intermediate source code archive to check for changes (#30)

* intermediate source code archive to check for changes
* introduce caching of built python modules
* arbitrary change to lambda source code for testing cache keys in the pipeline
* giving var a proper name hoping to pass static analysis
* moved python builds to "data" type (from "resource")
* build when build files are absent
* adding cache to rsa public crl workflow as well, and update cache action version

.github/workflows/ecdsa_default.yml

@@ -72,6 +72,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python 3.12
+        id: setup_python
         uses: actions/setup-python@v5
         with:
           python-version: '3.12'
@@ -90,11 +91,17 @@ jobs:
 
       - name: Terraform initialise
         run: >
-          terraform init 
-          -backend-config=bucket=${{ secrets.TERRAFORM_STATE_BUCKET}} 
-          -backend-config=key=${{ secrets.TERRAFORM_STATE_KEY}} 
+          terraform init
+          -backend-config=bucket=${{ secrets.TERRAFORM_STATE_BUCKET}}
+          -backend-config=key=${{ secrets.TERRAFORM_STATE_KEY}}
           -backend-config=region=${{ secrets.TERRAFORM_STATE_REGION}}
 
+      - name: cache built python modules
+        uses: actions/cache@v4
+        with:
+          key: modules_terraform-aws-ca-lambda_build_${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**') }}_py${{ steps.setup_python.outputs.python-version }}
+          path: ./modules/terraform-aws-ca-lambda/build
+
       - name: terraform plan
         run: terraform plan -out tfplan
 
@@ -135,7 +142,7 @@ jobs:
 
       - name: Delete all DynamoDB items
         run: |
-          python tests/scripts/delete_db_table_items.py        
+          python tests/scripts/delete_db_table_items.py
 
   start_ca:
     name: Start CA
@@ -180,7 +187,7 @@ jobs:
       id-token: write
       contents: read
       checks: write
-        
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/rsa_public_crl.yml

@@ -76,6 +76,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python 3.12
+        id: setup_python
         uses: actions/setup-python@v5
         with:
           python-version: '3.12'
@@ -94,11 +95,17 @@ jobs:
 
       - name: Terraform initialise
         run: >
-          terraform init 
-          -backend-config=bucket=${{ secrets.RSA_TERRAFORM_STATE_BUCKET}} 
-          -backend-config=key=${{ secrets.TERRAFORM_STATE_KEY}} 
+          terraform init
+          -backend-config=bucket=${{ secrets.RSA_TERRAFORM_STATE_BUCKET}}
+          -backend-config=key=${{ secrets.TERRAFORM_STATE_KEY}}
           -backend-config=region=${{ secrets.TERRAFORM_STATE_REGION}}
 
+      - name: cache built python modules
+        uses: actions/cache@v4
+        with:
+          key: modules_terraform-aws-ca-lambda_build_${{ hashFiles('./modules/terraform-aws-ca-lambda/lambda_code/**') }}_py${{ steps.setup_python.outputs.python-version }}
+          path: ./modules/terraform-aws-ca-lambda/build
+
       - name: terraform plan
         run: terraform plan -out tfplan
 
@@ -175,7 +182,7 @@ jobs:
       - name: Start CA
         run: |
           python tests/scripts/start_ca_step_function.py
-  
+
   integration_tests:
     name: Integration Tests
     runs-on: ubuntu-latest
@@ -184,7 +191,7 @@ jobs:
       id-token: write
       contents: read
       checks: write
-        
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -203,7 +210,7 @@ jobs:
         with:
           role-to-assume: ${{ secrets.RSA_AWS_DEPLOY_ROLE_ARN}}
           aws-region: ${{ secrets.AWS_REGION }}
-          
+
       - name: Integration tests
         run: |
           pytest -v tests

modules/terraform-aws-ca-lambda/main.tf

@@ -1,6 +1,9 @@
 resource "null_resource" "install_python_dependencies" {
   triggers = {
-    always_run = timestamp()
+    source_archive_checksum = data.archive_file.lambda_source.output_base64sha256
+
+    # static value (true) if present, variable value (timestamp()) when not present. (so the 'false' state isn't static and forces a build by change of state whenever so. a static false value doesn't force change of state.)
+    build_already_present = fileexists("${path.module}/build/${local.file_name}/__init__.py") ? true : timestamp()
   }
 
   provisioner "local-exec" {
@@ -19,16 +22,22 @@ resource "null_resource" "install_python_dependencies" {
   }
 }
 
+data "archive_file" "lambda_source" {
+  type        = "zip"
+  source_dir  = "${path.module}/lambda_code/${local.file_name}"
+  output_path = "${path.module}/archive/${local.file_name}.src.zip"
+}
+
 data "archive_file" "lambda_zip" {
   depends_on  = [null_resource.install_python_dependencies]
   type        = "zip"
   source_dir  = "${path.module}/build/${local.file_name}"
-  output_path = "${path.module}/build/${local.file_name}.zip"
+  output_path = "${path.module}/archive/${local.file_name}.zip"
 }
 
 resource "aws_lambda_function" "lambda" {
-  filename         = "${path.module}/build/${local.file_name}.zip"
-  source_code_hash = sha1(join("", [for f in fileset("${path.module}/lambda_code/${local.file_name}", "*") : filesha1("${path.module}/lambda_code/${local.file_name}/${f}")]))
+  filename         = data.archive_file.lambda_zip.output_path
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
   function_name    = "${var.project}-${var.function_name}-${var.env}"
   description      = "${var.project} ${var.description}"
   role             = var.lambda_role_arn
@@ -71,4 +80,4 @@ resource "aws_lambda_permission" "lambda_invoke" {
   action        = "lambda:InvokeFunction"
   function_name = aws_lambda_function.lambda.function_name
   principal     = each.value
-}
+}

modules/terraform-aws-ca-lambda/scripts/lambda-build/create-package.sh

@@ -37,4 +37,4 @@ cp -r $path_cwd/utils $path_cwd/build/$dir_name
 echo "Removing virtual environment folder..."
 rm -rf $path_cwd/build/env_$function_name
 
-echo "Finished script execution!"
+echo "Finished script execution!"