himari-aws 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2cc2ae7b20fd4a41872281249587bacae7170a411651458cfab901afc08a9bfe
-  data.tar.gz: dc2cd99bad600b636b817c1534b5ea8c17e59bb49a9bf667b4ee7f0d41f17acd
+  metadata.gz: 85a23ea8f8d589be0168080f22f979e78d26113119166ba0a99936448b74ed7c
+  data.tar.gz: 1837996eac719023197e7e56544c77b2b4d93426e6942cf60e37053bf007d2c5
 SHA512:
-  metadata.gz: 5f0fdb41114958bf5330173fd12de1db680f77ef8719d84e0fc1724ea9bb0311c8d7d63363111ec9490ee4a39227d91acff8224f601a5ae055e1199a239a7f64
-  data.tar.gz: 2ee76e5b556d477ee37d51a92a5a4fb03d8c751c5e877d295c46970bb073cfb6bf6b7f4a70611b4ade5890caec4e15f42a98a6d94fb81a02553df6cf2815a8ff
+  metadata.gz: 6e74908b3c34af13b018436918b6a83f87d4180d28505348c9aba6e25024ddcab1cc323df5c151c2e45aa3ec00afb4d40b2fb2c7c6a9b6bc77193010a0d757ae
+  data.tar.gz: 2b5bcd9303a70d87b51c80ef9dead217844d13ec68b942941088aa3ba6e9398bd09419d102321600efa9e311c11ae596e23e404988bd8763e30d8c802cf9166b

data/CHANGELOG.md

@@ -0,0 +1,15 @@
+## [0.3.0] - 2026-06-03
+
+### Enhancements
+
+- Lambda image: copy the prebuilt image with skopeo instead of docker (gains an `architecture` input), with Terraform AWS provider v6 compatibility and a `role_name` output [#18](https://github.com/sorah/himari/pull/18)
+- DynamoDB storage: compare-and-swap writes backing refresh-token rotation [#14](https://github.com/sorah/himari/pull/14)
+- Lambda image: bundle `omniauth-entra-id` and `omniauth-okta`, depend explicitly on `aws-sdk-ssm` and `aws-sdk-secretsmanager`, and make `rack-cors` available.
+
+### Changes
+
+- Lambda image: Ruby 4.0, build on dnf, and rolled dependencies (including `apigatewayv2_rack` 0.5.0).
+
+## [0.2.0] - 2023-03-22
+
+- Initial release: `Himari::Aws::DynamodbStorage`, Secrets Manager signing key provider and rotation handler, prebuilt Lambda container image, and Terraform modules.

data/README.md

@@ -50,7 +50,7 @@ gem 'nokogiri'
 
 ### Secrets Manager Rotation Handler
 
-1. Deploy [./lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb]() as a Lambda function. This file works standalone.
+1. Deploy [./lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb](./lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb) as a Lambda function. This file works standalone.
 
    - Refer to the [./lambda](./lambda) for prebuilt container image
 

data/lambda/Dockerfile

@@ -1,14 +1,20 @@
 # context must be repository root
-FROM public.ecr.aws/lambda/ruby:2.7 as builder
-RUN yum install -y gcc gcc-c++ make pkg-config git
+FROM public.ecr.aws/lambda/ruby:4.0 as builder
+RUN --mount=type=cache,target=/var/cache/dnf dnf update -y && dnf install -y gcc gcc-c++ make
 
 COPY ./himari/himari.gemspec ${LAMBDA_TASK_ROOT}/app/himari/himari.gemspec
 COPY ./himari/lib/himari/version.rb ${LAMBDA_TASK_ROOT}/app/himari/lib/himari/version.rb
+
 COPY ./himari-aws/himari-aws.gemspec ${LAMBDA_TASK_ROOT}/app/himari-aws/himari-aws.gemspec
 COPY ./himari-aws/lib/himari/aws/version.rb ${LAMBDA_TASK_ROOT}/app/himari-aws/lib/himari/aws/version.rb
+
+COPY ./omniauth-himari/omniauth-himari.gemspec ${LAMBDA_TASK_ROOT}/app/omniauth-himari/omniauth-himari.gemspec
+COPY ./omniauth-himari/lib/omniauth-himari/version.rb ${LAMBDA_TASK_ROOT}/app/omniauth-himari/lib/omniauth-himari/version.rb
+
 COPY ./himari-aws/lambda/Gemfile* ${LAMBDA_TASK_ROOT}/app/himari-aws/lambda/
 WORKDIR ${LAMBDA_TASK_ROOT}/app
 
+ENV LANG=C.UTF-8
 ENV BUNDLE_GEMFILE ${LAMBDA_TASK_ROOT}/app/himari-aws/lambda/Gemfile
 ENV BUNDLE_PATH ${LAMBDA_TASK_ROOT}/vendor/bundle
 ENV BUNDLE_DEPLOYMENT 1
@@ -18,7 +24,7 @@ RUN bundle install
 
 COPY . ${LAMBDA_TASK_ROOT}/app
 
-FROM public.ecr.aws/lambda/ruby:2.7
+FROM public.ecr.aws/lambda/ruby:4.0
 
 COPY --from=builder ${LAMBDA_TASK_ROOT}/vendor ${LAMBDA_TASK_ROOT}/vendor
 COPY . ${LAMBDA_TASK_ROOT}/app
@@ -26,6 +32,7 @@ COPY . ${LAMBDA_TASK_ROOT}/app
 COPY ./himari-aws/lambda/entrypoint.rb ${LAMBDA_TASK_ROOT}/himari_lambda_entrypoint.rb
 
 WORKDIR ${LAMBDA_TASK_ROOT}/app
+ENV LANG=C.UTF-8
 ENV BUNDLE_GEMFILE ${LAMBDA_TASK_ROOT}/app/himari-aws/lambda/Gemfile
 ENV BUNDLE_PATH ${LAMBDA_TASK_ROOT}/vendor/bundle
 ENV BUNDLE_DEPLOYMENT 1

data/lambda/Gemfile

@@ -1,24 +1,35 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 root = File.join('..', '..')
 
 gem 'himari', path: File.join(root, 'himari')
 gem 'himari-aws', path: File.join(root, 'himari-aws')
+gem 'omniauth-himari', path: File.join(root, 'omniauth-himari')
+
+gem 'aws-sdk-secretsmanager'
+gem 'aws-sdk-ssm' # paraemeter store
 gem 'nokogiri'
-#gem 'apigatewayv2_rack', git: 'https://github.com/sorah/apigatewayv2_rack'
-gem 'apigatewayv2_rack', '>= 0.1.3'
+# gem 'apigatewayv2_rack', git: 'https://github.com/sorah/apigatewayv2_rack'
+gem 'apigatewayv2_rack', '>= 0.5.0'
 
 # contribs
+gem 'secure_headers'
+gem 'rack-cors'
+
 gem 'omniauth-oauth2'
 gem 'omniauth-saml'
-#gem 'omniauth-twitter'
+# gem 'omniauth-twitter'
 gem 'omniauth-github'
 gem 'omniauth-auth0'
-#gem 'omniauth-shibboleth'
+gem 'omniauth-entra-id'
+gem 'omniauth-okta'
+# gem 'omniauth-shibboleth'
 gem 'omniauth-gitlab'
-#gem 'omniauth-kerberos'
+# gem 'omniauth-kerberos'
 gem 'omniauth-google-oauth2'
 gem 'omniauth-discord'
 gem 'omniauth-apple'
 # gem 'omniauth-ldap' # omniauth < 2
-#gem 'omniauth-slack'# omniauth-oauth2 version constraints does not match with omniauth-github
+# gem 'omniauth-slack'# omniauth-oauth2 version constraints does not match with omniauth-github

data/lambda/Gemfile.lock

@@ -1,18 +1,30 @@
 PATH
   remote: ../../himari
   specs:
-    himari (0.2.0)
+    himari (0.6.0)
       addressable
+      concurrent-ruby
+      httpx
       omniauth (>= 2.0)
       openid_connect
       rack-oauth2
       rack-protection
       sinatra (>= 3.0)
 
+PATH
+  remote: ../../omniauth-himari
+  specs:
+    omniauth-himari (0.3.0)
+      faraday
+      jwt
+      oauth2
+      omniauth
+      omniauth-oauth2
+
 PATH
   remote: ..
   specs:
-    himari-aws (0.2.0)
+    himari-aws (0.3.0)
       apigatewayv2_rack
       aws-sdk-dynamodb
       aws-sdk-secretsmanager
@@ -21,169 +33,227 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activemodel (7.0.4.3)
-      activesupport (= 7.0.4.3)
-    activesupport (7.0.4.3)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+    activemodel (8.1.3)
+      activesupport (= 8.1.3)
+    activesupport (8.1.3)
+      base64
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.3.1)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
+      json
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      tzinfo (~> 2.0)
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    addressable (2.9.0)
+      public_suffix (>= 2.0.2, < 8.0)
     aes_key_wrap (1.1.0)
-    apigatewayv2_rack (0.1.3)
+    apigatewayv2_rack (0.5.0)
+      base64
       rack
-    attr_required (1.0.1)
-    aws-eventstream (1.2.0)
-    aws-partitions (1.732.0)
-    aws-sdk-core (3.170.1)
-      aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.5)
+      stringio
+    attr_required (1.0.2)
+    auth-sanitizer (0.1.4)
+      version_gem (~> 1.1, >= 1.1.9)
+    aws-eventstream (1.4.0)
+    aws-partitions (1.1257.0)
+    aws-sdk-core (3.251.0)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-dynamodb (1.83.0)
-      aws-sdk-core (~> 3, >= 3.165.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-secretsmanager (1.73.0)
-      aws-sdk-core (~> 3, >= 3.165.0)
-      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.5.2)
+      logger
+    aws-sdk-dynamodb (1.168.0)
+      aws-sdk-core (~> 3, >= 3.248.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-secretsmanager (1.133.0)
+      aws-sdk-core (~> 3, >= 3.248.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-ssm (1.216.0)
+      aws-sdk-core (~> 3, >= 3.248.0)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.12.1)
       aws-eventstream (~> 1, >= 1.0.2)
-    bindata (2.4.15)
-    concurrent-ruby (1.2.2)
-    date (3.3.3)
-    faraday (2.7.4)
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-follow_redirects (0.3.0)
+    base64 (0.3.0)
+    bigdecimal (4.1.2)
+    bindata (2.5.1)
+    cgi (0.5.1)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
+    date (3.5.1)
+    drb (2.2.3)
+    faraday (2.14.2)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-follow_redirects (0.5.0)
       faraday (>= 1, < 3)
-    faraday-net_http (3.0.2)
-    hashie (5.0.0)
-    i18n (1.12.0)
+    faraday-net_http (3.4.4)
+      net-http (~> 0.5)
+    hashie (5.1.0)
+      logger
+    http-2 (1.1.3)
+    httpx (1.7.8)
+      http-2 (>= 1.1.3)
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
     jmespath (1.6.2)
-    json-jwt (1.16.3)
+    json (2.19.8)
+    json-jwt (1.17.1)
       activesupport (>= 4.2)
       aes_key_wrap
+      base64
       bindata
       faraday (~> 2.0)
       faraday-follow_redirects
-    jwt (2.7.0)
-    mail (2.8.1)
+    jwt (2.10.3)
+      base64
+    logger (1.7.0)
+    mail (2.9.0)
+      logger
       mini_mime (>= 0.1.1)
       net-imap
       net-pop
       net-smtp
-    mini_mime (1.1.2)
-    mini_portile2 (2.8.1)
-    minitest (5.18.0)
-    multi_xml (0.6.0)
-    mustermann (3.0.0)
-      ruby2_keywords (~> 0.0.1)
-    net-imap (0.3.4)
+    mini_mime (1.1.5)
+    mini_portile2 (2.8.9)
+    minitest (6.0.6)
+      drb (~> 2.0)
+      prism (~> 1.5)
+    multi_xml (0.9.1)
+      bigdecimal (>= 3.1, < 5)
+    mustermann (3.1.1)
+    net-http (0.9.1)
+      uri (>= 0.11.1)
+    net-imap (0.6.4)
       date
       net-protocol
     net-pop (0.1.2)
       net-protocol
-    net-protocol (0.2.1)
+    net-protocol (0.2.2)
       timeout
-    net-smtp (0.3.3)
+    net-smtp (0.5.1)
       net-protocol
-    nokogiri (1.14.2)
-      mini_portile2 (~> 2.8.0)
+    nokogiri (1.19.3)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    oauth2 (2.0.9)
-      faraday (>= 0.17.3, < 3.0)
-      jwt (>= 1.0, < 3.0)
+    oauth2 (2.0.20)
+      auth-sanitizer (~> 0.1, >= 0.1.3)
+      faraday (>= 0.17.3, < 4.0)
+      jwt (>= 1.0, < 4.0)
+      logger (~> 1.2)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 4)
-      snaky_hash (~> 2.0)
-      version_gem (~> 1.1)
-    omniauth (2.1.1)
+      snaky_hash (~> 2.0, >= 2.0.4)
+      version_gem (~> 1.1, >= 1.1.9)
+    omniauth (2.1.4)
       hashie (>= 3.4.6)
+      logger
       rack (>= 2.2.3)
       rack-protection
-    omniauth-apple (1.3.0)
+    omniauth-apple (1.4.0)
       json-jwt
       omniauth-oauth2
-    omniauth-auth0 (3.1.0)
+    omniauth-auth0 (3.2.0)
+      jwt (~> 2)
       omniauth (~> 2)
       omniauth-oauth2 (~> 1)
-    omniauth-discord (1.0.0)
-      omniauth
-      omniauth-oauth2
+    omniauth-discord (1.2.0)
+      omniauth-oauth2 (~> 1.6)
+    omniauth-entra-id (3.1.1)
+      jwt (>= 2.9.2)
+      omniauth-oauth2 (~> 1.8)
     omniauth-github (2.0.1)
       omniauth (~> 2.0)
       omniauth-oauth2 (~> 1.8)
     omniauth-gitlab (4.1.0)
       omniauth (~> 2.0)
       omniauth-oauth2 (~> 1.8.0)
-    omniauth-google-oauth2 (1.1.1)
-      jwt (>= 2.0)
-      oauth2 (~> 2.0.6)
+    omniauth-google-oauth2 (1.2.2)
+      jwt (>= 2.9.2)
+      oauth2 (~> 2.0)
       omniauth (~> 2.0)
-      omniauth-oauth2 (~> 1.8.0)
+      omniauth-oauth2 (~> 1.8)
     omniauth-oauth2 (1.8.0)
       oauth2 (>= 1.4, < 3)
       omniauth (~> 2.0)
-    omniauth-saml (2.1.0)
+    omniauth-okta (2.0.0)
       omniauth (~> 2.0)
-      ruby-saml (~> 1.12)
-    openid_connect (2.2.0)
+      omniauth-oauth2 (~> 1.7, >= 1.7.1)
+    omniauth-saml (2.2.5)
+      omniauth (~> 2.1)
+      ruby-saml (~> 1.18)
+    openid_connect (2.5.0)
       activemodel
       attr_required (>= 1.0.0)
       faraday (~> 2.0)
       faraday-follow_redirects
       json-jwt (>= 1.16)
-      net-smtp
+      mail
       rack-oauth2 (~> 2.2)
       swd (~> 2.0)
       tzinfo
-      validate_email
       validate_url
       webfinger (~> 2.0)
-    public_suffix (5.0.1)
-    racc (1.6.2)
-    rack (2.2.6.4)
-    rack-oauth2 (2.2.0)
+    prism (1.9.0)
+    public_suffix (7.0.5)
+    racc (1.8.1)
+    rack (3.2.6)
+    rack-cors (3.0.0)
+      logger
+      rack (>= 3.0.14)
+    rack-oauth2 (2.3.0)
       activesupport
       attr_required
       faraday (~> 2.0)
       faraday-follow_redirects
       json-jwt (>= 1.11.0)
       rack (>= 2.1.0)
-    rack-protection (3.0.5)
-      rack
-    rexml (3.2.5)
-    ruby-saml (1.15.0)
+    rack-protection (4.2.1)
+      base64 (>= 0.1.0)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.1.2)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
+    rexml (3.4.4)
+    ruby-saml (1.18.1)
       nokogiri (>= 1.13.10)
       rexml
-    ruby2_keywords (0.0.5)
-    sinatra (3.0.5)
+    secure_headers (7.2.0)
+      cgi (>= 0.1)
+    securerandom (0.4.1)
+    sinatra (4.2.1)
+      logger (>= 1.6.0)
       mustermann (~> 3.0)
-      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.5)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.2.1)
+      rack-session (>= 2.0.0, < 3)
       tilt (~> 2.0)
-    snaky_hash (2.0.1)
-      hashie
-      version_gem (~> 1.1, >= 1.1.1)
-    swd (2.0.2)
+    snaky_hash (2.0.4)
+      hashie (>= 0.1.0, < 6)
+      version_gem (>= 1.1.8, < 3)
+    stringio (3.2.0)
+    swd (2.0.3)
       activesupport (>= 3)
       attr_required (>= 0.0.5)
       faraday (~> 2.0)
       faraday-follow_redirects
-    tilt (2.1.0)
-    timeout (0.3.2)
+    tilt (2.7.0)
+    timeout (0.6.1)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    validate_email (0.1.6)
-      activemodel (>= 3.0)
-      mail (>= 2.2.5)
+    uri (1.1.1)
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
-    version_gem (1.1.2)
-    webfinger (2.1.2)
+    version_gem (1.1.10)
+    webfinger (2.1.3)
       activesupport
       faraday (~> 2.0)
       faraday-follow_redirects
@@ -192,18 +262,113 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  apigatewayv2_rack (>= 0.1.3)
+  apigatewayv2_rack (>= 0.5.0)
+  aws-sdk-secretsmanager
+  aws-sdk-ssm
   himari!
   himari-aws!
   nokogiri
   omniauth-apple
   omniauth-auth0
   omniauth-discord
+  omniauth-entra-id
   omniauth-github
   omniauth-gitlab
   omniauth-google-oauth2
+  omniauth-himari!
   omniauth-oauth2
+  omniauth-okta
   omniauth-saml
+  rack-cors
+  secure_headers
+
+CHECKSUMS
+  activemodel (8.1.3) sha256=90c05cbe4cef3649b8f79f13016191ea94c4525ce4a5c0fb7ef909c4b91c8219
+  activesupport (8.1.3) sha256=21a5e0dfbd4c3ddd9e1317ec6a4d782fa226e7867dc70b0743acda81a1dca20e
+  addressable (2.9.0) sha256=7fdf6ac3660f7f4e867a0838be3f6cf722ace541dd97767fa42bc6cfa980c7af
+  aes_key_wrap (1.1.0) sha256=b935f4756b37375895db45669e79dfcdc0f7901e12d4e08974d5540c8e0776a5
+  apigatewayv2_rack (0.5.0) sha256=30fb327ddacfeb0490657052791cea327ef852348ca32c21fa412161bfe492b2
+  attr_required (1.0.2) sha256=f0ebfc56b35e874f4d0ae799066dbc1f81efefe2364ca3803dc9ea6a4de6cb99
+  auth-sanitizer (0.1.4) sha256=ded72221d4d3a7c91e34e8a87b21e6a42cbf7829697f140dcf49d542422faedc
+  aws-eventstream (1.4.0) sha256=116bf85c436200d1060811e6f5d2d40c88f65448f2125bc77ffce5121e6e183b
+  aws-partitions (1.1257.0) sha256=03c531f40fdd979a9ae2aae70140c60e59000e6f62a60b3d6171b78cdded960c
+  aws-sdk-core (3.251.0) sha256=ef8186cb5509147e590310da58fab4c5b0901eba0e85a72955abdf772e425c87
+  aws-sdk-dynamodb (1.168.0) sha256=9bd479a23c6ab006130c7c1ebf5f9dd4c05d90ce03255f69ca8d04748fef0aec
+  aws-sdk-secretsmanager (1.133.0) sha256=467d64d44aa5206fa45d9fc9d5b90290ed7aa9101ed18393caf9b8fbe5c277dc
+  aws-sdk-ssm (1.216.0) sha256=7d03b033d183025ae5a4b473766d215fc0fca6a2978b347a16f2a3cdff49b62c
+  aws-sigv4 (1.12.1) sha256=6973ff95cb0fd0dc58ba26e90e9510a2219525d07620c8babeb70ef831826c00
+  base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
+  bigdecimal (4.1.2) sha256=53d217666027eab4280346fba98e7d5b66baaae1b9c3c1c0ffe89d48188a3fbd
+  bindata (2.5.1) sha256=53186a1ec2da943d4cb413583d680644eb810aacbf8902497aac8f191fad9e58
+  bundler (4.0.12) sha256=7f8b757d28dfb636e7b24fba2344ac6dd13b5b24f4b46d62573d483f211825ac
+  cgi (0.5.1) sha256=e93fcafc69b8a934fe1e6146121fa35430efa8b4a4047c4893764067036f18e9
+  concurrent-ruby (1.3.6) sha256=6b56837e1e7e5292f9864f34b69c5a2cbc75c0cf5338f1ce9903d10fa762d5ab
+  connection_pool (3.0.2) sha256=33fff5ba71a12d2aa26cb72b1db8bba2a1a01823559fb01d29eb74c286e62e0a
+  date (3.5.1) sha256=750d06384d7b9c15d562c76291407d89e368dda4d4fff957eb94962d325a0dc0
+  drb (2.2.3) sha256=0b00d6fdb50995fe4a45dea13663493c841112e4068656854646f418fda13373
+  faraday (2.14.2) sha256=73ccb9994a9e8648f010e32eca2ae82e41c57860aa10932cda29418b9e0223ad
+  faraday-follow_redirects (0.5.0) sha256=5cde93c894b30943a5d2b93c2fe9284216a6b756f7af406a1e55f211d97d10ad
+  faraday-net_http (3.4.4) sha256=0e78af151747ed1b00f33e25973b4bc220d7f16c00c39676817c8b12331eb588
+  hashie (5.1.0) sha256=c266471896f323c446ea8207f8ffac985d2718df0a0ba98651a3057096ca3870
+  himari (0.6.0)
+  himari-aws (0.3.0)
+  http-2 (1.1.3) sha256=1b2f379d35a11dbae94f8a1a52c053d8c161eb4a0c98b5d1605ff1b2bf171c9c
+  httpx (1.7.8) sha256=6d769465ed608287a272ba0e4700fc22cee6f0335d80bd5c2effaf7fb7bd2a3a
+  i18n (1.14.8) sha256=285778639134865c5e0f6269e0b818256017e8cde89993fdfcbfb64d088824a5
+  jmespath (1.6.2) sha256=238d774a58723d6c090494c8879b5e9918c19485f7e840f2c1c7532cf84ebcb1
+  json (2.19.8) sha256=6354310fd76ef69b87d5bd1f38b40d730613baf90b6803d2d0a48f618d32dfaa
+  json-jwt (1.17.1) sha256=5e1ced0f7b206b4c567efee19e6503c1426a819749132926cda579ec013d1f46
+  jwt (2.10.3) sha256=e4d9352fbc7309b1a7448c7dd713dfe4d8c47077af80759cdbed8f878ea0b484
+  logger (1.7.0) sha256=196edec7cc44b66cfb40f9755ce11b392f21f7967696af15d274dde7edff0203
+  mail (2.9.0) sha256=6fa6673ecd71c60c2d996260f9ee3dd387d4673b8169b502134659ece6d34941
+  mini_mime (1.1.5) sha256=8681b7e2e4215f2a159f9400b5816d85e9d8c6c6b491e96a12797e798f8bccef
+  mini_portile2 (2.8.9) sha256=0cd7c7f824e010c072e33f68bc02d85a00aeb6fce05bb4819c03dfd3c140c289
+  minitest (6.0.6) sha256=153ea36d1d987a62942382b61075745042a2b3123b1cd48f4c3675af9cc7d6f1
+  multi_xml (0.9.1) sha256=7ce766b59c17241ed62976caeae1fae9b2431b263398c35396239a68c4a64e57
+  mustermann (3.1.1) sha256=4c6170c7234d5499c345562ba7c7dfe73e1754286dcc1abb053064d66a127198
+  net-http (0.9.1) sha256=25ba0b67c63e89df626ed8fac771d0ad24ad151a858af2cc8e6a716ca4336996
+  net-imap (0.6.4) sha256=9a5598c67a3022c284d98430ef1d4948e7dbdb62596f61081ea8ca933270a02b
+  net-pop (0.1.2) sha256=848b4e982013c15b2f0382792268763b748cce91c9e91e36b0f27ed26420dff3
+  net-protocol (0.2.2) sha256=aa73e0cba6a125369de9837b8d8ef82a61849360eba0521900e2c3713aa162a8
+  net-smtp (0.5.1) sha256=ed96a0af63c524fceb4b29b0d352195c30d82dd916a42f03c62a3a70e5b70736
+  nokogiri (1.19.3) sha256=78312cbac32a40c812780d9678221b79d51288eec00054c1a8d15f7ce05960e8
+  oauth2 (2.0.20) sha256=790c6316346da12f9dcaf27a67530f802950af05d35c3874918da84f2deae674
+  omniauth (2.1.4) sha256=42a05b0496f0d22e1dd85d42aaf602f064e36bb47a6826a27ab55e5ba608763c
+  omniauth-apple (1.4.0) sha256=f449ce4c206e784536cbaf64b7c36072ac5e7c73103b1a01ba3c1d9454bf6e24
+  omniauth-auth0 (3.2.0) sha256=9241a8ce3ead46070f101f8f5170f09d7c2c3841321734d7a4852d954815db9c
+  omniauth-discord (1.2.0) sha256=e6e92649a645862ccb29ce3d5f2f876de9e26198722b9d05f9f6d4f3805d5c70
+  omniauth-entra-id (3.1.1) sha256=16622979423891352f916709f0698401e692e60bb41d4dbf5f7a17d98fee27ef
+  omniauth-github (2.0.1) sha256=8ff8e70ac6d6db9d52485eef52cfa894938c941496e66b52b5e2773ade3ccad4
+  omniauth-gitlab (4.1.0) sha256=543f1fa710488220b382bd683a3f314f5b29c36de85ad746f356f37795959613
+  omniauth-google-oauth2 (1.2.2) sha256=74c3f3d0221c048f938846092fb15a1f15237526f50a7c93d9793f9a4ff1be11
+  omniauth-himari (0.3.0)
+  omniauth-oauth2 (1.8.0) sha256=b2f8e9559cc7e2d4efba57607691d6d2b634b879fc5b5b6ccfefa3da85089e78
+  omniauth-okta (2.0.0) sha256=6425fd3140c3130bc8793a536f8200bfc154faac69fe6661d03959d841639655
+  omniauth-saml (2.2.5) sha256=552ad464564d711f0dfd169e0ad801de809cf3ac71c4bc9094f152d5a0d7ab59
+  openid_connect (2.5.0) sha256=659aff8edce0907798e3f6837e5f27ae2937ae8735216f3e900ab8daa29e39c4
+  prism (1.9.0) sha256=7b530c6a9f92c24300014919c9dcbc055bf4cdf51ec30aed099b06cd6674ef85
+  public_suffix (7.0.5) sha256=1a8bb08f1bbea19228d3bed6e5ed908d1cb4f7c2726d18bd9cadf60bc676f623
+  racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
+  rack (3.2.6) sha256=5ed78e1f73b2e25679bec7d45ee2d4483cc4146eb1be0264fc4d94cb5ef212c2
+  rack-cors (3.0.0) sha256=7b95be61db39606906b61b83bd7203fa802b0ceaaad8fcb2fef39e097bf53f68
+  rack-oauth2 (2.3.0) sha256=43e02cf73f13886a0a06499603caeec58aeba6eae1fefc4977c9678b7652c632
+  rack-protection (4.2.1) sha256=cf6e2842df8c55f5e4d1a4be015e603e19e9bc3a7178bae58949ccbb58558bac
+  rack-session (2.1.2) sha256=595434f8c0c3473ae7d7ac56ecda6cc6dfd9d37c0b2b5255330aa1576967ffe8
+  rexml (3.4.4) sha256=19e0a2c3425dfbf2d4fc1189747bdb2f849b6c5e74180401b15734bc97b5d142
+  ruby-saml (1.18.1) sha256=1b0e7a44aef150b4197955f5e015d593672e242cfdc5d06aa7554ec2350b9107
+  secure_headers (7.2.0) sha256=713b3d20af12b8c6633d97e276b286f1520e57be0d84b00f3bf43d22a1b70f83
+  securerandom (0.4.1) sha256=cc5193d414a4341b6e225f0cb4446aceca8e50d5e1888743fac16987638ea0b1
+  sinatra (4.2.1) sha256=b7aeb9b11d046b552972ade834f1f9be98b185fa8444480688e3627625377080
+  snaky_hash (2.0.4) sha256=2b12758c57defa6796341a1620f84b1a23737421d8d7e2575d0550b53cc4fece
+  stringio (3.2.0) sha256=c37cb2e58b4ffbd33fe5cd948c05934af997b36e0b6ca6fdf43afa234cf222e1
+  swd (2.0.3) sha256=4cdbe2a4246c19f093fce22e967ec3ebdd4657d37673672e621bf0c7eb770655
+  tilt (2.7.0) sha256=0d5b9ba69f6a36490c64b0eee9f6e9aad517e20dcc848800a06eb116f08c6ab3
+  timeout (0.6.1) sha256=78f57368a7e7bbadec56971f78a3f5ecbcfb59b7fcbb0a3ed6ddc08a5094accb
+  tzinfo (2.0.6) sha256=8daf828cc77bcf7d63b0e3bdb6caa47e2272dcfaf4fbfe46f8c3a9df087a829b
+  uri (1.1.1) sha256=379fa58d27ffb1387eaada68c749d1426738bd0f654d812fcc07e7568f5c57c6
+  validate_url (1.0.15) sha256=72fe164c0713d63a9970bd6700bea948babbfbdcec392f2342b6704042f57451
+  version_gem (1.1.10) sha256=d0575dc9f2949b2db9497051f96e5c36d7c6c2f2e81afd1a73cacccd4690e506
+  webfinger (2.1.3) sha256=567a52bde77fb38ca6b67e55db755f988766ec4651c1d24916a65aa70540695c
 
 BUNDLED WITH
-   2.3.21
+  4.0.12

data/lambda/entrypoint.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # BUNDLE_GEMFILE is defined at Dockerfile
 require 'bundler/setup'
 require 'himari/aws/lambda_handler'

data/lambda/terraform/README.md

@@ -36,10 +36,13 @@ module "himari_image" {
 
   repository_name  = "himari-lambda"
   source_image_tag = "" # Replace with image tag
+  architecture     = "x86_64" # or arm64; must match the Lambda architecture
 }
 ```
 
-- Uses null_resource with `docker` command to perform pull, retag and push to ECR private locally
+- Uses null_resource with `skopeo` command to copy the image to ECR private locally (requires `skopeo` on the machine running Terraform)
+- `architecture` selects which platform to copy out of the multi-arch source image (defaults to `x86_64`); set it to match the `architecture` you pass to the functions module
+- Requires Terraform >= 1.10 and AWS provider >= 5.83 (ephemeral resource for ECR credentials)
 - Prebuilt image tag is based on git commit SHA: https://github.com/sorah/himari/commits/main
 
 ## functions

data/lambda/terraform/iam/outputs.tf

@@ -1,3 +1,7 @@
 output "role_arn" {
   value = aws_iam_role.role.arn
 }
+
+output "role_name" {
+  value = aws_iam_role.role.name
+}

data/lambda/terraform/iam/variables.tf

@@ -40,5 +40,5 @@ variable "secrets_rotation_function_arn" {
 }
 
 locals {
-  dynamodb_table_arn = coalesce(var.dynamodb_table_arn, var.dynamodb_table_name != null ? "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${var.dynamodb_table_name}" : null)
+  dynamodb_table_arn = coalesce(var.dynamodb_table_arn, var.dynamodb_table_name != null ? "arn:aws:dynamodb:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:table/${var.dynamodb_table_name}" : null)
 }

data/lambda/terraform/iam/versions.tf

@@ -1,7 +1,8 @@
 terraform {
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
     }
   }
 }

data/lambda/terraform/image/copy.tf

@@ -1,17 +1,45 @@
+ephemeral "aws_ecr_authorization_token" "repo" {}
+
+locals {
+  # Map Lambda's architecture notation to the source image's OS/arch so skopeo
+  # picks the matching image out of the multi-arch index deterministically,
+  # regardless of the host running Terraform.
+  skopeo_platform = {
+    x86_64 = { os = "linux", arch = "amd64" }
+    arm64  = { os = "linux", arch = "arm64" }
+  }[var.architecture]
+}
+
 resource "null_resource" "copy-image" {
   triggers = {
-    region           = data.aws_region.current.name
+    region           = data.aws_region.current.region
     repository_url   = aws_ecr_repository.repo.repository_url
     source_image_tag = var.source_image_tag
+    architecture     = var.architecture
   }
+
   provisioner "local-exec" {
-    command = "cd ${path.module} && ./copy.sh"
-    environment = {
-      AWS_REGION         = data.aws_region.current.name
-      AWS_DEFAULT_REGION = data.aws_region.current.name
+    interpreter = ["/bin/bash", "-c"]
+    # public.ecr.aws is pulled anonymously; only the destination ECR needs credentials.
+    # The password is fed over stdin into a temporary authfile rather than passed as a
+    # command-line argument, so it never appears in the process argument list.
+    command = <<-EOT
+      set -euo pipefail
+      authfile="$(mktemp)"
+      trap 'rm -f "$authfile"' EXIT
+      # skopeo login reads the authfile before merging the new credential into it,
+      # so seed it with an empty JSON object; mktemp's 0-byte file is invalid JSON.
+      printf '{}' > "$authfile"
+      printf '%s' "$DEST_PASSWORD" | skopeo login --username AWS --password-stdin --authfile "$authfile" "$${REPOSITORY_URL%%/*}"
+      skopeo copy --authfile "$authfile" --override-os "$OVERRIDE_OS" --override-arch "$OVERRIDE_ARCH" "docker://public.ecr.aws/sorah/himari-lambda:$SOURCE_IMAGE_TAG" "docker://$REPOSITORY_URL:$SOURCE_IMAGE_TAG"
+    EOT
 
+    environment = {
+      DEST_PASSWORD    = ephemeral.aws_ecr_authorization_token.repo.password
       REPOSITORY_URL   = aws_ecr_repository.repo.repository_url
       SOURCE_IMAGE_TAG = var.source_image_tag
+      OVERRIDE_OS      = local.skopeo_platform.os
+      OVERRIDE_ARCH    = local.skopeo_platform.arch
     }
   }
 }

data/lambda/terraform/image/variables.tf

@@ -7,3 +7,14 @@ variable "source_image_tag" {
   type        = string
   description = "Image tag for public.ecr.aws/sorah/himari-lambda. You can use Git commit hash on https://github.com/sorah/himari"
 }
+
+variable "architecture" {
+  type        = string
+  default     = "x86_64"
+  description = "Lambda CPU architecture to copy from the multi-arch source image (x86_64 or arm64)"
+
+  validation {
+    condition     = contains(["x86_64", "arm64"], var.architecture)
+    error_message = "architecture must be one of: x86_64, arm64."
+  }
+}

data/lambda/terraform/image/versions.tf

@@ -1,7 +1,9 @@
 terraform {
+  required_version = ">= 1.10"
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
     }
   }
 }

data/lib/himari/aws/dynamodb_storage.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/storages/base'
 require 'aws-sdk-dynamodb'
 
@@ -8,34 +10,55 @@ module Himari
 
       # @param client [Aws::DynamoDB::Client]
       # @param table_name [String] name of DynamoDB table with hash=pk/range=sk key.
-      def initialize(client: ::Aws::DynamoDB::Client.new, table_name:)
+      # @param consistent_read [Boolean] use consitent read when querying. default to true.
+      def initialize(client: ::Aws::DynamoDB::Client.new, table_name:, consistent_read: true)
         @client = client
         @table_name = table_name
+        @consistent_read = consistent_read
       end
 
       attr_reader :client, :table_name
 
-      private def write(kind, key, content, overwrite: false)
+      def consistent_read?; !!@consistent_read; end
+
+      private def write(kind, key, content, overwrite: false, if_version: nil)
         pk = "storage:#{kind}:#{key}"
-        payload = {
+        # version and updated_at are mirrored to top-level attributes (besides living inside
+        # content_json) so the refresh-token compare-and-swap can reference them in a condition.
+        attrs = {
           content_json: JSON.pretty_generate(content),
-          ttl: content[:ttl] || content[:expiry],
-        }
+          version: content[:version],
+          updated_at: content[:updated_at],
+        }.compact
+        ttl = content[:ttl] || content[:expiry]
+        attrs[:ttl] = ttl if ttl
+
+        update_expression = +"SET #{attrs.keys.map { |k| "##{k} = :#{k}" }.join(", ")}"
+        update_expression << "\nREMOVE #ttl" unless attrs.key?(:ttl)
+
+        expression_attribute_names = attrs.keys.to_h { |k| ["##{k}", k.to_s] }
+        expression_attribute_names['#ttl'] = 'ttl' unless attrs.key?(:ttl)
+        expression_attribute_values = attrs.transform_keys { ":#{_1}" }
+
+        condition_expression =
+          if if_version
+            expression_attribute_names['#version'] = 'version'
+            expression_attribute_values[':expected_version'] = if_version
+            'attribute_exists(pk) AND #version = :expected_version'
+          elsif !overwrite
+            'attribute_not_exists(pk)'
+          end
+
         @client.update_item(
           table_name: @table_name,
           key: {
             'pk' => pk,
             'sk' => pk,
           },
-          # #{payload.each_key.map { |k| "##{k} = :#{k}" }.join(', ')}
-          update_expression: <<~EOS,
-          SET
-            #content_json = :content_json
-          #{payload[:ttl] ? ", #ttl = :ttl" : "REMOVE #ttl"}
-          EOS
-          condition_expression: overwrite ? nil : 'attribute_not_exists(pk)',
-          expression_attribute_names: payload.each_key.map { |k| ["##{k}", k] }.to_h,
-          expression_attribute_values: payload.transform_keys { ":#{_1}" },
+          update_expression: update_expression,
+          condition_expression: condition_expression,
+          expression_attribute_names: expression_attribute_names,
+          expression_attribute_values: expression_attribute_values,
         )
         nil
       rescue ::Aws::DynamoDB::Errors::ConditionalCheckFailedException
@@ -50,9 +73,11 @@ module Himari
           limit: 1,
           key_condition_expression: 'pk = :pk AND sk = :sk',
           expression_attribute_values: {":pk" => pk, ":sk" => pk},
+          consistent_read: consistent_read?,
         ).items.first
 
-        return nil unless item
+        return unless item
+
         JSON.parse(item.fetch('content_json'), symbolize_names: true)
       end
 
@@ -60,7 +85,7 @@ module Himari
         pk = "storage:#{kind}:#{key}"
         @client.delete_item(
           table_name: @table_name,
-          key: {'pk' => pk, 'sk' => pk}
+          key: {'pk' => pk, 'sk' => pk},
         )
         nil
       end

data/lib/himari/aws/lambda_handler.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari'
 require 'himari/aws/secretsmanager_signing_key_rotation_handler'
 
@@ -11,19 +13,20 @@ module Himari
   module Aws
     module LambdaHandler
       def self.app
-        @app ||= make_app()
+        @app ||= make_app
       end
 
       def self.config_ru
         a = Time.now
         retval = config_ru_from_task_root || config_ru_from_dynamodb
         b = Time.now
-        $stdout.puts(JSON.generate(config_ru: {ts: b, elapsed_time: b-a}))
+        $stdout.puts(JSON.generate(config_ru: {ts: b, elapsed_time: b - a}))
         retval
       end
 
       def self.config_ru_from_task_root
-        return nil unless ENV['LAMBDA_TASK_ROOT']
+        return unless ENV['LAMBDA_TASK_ROOT']
+
         File.read(File.join(ENV['LAMBDA_TASK_ROOT'], 'config.ru'))
       rescue Errno::ENOENT, Errno::EPERM
         nil
@@ -32,9 +35,10 @@ module Himari
       def self.config_ru_from_dynamodb
         dgst = ENV.fetch('HIMARI_RACK_DIGEST')
         table_name = ENV.fetch('HIMARI_RACK_DYNAMODB_TABLE')
-        pk, sk = "rack", "rack:#{dgst}"
+        pk = "rack"
+        sk = "rack:#{dgst}"
 
-        ddb = ::Aws::DynamoDB::Client.new()
+        ddb = ::Aws::DynamoDB::Client.new
         item = ddb.query(
           table_name: table_name,
           select: 'ALL_ATTRIBUTES',

data/lib/himari/aws/secretsmanager_signing_key_provider.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'aws-sdk-secretsmanager'
 require 'himari/signing_key'
 require 'himari/middlewares/signing_key'
@@ -26,10 +28,12 @@ module Himari
 
         def collect(id: nil, active: nil, group: nil, **_remainder)
           return [] if group && group != @group
+
           case
           when id
             return [] unless id.start_with?("#{@kid_prefix}_")
-            version_id = id[(@kid_prefix.size+1)..-1] || ''
+
+            version_id = id[(@kid_prefix.size + 1)..-1] || ''
             [secret_value_to_signing_key(@client.get_secret_value(secret_id: @secret_id, version_id: version_id))].compact
 
           when active
@@ -50,10 +54,10 @@ module Himari
             JSON.parse(value.secret_string)
           rescue JSON::ParserError
             warn "JSON::ParserError while parsing #{value.arn} #{value.version_id}"
-            return nil
+            return
           end
-          
-          return nil unless json['kind'] == 'himari.signing_key'
+
+          return unless json['kind'] == 'himari.signing_key'
 
           pkey = case json.fetch('kty')
           when 'rsa'
@@ -76,4 +80,3 @@ module Himari
     end
   end
 end
-

data/lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html
 require 'openssl'
 require 'json'
@@ -11,7 +13,7 @@ module Himari
       RotationRequest = Struct.new(:step, :id, :token, :secret, keyword_init: true)
 
       def self.handler(event:, context:)
-        @secretsmanager ||= ::Aws::SecretsManager::Client.new()
+        @secretsmanager ||= ::Aws::SecretsManager::Client.new
 
         secret = prerequisite_check!(event)
 
@@ -40,10 +42,12 @@ module Himari
       def self.prerequisite_check!(event)
         secret = @secretsmanager.describe_secret(secret_id: event.fetch('SecretId'))
         raise "secret #{secret.arn.inspect} have not enabled rotation" unless secret.rotation_enabled
+
         stages = secret.version_ids_to_stages[event.fetch('ClientRequestToken')]
-        raise "Secret version #{event.fetch('ClientRequestToken').inspect} has no stage for secret #{secret.arn.inspect}" unless stages
-        raise "Secret version #{event.fetch('ClientRequestToken').inspect} is on AWSCURRENT for secret #{secret.arn.inspect}" if stages.include?('AWSCURRENT') && !stages.include?('AWSPENDING')
-        raise "Secret version #{event.fetch('ClientRequestToken').inspect} is not on AWSPENDING for secret #{secret.arn.inspect}" unless stages.include?('AWSPENDING')
+        raise "Secret version #{event.fetch("ClientRequestToken").inspect} has no stage for secret #{secret.arn.inspect}" unless stages
+        raise "Secret version #{event.fetch("ClientRequestToken").inspect} is on AWSCURRENT for secret #{secret.arn.inspect}" if stages.include?('AWSCURRENT') && !stages.include?('AWSPENDING')
+        raise "Secret version #{event.fetch("ClientRequestToken").inspect} is not on AWSPENDING for secret #{secret.arn.inspect}" unless stages.include?('AWSPENDING')
+
         secret
       end
 
@@ -81,9 +85,9 @@ module Himari
           JSON.pretty_generate({kind: 'himari.signing_key', kty: 'rsa', rsa: {pem: rsa.to_pem}})
         when 'ec'
           curve = case param.fetch(:len, 256).to_i
-          when 256; 'prime256v1'
-          when 384; 'secp384r1'
-          when 521; 'secp521r1'
+          when 256 then 'prime256v1'
+          when 384 then 'secp384r1'
+          when 521 then 'secp521r1'
           else
             raise ArgumentError, "unknown len: #{param.inspect}"
           end
@@ -110,6 +114,7 @@ module Himari
         begin
           return JSON.parse(str, symbolize_names: true)
         rescue JSON::ParserError
+          # fall through to raise below
         end
 
         raise "cannot parse keygen param #{str.inspect}"
@@ -126,7 +131,7 @@ module Himari
       end
 
       def self.finish_secret(req)
-        current_version = req.secret.version_ids_to_stages.find { |k,v| v.include?('AWSCURRENT') }.first
+        current_version = req.secret.version_ids_to_stages.find { |_k, v| v.include?('AWSCURRENT') }.first
         if current_version == req.token
           puts "finishSecret: #{current_version} on #{req.id} is on AWSCURRENT, do nothing"
           return

data/lib/himari/aws/version.rb

@@ -2,6 +2,6 @@
 
 module Himari
   module Aws
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

data/lib/himari-aws.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 require 'himari/aws'

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: himari-aws
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Sorah Fukumori
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-03-21 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: himari
@@ -25,7 +24,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: aws-sdk-secretsmanager
+  name: apigatewayv2_rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -53,7 +52,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: apigatewayv2_rack
+  name: aws-sdk-secretsmanager
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -66,7 +65,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description:
 email:
 - her@sorah.jp
 executables: []
@@ -74,6 +72,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".rspec"
+- CHANGELOG.md
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -96,7 +95,6 @@ files:
 - lambda/terraform/iam/variables.tf
 - lambda/terraform/iam/versions.tf
 - lambda/terraform/image/aws.tf
-- lambda/terraform/image/copy.sh
 - lambda/terraform/image/copy.tf
 - lambda/terraform/image/ecr.tf
 - lambda/terraform/image/outputs.tf
@@ -121,7 +119,6 @@ licenses:
 metadata:
   homepage_uri: https://github.com/sorah/himari
   source_code_uri: https://github.com/sorah/himari
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -136,8 +133,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key:
+rubygems_version: 4.0.10
 specification_version: 4
 summary: AWS related plugins for Himari
 test_files: []

data/lambda/terraform/image/copy.sh

@@ -1,5 +0,0 @@
-#!/bin/bash -xe
-aws ecr get-login-password | docker login --username AWS --password-stdin "${REPOSITORY_URL}"
-docker pull "public.ecr.aws/sorah/himari-lambda:${SOURCE_IMAGE_TAG}"
-docker tag "public.ecr.aws/sorah/himari-lambda:${SOURCE_IMAGE_TAG}" "${REPOSITORY_URL}:${SOURCE_IMAGE_TAG}"
-docker push "${REPOSITORY_URL}:${SOURCE_IMAGE_TAG}"