initial commit

Author: rojopolis

.gitignore

@@ -7,3 +7,9 @@
 
 # .tfvars files
 *.tfvars
+
+# VSCode junk
+.vscode/*
+
+# OSX Garbage
+.DS_Store

README.md

@@ -1,2 +1,58 @@
 # terraform-aws-lamba-python-archive
 Package python source and dependencies into Lambda package with stable hash.
+
+See: https://docs.aws.amazon.com/lambda/latest/dg/lambda-python-how-to-create-deployment-package.html
+
+I created this module because using the standard technique of using an
+ `archive_file` data source has a few shortcomings:
+1. This doesn't allow processing a requirements file.
+2. Each apply results in a diff in `source_code_hash` becuase the archive includes
+metadata and generated files (*.pyc).  This module doesn't include file metadata
+or .pyc files in the archive so the hash is stable unless the source or dependencies
+change. 
+
+## Example
+```
+module "python_lambda_archive" {
+    source = "rojopolis/lambda-python-archive/aws"
+    src_dir = "${path.module}/python"
+}
+
+resource "aws_iam_role" "iam_for_lambda" {
+  name = "iam_for_lambda"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_lambda_function" "test_lambda" {
+  filename         = "${module.python_lambda_archive.archive_path}"
+  function_name    = "lambda_function_name"
+  role             = "${aws_iam_role.iam_for_lambda.arn}"
+  handler          = "exports.test"
+  source_code_hash = "${module.python_lambda_archive.source_code_hash}"
+  runtime          = "python3.6"
+
+  environment {
+    variables = {
+      foo = "bar"
+    }
+  }
+}
+```
+
+## External Dependencies
+1. Python3.4+

examples/lambda_python_archive.tf

@@ -0,0 +1,39 @@
+module "python_lambda_archive" {
+    source = "../"
+    src_dir = "${path.module}/python"
+}
+
+resource "aws_iam_role" "iam_for_lambda" {
+  name = "iam_for_lambda"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_lambda_function" "test_lambda" {
+  filename         = "${module.python_lambda_archive.archive_path}"
+  function_name    = "lambda_function_name"
+  role             = "${aws_iam_role.iam_for_lambda.arn}"
+  handler          = "exports.test"
+  source_code_hash = "${module.python_lambda_archive.source_code_hash}"
+  runtime          = "python3.6"
+
+  environment {
+    variables = {
+      foo = "bar"
+    }
+  }
+}

examples/python/my_lambda.py

@@ -0,0 +1,3 @@
+def entrypoint():
+    print("Hello world.")
+    return 0

examples/python/requirements.txt

@@ -0,0 +1,2 @@
+pandas
+scikit-learn

main.tf

@@ -0,0 +1,6 @@
+data "external" "lambda_archive" {
+    program = ["python", "${path.module}/scripts/build_lambda.py"]
+    query = {
+        src_dir = "${var.src_dir}"
+    }
+}

outputs.tf

@@ -0,0 +1,9 @@
+output "archive_path" {
+    description = "Path of the archive file."
+    value       = "${data.external.lambda_archive.result.archive}"
+}
+
+output "source_code_hash" {
+    description = "Base64 encoded SHA256 hash of the archive file."
+    value       = "${data.external.lambda_archive.result.base64sha256}"
+}

scripts/build_lambda.py

@@ -0,0 +1,64 @@
+
+from distutils.dir_util import copy_tree
+
+import base64
+import glob
+import hashlib
+import json
+import os
+import shutil
+import subprocess
+import sys
+import tempfile
+import zipfile
+
+def build(src_dir):
+    with tempfile.TemporaryDirectory() as build_dir:
+        copy_tree(src_dir, build_dir)
+        if os.path.exists(os.path.join(src_dir, 'requirements.txt')):
+            subprocess.run(
+                [sys.executable,
+                 '-m',
+                 'pip',
+                 'install',
+                 '--ignore-installed',
+                 '--target', build_dir,
+                 '-r', os.path.join(build_dir, 'requirements.txt')],
+                 check=True,
+                 capture_output=True
+            )
+        artifact=tempfile.NamedTemporaryFile(delete=False)
+        make_archive(build_dir, artifact)
+        return artifact.name
+
+
+def make_archive(src_dir, archive_file):
+    with zipfile.ZipFile(archive_file, 'w') as archive:
+        for root, dirs, files in os.walk(src_dir):
+            for file in files:
+                if file.endswith('.pyc'):
+                    break
+                metadata = zipfile.ZipInfo(
+                    os.path.join(root, file).replace(src_dir, '')
+                )
+                with open(os.path.join(root, file), 'rb') as f:
+                    data = f.read()
+                archive.writestr(
+                    metadata,
+                    data
+                )
+
+def get_hash(archive_file):
+    '''
+    Return base64 encoded sha256 hash of archive file
+    '''
+    with open(archive_file, 'rb') as f:
+        h = hashlib.sha256()
+        h.update(f.read())
+    return base64.standard_b64encode(h.digest()).decode('utf-8', 'strict')
+
+
+if __name__ == '__main__':
+    query = json.loads(sys.stdin.read())
+    archive = build(query['src_dir'])
+    print(json.dumps({'archive': archive, "base64sha256":get_hash(archive)}))

variables.tf

@@ -0,0 +1,4 @@
+variable "src_dir" {
+    description = "Path to root of Python source to package."
+    type        = "string"
+}