#!/usr/bin/env bash
# Package and upload Vincent Lambdas to S3 for Terraform deployment.
# Strict mode: stop on a failing command, on use of an unset variable, and on a
# failure in any stage of a pipeline.
set -o errexit -o nounset -o pipefail

# Absolute path of the directory that contains this script.
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Scratch area under ROOT where packages are staged before zipping.
BUILD_DIR="${ROOT}/.lambda-build"

# Destination bucket for the deployment zips; LAMBDA_S3_BUCKET overrides the default.
# NOTE(review): uploads go to whichever bucket this name resolves to under the
# active AWS credentials -- confirm the default bucket is owned by the deploying
# account before relying on it.
BUCKET="${LAMBDA_S3_BUCKET:-argorand-lambdas-repository}"
# Interpreter used for the pip fallback; PYTHON overrides the default.
PYTHON="${PYTHON:-python3}"
#######################################
# Print the command-line help text.
# Arguments: none
# Outputs:   usage line, environment variables and S3 upload keys on stdout
#######################################
usage() {
  printf 'Usage: %s [all|vincent-authorizer|vincent-agentcore]\n' "$(basename "$0")"
  # Single quotes keep $BUCKET literal in the printed upload keys.
  printf '%s\n' \
    'Environment:' \
    'LAMBDA_S3_BUCKET S3 bucket (default: argorand-lambdas-repository)' \
    'PYTHON Python interpreter for pip fallback (default: python3)' \
    'Authorizer builds use Docker (public.ecr.aws/lambda/python:3.14-arm64) when available' \
    'so native deps (cryptography, etc.) are Linux arm64, not macOS.' \
    'Upload keys:' \
    's3://$BUCKET/vincent-authorizer/deployment.zip' \
    's3://$BUCKET/vincent-agentcore/deployment.zip'
}
#######################################
# Abort the script unless the shell can resolve the named command.
# Arguments: $1 - command name or path to look up
# Outputs:   error message on stderr when the command is missing
# Returns:   0 when found; exits the shell with status 1 otherwise
#######################################
require_cmd() {
  if command -v "$1" >/dev/null 2>&1; then
    return 0
  fi
  echo "Missing required command: $1" >&2
  exit 1
}
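#######################################
# Packaging gate: refuse to continue if any *.so under the package directory
# is not reported by file(1) as a 64-bit ARM aarch64 ELF object.
# Arguments: $1 - directory holding the installed Lambda dependencies
# Outputs:   one line per offending library plus rebuild advice, on stderr
# Returns:   0 when every *.so matches; exits the shell with status 1 otherwise
#######################################
verify_linux_arm64_binaries() {
  local pkg_dir="$1"
  local -a offenders=()
  local so desc

  # Fail closed: a check that scanned nothing must not count as a pass.
  if [[ ! -d "${pkg_dir}" ]]; then
    echo "ERROR: Lambda package directory not found: ${pkg_dir}" >&2
    exit 1
  fi

  # find's stderr is left visible so an unreadable subtree is not skipped silently.
  while IFS= read -r -d '' so; do
    # -b drops the "<path>: " prefix, so the match is against the detected file
    # type only and can never be satisfied by text in the file's path.
    desc="$(file -b -- "${so}")"
    if [[ "${desc}" != *'ELF 64-bit'*'ARM aarch64'* ]]; then
      offenders+=("${so}: ${desc}")
    fi
  done < <(find "${pkg_dir}" -name '*.so' -print0)

  if (( ${#offenders[@]} > 0 )); then
    {
      echo "ERROR: Found non-Linux-arm64 shared libraries in the Lambda package:"
      # printf emits real line breaks; the previous "\n" inside an echo argument
      # was printed literally.
      printf ' %s\n' "${offenders[@]}"
      echo "Rebuild with Docker (recommended) or fix pip --platform flags; do not use macOS-native wheels."
    } >&2
    exit 1
  fi
}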
#######################################
# Install the authorizer's requirements inside the Lambda Python arm64 image
# and write them to a host directory through a bind mount.
# Arguments: $1 - source directory containing requirements.txt
#            $2 - host directory that receives the installed packages
# NOTE(review): the image is referenced by a mutable tag, and unless
# requirements.txt itself carries hashes pip does not verify what it downloads,
# so the bundled code can change between runs. Pinning the image by digest and
# hash-locking the requirements would make the artifact reproducible.
#######################################
install_authorizer_deps_docker() {
  local src="$1"
  local pkg_dir="$2"
  local image="public.ecr.aws/lambda/python:3.14-arm64"
  # Runs inside the container: install into /out, then make the result
  # world-readable (and directories traversable).
  local install_cmd="python -m pip install -r /tmp/requirements.txt -t /out --quiet && chmod -R a+rX /out"
  local -a run_args=(
    --rm
    --platform linux/arm64
    # The Lambda base image's entrypoint expects a handler name; swap in bash.
    --entrypoint /bin/bash
    # requirements.txt is mounted read-only; only /out is writable from the container.
    -v "${src}/requirements.txt:/tmp/requirements.txt:ro"
    -v "${pkg_dir}:/out"
  )

  docker run "${run_args[@]}" "${image}" -lc "${install_cmd}"
}
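#######################################
# Fallback when Docker is unavailable: cross-install the authorizer's
# requirements as prebuilt Linux aarch64 wheels for CPython 3.14.
# Globals:   PYTHON (read) - interpreter used to run pip
# Arguments: $1 - source directory containing requirements.txt
#            $2 - target directory that receives the installed packages
# Returns:   pip's exit status
#######################################
install_authorizer_deps_pip() {
  local src="$1"
  local pkg_dir="$2"
  # No macOS fallback: a failed cross-install must not silently bundle Darwin .so files.
  local -a pip_args=(
    install
    -r "${src}/requirements.txt"
    -t "${pkg_dir}"
    --quiet
    --platform manylinux2014_aarch64
    --implementation cp
    --python-version 3.14
    # pip refuses --platform/--implementation/--python-version unless source
    # builds are ruled out; wheels-only also keeps host-compiled code out of
    # the package.
    --only-binary=:all:
  )

  "${PYTHON}" -m pip "${pip_args[@]}"
}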
#######################################
# Build the vincent-authorizer deployment zip (dependencies + handler.py) and
# upload it to S3.
# Globals:   ROOT, BUILD_DIR, BUCKET (read)
# Arguments: none
# Outputs:   progress messages and a zip listing excerpt on stdout
#######################################
build_authorizer() {
  local lambda_name="vincent-authorizer"
  local src_dir="${ROOT}/lambda/${lambda_name}"
  local stage_dir="${BUILD_DIR}/${lambda_name}"
  local pkg_dir="${stage_dir}/package"
  local archive="${stage_dir}/deployment.zip"
  local s3_uri="s3://${BUCKET}/${lambda_name}/deployment.zip"

  # Start from an empty staging area so files from an earlier build never
  # end up in the new zip.
  rm -rf "${stage_dir}"
  mkdir -p "${pkg_dir}"

  if ! command -v docker >/dev/null 2>&1; then
    echo "Docker not found; using pip cross-install for manylinux2014_aarch64..."
    install_authorizer_deps_pip "${src_dir}" "${pkg_dir}"
  else
    echo "Building ${lambda_name} dependencies in Lambda Python 3.14 arm64 Docker image..."
    install_authorizer_deps_docker "${src_dir}" "${pkg_dir}"
  fi

  # Gate: stop before packaging if a bundled shared library has the wrong architecture.
  verify_linux_arm64_binaries "${pkg_dir}"
  cp "${src_dir}/handler.py" "${pkg_dir}/"

  # Zip from inside the package directory so archive paths are relative to it.
  (
    cd "${pkg_dir}" \
      && zip -qr "${archive}" .
  )

  # Informational only: a listing without these entries does not fail the build.
  echo "Zip sanity check:"
  unzip -l "${archive}" | grep -E 'handler.py|requests/|cryptography/' || true

  # SHA256 checksum on upload so Terraform can read checksum_sha256 from the S3 object.
  # NOTE(review): the checksum describes the uploaded bytes; it says nothing
  # about where the bundled dependencies came from.
  aws s3 cp "${archive}" "${s3_uri}" --checksum-algorithm SHA256
  echo "Uploaded ${s3_uri}"
}
#######################################
# Build the vincent-agentcore deployment zip (handler.py + chat_payload.py,
# no third-party dependencies) and upload it to S3.
# Globals:   ROOT, BUILD_DIR, BUCKET (read)
# Arguments: none
# Outputs:   upload confirmation on stdout
#######################################
build_agentcore() {
  local lambda_name="vincent-agentcore"
  local src_dir="${ROOT}/lambda/${lambda_name}"
  local stage_dir="${BUILD_DIR}/${lambda_name}"
  local pkg_dir="${stage_dir}/package"
  local archive="${stage_dir}/deployment.zip"
  local s3_uri="s3://${BUCKET}/${lambda_name}/deployment.zip"

  # Start from an empty staging area so files from an earlier build never
  # end up in the new zip.
  rm -rf "${stage_dir}"
  mkdir -p "${pkg_dir}"

  # The package is exactly two source files: the handler and the shared payload module.
  cp "${src_dir}/handler.py" "${pkg_dir}/"
  cp "${ROOT}/agent/chat_payload.py" "${pkg_dir}/"

  # Zip from inside the package directory so archive paths are relative to it.
  (
    cd "${pkg_dir}" \
      && zip -qr "${archive}" .
  )

  # The upload carries a SHA256 checksum, stored with the S3 object.
  aws s3 cp "${archive}" "${s3_uri}" --checksum-algorithm SHA256
  echo "Uploaded ${s3_uri}"
}
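#######################################
# Parse the target argument and run the matching build(s).
# Globals:   PYTHON (read)
# Arguments: $1 - all (default) | vincent-authorizer | vincent-agentcore |
#                 -h | --help | help
# Outputs:   help text on stdout; "Unknown target" on stderr
# Returns:   0 on success; exits 1 on an unknown target or a missing tool
#######################################
main() {
  local target="${1:-all}"

  # Settle help and invalid targets first, so neither depends on aws, zip or
  # Python being installed.
  case "${target}" in
    -h|--help|help)
      usage
      return 0
      ;;
    all|vincent-authorizer|vincent-agentcore)
      ;;
    *)
      echo "Unknown target: ${target}" >&2
      usage
      exit 1
      ;;
  esac

  require_cmd aws
  require_cmd zip
  require_cmd "${PYTHON}"

  case "${target}" in
    all)
      build_authorizer
      build_agentcore
      ;;
    vincent-authorizer)
      build_authorizer
      ;;
    vincent-agentcore)
      build_agentcore
      ;;
  esac
}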
# Entry point: hand the command-line arguments to main unchanged.
main "$@"