diff --git a/.github/workflows/layers_partition_verify.yml b/.github/workflows/layers_partition_verify.yml new file mode 100644 index 000000000..f258c9490 --- /dev/null +++ b/.github/workflows/layers_partition_verify.yml @@ -0,0 +1,132 @@ +# Parition Layer Verification +# --- +# This workflow queries the Parition layer info in production only + +on: + workflow_dispatch: + inputs: + environment: + description: Deployment environment + type: choice + options: + - Gamma + - Prod + required: true + version: + description: Layer version to verify + type: string + required: true + partition_version: + description: Layer version to verify, this is mostly used in Gamma where a version mismatch might exist + type: string + required: false + partition: + description: Partition to deploy to + type: choice + options: + - China + - GovCloud + workflow_call: + inputs: + environment: + description: Deployment environment + type: string + required: true + version: + description: Layer version to verify + type: string + required: true + partition_version: + description: Partition Layer version to verify, this is mostly used in Gamma where a version mismatch might exist + type: string + required: false + +name: Layer Verification (Partition) +run-name: Layer Verification (${{ inputs.partition }}) - ${{ inputs.environment }} / Version - ${{ inputs.version }} + +permissions: {} + +jobs: + setup: + runs-on: ubuntu-latest + outputs: + regions: ${{ format('{0}{1}', steps.regions_china.outputs.regions, steps.regions_govcloud.outputs.regions) }} + parition: ${{ format('{0}{1}', steps.regions_china.outputs.partition, steps.regions_govcloud.outputs.parition) }} + steps: + - id: regions_china + name: Parition (China) + if: ${{ inputs.partition == 'China' }} + run: | + echo regions='["cn-north-1", "cn-northwest-1"]'>> "$GITHUB_OUTPUT" + echo partition='aws-cn'>> "$GITHUB_OUTPUT" + - id: regions_govcloud + name: Partition (GovCloud) + if: ${{ inputs.partition == 'GovCloud' }} + run: | + echo regions='["us-gov-east-1", "us-gov-west-1"]'>> "$GITHUB_OUTPUT" + echo partition='aws-us-gov'>> "$GITHUB_OUTPUT" + commercial: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + environment: Prod (Readonly) + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-east-1 + mask-aws-account-id: true + - name: Output AWSLambdaPowertoolsTypeScriptV2 + # fetch the specific layer version information from the us-east-1 commercial region + run: | + aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' > AWSLambdaPowertoolsTypeScriptV2.json + - name: Store Metadata + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: AWSLambdaPowertoolsTypeScriptV2.json + path: AWSLambdaPowertoolsTypeScriptV2.json + retention-days: 1 + if-no-files-found: error + + verify: + name: Verify + needs: + - setup + - commercial + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + # Environment should interperlate as "GovCloud Prod" or "China Beta" + environment: ${{ inputs.partition }} ${{ inputs.environment }} + strategy: + matrix: + region: ${{ fromJson(needs.setup.outputs.regions) }} + steps: + - name: Download Metadata + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: AWSLambdaPowertoolsTypeScriptV2.json + - id: transform + run: | + echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT" + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + with: + role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }} + aws-region: ${{ matrix.region}} + mask-aws-account-id: true + - id: partition_version + name: Partition Layer Version + run: | + echo 'partition_version=$([[ -n "${{ inputs.partition_version}}" ]] && echo ${{ inputs.partition_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT" + - name: Verify Layer + run: | + export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' + aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.parition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output + REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) + LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) + test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1 + jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' \ No newline at end of file diff --git a/.github/workflows/layers_partitions.yml b/.github/workflows/layers_partitions.yml new file mode 100644 index 000000000..e4860062b --- /dev/null +++ b/.github/workflows/layers_partitions.yml @@ -0,0 +1,169 @@ +# Partitioned Layer Publish +# --- +# This workflow publishes a specific layer version in an AWS account based on the environment input. +# +# We pull each the version of the layer and store them as artifacts, the we upload them to each of the Partitioned AWS accounts. +# +# A number of safety checks are performed to ensure safety. + +on: + workflow_dispatch: + inputs: + environment: + description: Deployment environment + type: choice + options: + - Gamma + - Prod + required: true + version: + description: Layer version to duplicate + type: string + required: true + partition: + description: Partition to deploy to + type: choice + options: + - China + - GovCloud + workflow_call: + inputs: + environment: + description: Deployment environment + type: string + required: true + version: + description: Layer version to duplicate + type: string + required: true + +name: Layer Deployment (Partitions) +run-name: Layer Deployment (${{ inputs.partition }}) - ${{ inputs.environment }} / Version - ${{ inputs.version }} + +permissions: + contents: read + +jobs: + setup: + runs-on: ubuntu-latest + outputs: + regions: ${{ format('{0}{1}', steps.regions_china.outputs.regions, steps.regions_govcloud.outputs.regions) }} + parition: ${{ format('{0}{1}', steps.regions_china.outputs.partition, steps.regions_govcloud.outputs.parition) }} + steps: + - id: regions_china + name: Parition (China) + if: ${{ inputs.partition == 'China' }} + run: | + echo regions='["cn-north-1", "cn-northwest-1"]'>> "$GITHUB_OUTPUT" + echo partition='aws-cn'>> "$GITHUB_OUTPUT" + - id: regions_govcloud + name: Partition (GovCloud) + if: ${{ inputs.partition == 'GovCloud' }} + run: | + echo regions='["us-gov-east-1", "us-gov-west-1"]'>> "$GITHUB_OUTPUT" + echo partition='aws-us-gov'>> "$GITHUB_OUTPUT" + download: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + environment: Prod (Readonly) + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-east-1 + mask-aws-account-id: true + - name: Grab Zip + run: | + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} > AWSLambdaPowertoolsTypeScriptV2.json + - name: Store Zip + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: AWSLambdaPowertoolsTypeScriptV2.zip + path: AWSLambdaPowertoolsTypeScriptV2.zip + retention-days: 1 + if-no-files-found: error + - name: Store Metadata + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: AWSLambdaPowertoolsTypeScriptV2.json + path: AWSLambdaPowertoolsTypeScriptV2.json + retention-days: 1 + if-no-files-found: error + + copy: + name: Copy + needs: + - setup + - download + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + # Environment should interperlate as "GovCloud Prod" or "China Beta" + environment: ${{ inputs.partition }} ${{ inputs.environment }} + strategy: + matrix: + region: ${{ fromJson(needs.setup.outputs.regions) }} + steps: + - name: Download Zip + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: AWSLambdaPowertoolsTypeScriptV2.zip + - name: Download Metadata + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: AWSLambdaPowertoolsTypeScriptV2.json + - name: Verify Layer Signature + run: | + SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json') + test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 + - id: transform + run: | + echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT" + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + with: + role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }} + aws-region: ${{ matrix.region}} + mask-aws-account-id: true + - name: Create Layer + id: create-layer + run: | + cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json + + LAYER_VERSION=$(aws --region ${{ matrix.region}} lambda publish-layer-version \ + --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \ + --cli-input-json file://./input.json \ + --query 'Version' \ + --output text) + + echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" + + aws --region ${{ matrix.region}} lambda add-layer-version-permission \ + --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \ + --statement-id 'PublicLayer' \ + --action lambda:GetLayerVersion \ + --principal '*' \ + --version-number "$LAYER_VERSION" + - name: Verify Layer + env: + LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} + run: | + export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' + aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.parition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output + REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) + LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) + test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1 + jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' + + - name: Store Metadata - ${{ matrix.region }} + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json + path: AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json + retention-days: 1 + if-no-files-found: error \ No newline at end of file