
-
+    env:
+      AWS_REGION: ap-northeast-1
     steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ env.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
       - name: Demo README's instructions
         run: |
           npm install -g serverless
           sls create --template-url "https://github.com/umihico/docker-selenium-lambda/tree/main" --path docker-selenium-lambda && cd $_
           sls deploy
           sls invoke --function demo |& tee /tmp/scraping-result.txt
           cat /tmp/scraping-result.txt | grep -q "This domain is for use in illustrative examples in documents"
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}

.github/workflows/demo-test.yml

@@ -0,0 +1,46 @@
+terraform {
+  backend "local" {
+    path = ".terraform/oidc/terraform.tfstate"
+  }
+}
+
+provider "aws" {
+  region = "ap-northeast-1"
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_openid_connect_provider" "github_actions" {
+  arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
+}
+
+resource "aws_iam_role" "github_actions" {
+  name = "github-actions-docker-selenium-lambda"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = "sts:AssumeRoleWithWebIdentity"
+      Principal = {
+        Federated = data.aws_iam_openid_connect_provider.github_actions.arn
+      }
+      Condition = {
+        StringLike = {
+          "token.actions.githubusercontent.com:sub" = [
+            "repo:umihico/docker-selenium-lambda:*"
+          ]
+        }
+      }
+    }]
+  })
+  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+}
+
+output "aws_iam_openid_connect_provider" {
+  value = data.aws_iam_openid_connect_provider.github_actions.arn
+}
+
+output "aws_iam_role" {
+  # gh secret set AWS_ROLE_ARN
+  value = aws_iam_role.github_actions.arn
+}

.github/workflows/oidc.tf

@@ -1,7 +1,7 @@
 FROM public.ecr.aws/lambda/python@sha256:c95e0a2af8bd2bb58e9de147305d30a6e8e598200ef4a2e9a06d14a4934fb204 as build
 RUN dnf install -y unzip && \
-    curl -Lo "/tmp/chromedriver-linux64.zip" "https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/121.0.6167.85/linux64/chromedriver-linux64.zip" && \
-    curl -Lo "/tmp/chrome-linux64.zip" "https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/121.0.6167.85/linux64/chrome-linux64.zip" && \
+    curl -Lo "/tmp/chromedriver-linux64.zip" "https://storage.googleapis.com/chrome-for-testing-public/121.0.6167.85/linux64/chromedriver-linux64.zip" && \
+    curl -Lo "/tmp/chrome-linux64.zip" "https://storage.googleapis.com/chrome-for-testing-public/121.0.6167.85/linux64/chrome-linux64.zip" && \
     unzip /tmp/chromedriver-linux64.zip -d /opt/ && \
     unzip /tmp/chrome-linux64.zip -d /opt/