Initial commit

Author: hf

.github/workflows/publish-release.yaml

@@ -0,0 +1,76 @@
+name: Publish Release
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: |
+          set -x
+
+          yarn --pure-lockfile
+
+          yarn build
+
+          rm -rf node_modules
+
+          yarn --prod --pure-lockfile
+
+          zip -9 -r lambda.zip \
+            node_modules \
+            index.js \
+            index.js.map \
+            index.ts \
+            yarn.lock \
+            package.json \
+            tsconfig.json \
+            README.md \
+            template.yaml \
+            LICENSE
+      - uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+      - env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -x
+
+          RELEASE_TYPE=""
+
+          if [ "true" == "${{ github.event.release.draft }}" ]
+          then
+            RELEASE_TYPE="draft-"
+          fi
+
+          if [ "true" == "${{ github.event.release.prerelease }}" ]
+          then
+            RELEASE_TYPE="$(echo $RELEASE_TYPE)pre"
+          fi
+
+          RELEASE_TYPE="$(echo $RELEASE_TYPE)release"
+
+          for region in us-east-1 eu-west-1
+          do
+            aws s3api put-object --region "$region" \
+              --bucket "github-com-hf-pubpubsub-$region" \
+              --key "$RELEASE_TYPE/cloudformation/${{ github.event.release.tag_name }}" \
+              --content-type application/x-yaml \
+              --body template.yaml
+
+            aws s3api put-object --region "$region" \
+              --bucket "github-com-hf-pubpubsub-$region" \
+              --key "$RELEASE_TYPE/lambda/${{ github.event.release.tag_name }}" \
+              --content-type application/zip \
+              --body lambda.zip
+          done
+
+          gh release upload "${{ github.event.release.tag_name }}" \
+            lambda.zip \
+            template.yaml

.gitignore

@@ -0,0 +1,3 @@
+*.js
+*.js.map
+node_modules

.vimrc

@@ -0,0 +1,4 @@
+let NERDTreeIgnore = ['.git$', '.cache$', 'node_modules$']
+let NERDTreeShowHidden = 1
+
+:set backupcopy=yes

LICENSE

@@ -0,0 +1,19 @@
+Copyright 2021 Stojan Dimitrovski
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,78 @@
+# PubPubSub
+
+A ready-made AWS Lambda function you can invoke to publish messages into
+Google's PubSub system.
+
+It's really useful for bridging AWS compute with Firebase or other Google Cloud
+projects.
+
+## Setup
+
+Follow the guide to setup [Workload Identity
+Federation][gcp-workload-identity-federation] in your Google Cloud projects.
+
+Then you can deploy the code in this repository as a Node.js Lambda function in
+your AWS account.
+
+Check out the Releases section for packages and instructions.
+
+Hosted versions are available out of my personal AWS account, should you need
+to get running quickly. You're encouraged to host it on your own accounts and
+service is provided without any guarantees or warranty express or implied.
+
+CloudFormation:
+
+```
+https://github-com-hf-pubpubsub-<region>.s3.amazonaws.com/release/cloudformation/<release>
+```
+
+Lambda:
+
+```
+https://github-com-hf-pubpubsub-<region>.s3.amazonaws.com/release/lambda/<release>
+```
+
+Currently available in: `us-east-1`, `eu-west-1`. Open an issue to
+request availability in other regions.
+
+Note that you're only allowed to access the S3 object, not the bucket itself.
+You must do it using AWS credentials, and your identity will be visible in my
+CloudTrail account.
+
+### Configuration
+
+The Lambda function expects these environment variables:
+
+- `GOOGLE_CLOUD_PROJECT_NUMBER` GCP project number where the Workload Identity
+  Federation provider resides
+- `GOOGLE_CLOUD_WEB_IDENTITY_POOL` ID of the web identity pool
+- `GOOGLE_CLOUD_WEB_IDENTITY_POOL_AWS_PROVIDER` ID of the AWS provider in the
+  web identity pool
+- `GOOGLE_CLOUD_SERVICE_ACCOUNT_EMAIL` Service account email to impersonate
+- `GOOGLE_CLOUD_DEFAULT_PROJECT_ID` (Optional) Project ID where messages
+  without a `projectId` property will be directed to
+
+## Use
+
+The Lambda function can be invoked synchronously or asynchronously.
+
+It accepts a JSON object with the following structure:
+
+- `topic` Pub/Sub topic to which to publish
+- `message` A string representing the message to be published
+- `base64` (Optional) A boolean whether the `mesasge` is encoded in Base64
+- `projectId` (Optional) GCP project ID where the `topic` lives
+
+It outputs a JSON object with the following structure:
+
+- `topic` Pub/Sub topic where the message was published
+- `projectId` GCP project ID where the `topic` lives
+- `messageId` ID of the message in the `topic`
+
+## License
+
+Copyright &copy; 2022 Stojan Dimitrovski. Some rights reserved.
+
+Licensed under the MIT X11 License. You can find a copy of it under `LICENSE`.
+
+[gcp-workload-identity-federation]: https://cloud.google.com/iam/docs/configuring-workload-identity-federation#aws

index.ts

@@ -0,0 +1,97 @@
+import "source-map-support/register";
+import * as fs from "fs";
+import { PubSub } from "@google-cloud/pubsub";
+
+const setupGoogleCloudCredentials = () => {
+  const gcloudServiceAccountCredentials = {
+    type: "external_account",
+    subject_token_type: "urn:ietf:params:aws:token-type:aws4_request",
+    credential_source: {
+      environment_id: "aws1",
+      region_url:
+        "http://169.254.169.254/latest/meta-data/placement/availability-zone",
+      url: "http://169.254.169.254/latest/meta-data/iam/security-credentials",
+      regional_cred_verification_url:
+        "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
+    },
+    token_url: "https://sts.googleapis.com/v1/token",
+    audience: `//iam.googleapis.com/projects/${process.env.GOOGLE_CLOUD_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${process.env.GOOGLE_CLOUD_WEB_IDENTITY_POOL}/providers/${process.env.GOOGLE_CLOUD_WEB_IDENTITY_POOL_AWS_PROVIDER}`,
+    service_account_impersonation_url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${process.env.GOOGLE_CLOUD_SERVICE_ACCOUNT_EMAIL}:generateAccessToken`,
+  };
+
+  process.env.GOOGLE_APPLICATION_CREDENTIALS =
+    "/tmp/gcloud-service-account-credentials.json";
+
+  fs.writeFileSync(
+    process.env.GOOGLE_APPLICATION_CREDENTIALS,
+    JSON.stringify(gcloudServiceAccountCredentials)
+  );
+
+  console.log(
+    "Google Cloud Service Account Credentials",
+    gcloudServiceAccountCredentials
+  );
+};
+
+const clients: { readonly [projectId: string]: PubSub } = (() => {
+  const underlying: any = {};
+  let credentialsSetup = false;
+
+  const projectIdRegexp = /^[a-z][a-z-0-9-]{4,28}[a-z0-9]$/;
+
+  return new Proxy(underlying, {
+    get: (_, projectId) => {
+      if ("string" !== typeof projectId) {
+        return underlying[projectId];
+      }
+
+      if (!projectIdRegexp.test(projectId)) {
+        throw new Error(`Invalid project id '${projectId}'`);
+      }
+
+      if (!credentialsSetup) {
+        setupGoogleCloudCredentials();
+
+        credentialsSetup = true;
+      }
+
+      if (!underlying[projectId]) {
+        underlying[projectId] = new PubSub({ projectId });
+      }
+
+      return underlying[projectId];
+    },
+    set: () => {
+      throw new Error("Read only object!");
+    },
+  });
+})();
+
+export const handler = async (event: {
+  topic: string;
+  message: string;
+  projectId?: string;
+  base64?: boolean;
+}) => {
+  const projectId =
+    event.projectId || process.env.GOOGLE_CLOUD_DEFAULT_PROJECT_ID || "";
+
+  try {
+    const messageId = await clients[projectId]
+      .topic(event.topic)
+      .publish(Buffer.from(event.message, event.base64 ? "base64" : "utf-8"));
+
+    return {
+      messageId,
+      projectId,
+      topic: event.topic,
+    };
+  } catch (e) {
+    console.error(
+      `Unable to publish message to topic '${event.topic}' on project '${projectId}'`,
+      e
+    );
+
+    throw e;
+  }
+};

package.json

@@ -0,0 +1,18 @@
+{
+  "private": true,
+  "license": "MIT",
+  "author": "Stojan Dimitrovski <[email protected]>",
+  "scripts": {
+    "prettier": "prettier --write .",
+    "build": "tsc"
+  },
+  "devDependencies": {
+    "@tsconfig/node12": "^1.0.9",
+    "prettier": "^2.5.1",
+    "typescript": "^4.5.4"
+  },
+  "dependencies": {
+    "@google-cloud/pubsub": "^2.18.4",
+    "source-map-support": "^0.5.21"
+  }
+}

template.yaml

@@ -0,0 +1,46 @@
+Parameters:
+  PPubPubSubCodeKey:
+    Type: String
+  PGoogleCloudProjectNumber:
+    Type: String
+  PGoogleCloudWebIdentityPool:
+    Type: String
+  PGoogleCloudWebIdentityPoolAWSProvider:
+    Type: String
+  PGoogleCloudServiceAccountEmail:
+    Type: String
+  PGoogleCloudDefaultProjectId:
+    Type: String
+    Default: ""
+
+Resources:
+  RoleLambdaPubPubSub:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRole
+            Principal:
+              Service: lambda.amazonaws.com
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+  LambdaPubPubSub:
+    Type: AWS::Lambda::Function
+    Properties:
+      Runtime: nodejs14.x
+      Role: !Sub ${RoleLambdaPubPubSub.Arn}
+      Timeout: 60
+      MemorySize: 192
+      Handler: index.handler
+      Code:
+        S3Bucket: !Sub github-com-hf-pubpubsub-${AWS::Region}
+        S3Key: !Sub ${PPubPubSubCodeKey}
+      Environment:
+        Variables:
+          GOOGLE_CLOUD_PROJECT_NUMBER: !Ref PGoogleCloudProjectNumber
+          GOOGLE_CLOUD_WEB_IDENTITY_POOL: !Ref PGoogleCloudWebIdentityPool
+          GOOGLE_CLOUD_WEB_IDENTITY_POOL_AWS_PROVIDER: !Ref PGoogleCloudWebIdentityPoolAWSProvider
+          GOOGLE_CLOUD_SERVICE_ACCOUNT_EMAIL: !Ref PGoogleCloudServiceAccountEmail
+          GOOGLE_CLOUD_DEFAULT_PROJECT_ID: !Ref PGoogleCloudDefaultProjectId

tsconfig.json

@@ -0,0 +1,7 @@
+{
+  "extends": "@tsconfig/node12/tsconfig.json",
+  "compilerOptions": {
+    "sourceMap": true
+  },
+  "include": ["*.ts"]
+}