DataDog
diff --git a/‎.gitlab/scripts/publish_layer.sh
Lines changed: 0 additions & 1 deletion b/‎.gitlab/scripts/publish_layer.sh
Lines changed: 0 additions & 1 deletion
diff --git a/‎.gitlab/templates/pipeline.yaml.tpl
Lines changed: 16 additions & 9 deletions b/‎.gitlab/templates/pipeline.yaml.tpl
Lines changed: 16 additions & 9 deletions
diff --git a/‎scripts/publish_govcloud.sh
Lines changed: 0 additions & 37 deletions b/‎scripts/publish_govcloud.sh
Lines changed: 0 additions & 37 deletions
diff --git a/‎scripts/publish_govcloud_layers.sh
Lines changed: 134 additions & 0 deletions b/‎scripts/publish_govcloud_layers.sh
Lines changed: 134 additions & 0 deletions
@@ -35,7 +35,6 @@ fi
 
 
 LAYER_DIR=".layers"
-VALID_ACCOUNTS=("sandbox" "prod")
 
 publish_layer() {
     region=$1
 
@@ -302,28 +302,35 @@ publish image ({{ $multi_arch_image_flavor.name }}):
 
 {{ end }} # end multi_arch_image_flavors
 
-layer bundle:
-  stage: build
+{{ range $environment := (ds "environments").environments }}
+
+{{ if eq $environment.name "prod" }}signed {{ end }}layer bundle:
+  stage: {{ if eq $environment.name "prod }}sign{{ else }}build{{ end }}
   image: registry.ddbuild.io/images/docker:20.10
   tags: ["arch:amd64"]
+  rules:
+    - if: '"{{ $environment.name }}" =~ /^(sandbox|staging)/'
+    - if: '$CI_COMMIT_TAG =~ /^v.*/'
   needs:
     {{ range (ds "flavors").flavors }}
     {{ if .needs_layer_publish }}
-    - layer ({{ .name }})
+    - {{ if eq $environment.name "prod" }}sign {{ end }}layer ({{ .name }})
     {{ end }} # end needs_layer_publish
     {{ end }} # end flavors
   dependencies:
     {{ range (ds "flavors").flavors }}
     {{ if .needs_layer_publish }}
-    - layer ({{ .name }})
+    - {{ if eq $environment.name "prod" }}sign {{ end }}layer ({{ .name }})
     {{ end }} # end needs_layer_publish
     {{ end }} # end flavors
   artifacts:
     expire_in: 1 hr
     paths:
-      - datadog_extension-bundle-${CI_JOB_ID}/
-    name: datadog_extension-bundle-${CI_JOB_ID}
+      - datadog_extension-{{ if eq $environment.name "prod"}}signed-{{ end }}bundle-${CI_JOB_ID}/
+    name: datadog_extension-{{ if eq $environment.name "prod"}}signed-{{ end }}bundle-${CI_JOB_ID}
   script:
-    - rm -rf datadog_extension-bundle-${CI_JOB_ID}
-    - mkdir -p datadog_extension-bundle-${CI_JOB_ID}
-    - cp .layers/datadog_extension-*.zip datadog_extension-bundle-${CI_JOB_ID}
+    - rm -rf datadog_extension-{{ if eq $environment.name "prod"}}signed-{{ end }}bundle-${CI_JOB_ID}
+    - mkdir -p datadog_extension-{{ if eq $environment.name "prod"}}signed-{{ end }}bundle-${CI_JOB_ID}
+    - cp .layers/datadog_extension-*.zip datadog_extension-{{ if eq $environment.name "prod"}}signed-{{ end }}bundle-${CI_JOB_ID}
+
+{{ end }} # end environments
@@ -0,0 +1,134 @@
+#! /usr/bin/env bash
+
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2025 Datadog, Inc.
+#
+# USAGE: download the layer bundle from the build pipeline in gitlab. Use the
+# Download button on the `layer bundle` job. This will be a zip file containing
+# all of the required layers. Run this script as follows:
+#
+# ENVIRONMENT=[us1-stagin-fed or us-fed] [WORKFLOW_LAYER_SUFFIX=optional-layer-suffix] [REGIONS=us-gov-west-1] ./scripts/publish_govcloud_layers.sh <layer-bundle.zip>
+
+set -e
+
+LAYER_PACKAGE=$1
+
+if [ -z "$LAYER_PACKAGE" ]; then
+    printf "[ERROR]: layer package not provided\n"
+    exit 1
+fi
+
+PACKAGE_NAME=$(basename "$LAYER_PACKAGE" .zip)
+
+if [ -z "$ENVIRONMENT" ]; then
+    printf "[ERROR]: ENVIRONMENT not specified\n"
+    exit 1
+fi
+
+if [ "$ENVIRONMENT" = "us1-staging-fed" ]; then
+    AWS_VAULT_ROLE=sso-govcloud-us1-staging-fed-power-user
+
+# this role looks like this in ~/.aws/config:
+# [profile sso-govcloud-us1-staging-fed-power-user]
+# sso_start_url=https://start.us-gov-home.awsapps.com/directory/d-9867188aeb
+# sso_account_id=553727695824
+# sso_role_name=power-user
+# sso_region=us-gov-west-1
+# region=us-gov-west-1
+
+    export ADD_PERMISSIONS=0
+    export AUTOMATICALLY_BUMP_VERSION=1
+
+    if [[ ! "$PACKAGE_NAME" =~ ^datadog_extension-(signed-)?bundle-[0-9]+$ ]]; then
+        echo "[ERROR]: Unexpected package name: $PACKAGE_NAME"
+        exit 1
+    fi
+
+elif [ $ENVIRONMENT = "us1-fed" ]; then
+    AWS_VAULT_ROLE=sso-govcloud-us1-fed-engineering
+
+# this role looks like this in ~/.aws/config:
+# [profile sso-govcloud-us1-fed-engineering]
+# sso_start_url=https://start.us-gov-west-1.us-gov-home.awsapps.com/directory/d-98671fdc8b
+# sso_account_id=002406178527
+# sso_role_name=engineering
+# sso_region=us-gov-west-1
+# region=us-gov-west-1
+
+    export ADD_PERMISSIONS=1
+    export AUTOMATICALLY_BUMP_VERSION=0
+
+    if [[ ! "$PACKAGE_NAME" =~ ^datadog_extension-signed-bundle-[0-9]+$ ]]; then
+        echo "[ERROR]: Unexpected package name: $PACKAGE_NAME"
+        exit 1
+    fi
+
+else
+    printf "[ERROR]: ENVIRONMENT not supported, must be us1-staging-fed or us1-fed.\n"
+    exit 1
+fi
+
+TEMP_DIR=$(mktemp -d)
+unzip $LAYER_PACKAGE -d $TEMP_DIR
+cp -v $TEMP_DIR/$PACKAGE_NAME/*.zip .layers/
+
+
+AWS_VAULT_PREFIX="aws-vault exec $AWS_VAULT_ROLE --"
+
+echo "Checking that you have access to the GovCloud AWS account"
+$AWS_VAULT_PREFIX aws sts get-caller-identity
+
+
+AVAILABLE_REGIONS=$($AWS_VAULT_PREFIX aws ec2 describe-regions | jq -r '.[] | .[] | .RegionName')
+
+# Determine the target regions
+if [ -z "$REGIONS" ]; then
+    echo "Region not specified, running for all available regions."
+    REGIONS=$AVAILABLE_REGIONS
+else
+    echo "Region specified: $REGIONS"
+    if [[ ! "$AVAILABLE_REGIONS" == *"$REGIONS"* ]]; then
+        echo "Could not find $REGIONS in available regions: $AVAILABLE_REGIONS"
+        echo ""
+        echo "EXITING SCRIPT."
+        exit 1
+    fi
+fi
+
+declare -A flavors
+
+flavors["amd64"]="arch=amd64 suffix=amd64 layer_name_base_suffix="
+flavors["arm64"]="arch=arm64 suffix=arm64 layer_name_base_suffix=-ARM"
+flavors["amd64-fips"]="arch=amd64 suffix=amd64-fips layer_name_base_suffix=-FIPS"
+flavors["arm64-fips"]="arch=arm64 suffix=arm64-fips layer_name_base_suffix=-FIPS-ARM"
+echo "$flavors"
+
+
+for region in $REGIONS
+do
+    echo "Starting publishing layers for region $region..."
+
+    export REGION=$region
+
+    for flavor in "${!flavors[@]}"; do
+        echo "Publishing $flavor"
+
+        IFS=' ' read -r -a values <<< "${flavors[$flavor]}"
+        for value in "${values[@]}"; do
+            case $value in
+                arch=*) export ARCHITECTURE="${value#arch=}" ;;
+                suffix=*) SUFFIX="${value#suffix=}" ;;
+                layer_name_base_suffix=*) export LAYER_NAME_BASE_SUFFIX="${value#layer_name_base_suffix=}" ;;
+            esac
+        done
+
+        export LAYER_FILE="datadog_extension-$SUFFIX.zip"
+
+        $AWS_VAULT_PREFIX .gitlab/scripts/publish_layer.sh
+    done
+
+done
+
+echo "Done !"