Desplegar funciones AWS Lambda con GitHub Actions
Automatizá el build, test y despliegue de funciones AWS Lambda usando GitHub Actions, con entornos basados en ramas y rollback opcional ante fallo del health check.
Prerrequisitos
- Una función AWS Lambda ya creada
- Un usuario o rol IAM con los permisos requeridos (ver más abajo)
- Un repositorio de GitHub con el código de la Lambda
Empecemos
Paso 1 — Estructura del proyecto
Organizá tu proyecto Lambda de esta forma:
lambda-project/
├── .github/
│ └── workflows/
│ └── deploy.yml
├── src/
│ └── handlers/
│ └── example_handler.py
├── requirements.txt
└── README.md
Paso 2 — Función Lambda de ejemplo (Python)
import json
import os
import boto3
import logging
logger = logging.getLogger()
logger.setLevel(logging.INFO)
def lambda_handler(event, context):
try:
table_name = os.environ.get('TABLE_NAME', 'default-table')
logger.info(f"Processing event: {json.dumps(event)}")
dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table(table_name)
table.put_item(Item={
'id': event.get('id', 'unknown'),
'data': event.get('data', {}),
'request_id': context.aws_request_id
})
return {
'statusCode': 200,
'body': json.dumps({'message': 'Success', 'request_id': context.aws_request_id})
}
except Exception as e:
logger.error(f"Error: {str(e)}", exc_info=True)
return {'statusCode': 500, 'body': json.dumps({'error': str(e)})}
Paso 3 — Workflow de GitHub Actions
Crear .github/workflows/deploy.yml:
name: Deploy Lambda
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
AWS_REGION: us-east-1
LAMBDA_FUNCTION_NAME: example-lambda
jobs:
deploy:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Cache dependencies
uses: actions/cache@v3
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
- name: Install dependencies
run: |
pip install -r requirements.txt -t ./package
cp -r src/* ./package/
- name: Create deployment package
run: |
cd package
zip -r ../lambda-deployment.zip .
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Deploy to Lambda
run: |
aws lambda update-function-code \
--function-name ${{ env.LAMBDA_FUNCTION_NAME }} \
--zip-file fileb://lambda-deployment.zip
- name: Update Lambda configuration
run: |
aws lambda update-function-configuration \
--function-name ${{ env.LAMBDA_FUNCTION_NAME }} \
--environment Variables="{TABLE_NAME=${{ secrets.DYNAMODB_TABLE }}}" \
--timeout 30 \
--memory-size 256
- name: Health check
run: |
aws lambda invoke \
--function-name ${{ env.LAMBDA_FUNCTION_NAME }} \
--payload '{"id": "health-check"}' \
response.json
status=$(jq -r '.statusCode' response.json)
if [ "$status" != "200" ]; then
echo "Health check falló (status: $status)"
exit 1
fi
Paso 4 — Agregar secrets en GitHub
Ir a Settings → Secrets and variables → Actions y agregar:
| Secret | Descripción |
|---|---|
AWS_ACCESS_KEY_ID | Access key de AWS |
AWS_SECRET_ACCESS_KEY | Secret key de AWS |
DYNAMODB_TABLE | Nombre de la tabla DynamoDB (opcional) |
Paso 5 — Permisos IAM requeridos
El usuario o rol IAM usado por GitHub Actions necesita como mínimo:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"lambda:PublishVersion",
"lambda:UpdateAlias",
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:us-east-1:*:function:example-lambda"
}
]
}
Solución de problemas
Package demasiado grande: Usá Lambda Layers para dependencias pesadas:
aws lambda publish-layer-version \
--layer-name common-dependencies \
--zip-file fileb://dependencies-layer.zip \
--compatible-runtimes python3.11
aws lambda update-function-configuration \
--function-name example-lambda \
--layers arn:aws:lambda:us-east-1:123456789:layer:common-dependencies:1
Permission denied: Verificá que la política IAM del Paso 5 esté adjunta al rol usado por GitHub Actions.