Adding Amazon DynamoDB stream infrastructure

.github/workflows/05-exposing-amazon-dynamodb-stream.yml

@@ -1,5 +1,11 @@
 name: 05. Exposing Amazon DynamoDB Stream
-on: workflow_dispatch
+on:
+  workflow_dispatch:
+    inputs:
+      AWS_REGION:
+        description: 'AWS Region'
+        required: true
+        default: 'eu-central-1'
 permissions:
   id-token: write
   contents: read
@@ -9,15 +15,50 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v4
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+        aws-region: ${{ github.event.inputs.AWS_REGION }}
+    - name: Deploy CloudFormation Stack
+      uses: aws-actions/aws-cloudformation-github-deploy@v1
+      with:
+        name: 'exposing-dynamodb-stream-ecr'
+        template: './infrastructure/exposing-amazon-dynamodb-stream-ecr.yml'
   build-and-push-webapp-image:
     runs-on: ubuntu-latest
     needs: deploy-elastic-container-registry
     steps:
     - name: Checkout
       uses: actions/checkout@v4
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+        aws-region: ${{ github.event.inputs.AWS_REGION }}
+    - name: Login to Container Registry
+      id: container-registry-login
+      uses: aws-actions/amazon-ecr-login@v2
+    - name: Docker Build
+      run: |
+        docker build './src/' -t ${{ steps.container-registry-login.outputs.registry }}/app-exposing-dynamodb-stream-repository:1.0.0
+    - name: Docker Push
+      run: |
+        docker push ${{ steps.container-registry-login.outputs.registry }}/app-exposing-dynamodb-stream-repository:1.0.0
   deploy-infrastructure:
     runs-on: ubuntu-latest
     needs: [deploy-elastic-container-registry, build-and-push-webapp-image]
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v4
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+        aws-region: ${{ github.event.inputs.AWS_REGION }}
+    - name: Deploy CloudFormation Stack
+      uses: aws-actions/aws-cloudformation-github-deploy@v1
+      with:
+        name: 'exposing-dynamodb-stream-apprunner'
+        template: './infrastructure/exposing-amazon-dynamodb-stream-apprunner.yml'
+        capabilities: 'CAPABILITY_NAMED_IAM'

infrastructure/exposing-amazon-dynamodb-stream-apprunner.yml

@@ -0,0 +1,67 @@
+AWSTemplateFormatVersion: 2010-09-09
+
+Parameters:
+  AppName:
+    Type: String
+    Default: 'app-exposing-dynamodb-stream'
+  AppVersion:
+    Type: String
+    Default: '1.0.0'
+
+Resources:
+  ProjectContainerRegistryAccessRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Sub '${AppName}-access-role'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - build.apprunner.amazonaws.com
+            Action: sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess
+  ProjectAppRunnerServiceInstanceRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Sub '${AppName}-instance-role'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - tasks.apprunner.amazonaws.com
+            Action: sts:AssumeRole
+      ManagedPolicyArns:
+        # This is overly permissive, just for a demo
+        - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
+  ProjectAppRunnerService:
+    Type: AWS::AppRunner::Service
+    Properties:
+      ServiceName: !Sub '${AppName}-app'
+      SourceConfiguration:
+        AuthenticationConfiguration:
+          AccessRoleArn: !GetAtt ProjectContainerRegistryAccessRole.Arn
+        AutoDeploymentsEnabled: true
+        ImageRepository:
+          ImageIdentifier: !Sub '${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${AppName}-repository:${AppVersion}'
+          ImageRepositoryType: 'ECR'
+          ImageConfiguration:
+            Port: 8080
+            RuntimeEnvironmentVariables: [
+              {
+                'Name': 'ChangefeedService',
+                'Value': 'AmazonDynamoDB'
+              },
+              {
+                'Name': 'AmazonDynamoDB__RegionSystemName',
+                'Value': !Sub '${AWS::Region}'
+              }
+          ]
+      InstanceConfiguration:
+        Cpu: '0.25 vCPU'
+        Memory: '0.5 GB'
+        InstanceRoleArn: !GetAtt ProjectAppRunnerServiceInstanceRole.Arn

infrastructure/exposing-amazon-dynamodb-stream-ecr.yml

@@ -0,0 +1,13 @@
+AWSTemplateFormatVersion: 2010-09-09
+
+Parameters:
+  AppName:
+    Type: String
+    Default: 'app-exposing-dynamodb-stream'
+
+Resources:
+  ProjectContainerRegistry:
+    Type: AWS::ECR::Repository
+    Properties:
+      RepositoryName: !Sub '${AppName}-repository'
+      EmptyOnDelete: true

src/Dockerfile

@@ -0,0 +1,22 @@
+ARG SDK_VERSION=8.0-jammy
+ARG ASPNET_VERSION=8.0-jammy-chiseled
+
+FROM mcr.microsoft.com/dotnet/sdk:$SDK_VERSION AS build-env
+WORKDIR /src
+
+COPY . .
+RUN dotnet restore /src/Demo.AspNetCore.Changefeed \
+  --runtime linux-x64
+
+RUN dotnet publish /src/Demo.AspNetCore.Changefeed \
+  --no-restore \
+  --runtime linux-x64 \
+  --configuration Release \
+  --output /app/publish
+
+FROM mcr.microsoft.com/dotnet/aspnet:$ASPNET_VERSION
+USER $APP_UID
+WORKDIR /app
+COPY --from=build-env /app/publish .
+EXPOSE 8080
+ENTRYPOINT ["./Demo.AspNetCore.Changefeed"]