Add AWS Lambda deployment infrastructure with GitHub Actions OIDC

Author: hellosunghyun

.github/workflows/deploy-lambda.yml

@@ -0,0 +1,170 @@
+name: Deploy to AWS Lambda
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to deploy to'
+        required: true
+        default: 'dev'
+        type: choice
+        options:
+          - dev
+          - staging
+          - prod
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  AWS_REGION: ap-northeast-2
+  ECR_REPOSITORY: invidious-api-lambda
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    
+    strategy:
+      matrix:
+        include:
+          - environment: dev
+            branch: develop
+          - environment: prod
+            branch: main
+    
+    # Only run the matrix job if the branch matches
+    if: |
+      (github.event_name == 'workflow_dispatch') ||
+      (github.event_name == 'push' && github.ref_name == matrix.branch) ||
+      (github.event_name == 'pull_request')
+    
+    environment: ${{ matrix.environment }}
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Need full history for git versioning
+      
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: github-actions-${{ github.run_id }}
+          aws-region: ${{ env.AWS_REGION }}
+      
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      
+      - name: Generate image metadata
+        id: meta
+        run: |
+          # Generate version tag
+          VERSION=$(git describe --tags --always --dirty)
+          TIMESTAMP=$(date +%Y%m%d%H%M%S)
+          
+          # Set image tags
+          if [ "${{ matrix.environment }}" == "prod" ]; then
+            TAGS="${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:latest"
+            TAGS="$TAGS,${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:$VERSION"
+            TAGS="$TAGS,${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:prod-$TIMESTAMP"
+          else
+            TAGS="${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ matrix.environment }}"
+            TAGS="$TAGS,${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ matrix.environment }}-$VERSION"
+            TAGS="$TAGS,${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ matrix.environment }}-$TIMESTAMP"
+          fi
+          
+          echo "tags=$TAGS" >> $GITHUB_OUTPUT
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "timestamp=$TIMESTAMP" >> $GITHUB_OUTPUT
+      
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile.lambda
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_DATE=${{ steps.meta.outputs.timestamp }}
+            VERSION=${{ steps.meta.outputs.version }}
+      
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.5.0"
+      
+      - name: Terraform Init
+        working-directory: terraform
+        run: |
+          terraform init \
+            -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}" \
+            -backend-config="key=${{ matrix.environment }}/invidious-lambda/terraform.tfstate" \
+            -backend-config="region=${{ env.AWS_REGION }}" \
+            -backend-config="dynamodb_table=${{ secrets.TERRAFORM_STATE_LOCK_TABLE }}"
+      
+      - name: Terraform Plan
+        working-directory: terraform
+        run: |
+          terraform plan \
+            -var="environment=${{ matrix.environment }}" \
+            -var="image_tag=${{ matrix.environment }}-${{ steps.meta.outputs.version }}" \
+            -var="aws_region=${{ env.AWS_REGION }}" \
+            -out=tfplan
+      
+      - name: Terraform Apply
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        working-directory: terraform
+        run: |
+          terraform apply -auto-approve tfplan
+      
+      - name: Update Lambda function
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        run: |
+          # Get the latest image URI
+          IMAGE_URI="${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ matrix.environment }}-${{ steps.meta.outputs.version }}"
+          
+          # Update Lambda function with new image
+          aws lambda update-function-code \
+            --function-name invidious-api-${{ matrix.environment }} \
+            --image-uri $IMAGE_URI \
+            --region ${{ env.AWS_REGION }}
+          
+          # Wait for update to complete
+          aws lambda wait function-updated \
+            --function-name invidious-api-${{ matrix.environment }} \
+            --region ${{ env.AWS_REGION }}
+      
+      - name: Get deployment info
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        working-directory: terraform
+        run: |
+          echo "## Deployment Summary" >> $GITHUB_STEP_SUMMARY
+          echo "- **Environment**: ${{ matrix.environment }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Version**: ${{ steps.meta.outputs.version }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Timestamp**: ${{ steps.meta.outputs.timestamp }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Endpoints" >> $GITHUB_STEP_SUMMARY
+          echo "- **API Gateway**: $(terraform output -raw api_endpoint)" >> $GITHUB_STEP_SUMMARY
+          if [ "$(terraform output -raw function_url)" != "null" ]; then
+            echo "- **Function URL**: $(terraform output -raw function_url)" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Resources" >> $GITHUB_STEP_SUMMARY
+          echo "- **Lambda Function**: $(terraform output -raw lambda_function_name)" >> $GITHUB_STEP_SUMMARY
+          echo "- **CloudWatch Logs**: [View Logs](https://console.aws.amazon.com/cloudwatch/home?region=${{ env.AWS_REGION }}#logsV2:log-groups/log-group/$(terraform output -raw cloudwatch_log_group))" >> $GITHUB_STEP_SUMMARY

Makefile

@@ -81,12 +81,29 @@ verify:
 # TODO
 
 
+# -----------------------
+#  Lambda
+# -----------------------
+
+lambda-build:
+	./scripts/build-lambda.sh
+
+lambda-build-push:
+	./scripts/build-lambda.sh --push --ecr-repo $(ECR_REPO)
+
+lambda-local:
+	crystal build src/lambda_handler.cr -o bin/bootstrap \
+	  --release --static --no-debug \
+	  -Dapi_only -Dskip_videojs_download
+
+
 # -----------------------
 #  Cleaning
 # -----------------------
 
 clean:
-	rm invidious
+	rm -f invidious
+	rm -f bin/bootstrap
 
 distclean: clean
 	rm -rf libs
@@ -109,6 +126,10 @@ help:
 	@echo "  verify           Just make sure that the code compiles, but without"
 	@echo "                   generating any binaries. Useful to search for errors"
 	@echo ""
+	@echo "  lambda-build     Build Docker image for AWS Lambda"
+	@echo "  lambda-build-push Build and push to ECR (requires ECR_REPO)"
+	@echo "  lambda-local     Build Lambda binary locally"
+	@echo ""
 	@echo "  clean            Remove build artifacts"
 	@echo "  distclean        Remove build artifacts and libraries"
 	@echo ""
@@ -126,3 +147,4 @@ help:
 # No targets generates an output named after themselves
 .PHONY: all get-libs build amd64 run
 .PHONY: format test verify clean distclean help
+.PHONY: lambda-build lambda-build-push lambda-local

config/lambda.example.yml

@@ -0,0 +1,85 @@
+# Lambda deployment configuration example
+# This configuration is optimized for AWS Lambda API-only mode
+
+# No database configuration needed for API-only mode
+# The application will use stub implementations
+
+##
+## Server config
+##
+# Lambda handles the network binding, so these are not used
+# but kept for compatibility
+host_binding: 0.0.0.0
+port: 3000
+
+##
+## Logging
+##
+log_level: Info
+colorize_logs: false  # Disable color codes in CloudWatch logs
+
+##
+## Features
+##
+# These features require database/frontend, so they're disabled
+channel_threads: 0
+feed_threads: 0
+popular_enabled: false
+statistics_enabled: false
+login_enabled: false
+registration_enabled: false
+enable_user_notifications: false
+
+##
+## External services
+##
+# Signature server for YouTube playback (required for some videos)
+# Example: https://your-signature-server.example.com
+signature_server:
+
+##
+## Video player behavior
+##
+default_user_preferences:
+  autoplay: false
+  continue: false
+  listen: false
+  local: false
+  speed: 1.0
+  quality: hd720
+  quality_dash: auto
+  volume: 100
+  vr_mode: true
+  
+##
+## API settings
+##
+# CORS is handled by API Gateway, but these can be used as fallback
+disable_proxy: false
+force_resolve: ipv4  # Lambda doesn't support IPv6
+
+##
+## Pool size (not used in Lambda, but required)
+##
+pool_size: 1
+
+##
+## HMAC key for secure operations
+##
+# Generate with: pwgen 20 1
+hmac_key: "CHANGE_ME_CHANGE_ME_"
+
+##
+## Domain configuration (optional)
+##
+# domain:
+# external_port:
+# https_only: false
+
+##
+## Miscellaneous
+##
+use_pubsub_feeds: false
+use_innertube_for_captions: false
+modified_source_code_url: ""
+cache_annotations: false

docker/Dockerfile.lambda

@@ -0,0 +1,59 @@
+# AWS Lambda Dockerfile for Invidious API-only mode
+# This creates a container image compatible with AWS Lambda runtime
+
+# Build stage
+FROM crystallang/crystal:1.16.3-alpine AS builder
+
+# Install build dependencies
+RUN apk add --no-cache \
+    sqlite-static \
+    yaml-static \
+    libevent-static \
+    pcre-static \
+    pcre2-static \
+    gc-static \
+    zlib-static \
+    xz-static \
+    libxml2-static
+
+WORKDIR /invidious
+
+# Copy dependency files first for better caching
+COPY ./shard.yml ./shard.yml
+COPY ./shard.lock ./shard.lock
+
+# Install Crystal dependencies
+RUN shards install --production
+
+# Copy source code
+COPY ./src/ ./src/
+
+# Copy git directory for version information
+COPY ./.git/ ./.git/
+
+# Build the Lambda handler as 'bootstrap' (required name for custom runtime)
+RUN crystal build ./src/lambda_handler.cr \
+    -o bootstrap \
+    --release \
+    --static \
+    --no-debug \
+    -Dapi_only \
+    -Dskip_videojs_download \
+    --link-flags "-lxml2 -llzma -lz -lpcre -lpcre2-8 -levent -lgc"
+
+# Runtime stage - using AWS Lambda provided base image
+FROM public.ecr.aws/lambda/provided:al2023
+
+# Copy the built binary
+COPY --from=builder /invidious/bootstrap ${LAMBDA_RUNTIME_DIR}/
+
+# Copy configuration files and locales
+COPY ./config/config.example.yml ${LAMBDA_TASK_ROOT}/config/config.yml
+COPY ./locales/ ${LAMBDA_TASK_ROOT}/locales/
+
+# Set proper permissions
+RUN chmod 755 ${LAMBDA_RUNTIME_DIR}/bootstrap
+
+# Lambda will automatically execute the 'bootstrap' binary
+ENTRYPOINT ["/lambda-entrypoint.sh"]
+CMD ["bootstrap"]