Node20.x and deps bump (#35)

* Node20.x and deps bump
* Switch to node20 runtime
* Remove globally installed serverless framework and update lock files
* Switch to new cert ca

.github/workflows/tests.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: '18.x'
+          node-version: '20.x'
       - run: npm ci
         working-directory: ./monitor
       - run: npm ci

Dockerfile

@@ -1,8 +1,8 @@
-FROM amazonlinux:2023.2.20230920.1
+FROM public.ecr.aws/lambda/nodejs:20
 ARG BUILDPLATFORM TARGETPLATFORM TARGETOS TARGETARCH
 
 # Install nodejs
-RUN yum install nodejs npm git wget unzip -y && yum clean all
+RUN dnf install wget unzip -y && dnf clean all
 
 # Install awscli
 RUN if [ "$TARGETARCH" = "arm64" ]; then \
@@ -25,9 +25,6 @@ RUN  mkdir -p /workspace/poduptime \
   /workspace/poduptime/website
 WORKDIR /workspace/poduptime
 
-# Install the serverless framework
-RUN npm install -g serverless@^3.35.2
-
 # Install deps
 COPY analytics/package*.json analytics
 RUN cd analytics && npm install --production=false --loglevel=error
@@ -41,4 +38,7 @@ COPY analytics      analytics
 COPY monitor        monitor
 COPY website        website
 COPY conf_test.js   .*
-COPY package*.json  ./
+COPY package*.json  ./
+
+# Reset endpoint defined in base image
+ENTRYPOINT []

analytics/common/database.js

@@ -1,6 +1,9 @@
 import pg from 'pg';
 import { formatISO, parseISO } from 'date-fns';
 import { Signer } from "@aws-sdk/rds-signer";
+import fs from 'fs';
+import url from 'url';
+const __dirname = url.fileURLToPath(new URL('.', import.meta.url));
 
 const { Pool, types } = pg;
 
@@ -13,6 +16,7 @@ types.setTypeParser(1114, x => formatISO(parseISO(x)));
 
 let pool = null;
 let expiresAtEpoch = null;
+let rdsCertificate = null;
 
 const EXPIRE_TOLERANCE = 60 * 1000; // 1 minute
 const TOKEN_LIFETIME = 15 * 60 * 1000; // 15 minutes
@@ -40,6 +44,26 @@ const _getAuthToken = async (hostname, port, username) => {
     }
 };
 
+const _getSslCertificate = () => {
+
+    if (rdsCertificate) {
+        return Promise.resolve(rdsCertificate);
+    }
+
+    return new Promise((resolve, reject) => {
+        const filepath = `${__dirname}../support/ssl/us-east-1-bundle.pem`;
+        fs.readFile(filepath, (err, content) => {
+            if (err) {
+                rdsCertificate = null;
+                reject(err);
+            } else {
+                rdsCertificate = content;
+                resolve(content);
+            }
+        });
+    });
+}
+
 const _epoch = () => {
     return (new Date()).getTime();
 }
@@ -77,6 +101,13 @@ const _getPool = async () => {
     let { token, ttl } = await _getAuthToken(
         process.env.PGHOST, parseInt(process.env.PGPORT, 10), process.env.PGUSER
     );
+
+    // Use ssl if we're running in AWS Lambda
+    let ssl = null;
+    if (process.env.AWS_EXECUTION_ENV) {
+        ssl = { ca: await _getSslCertificate() };
+    }
+
     expiresAtEpoch = _epoch() + ttl;
 
     pool = new Pool({
@@ -85,7 +116,7 @@ const _getPool = async () => {
         database: process.env.PGDATABASE,
         port: process.env.PGPORT,
         password: token,
-        ssl: !!process.env.AWS_EXECUTION_ENV
+        ssl: ssl
     });
 
     return pool;

analytics/deployment/resources/database.yml

@@ -36,6 +36,7 @@ Resources:
       DBClusterIdentifier: !Ref MainDatabaseCluster
       DBInstanceIdentifier: ${self:custom.appPrefix}-${opt:stage}-main-instance-1
       EnablePerformanceInsights: true
+      CACertificateIdentifier: rds-ca-rsa2048-g1
   MainDatabaseInstanceTwo:
     Condition: EnableDatabaseRedundancy
     Type: 'AWS::RDS::DBInstance'
@@ -44,4 +45,5 @@ Resources:
       DBInstanceClass: db.serverless
       DBClusterIdentifier: !Ref MainDatabaseCluster
       DBInstanceIdentifier: ${self:custom.appPrefix}-${opt:stage}-main-instance-2
-      EnablePerformanceInsights: true
+      EnablePerformanceInsights: true
+      CACertificateIdentifier: rds-ca-rsa2048-g1