From 297e2aba5a86ec10a506865116924efd07105acc Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Fri, 27 Sep 2024 12:21:57 +0200 Subject: [PATCH 1/7] feat(ci): GovCloud Layer Workflow Signed-off-by: Simon Thulbourn --- .github/workflows/layer_govcloud.yml | 141 +++++++++++++++++++++++++++ 1 file changed, 141 insertions(+) create mode 100644 .github/workflows/layer_govcloud.yml diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml new file mode 100644 index 00000000000..bcc1c12bbff --- /dev/null +++ b/.github/workflows/layer_govcloud.yml 
@@ -0,0 +1,141 @@ +on: + workflow_dispatch: + inputs: + environment: + description: Deployment environment + type: choice + options: + - Gamma + - Prod + default: Gamma + required: true + version: + description: Layer version to duplicate + type: number + required: true + +name: Layer Deployment (GovCloud) +run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} + +jobs: + stash: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsPythonV3-python38 + - AWSLambdaPowertoolsPythonV3-python39 + - AWSLambdaPowertoolsPythonV3-python310 + - AWSLambdaPowertoolsPythonV3-python311 + - AWSLambdaPowertoolsPythonV3-python312 + arch: + - arm64 + - x86 + environment: Prod (Readonly) + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-east-1 + mask-aws-account-id: true + - name: Grab Zip + run: | + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip + - name: Store Zip + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + with: + name: ${{ matrix.layer }}_${{ matrix.arch }}.zip + path: ${{ matrix.layer }}_${{ matrix.arch }}.zip + retention-days: 1 + if-no-files-found: error + + copy_east: + name: Copy (East) + needs: stash + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsPythonV3-python38 + - AWSLambdaPowertoolsPythonV3-python39 + - AWSLambdaPowertoolsPythonV3-python310 + - AWSLambdaPowertoolsPythonV3-python311 + - AWSLambdaPowertoolsPythonV3-python312 + arch: + - arm64 + - x86 + environment: GovCloud ${{ inputs.environment }} 
(East) + steps: + - name: Download Zip + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: ${{ matrix.layer }}_${{ matrix.arch }}.zip + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-gov-east-1 + mask-aws-account-id: true + - name: Create Layer + run: | + aws --region us-gov-east-1 lambda publish-layer-version \ + --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ + --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \ + --query 'Version' | \ + xargs aws --region us-gov-east-1 lambda add-layer-version-permission \ + --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ + --statement-id 'PublicLayer' \ + --action lambda:GetLayerVersion \ + --principal '*' \ + --version-number + + copy_west: + name: Copy (West) + needs: stash + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsPythonV3-python38 + - AWSLambdaPowertoolsPythonV3-python39 + - AWSLambdaPowertoolsPythonV3-python310 + - AWSLambdaPowertoolsPythonV3-python311 + - AWSLambdaPowertoolsPythonV3-python312 + arch: + - arm64 + - x86 + environment: + name: GovCloud ${{ inputs.environment }} (West) + steps: + - name: Download Zip + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: ${{ matrix.layer }}_${{ matrix.arch }}.zip + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-gov-west-1 + mask-aws-account-id: true + - name: Create Layer + run: | + aws --region us-gov-west-1 lambda publish-layer-version \ + --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ 
+ --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \ + --query 'Version' | \ + xargs aws --region us-gov-west-1 lambda add-layer-version-permission \ + --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ + --statement-id 'PublicLayer' \ + --action lambda:GetLayerVersion \ + --principal '*' \ + --version-number From f3aba6b60e5e76f6b113f3b696f50a6fef994ee1 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 30 Sep 2024 16:39:42 +0200 Subject: [PATCH 2/7] add description --- .github/workflows/layer_govcloud.yml | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml index bcc1c12bbff..1346ec23e46 100644 --- a/.github/workflows/layer_govcloud.yml +++ b/.github/workflows/layer_govcloud.yml @@ -1,3 +1,12 @@ +# GovCloud Layer Publish +# --- +# This workflow publishes a specific layer version in an AWS account based on the environment input. +# +# Using a matrix, we pull each architecture and python version of the layer and store them as artifacts +# we upload them to each of the GovCloud AWS accounts. +# +# A number of safety checks are performed to ensure safety. + on: workflow_dispatch: inputs: @@ -13,12 +22,23 @@ on: description: Layer version to duplicate type: number required: true + workflow_call: + inputs: + environment: + description: Deployment environment + type: string + default: Gamma + required: true + version: + description: Layer version to duplicate + type: number + required: true name: Layer Deployment (GovCloud) run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} jobs: - stash: + download: runs-on: ubuntu-latest permissions: id-token: write 
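Review bot: The `Grab Zip` step's `aws … | xargs curl -L -o …` pipeline can save an S3/XML error body as the layer zip and still exit 0, because `curl` is run without `--fail` and the default `run` shell for a job without `shell: bash` is `bash -e` with no `pipefail`, so a failing `aws` on the left of the pipe is not reported either. Change the download to `aws --region us-east-1 lambda get-layer-version-by-arn --arn … --query 'Content.Location' --output text | xargs curl -fsSL -o ${{ matrix.layer }}_${{ matrix.arch }}.zip` and add `set -euo pipefail` as the first line of each `run: |` block (or set `shell: bash` on the steps). `--output text` also removes the reliance on `xargs` stripping the JSON quotes around the URL. Separately, `copy_east` gives `environment:` as a bare string while `copy_west` uses the `name:` mapping form; both are accepted by Actions, but one form file-wide reads better, and the identical `strategy.matrix` block repeated in all three jobs will drift unless edited in lockstep.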
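Review bot: The closing line of the new header comment, `# A number of safety checks are performed to ensure safety.`, names no check, and at this commit the workflow performs none (it downloads, stores and republishes the zip without comparing anything). Either drop the sentence or make it describe the concrete guard the workflow relies on, e.g. `# Each copy job compares the SHA-256 of the downloaded zip with the CodeSha256 reported by the source account before publishing.` once such a step exists. The preceding sentence also runs two clauses together; `… store them as artifacts, then upload them to each of the GovCloud AWS accounts.` reads cleanly.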
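Review bot: The new `workflow_call` trigger declares `environment` as `type: string`, so a calling workflow can pass any text where `workflow_dispatch` restricts the value to the `Gamma`/`Prod` choices, and at this commit `${{ inputs.environment }}` is still expanded directly into shell lines (`--layer-name ${{ inputs.environment }}-…` in the `Create Layer` steps, outside this hunk) as well as into the `environment:` name that selects which `AWS_IAM_ROLE` is used. An unexpected value would therefore land in a `run:` command line through expression expansion rather than as a shell variable. Add a guard as the first step of the `download` job, `- name: Validate environment` / `if: ${{ !contains(fromJSON('["Gamma", "Prod"]'), inputs.environment) }}` / `run: exit 1`, or pass the value through `env:` and reference it as `"$ENVIRONMENT"` in the scripts. The `default: Gamma` on an input marked `required: true` is presumably never applied; one of the two is redundant.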
@@ -45,6 +65,7 @@ jobs: - name: Grab Zip run: | aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip + - name: Store Zip uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: @@ -55,7 +76,7 @@ jobs: copy_east: name: Copy (East) - needs: stash + needs: download runs-on: ubuntu-latest permissions: id-token: write @@ -98,7 +119,7 @@ jobs: copy_west: name: Copy (West) - needs: stash + needs: download runs-on: ubuntu-latest permissions: id-token: write From b5757a2b8aadef08a2914fb750b99224b4c50c82 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Tue, 1 Oct 2024 11:11:32 +0000 Subject: [PATCH 3/7] Add metadata and checks - checks SHA256 against expected - sets metadata for layer --- .github/workflows/layer_govcloud.yml | 35 ++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml index 1346ec23e46..a28d0711c4d 100644 --- a/.github/workflows/layer_govcloud.yml +++ b/.github/workflows/layer_govcloud.yml @@ -65,7 +65,7 @@ jobs: - name: Grab Zip run: | aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip - + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} > ${{ matrix.layer }}_${{ matrix.arch }}.json - name: Store Zip uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: 
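Review bot: The added line issues a second `get-layer-version-by-arn` call for the same ARN to produce the `.json` metadata, while the line above already made that call just to extract `Content.Location`. Capturing the one response and deriving the URL from it keeps the expected digest and the downloaded bytes tied to a single API answer and halves the calls: `aws --region us-east-1 lambda get-layer-version-by-arn --arn … > ${{ matrix.layer }}_${{ matrix.arch }}.json` followed by `curl -fsSL -o ${{ matrix.layer }}_${{ matrix.arch }}.zip "$(jq -r '.Content.Location' ${{ matrix.layer }}_${{ matrix.arch }}.json)"`. Layer versions are immutable so the two responses should agree today, but the single-response form makes that a non-issue.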
@@ -73,6 +73,13 @@ jobs: path: ${{ matrix.layer }}_${{ matrix.arch }}.zip retention-days: 1 if-no-files-found: error + - name: Store Metadata + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + with: + name: ${{ matrix.layer }}_${{ matrix.arch }}.json + path: ${{ matrix.layer }}_${{ matrix.arch }}.json + retention-days: 1 + if-no-files-found: error copy_east: name: Copy (East) @@ -98,6 +105,14 @@ jobs: uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ matrix.layer }}_${{ matrix.arch }}.zip + - name: Download Metadata + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: ${{ matrix.layer }}_${{ matrix.arch }}.json + - name: Verify Layer Signature + run: | + SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json) + test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: @@ -109,6 +124,10 @@ jobs: aws --region us-gov-east-1 lambda publish-layer-version \ --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \ + --compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ + --compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ + --license-info "MIT-0" \ + --description "$(jq -r \".Description\" ${{ matrix.layer }}_${{ matrix.arch }}.json)" \ --query 'Version' | \ xargs aws --region us-gov-east-1 lambda add-layer-version-permission \ --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ 
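Review bot: The step named `Verify Layer Signature` compares a SHA-256 digest, not a signature: both the zip and the expected `Content.CodeSha256` originate from the same `get-layer-version-by-arn` response in the `download` job, so the check guards against a corrupted or truncated download and artifact round-trip, not against a substituted source layer. Rename it `Verify Layer Checksum` so readers do not over-trust it, and harden the comparison line, which uses the bash-only `==` inside `test` and unquoted expansions: `test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" = "$SHA" && echo "SHA OK: ${SHA}" || exit 1`. The same step is added for `copy_west` in the `@@ -142,6 +161,14 @@` hunk.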
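Review bot: `--compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" …)` and `--compatible-architectures $(jq -r ".CompatibleArchitectures[0]" …)` copy only the first element of each list, so any further runtimes or architectures declared on the source version are silently dropped from the republished layer. Both options accept a space-separated list; `--compatible-runtimes $(jq -r '.CompatibleRuntimes | join(" ")' ${{ matrix.layer }}_${{ matrix.arch }}.json)` (and the same with `.CompatibleArchitectures`) reproduces the source metadata exactly, whatever its length. The same lines are added for `copy_west` in the `@@ -153,10 +180,14 @@` hunk; the `Create Layer` run block itself begins above this hunk.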
@@ -142,6 +161,14 @@ jobs: uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ matrix.layer }}_${{ matrix.arch }}.zip + - name: Download Metadata + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: ${{ matrix.layer }}_${{ matrix.arch }}.json + - name: Verify Layer Signature + run: | + SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json) + test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: @@ -153,10 +180,14 @@ jobs: aws --region us-gov-west-1 lambda publish-layer-version \ --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \ + --compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ + --compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ + --license-info "MIT-0" \ + --description "$(jq -r \".Description\" ${{ matrix.layer }}_${{ matrix.arch }}.json)" \ --query 'Version' | \ xargs aws --region us-gov-west-1 lambda add-layer-version-permission \ --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ --statement-id 'PublicLayer' \ --action lambda:GetLayerVersion \ --principal '*' \ - --version-number + --version-number \ No newline at end of file From bc86ba3ab8821d82d0fbf27bb2c414ce161d1bf2 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Tue, 1 Oct 2024 11:12:27 +0000 Subject: [PATCH 4/7] set correct arch types --- .github/workflows/layer_govcloud.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml index a28d0711c4d..c9b688bbbd9 100644 --- a/.github/workflows/layer_govcloud.yml +++ b/.github/workflows/layer_govcloud.yml @@ -53,7 +53,7 @@ jobs: - AWSLambdaPowertoolsPythonV3-python312 arch: - arm64 - - x86 + - x86_64 environment: Prod (Readonly) steps: - name: Configure AWS Credentials @@ -98,7 +98,7 @@ jobs: - AWSLambdaPowertoolsPythonV3-python312 arch: - arm64 - - x86 + - x86_64 environment: GovCloud ${{ inputs.environment }} (East) steps: - name: Download Zip @@ -153,7 +153,7 @@ jobs: - AWSLambdaPowertoolsPythonV3-python312 arch: - arm64 - - x86 + - x86_64 environment: name: GovCloud ${{ inputs.environment }} (West) steps: From 82de2b26f60e09dcb6cafb95c31c35073df682a2 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Tue, 1 Oct 2024 11:15:43 +0000 Subject: [PATCH 5/7] remove env prefix from layer name --- .github/workflows/layer_govcloud.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml index c9b688bbbd9..91f4e82ca75 100644 --- a/.github/workflows/layer_govcloud.yml +++ b/.github/workflows/layer_govcloud.yml @@ -122,7 +122,7 @@ jobs: - name: Create Layer run: | aws --region us-gov-east-1 lambda publish-layer-version \ - --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ + --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \ --compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ --compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ 
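Review bot: Correcting `x86` to `x86_64` had to be repeated in three identical `strategy.matrix` blocks (this hunk and the two that follow), which is how the three copies will drift the next time one of them is edited. GitHub's workflow parser does not expand YAML anchors, so the usual way to keep a single source of truth is a small setup job that emits the matrix as a JSON output and `strategy: matrix: ${{ fromJSON(needs.setup.outputs.matrix) }}` in the three consumers; if that is more machinery than wanted, a comment `# keep in sync with copy_east/copy_west` on each block at least flags the coupling.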
@@ -130,7 +130,7 @@ jobs: --description "$(jq -r \".Description\" ${{ matrix.layer }}_${{ matrix.arch }}.json)" \ --query 'Version' | \ xargs aws --region us-gov-east-1 lambda add-layer-version-permission \ - --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ + --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ --statement-id 'PublicLayer' \ --action lambda:GetLayerVersion \ --principal '*' \ @@ -178,7 +178,7 @@ jobs: - name: Create Layer run: | aws --region us-gov-west-1 lambda publish-layer-version \ - --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ + --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \ --compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ --compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ @@ -186,7 +186,7 @@ jobs: --description "$(jq -r \".Description\" ${{ matrix.layer }}_${{ matrix.arch }}.json)" \ --query 'Version' | \ xargs aws --region us-gov-west-1 lambda add-layer-version-permission \ - --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \ + --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ --statement-id 'PublicLayer' \ --action lambda:GetLayerVersion \ --principal '*' \ From f6949943b649efbf071e975b54bc664168de55cc Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Thu, 3 Oct 2024 08:49:48 +0000 Subject: [PATCH 6/7] fix description --- .github/workflows/layer_govcloud.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml index 91f4e82ca75..8a9e68c3ed9 100644 --- a/.github/workflows/layer_govcloud.yml +++ b/.github/workflows/layer_govcloud.yml 
@@ -127,7 +127,7 @@ jobs: --compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ --compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ --license-info "MIT-0" \ - --description "$(jq -r \".Description\" ${{ matrix.layer }}_${{ matrix.arch }}.json)" \ + --description "$(jq -r '.Description' ${{ matrix.layer }}_${{ matrix.arch }}.json)" \ --query 'Version' | \ xargs aws --region us-gov-east-1 lambda add-layer-version-permission \ --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ @@ -183,7 +183,7 @@ jobs: --compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ --compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ --license-info "MIT-0" \ - --description "$(jq -r \".Description\" ${{ matrix.layer }}_${{ matrix.arch }}.json)" \ + --description "$(jq -r '.Description' ${{ matrix.layer }}_${{ matrix.arch }}.json)" \ --query 'Version' | \ xargs aws --region us-gov-west-1 lambda add-layer-version-permission \ --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ From 38a95f686a6428ec14d0b619d53fe22ee2424941 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Thu, 3 Oct 2024 09:29:03 +0000 Subject: [PATCH 7/7] verify sha after upload --- .github/workflows/layer_govcloud.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml index 8a9e68c3ed9..fa5a9279294 100644 --- a/.github/workflows/layer_govcloud.yml +++ b/.github/workflows/layer_govcloud.yml 
@@ -135,6 +135,11 @@ jobs: --action lambda:GetLayerVersion \ --principal '*' \ --version-number + - name: Verify Layer + run: | + REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.CodeSha256' --output text) + SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json) + test $($REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1 copy_west: name: Copy (West) @@ -190,4 +195,9 @@ jobs: --statement-id 'PublicLayer' \ --action lambda:GetLayerVersion \ --principal '*' \ - --version-number \ No newline at end of file + --version-number + - name: Verify Layer + run: | + REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.CodeSha256' --output text) + SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json) + test $($REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1 \ No newline at end of file
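Review bot: The new comparison line `test $($REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1` opens a `$(` that is never closed, so bash rejects the script before running anything and the step fails on every run; it fails closed, but the verification it is meant to provide never executes. Once that is fixed, the lookup above it asks the GovCloud account for version `${{ inputs.version }}` of the layer, which is the source account's version number, whereas the version just created is whatever `publish-layer-version` returned in the `Create Layer` step, and the two only coincide if both accounts' version counters happen to be in lockstep. The rewrite below resolves the newest version in the destination account and compares its `CodeSha256` with the stored metadata; capturing the value returned by `publish-layer-version` would be tighter still, but that pipeline starts outside this hunk. The `copy_west` step added in the `@@ -190,4 +195,9 @@` hunk has both defects and needs the same change with `us-gov-west-1`.
```yaml
      - name: Verify Layer
        run: |
          set -euo pipefail
          LAYER_NAME="${{ matrix.layer }}-${{ matrix.arch }}"
          # The destination account numbers layer versions independently of the
          # source account, so resolve the version just published instead of
          # reusing inputs.version.
          VERSION=$(aws --region us-gov-east-1 lambda list-layer-versions \
            --layer-name "$LAYER_NAME" \
            --query 'max_by(LayerVersions, &Version).Version' --output text)
          REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version \
            --layer-name "$LAYER_NAME" --version-number "$VERSION" \
            --query 'Content.CodeSha256' --output text)
          SHA=$(jq -r '.Content.CodeSha256' "${{ matrix.layer }}_${{ matrix.arch }}.json")
          if [ "$REMOTE_SHA" != "$SHA" ]; then
            echo "SHA mismatch for ${LAYER_NAME}:${VERSION}: expected ${SHA}, got ${REMOTE_SHA}" >&2
            exit 1
          fi
          echo "SHA OK: ${SHA}"
```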