import { readFileSync } from 'node:fs'; import { resolve } from 'node:path'; import * as aws from '@pulumi/aws'; import * as pulumi from '@pulumi/pulumi'; import { Environment } from './environment'; import { S3 } from './s3'; export function deployAWSArtifactsLambdaFunction(args: { environment: Environment; /** Note: We run this mirror only on the AWS S3 Bucket on purpose. */ s3Mirror: S3; }) { const lambdaRole = new aws.iam.Role('awsLambdaArtifactsHandlerRole', { assumeRolePolicy: { Version: '2012-10-17', Statement: [ { Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' }, Action: 'sts:AssumeRole', }, ], }, }); new aws.iam.RolePolicyAttachment('lambdaBasicExecution', { role: lambdaRole.name, policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole, }); const awsLambdaArtifactsHandler = new aws.lambda.Function('awsLambdaArtifactsHandler', { name: `hive-artifacts-handler-${args.environment.envName}`, runtime: aws.lambda.Runtime.NodeJS22dX, handler: 'index.handler', packageType: 'Zip', architectures: ['arm64'], code: new pulumi.asset.AssetArchive({ 'index.mjs': new pulumi.asset.StringAsset( readFileSync( process.env.AWS_LAMBDA_ARTIFACT_PATH || resolve(__dirname, '../../packages/services/cdn-worker/dist/index.lambda.mjs'), 'utf-8', ), ), }), role: lambdaRole.arn, region: 'us-east-2', environment: { variables: { // This could be done better with secrets manager etc. // But it adds a lot of complexity and overhead and runtime logic AWS_S3_ENDPOINT: args.s3Mirror.secret.raw.endpoint, AWS_S3_BUCKET_NAME: args.s3Mirror.secret.raw.bucket, AWS_S3_ACCESS_KEY_ID: args.s3Mirror.secret.raw.accessKeyId, AWS_S3_ACCESSS_KEY_SECRET: args.s3Mirror.secret.raw.secretAccessKey, }, }, // 448mb memorySize: 448, // 10 seconds timeout: 10, }); const example = new aws.lambda.FunctionUrl('awsLambdaArtifactsHandlerUrl', { functionName: awsLambdaArtifactsHandler.arn, authorizationType: 'NONE', invokeMode: 'BUFFERED', region: 'us-east-2', }); return { functionUrl: example.functionUrl, }; }