refactor: convert Lambda code from S3 binary object to ECR container image

.github/lambda-filter.yml

@@ -0,0 +1,13 @@
+audit-logs: "lambda-code/audit-logs/**"
+audit-logs-archiver: "lambda-code/audit-logs-archiver/**"
+cognito-email-sender: "lambda-code/cognito-email-sender/**"
+cognito-pre-sign-up: "lambda-code/cognito-pre-sign-up/**"
+form-archiver: "lambda-code/form-archiver/**"
+load-testing: "lambda-code/load-testing/**"
+nagware: "lambda-code/nagware/**"
+notify-slack: "lambda-code/notify-slack/**"
+reliability: "lambda-code/reliability/**"
+reliability-dlq-consumer: "lambda-code/reliability-dlq-consumer/**"
+response-archiver: "lambda-code/response-archiver/**"
+submission: "lambda-code/submission/**"
+vault-integrity: "lambda-code/vault-integrity/**"

.github/module-filter.yml

@@ -0,0 +1,81 @@
+common: &common
+  - "env/common/**"
+  - "env/terragrunt.hcl"
+  - ".github/workflows/terragrunt-plan-staging.yml"
+  - ".github/workflows/terragrunt-apply-staging.yml"
+alarms:
+  - *common
+  - "aws/alarms/**"
+  - "env/cloud/alarms/**"
+app:
+  - *common
+  - "aws/app/**"
+  - "env/cloud/app/**"
+cognito:
+  - *common
+  - "aws/cognito/**"
+  - "env/cloud/cognito/**"
+dynamodb:
+  - *common
+  - "aws/dynamodb/**"
+  - "env/cloud/dynamodb/**"
+ecr:
+  - *common
+  - "aws/ecr/**"
+  - "env/cloud/ecr/**"
+file_scanning:
+  - *common
+  - "aws/file_scanning/**"
+  - "env/cloud/file_scanning/**"
+hosted_zone:
+  - *common
+  - "aws/hosted_zone/**"
+  - "env/cloud/hosted_zone/**"
+kms:
+  - *common
+  - "aws/kms/**"
+  - "env/cloud/kms/**"
+lambdas:
+  - *common
+  - "aws/lambdas/**"
+  - "env/cloud/lambdas/**"
+load_balancer:
+  - *common
+  - "aws/load_balancer/**"
+  - "env/cloud/load_balancer/**"
+load_testing:
+  - *common
+  - "aws/load_testing/**"
+  - "env/cloud/load_testing/**"
+network:
+  - *common
+  - "aws/network/**"
+  - "env/cloud/network/**"
+oidc_roles:
+  - *common
+  - "aws/oidc_roles/**"
+  - "env/cloud/oidc_roles/**"
+rds:
+  - *common
+  - "aws/rds/**"
+  - "env/cloud/rds/**"
+redis:
+  - *common
+  - "aws/redis/**"
+  - "env/cloud/redis/**"
+s3:
+  - *common
+  - "aws/s3/**"
+  - "env/cloud/s3/**"
+secrets:
+  - *common
+  - "aws/secrets/**"
+  - "env/cloud/secrets/**"
+sns:
+  - *common
+  - "aws/sns/**"
+  - "env/cloud/sns/**"
+sqs:
+  - *common
+  - "aws/sqs/**"
+  - "env/cloud/sqs/**"

.github/workflows/build-lambda-images/action.yml

@@ -0,0 +1,16 @@
+name: Build Lambda images
+
+inputs:
+  lambda-directory:
+    required: true
+  lambda-name:
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - run: docker build -t $LAMBDA_NAME-lambda .
+      env:
+        LAMBDA_NAME: ${{ inputs.lambda-name }}
+      working-directory: ${{ inputs.lambda-directory }}
+      shell: bash

.github/workflows/request-lambda-functions-to-use-new-image/action.yml

@@ -0,0 +1,42 @@
+name: Request Lambda functions to use new image
+
+inputs:
+  aws-role-to-assume:
+    required: true
+  aws-role-session-name:
+    required: true
+  aws-region:
+    required: true
+  lambda-name:
+    required: true
+  image-tag:
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Configure AWS credentials using OIDC
+      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      with:
+        role-to-assume: ${{ inputs.aws-role-to-assume }}
+        role-session-name: ${{ inputs.aws-role-session-name }}
+        aws-region: ${{ inputs.aws-region }}
+
+    - name: Login to Staging Amazon ECR
+      id: login-ecr-staging
+      uses: aws-actions/amazon-ecr-login@v2
+
+    - name: Update Lambda function image
+      env:
+        LAMBDA_NAME: ${{ inputs.lambda-name }}
+        IMAGE_TAG: ${{ inputs.image-tag }}
+        ECR_REGISTRY: ${{ steps.login-ecr-staging.outputs.registry }}
+      run: |
+        functionName=$([ "$LAMBDA_NAME" == "submission" ] && echo "Submission" || echo "$LAMBDA_NAME")
+        aws lambda update-function-code --function-name $functionName --image-uri $ECR_REGISTRY/$LAMBDA_NAME-lambda:$IMAGE_TAG
+      shell: bash
+
+    - name: Logout of Staging Amazon ECR
+      if: always()
+      run: docker logout ${{ steps.login-ecr-staging.outputs.registry }}
+      shell: bash

.github/workflows/tag-and-push-lambda-images/action.yml

@@ -0,0 +1,45 @@
+name: Tag and push Lambda images
+
+inputs:
+  aws-role-to-assume:
+    required: true
+  aws-role-session-name:
+    required: true
+  aws-region:
+    required: true
+  lambda-name:
+    required: true
+  image-tag:
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Configure AWS credentials using OIDC
+      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      with:
+        role-to-assume: ${{ inputs.aws-role-to-assume }}
+        role-session-name: ${{ inputs.aws-role-session-name }}
+        aws-region: ${{ inputs.aws-region }}
+
+    - name: Login to Staging Amazon ECR
+      id: login-ecr-staging
+      uses: aws-actions/amazon-ecr-login@v2
+
+    - name: Tag and push docker images
+      env:
+        LAMBDA_NAME: ${{ inputs.lambda-name }}
+        IMAGE_TAG: ${{ inputs.image-tag }}
+        ECR_REGISTRY: ${{ steps.login-ecr-staging.outputs.registry }}
+      run: |
+        REPOSITORY_NAME=$LAMBDA_NAME-lambda
+        docker tag $REPOSITORY_NAME $ECR_REGISTRY/$REPOSITORY_NAME:$IMAGE_TAG
+        docker tag $REPOSITORY_NAME $ECR_REGISTRY/$REPOSITORY_NAME:latest
+        docker push $ECR_REGISTRY/$REPOSITORY_NAME:$IMAGE_TAG
+        docker push $ECR_REGISTRY/$REPOSITORY_NAME:latest
+      shell: bash
+
+    - name: Logout of Staging Amazon ECR
+      if: always()
+      run: docker logout ${{ steps.login-ecr-staging.outputs.registry }}
+      shell: bash