[DEV-3762] GitHub action deploy ivs function (#2115)

* github action to deploy ivs function

* Github action to deploy ivs lambda

* missed paramenter github repository

* fix missed variables and output parameter

* fix missed artifact to deploy the lambda function at the first time

* update readme and arcive file

* fix archive file

* update iam role in deploy action

Author: uolter

.github/workflows/code_review_infra.yaml

@@ -41,12 +41,6 @@ jobs:
       - name: Compile Cloudfront Functions
         run: npm run compile -w cloudfront-functions
 
-      - name: Build Cognito Functions
-        run: npm run build -w cognito-functions
-
-      - name: Build IVS Functions
-        run: npm run build -w ivs-functions
-
       - name: Pull & update submodules recursively
         run: git submodule update --init --recursive
 

.github/workflows/deploy_infra.yml

@@ -57,9 +57,6 @@ jobs:
       - name: Compile Cloudfront Functions
         run: npm run compile -w cloudfront-functions
 
-      - name: Build IVS Functions
-        run: npm run build -w ivs-functions
-      
       - name: Pull & update submodules recursively
         run: git submodule update --init --recursive
 

.github/workflows/deploy_ivs_lambdas.yaml

@@ -0,0 +1,79 @@
+name: Deploy IVS Lambda Functions
+run-name: Deploy IVS Lambda Functions to ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.environment || 'dev' }}
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "apps/ivs-functions/**"
+      - ".github/workflows/deploy_ivs_lambdas.yaml"
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Choose environment'
+        type: choice
+        required: true
+        default: dev
+        options:
+          - dev
+          - uat
+          - prod
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup node
+        uses: actions/setup-node@v3
+        with:
+          node-version: '22.x'
+
+      - name: Install dependencies
+        run: npm ci --audit=false --fund=false
+
+      - name: Build
+        run: npm run build -w ivs-functions
+
+      - name: Archive build artifacts
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: ivs-functions
+          path: apps/ivs-functions/out/ivs-functions.zip
+
+  deploy:
+    name: Deploy IVS Lambda Functions
+    runs-on: ubuntu-24.04
+    needs: build
+    env:
+      ENV_SHORT: ${{ fromJSON('{"dev":"d","uat":"u","prod":"p"}')[github.event.inputs.environment || 'dev'] }}
+      AWS_REGION: eu-central-1
+
+    environment: ${{ github.event.inputs.environment || 'dev' }}
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ivs-functions
+          path: ./target
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.DEPLOY_IVS_FUNCTION_IAM_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Deploy ivs_custom_message
+        run: |
+          aws lambda update-function-code \
+            --function-name devportal-${{ env.ENV_SHORT }}-ivs-video-processing \
+            --zip-file fileb://target/ivs-functions.zip \
+            --region ${{ env.AWS_REGION }}

apps/infrastructure/src/main.tf

@@ -266,6 +266,7 @@ module "video_streaming" {
   # Right now only one channel is supported for metrics, so we can directly reference it here. 
   # In the future, if more channels are added and we want to use them for metrics, we can change this to a list of ARNs or similar.
   webinar_metrics_channel_key = "channell-01"
+  github_repository           = var.github_repository
 
 }
 

apps/infrastructure/src/modules/video_streaming/README.md

@@ -8,6 +8,7 @@
 
 | Name | Version |
 |------|---------|
+| <a name="provider_archive"></a> [archive](#provider\_archive) | n/a |
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.28.0 |
 | <a name="provider_aws.us-east-1"></a> [aws.us-east-1](#provider\_aws.us-east-1) | >= 6.28.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | n/a |
@@ -20,8 +21,18 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [archive_file.ivs_function](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/resources/file) | resource |
 | [aws_acm_certificate.cdn_cert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
 | [aws_acm_certificate_validation.cdn_cert_validation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
+| [aws_api_gateway_api_key.webinar_metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_api_key) | resource |
+| [aws_api_gateway_deployment.webinar_metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment) | resource |
+| [aws_api_gateway_integration.metrics_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration) | resource |
+| [aws_api_gateway_method.metrics_post](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
+| [aws_api_gateway_resource.metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_resource) | resource |
+| [aws_api_gateway_rest_api.webinar_metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api) | resource |
+| [aws_api_gateway_stage.webinar_metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage) | resource |
+| [aws_api_gateway_usage_plan.webinar_metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_usage_plan) | resource |
+| [aws_api_gateway_usage_plan_key.webinar_metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_usage_plan_key) | resource |
 | [aws_athena_database.cloudfront_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database) | resource |
 | [aws_athena_named_query.create_cloudfront_logs_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_named_query) | resource |
 | [aws_athena_named_query.sample_cloudfront_queries](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_named_query) | resource |
@@ -30,16 +41,24 @@ No modules.
 | [aws_cloudfront_origin_access_control.video_oac](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_cloudfront_response_headers_policy.cors_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_response_headers_policy) | resource |
 | [aws_cloudwatch_log_group.lambda_index_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.webinar_metrics_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_metric_alarm.lambda_errors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_iam_policy.deploy_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ivs_recording_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.deploy_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.ivs_recording_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.ivs_video_processing_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.webinar_metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.ivs_video_processing_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webinar_metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.deploy_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ivs_recording_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_ivs_channel.channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ivs_channel) | resource |
 | [aws_ivs_recording_configuration.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ivs_recording_configuration) | resource |
 | [aws_lambda_function.ivs_video_processing_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.webinar_metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_permission.allow_s3_invoke_ivs_video_processing_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.apigw_webinar_metrics](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_route53_record.cdn_alias_record](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.cert_validation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_s3_bucket.athena_results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
@@ -61,7 +80,9 @@ No modules.
 | [aws_sns_topic_subscription.alerts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_ssm_parameter.strapi_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [archive_file.webinar_metrics](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.deploy_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_ivs_stream_key.channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ivs_stream_key) | data source |
 | [aws_route53_zone.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 
@@ -70,12 +91,15 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment | `string` | n/a | yes |
+| <a name="input_github_repository"></a> [github\_repository](#input\_github\_repository) | The GitHub repository (e.g., org/repo) allowed to assume the deploy role via OIDC. | `string` | n/a | yes |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | A name for the project to prefix resources. | `string` | n/a | yes |
 | <a name="input_strapi_api_url"></a> [strapi\_api\_url](#input\_strapi\_api\_url) | The URL of the Strapi API. | `string` | n/a | yes |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS region to deploy resources in. | `string` | `"eu-central-1"` | no |
 | <a name="input_custom_domain_name"></a> [custom\_domain\_name](#input\_custom\_domain\_name) | The custom domain name (e.g., video.example.com) to assign to the CloudFront distribution. | `string` | `null` | no |
 | <a name="input_ivs_channels"></a> [ivs\_channels](#input\_ivs\_channels) | A map of IVS channels to create. The key will be used for resource identification. | <pre>map(object({<br/>    name         = string<br/>    latency_mode = optional(string, "LOW")<br/>    type         = optional(string, "STANDARD")<br/>  }))</pre> | `{}` | no |
 | <a name="input_route53_zone_id"></a> [route53\_zone\_id](#input\_route53\_zone\_id) | The ID of the existing Route 53 hosted zone for the custom domain. | `string` | `null` | no |
+| <a name="input_webinar_metrics_channel_key"></a> [webinar\_metrics\_channel\_key](#input\_webinar\_metrics\_channel\_key) | The key from ivs\_channels to use for the webinar metrics Lambda. If null, IVS\_CHANNEL\_ARN is not set and the Lambda uses its default. | `string` | `null` | no |
+| <a name="input_webinar_metrics_stage_name"></a> [webinar\_metrics\_stage\_name](#input\_webinar\_metrics\_stage\_name) | The api webinar metrics stage name. | `string` | `"v1"` | no |
 
 ## Outputs
 
@@ -85,5 +109,10 @@ No modules.
 | <a name="output_athena_results_bucket_name"></a> [athena\_results\_bucket\_name](#output\_athena\_results\_bucket\_name) | The name of the S3 bucket where Athena query results are stored. |
 | <a name="output_athena_workgroup_name"></a> [athena\_workgroup\_name](#output\_athena\_workgroup\_name) | The name of the Athena workgroup for running queries. |
 | <a name="output_cloudfront_logs_bucket_name"></a> [cloudfront\_logs\_bucket\_name](#output\_cloudfront\_logs\_bucket\_name) | The name of the S3 bucket where CloudFront access logs are stored. |
+| <a name="output_deploy_lambda_role_arn"></a> [deploy\_lambda\_role\_arn](#output\_deploy\_lambda\_role\_arn) | The ARN of the IAM role used by GitHub Actions to deploy the IVS video processing Lambda. |
 | <a name="output_ivs_channel_details"></a> [ivs\_channel\_details](#output\_ivs\_channel\_details) | A map containing the details for each created IVS channel. |
 | <a name="output_s3_recording_bucket_name"></a> [s3\_recording\_bucket\_name](#output\_s3\_recording\_bucket\_name) | The name of the S3 bucket where all recordings will be stored. |
+| <a name="output_webinar_metrics_api_key_id"></a> [webinar\_metrics\_api\_key\_id](#output\_webinar\_metrics\_api\_key\_id) | The ID of the API key for the webinar metrics API. Retrieve the value with: aws apigateway get-api-key --api-key <id> --include-value |
+| <a name="output_webinar_metrics_api_url"></a> [webinar\_metrics\_api\_url](#output\_webinar\_metrics\_api\_url) | The invoke URL of the webinar metrics API Gateway. |
+| <a name="output_webinar_metrics_lambda_arn"></a> [webinar\_metrics\_lambda\_arn](#output\_webinar\_metrics\_lambda\_arn) | The ARN of the webinar metrics Lambda function. |
+| <a name="output_webinar_metrics_lambda_name"></a> [webinar\_metrics\_lambda\_name](#output\_webinar\_metrics\_lambda\_name) | The name of the webinar metrics Lambda function. |

apps/infrastructure/src/modules/video_streaming/iam_policy.tf

@@ -0,0 +1,120 @@
+data "aws_iam_policy_document" "deploy_github" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:${var.github_repository}:*"]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "token.actions.githubusercontent.com:iss"
+      values   = ["https://token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "deploy_lambda" {
+  name        = "DeployIvsVideoProcessingLambda"
+  description = "Policy to allow deploying the IVS video processing Lambda function"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "lambda:UpdateFunctionCode"
+        ]
+        Effect = "Allow"
+        Resource = [
+          aws_lambda_function.ivs_video_processing_function.arn
+        ]
+      }
+    ]
+  })
+}
+
+
+resource "aws_iam_role_policy" "webinar_metrics" {
+  name = "${var.project_name}-webinar-metrics-policy"
+  role = aws_iam_role.webinar_metrics.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "${aws_cloudwatch_log_group.webinar_metrics_logs.arn}:*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "athena:StartQueryExecution",
+          "athena:GetQueryExecution",
+          "athena:GetQueryResults"
+        ]
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "glue:GetTable",
+          "glue:GetPartitions",
+          "glue:GetDatabase"
+        ]
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:GetObject",
+          "s3:ListBucket"
+        ]
+        Resource = [
+          aws_s3_bucket.cloudfront_logs.arn,
+          "${aws_s3_bucket.cloudfront_logs.arn}/*"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:GetBucketLocation",
+          "s3:ListBucket"
+        ]
+        Resource = [
+          aws_s3_bucket.athena_results.arn,
+          "${aws_s3_bucket.athena_results.arn}/*"
+        ]
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["cloudwatch:GetMetricStatistics"]
+        Resource = "*"
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["ivs:ListStreamSessions"]
+        Resource = "arn:aws:ivs:*:*:channel/*"
+      }
+    ]
+  })
+}

apps/infrastructure/src/modules/video_streaming/iam_role.tf

@@ -0,0 +1,32 @@
+###############################################################################
+#          Define IAM Role to deploy the IVS video processing Lambda         #
+###############################################################################
+resource "aws_iam_role" "deploy_lambda" {
+  name               = "GitHubActionDeployIvsVideoProcessingLambda"
+  description        = "Role assumed by GitHub Actions to deploy the IVS video processing Lambda"
+  assume_role_policy = data.aws_iam_policy_document.deploy_github.json
+}
+
+resource "aws_iam_role_policy_attachment" "deploy_lambda" {
+  role       = aws_iam_role.deploy_lambda.name
+  policy_arn = aws_iam_policy.deploy_lambda.arn
+}
+
+
+
+resource "aws_iam_role" "webinar_metrics" {
+  name                  = "${var.project_name}-webinar-metrics-role"
+  force_detach_policies = true
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+}