
Commit 5e9f051

authored
chore(ci): Simplified GovCloud Deploy (#3763)
1 parent afab04f commit 5e9f051

2 files changed

+86
-105
lines changed


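--- a/.github/workflows/layer_govcloud_verify.yml
+++ b/.github/workflows/layer_govcloud_verify.yml
@@ -5,19 +5,39 @@
 on:
 workflow_dispatch:
 inputs:
+environment:
+description: Deployment environment
+type: choice
+options:
+- Gamma
+- Prod
+required: true
 version:
-description: Layer version to verify information
+description: Layer version to verify
 type: string
 required: true
+govcloud_version:
+description: GovCloud Layer version to verify, this is mostly used in Gamma where a version mismatch might exist
+type: string
+required: false
+
 workflow_call:
 inputs:
+environment:
+description: Deployment environment
+type: string
+required: true
 version:
-description: Layer version to verify information
+description: Layer version to verify
 type: string
 required: true
+govcloud_version:
+description: GovCloud Layer version to verify, this is mostly used in Gamma where a version mismatch might exist
+type: string
+required: false
 
 name: Layer Verification (GovCloud)
-run-name: Layer Verification (GovCloud) - version ${{ inputs.version }}
+run-name: Layer Verification (GovCloud) / Version ${{ inputs.version }}
 
 permissions: {}
 
@@ -38,44 +58,51 @@ jobs:
 - name: Output AWSLambdaPowertoolsTypeScriptV2
 # fetch the specific layer version information from the us-east-1 commercial region
 run: |
-aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
+aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' > AWSLambdaPowertoolsTypeScriptV2.json
+- name: Store Metadata
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+with:
+name: AWSLambdaPowertoolsTypeScriptV2.json
+path: AWSLambdaPowertoolsTypeScriptV2.json
+retention-days: 1
+if-no-files-found: error
 
-gov_east:
-name: Verify (East)
+verify:
+name: Verify
 needs: commercial
 runs-on: ubuntu-latest
 permissions:
 id-token: write
 contents: read
-environment: GovCloud Prod (East)
+environment: GovCloud ${{ inputs.environment }}
+strategy:
+matrix:
+region:
+- us-gov-east-1
+- us-gov-west-1
 steps:
-- name: Configure AWS Credentials
-uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+- name: Download Metadata
+uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 with:
-role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
-aws-region: us-gov-east-1
-mask-aws-account-id: true
-- name: Verify Layer AWSLambdaPowertoolsTypeScriptV2
-id: verify-layer
+name: AWSLambdaPowertoolsTypeScriptV2.json
+- id: transform
 run: |
-aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
-
-gov_west:
-name: Verify (West)
-needs: commercial
-runs-on: ubuntu-latest
-permissions:
-id-token: write
-contents: read
-environment: GovCloud Prod (West)
-steps:
+echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
 with:
-role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
-aws-region: us-gov-east-1
+role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
+aws-region: ${{ matrix.region}}
 mask-aws-account-id: true
-- name: Verify Layer AWSLambdaPowertoolsTypeScriptV2
-id: verify-layer
+- id: govcloud_version
+name: GovCloud Layer Version
+run: |
+echo 'govcloud_version=$([[ -n "${{ inputs.govcloud_version}}" ]] && echo ${{ inputs.govcloud_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT"
+- name: Verify Layer
 run: |
-aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
+export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.govcloud_version.outputs.govcloud_version }}" > $layer_output
+REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
+LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
+test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
+jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t'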
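Review bot: The new `govcloud_version` step (new lines 97-100 of the second hunk) never evaluates its fallback, because the whole `echo` argument is single-quoted: under the default bash shell the `$([[ -n … ]] && … || …)` text is written to `$GITHUB_OUTPUT` literally, so the `Verify Layer` ARN on new line 104 ends in that shell snippet rather than a version number. The same lines also splice the `inputs.version` and `inputs.govcloud_version` strings straight into shell text (as does new line 61 in the commercial job), so a value containing a quote or metacharacter changes the command rather than just the ARN; passing the inputs through `env:` keeps them data. The rewrite below uses bash default-value expansion for the fallback and leaves the rest of the job unchanged.
```yaml
- id: govcloud_version
  name: GovCloud Layer Version
  env:
    GOVCLOUD_VERSION: ${{ inputs.govcloud_version }}
    COMMERCIAL_VERSION: ${{ inputs.version }}
  run: |
    echo "govcloud_version=${GOVCLOUD_VERSION:-$COMMERCIAL_VERSION}" >> "$GITHUB_OUTPUT"
# … unchanged: Verify Layer step …
```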

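--- a/.github/workflows/layers_govcloud.yml
+++ b/.github/workflows/layers_govcloud.yml
@@ -33,7 +33,7 @@ on:
 type: string
 required: true
 
-run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} - version - ${{ inputs.version }}
+run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} / Version - ${{ inputs.version }}
 
 permissions:
 contents: read
@@ -71,14 +71,19 @@ jobs:
 retention-days: 1
 if-no-files-found: error
 
-copy_east:
-name: Copy (East)
+copy:
+name: Copy
 needs: download
 runs-on: ubuntu-latest
 permissions:
 id-token: write
 contents: read
-environment: GovCloud ${{ inputs.environment }} (East)
+environment: GovCloud ${{ inputs.environment }}
+strategy:
+matrix:
+region:
+- us-gov-east-1
+- us-gov-west-1
 steps:
 - name: Download Zip
 uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
@@ -92,86 +97,29 @@ jobs:
 run: |
 SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json')
 test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
-- name: Configure AWS Credentials
-uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
-with:
-role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
-aws-region: us-gov-east-1
-mask-aws-account-id: true
-- name: Create Layer
-id: create-layer
-run: |
-cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json
-
-LAYER_VERSION=$(aws --region us-gov-east-1 lambda publish-layer-version \
---zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \
---cli-input-json file://./input.json \
---query 'Version' \
---output text)
-
-echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
-
-aws --region us-gov-east-1 lambda add-layer-version-permission \
---layer-name 'AWSLambdaPowertoolsTypeScriptV2' \
---statement-id 'PublicLayer' \
---action lambda:GetLayerVersion \
---principal '*' \
---version-number "$LAYER_VERSION"
-- name: Verify Layer
-env:
-LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+- id: transform
 run: |
-REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text)
-SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json')
-test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
-aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > govcloud.json
-echo ::notice::GovCloud Details
-cat govcloud.json | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes, "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
-echo ::notice::Commercial Details
-cat AWSLambdaPowertoolsTypeScriptV2.json | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes, "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
-
-copy_west:
-name: Copy (West)
-needs: download
-runs-on: ubuntu-latest
-permissions:
-id-token: write
-contents: read
-environment:
-name: GovCloud ${{ inputs.environment }} (West)
-steps:
-- name: Download Zip
-uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
-with:
-name: AWSLambdaPowertoolsTypeScriptV2.zip
-- name: Download Metadata
-uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
-with:
-name: AWSLambdaPowertoolsTypeScriptV2.json
-- name: Verify Layer Signature
-run: |
-SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json')
-test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
 with:
-role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
-aws-region: us-gov-west-1
+role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
+aws-region: ${{ matrix.region}}
 mask-aws-account-id: true
 - name: Create Layer
 id: create-layer
 run: |
 cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json
 
-LAYER_VERSION=$(aws --region us-gov-west-1 lambda publish-layer-version \
+LAYER_VERSION=$(aws --region ${{ matrix.region}} lambda publish-layer-version \
 --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \
 --cli-input-json file://./input.json \
 --query 'Version' \
 --output text)
 
 echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
 
-aws --region us-gov-west-1 lambda add-layer-version-permission \
+aws --region ${{ matrix.region}} lambda add-layer-version-permission \
 --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \
 --statement-id 'PublicLayer' \
 --action lambda:GetLayerVersion \
@@ -181,11 +129,17 @@ jobs:
 env:
 LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
 run: |
-REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text)
-SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json')
-test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
-aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > govcloud.json
-echo ::notice::GovCloud Details
-cat govcloud.json | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes, "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
-echo ::notice::Commercial Details
-cat AWSLambdaPowertoolsTypeScriptV2.json | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes, "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
+export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output
+REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
+LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
+test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
+jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t'
+
+- name: Store Metadata - ${{ matrix.region }}
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+with:
+name: AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json
+path: AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json
+retention-days: 1
+if-no-files-found: error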
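Review bot: The new region matrix on the `copy` job (new lines 82-86 of the second hunk) leaves `fail-fast` at its default, so a failure in one region cancels the other region's run while it is in flight; because `Create Layer` publishes the version before `add-layer-version-permission` and `Verify Layer` run, a cancelled run could leave a layer version published in the other region that was never permissioned or verified, and the cancellation hides which region actually failed. Add `fail-fast: false` directly under `strategy:` so each region completes its publish-permission-verify sequence and reports on its own. The `copy` job's `Create Layer` and `Verify Layer` steps continue across the hunk boundaries, so the publish/permission ordering is inferred from the context lines shown rather than the full step.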
