sonyasha · sonyasha · Mar 16, 2025 · Mar 14, 2025 · Mar 14, 2025 · Mar 14, 2025
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,10 @@
+__pycache__/
+.git/
+.serverless/
+.gitignore
+serverless.yml
+
+*.env
+
+.DS_Store
+.vscode/
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -14,13 +14,14 @@ on:
         - prod
 
 env:
-  AWS_REGION: "us-east-1"
   SERVERLESS_ACCESS_KEY: ${{ secrets.SERVERLESS_ACCESS_KEY }}
   ENV: ${{ inputs.environment }}
+  FLASK_DEBUG: 0
 
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    if: github.actor == github.repository_owner
 
     steps:
     - uses: actions/checkout@v3
@@ -47,14 +48,15 @@ jobs:
     - name: Install Serverless plugins
       run: |
         serverless plugin install -n serverless-wsgi
+        serverless plugin install -n serverless-ssm-fetch
         serverless plugin install -n serverless-python-requirements
 
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        aws-region: ${{ env.AWS_REGION }}
+        aws-region: ${{ secrets.AWS_REGION }}
 
     - name: Deploy to environment
       run: |

diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
@@ -0,0 +1,58 @@
+# This workflow performs linting, builds Docker container, and runs test suite for all branches
+# And bandit security checks for master branch
+
+name: Docker container test
+
+on:
+  push:
+
+
+env:
+  API_KEY: ${{ secrets.API_KEY }}
+  PORT: ${{ secrets.PORT }}
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Python 3.x
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.13'
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements-lint.txt     
+    - name: Run ruff check
+      run: ruff check .
+    - name: Run black check
+      run: black --check .
+    - name: Run isort check
+      run: isort --check .
+
+  test:
+    runs-on: ubuntu-latest
+    needs: lint
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Build Docker image
+      run: docker compose build
+    - name: Run tests inside the container
+      run: docker compose run --rm app pytest --cov=api tests/
+
+  bandit-scan:
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+    - uses: actions/checkout@v3
+    # Runs a pre configured Bandit scan 
+    - name: Run bandit
+      uses: jpetrucciani/bandit-check@master
+      with:
+        # only scans under this path
+        path: './api'
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,12 @@
+FROM python:3.13-alpine
+
+WORKDIR /app
+
+COPY requirements.txt /app/requirements.txt
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . /app
+
+EXPOSE 5000
+
+CMD ["flask", "--app", "api/app.py", "run", "-h", "0.0.0.0", "-p", "5000"]
diff --git a/api/app.py b/api/app.py
@@ -6,10 +6,9 @@
 
 from flask import Flask, jsonify, request, send_from_directory
 
+from api.utils import DEV_PATHS, QUOTES, require_api_key
 from api.views import bp as views_bp
 
-from .utils import DEV_PATHS, QUOTES, require_api_key
-
 app = Flask(__name__, template_folder="templates", static_folder="static")
 app.secret_key = os.environ.get("SECRET_KEY", "dev-secret-key")
 app.register_blueprint(views_bp)
@@ -188,3 +187,8 @@ def update_milestone(roadmap_id, milestone_index):
 @app.route("/favicon.ico")
 def favicon():
     return send_from_directory(app.static_folder, "favicon.ico", mimetype="image/vnd.microsoft.icon")
+
+
+if __name__ == "__main__":
+    debug_mode = os.environ.get("FLASK_DEBUG", "0") == "1"
+    app.run(debug=debug_mode, host="127.0.0.1", port=int(os.environ.get("PORT", 5000)))
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,11 @@
+services:
+  app:
+    platform: linux/amd64
+    build: .
+    volumes:
+      - ./api:/app/api
+    ports:
+      - "${PORT}:${PORT}"
+    environment:
+      - API_KEY=${API_KEY}
+      - FLASK_DEBUG=1
diff --git a/package.json b/package.json
@@ -1,6 +1,7 @@
 {
   "devDependencies": {
     "serverless-python-requirements": "^6.1.2",
+    "serverless-ssm-fetch": "^2.0.0",
     "serverless-wsgi": "^3.0.5"
   }
 }
diff --git a/requirements.txt b/requirements.txt
@@ -21,6 +21,7 @@ platformdirs==4.3.6
 pydantic==2.10.6
 pydantic_core==2.27.2
 pytest==8.3.5
+pytest-cov==6.0.0
 requests==2.32.3
 sniffio==1.3.1
 tqdm==4.67.1

diff --git a/serverless.yml b/serverless.yml
@@ -1,13 +1,14 @@
-service: flask-serverless-ai
+service: flask-serverless-lambda
 
 provider:
   name: aws
   runtime: python3.13
-  region: us-east-1
+  region: us-west-1
   memorySize: 128
 plugins:
 - serverless-python-requirements
 - serverless-wsgi
+- serverless-ssm-fetch
 package:
   exclude:
   - node_modules/**
@@ -23,9 +24,13 @@ custom:
     app: api.app.app
     pythonRequirements:
       dockerizePip: true
+  serverlessSsmFetch:
+    API_KEY: /flask-serverless-lambda/api-key
 functions:
   app:
     handler: wsgi_handler.handler
+    environment:
+      FLASK_DEBUG: 0
     events:
     - http: ANY /
     - http: 'ANY {proxy+}'