feat(lambda): convert project to swift

Author: luke-h1

.github/actions/deploy/action.yml

@@ -13,10 +13,6 @@ inputs:
 runs:
   using: composite
   steps:
-    - name: Validate environment
-      shell: bash
-      run: if [ "${{ inputs.environment }}" != "staging" ] && [ "${{ inputs.environment }}" != "live" ]; then echo "Invalid environment"; exit 1; fi
-
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v3
       with:
@@ -56,18 +52,21 @@ runs:
       working-directory: terraform
       run: terraform validate
 
-    - name: Setup version information
+    - name: Build functions for Lambda
       shell: bash
-      env:
-        GITHUB_EVENT_NAME: ${{ github.event_name }}
-        GITHUB_REF_NAME: ${{ github.ref_name }}
       run: |
-        chmod +x scripts/version.sh
-        ./scripts/version.sh info
-
-    - name: Build functions
-      shell: bash
-      run: swift build -c release
+        docker run --rm \
+          --platform linux/amd64 \
+          -v "${{ github.workspace }}:/workspace" \
+          -w /workspace \
+          swift:6.1-amazonlinux2 \
+          bash -c "swift build -c release --static-swift-stdlib && \
+            cp .build/release/lambda .build/release/bootstrap && \
+            chmod 755 .build/release/bootstrap && \
+            mkdir -p .build/release/authorizer-package && \
+            cp .build/release/authorizer .build/release/authorizer-package/bootstrap && \
+            chmod 755 .build/release/authorizer-package/bootstrap"
+        sudo chown -R $(id -u):$(id -g) .build
 
     - name: Terraform plan
       id: plan

.github/actions/install/action.yml

@@ -10,17 +10,12 @@ runs:
     - name: Setup Swift
       uses: swift-actions/setup-swift@v3
       with:
-        swift-version: "6.2.0"
+        swift-version: "6.1.0"
 
     - name: Resolve Swift dependencies
       shell: bash
       run: swift package resolve
 
-    # https://github.com/actions/virtual-environments/issues/1187
-    - name: tune linux network
-      run: sudo ethtool -K eth0 tx off rx off
-      shell: bash
-
     - name: 🥟 Setup Bun
       uses: oven-sh/setup-bun@v2
       with:

.github/workflows/build-prerelease-version.yml

@@ -1,8 +1,8 @@
 name: Build pre-release version
 on:
   workflow_dispatch:
-  pull_request:
-    types: [opened, synchronize, edited, reopened]
+  # pull_request:
+  #   types: [opened, synchronize, edited, reopened]
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -27,7 +27,7 @@ permissions: write-all
 jobs:
   deploy:
     name: Deploy to staging
-    runs-on: macos-latest
+    runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - name: Checkout repository
@@ -39,17 +39,17 @@ jobs:
       - name: Ensure rebased with main
         run: ./scripts/ensure-rebased.sh
 
-      - name: Install
-        uses: ./.github/actions/install
+      # - name: Install
+      #   uses: ./.github/actions/install
 
-      - name: Validate
-        uses: ./.github/actions/validate
+      # - name: Validate
+      #   uses: ./.github/actions/validate
 
-      - name: Changelogs
-        uses: ./.github/actions/changelog
-        with:
-          prerelease: true
-          publish: false
+      # - name: Changelogs
+      #   uses: ./.github/actions/changelog
+      #   with:
+      #     prerelease: true
+      #     publish: false
 
       - name: fetch latest commits
         run: git fetch && git pull

.github/workflows/deploy-test.yml

@@ -0,0 +1,78 @@
+name: Build test version
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize, edited, reopened]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+env:
+  TF_VAR_env: test
+  TF_VAR_env_vars: ${{ secrets.LIVE_ENV_VARS }}
+  TF_VAR_zone_id: ${{ secrets.LIVE_ZONE_ID }}
+  TF_VAR_root_domain: lhowsam.com
+  TF_VAR_sub_domain: nowplaying.lhowsam.com
+  TF_VAR_private_key: ${{ secrets.STAGING_PRIVATE_KEY }}
+  TF_VAR_certificate_body: ${{ secrets.STAGING_CERTIFICATE_BODY }}
+  TF_VAR_certificate_chain: ${{ secrets.STAGING_CERTIFICATE_CHAIN }}
+  TF_VAR_deployed_by: ${{ github.actor }}
+  TF_VAR_git_sha: ${{ github.sha }}
+  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+  TURBO_TEAM: luke-h1-project
+  TF_VAR_api_key: ${{ secrets.STAGING_API_KEY }}
+  TF_VAR_discord_webhook_url: ${{ secrets.DISCORD_ALERTS_WEBHOOK_URL}}
+
+permissions: write-all
+
+jobs:
+  deploy:
+    name: Deploy to staging
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.head_ref }}
+
+      - name: Ensure rebased with main
+        run: ./scripts/ensure-rebased.sh
+
+      # - name: Install
+      #   uses: ./.github/actions/install
+
+      # - name: Validate
+      #   uses: ./.github/actions/validate
+
+      # - name: Changelogs
+      #   uses: ./.github/actions/changelog
+      #   with:
+      #     prerelease: true
+      #     publish: false
+
+      - name: fetch latest commits
+        run: git fetch && git pull
+
+      - name: Deploy
+        uses: ./.github/actions/deploy
+        with:
+          environment: ${{ env.TF_VAR_env }}
+          aws-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      - name: Get versions
+        id: lambda-version
+        run: |
+          echo "::set-output name=LAMBDA_VERSION::$(./scripts/version.sh get)"
+          echo "::set-output name=AUTHORIZER_VERSION::$(./scripts/version.sh get)"
+
+      - uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '* [Lambda version](https://nowplaying-${{env.TF_VAR_env}}.lhowsam.com) - `${{ steps.lambda-version.outputs.LAMBDA_VERSION }}`\n* [Authorizer version](https://nowplaying-${{env.TF_VAR_env}}.lhowsam.com) - `${{ steps.lambda-version.outputs.AUTHORIZER_VERSION }}`'
+            })

.github/workflows/deploy.yml

@@ -47,11 +47,11 @@ jobs:
       - name: Install
         uses: ./.github/actions/install
 
-      - name: Validate
-        uses: ./.github/actions/validate
+      # - name: Validate
+      #   uses: ./.github/actions/validate
 
-      - name: Changelogs
-        uses: ./.github/actions/changelog
+      # - name: Changelogs
+      #   uses: ./.github/actions/changelog
 
       - name: Deploy
         uses: ./.github/actions/deploy

Package.swift

@@ -1,4 +1,4 @@
-// swift-tools-version: 6.2
+// swift-tools-version: 6.1
 // The swift-tools-version declares the minimum version of Swift required to build this package.
 
 import PackageDescription
@@ -15,6 +15,7 @@ let package = Package(
         .package(
             url: "https://github.com/swift-server/swift-aws-lambda-runtime.git", from: "2.4.0"),
         .package(url: "https://github.com/awslabs/swift-aws-lambda-events.git", from: "1.0.0"),
+        .package(url: "https://github.com/apple/swift-log.git", "1.0.0"..<"1.8.0"),
     ],
     targets: [
         .executableTarget(

Sources/authorizer/main.swift

@@ -1,7 +1,32 @@
-import AWSLambdaEvents
 import AWSLambdaRuntime
 import Foundation
 
+// MARK: - Custom Request/Response types for HTTP API v2 Authorizer
+
+struct AuthorizerRequest: Codable {
+    let version: String?
+    let type: String?
+    let routeArn: String?
+    let routeKey: String?
+    let rawPath: String?
+    let rawQueryString: String?
+    let headers: [String: String]?
+    let requestContext: RequestContext?
+
+    struct RequestContext: Codable {
+        let http: HTTPContext?
+
+        struct HTTPContext: Codable {
+            let method: String?
+            let path: String?
+        }
+    }
+}
+
+struct AuthorizerSimpleResponse: Codable {
+    let isAuthorized: Bool
+}
+
 // MARK: - Helper Functions
 
 /// Gets a header value from the request headers (case-insensitive)
@@ -19,64 +44,35 @@ func getHeaderValue(_ headers: [String: String]?, key: String) -> String? {
     return nil
 }
 
-/// Generates an IAM policy response for API Gateway
-func generatePolicy(
-    principalId: String,
-    effect: APIGatewayLambdaAuthorizerPolicyResponse.PolicyDocument.Statement.Effect,
-    resource: String
-) -> APIGatewayLambdaAuthorizerPolicyResponse {
-    return APIGatewayLambdaAuthorizerPolicyResponse(
-        principalId: principalId,
-        policyDocument: .init(statement: [
-            .init(
-                action: "execute-api:Invoke",
-                effect: effect,
-                resource: resource
-            )
-        ]),
-        context: nil
-    )
-}
-
 // MARK: - Lambda Runtime
 
-let authorizerHandler:
-    (APIGatewayLambdaAuthorizerRequest, LambdaContext) async throws ->
-        APIGatewayLambdaAuthorizerPolicyResponse = {
-            (request: APIGatewayLambdaAuthorizerRequest, context: LambdaContext) in
-
-            let consumer = getHeaderValue(request.headers, key: "x-consumer")
-            let validConsumers = ["lhowsam-dev", "lhowsam-prod", "lhowsam-local"]
-
-            let apiKey = getHeaderValue(request.headers, key: "x-api-key")
-            let validKey = ProcessInfo.processInfo.environment["API_KEY"]
-
-            let resource = request.routeArn ?? "*"
-
-            if apiKey != validKey {
-                context.logger.info("Deny")
-                return generatePolicy(
-                    principalId: "user",
-                    effect: .deny,
-                    resource: resource
-                )
-            }
-
-            if let consumer = consumer, !validConsumers.contains(consumer) {
-                context.logger.info("Deny")
-                return generatePolicy(
-                    principalId: "user",
-                    effect: .deny,
-                    resource: resource
-                )
-            }
-
-            return generatePolicy(
-                principalId: "user",
-                effect: .allow,
-                resource: resource
-            )
-        }
+let runtime = LambdaRuntime {
+    (event: AuthorizerRequest, context: LambdaContext) -> AuthorizerSimpleResponse in
+
+    context.logger.info("Authorizer invoked")
+    context.logger.info("Headers: \(String(describing: event.headers))")
+    context.logger.info("RouteArn: \(String(describing: event.routeArn))")
+
+    let consumer = getHeaderValue(event.headers, key: "x-consumer")
+    let validConsumers = ["lhowsam-dev", "lhowsam-prod", "lhowsam-local"]
+
+    let apiKey = getHeaderValue(event.headers, key: "x-api-key")
+    let validKey = ProcessInfo.processInfo.environment["API_KEY"]
+
+    context.logger.info("API Key from header: '\(apiKey ?? "nil")'")
+
+    if apiKey != validKey {
+        context.logger.info("Deny - API key mismatch")
+        return AuthorizerSimpleResponse(isAuthorized: false)
+    }
+
+    if let consumer = consumer, !validConsumers.contains(consumer) {
+        context.logger.info("Deny - Invalid consumer: \(consumer)")
+        return AuthorizerSimpleResponse(isAuthorized: false)
+    }
+
+    context.logger.info("Allow - Authorization successful")
+    return AuthorizerSimpleResponse(isAuthorized: true)
+}
 
-let runtime = LambdaRuntime(body: authorizerHandler)
 try await runtime.run()