From 8c2cb483df7a02e78a260b3b4f753ebab51d9167 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 12:46:08 +0100 Subject: [PATCH 01/12] chore(ci): Simpllified GovCloud Deploy --- .github/workflows/layers_govcloud.yml | 101 +++++++------------------- 1 file changed, 28 insertions(+), 73 deletions(-) diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index cc8a31833..09e1adda4 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml @@ -71,14 +71,19 @@ jobs: retention-days: 1 if-no-files-found: error - copy_east: - name: Copy (East) + copy: + name: Copy needs: download runs-on: ubuntu-latest permissions: id-token: write contents: read - environment: GovCloud ${{ inputs.environment }} (East) + environment: GovCloud + strategy: + matrix: + region: + - us-gov-east-1 + - us-gov-west-1 steps: - name: Download Zip uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 
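Review bot: The new `copy` job's `strategy.matrix` carries no `fail-fast` setting, so the default `fail-fast: true` applies and a failure in one region cancels the other region's in-progress run, which may then be stopped between `publish-layer-version` and `add-layer-version-permission` in the Create Layer step further down the file. For a publish job the two regions should finish or fail independently, so I would add `fail-fast: false` directly under `strategy:`. The `copy` job's steps continue past the end of this hunk.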
@@ -92,78 +97,21 @@ jobs: run: | SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json') test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 - with: - role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - aws-region: us-gov-east-1 - mask-aws-account-id: true - - name: Create Layer - id: create-layer - run: | - cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json - - LAYER_VERSION=$(aws --region us-gov-east-1 lambda publish-layer-version \ - --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \ - --cli-input-json file://./input.json \ - --query 'Version' \ - --output text) - - echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" - - aws --region us-gov-east-1 lambda add-layer-version-permission \ - --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \ - --statement-id 'PublicLayer' \ - --action lambda:GetLayerVersion \ - --principal '*' \ - --version-number "$LAYER_VERSION" - - name: Verify Layer - env: - LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} + - id: transform run: | - REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) - SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json') - test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 - aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > 
govcloud.json - echo ::notice::GovCloud Details - cat govcloud.json | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes, "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' - echo ::notice::Commercial Details - cat AWSLambdaPowertoolsTypeScriptV2.json | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes, "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' - - copy_west: - name: Copy (West) - needs: download - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - environment: - name: GovCloud ${{ inputs.environment }} (West) - steps: - - name: Download Zip - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 - with: - name: AWSLambdaPowertoolsTypeScriptV2.zip - - name: Download Metadata - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 - with: - name: AWSLambdaPowertoolsTypeScriptV2.json - - name: Verify Layer Signature - run: | - SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json') - test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 + echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: - role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - aws-region: us-gov-west-1 + role-to-assume: ${{ secrets[format('{0}', steps.transform.outputs.CONVERTED_REGION)] }} + aws-region: ${{ matrix.region}} mask-aws-account-id: true - name: Create Layer id: create-layer run: | cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": 
.Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json - LAYER_VERSION=$(aws --region us-gov-west-1 lambda publish-layer-version \ + LAYER_VERSION=$(aws --region ${{ matrix.region}} lambda publish-layer-version \ --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \ --cli-input-json file://./input.json \ --query 'Version' \ @@ -171,7 +119,7 @@ jobs: echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" - aws --region us-gov-west-1 lambda add-layer-version-permission \ + aws --region ${{ matrix.region}} lambda add-layer-version-permission \ --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \ --statement-id 'PublicLayer' \ --action lambda:GetLayerVersion \ 
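Review bot: The step introduced as `- id: transform` in the `copy` job carries no `name:`, so the job log labels it only by its generated command text, and `aws-region: ${{ matrix.region}}` omits the space before `}}` that the file's other expressions keep; the same spacing recurs on the `--region ${{ matrix.region}}` lines of this hunk and the next two. I would write `- name: Derive secret suffix from region` above `id: transform` and `aws-region: ${{ matrix.region }}`. The `secrets[format(...)]` lookup keyed on `steps.transform.outputs.CONVERTED_REGION` resolves to an empty string when the selected environment has no secret of that name, and configure-aws-credentials presumably fails only at assume-role time with a generic error; a comment above `role-to-assume` such as `# secret name is derived from the matrix region; both regions' secrets must exist in the environment` documents that coupling. The `copy` job's steps continue past the end of this hunk.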
@@ -181,11 +129,18 @@ jobs: env: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} run: | - REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) - SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json') + layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' + aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output + REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) + LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 - aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > govcloud.json - echo ::notice::GovCloud Details - cat govcloud.json | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes, "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' - echo ::notice::Commercial Details - cat AWSLambdaPowertoolsTypeScriptV2.json | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes, "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' + echo ::notice::Layer Details - Commercial (Left) / GovCloud (Right) + jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) 
|@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' + + - name: Store Metadata - ${{ matrix.region }} + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json + path: AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json + retention-days: 1 + if-no-files-found: error \ No newline at end of file From 5ed641de5a56271106547c863da838769f0f3e4a Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 12:53:32 +0100 Subject: [PATCH 02/12] add deploy env to assumed env --- .github/workflows/layers_govcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index 09e1adda4..c4ba771c6 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml @@ -78,7 +78,7 @@ jobs: permissions: id-token: write contents: read - environment: GovCloud + environment: GovCloud ${{ inputs.environment }} strategy: matrix: region: From dcb94fd2adfd41fdf8d926a3680bf654fbbdf75a Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 12:58:51 +0100 Subject: [PATCH 03/12] fix secret formatting --- .github/workflows/layers_govcloud.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index c4ba771c6..36fc80c97 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml 
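Review bot: In the rewritten Verify Layer step the comparison line `test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1` still reads `$SHA`, but the two new assignments above it set `REMOTE_SHA` and `LOCAL_SHA`, so `$SHA` is empty, the test never matches and the step exits 1 on every run; patch 08 later changes the line to `LOCAL_SHA`, but as committed this revision cannot pass, which matters if the series is kept unsquashed and bisected. The shell variable `$layer_output` is used unquoted in the redirection and in the two `jq` invocations; the value has no whitespace today, but `> "$layer_output"` and `jq -r '.Content.CodeSha256' "$layer_output"` cost nothing and stay correct if the artifact name changes. Patches 04 through 09 churn over these same lines, so one squashed fix would be cleaner to review. The Verify Layer step's `name:` sits above this hunk.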
@@ -103,7 +103,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: - role-to-assume: ${{ secrets[format('{0}', steps.transform.outputs.CONVERTED_REGION)] }} + role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }} aws-region: ${{ matrix.region}} mask-aws-account-id: true - name: Create Layer @@ -130,7 +130,7 @@ jobs: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} run: | layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' - aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output + aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 From b764abb475ba9d70b4f506084cbeb14327281b9d Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 13:16:02 +0100 Subject: [PATCH 04/12] comment out jq --- .github/workflows/layers_govcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index 36fc80c97..d6b9d3229 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml 
@@ -135,7 +135,7 @@ jobs: LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 echo ::notice::Layer Details - Commercial (Left) / GovCloud (Right) - jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' + # jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' - name: Store Metadata - ${{ matrix.region }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From 727e0f99a7be9807ac81f1984b7490d2c76521b2 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 13:17:48 +0100 Subject: [PATCH 05/12] export var --- .github/workflows/layers_govcloud.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index d6b9d3229..5ff875526 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml 
@@ -129,13 +129,13 @@ jobs: env: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} run: | - layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' + export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 echo ::notice::Layer Details - Commercial (Left) / GovCloud (Right) - # jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' + jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' - name: Store Metadata - ${{ matrix.region }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From c044f6e07c6fc24e20c116dc1e7b8d23eea9670c Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 13:20:22 +0100 Subject: [PATCH 06/12] remove all --- .github/workflows/layers_govcloud.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index 5ff875526..5572dce91 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml 
@@ -130,12 +130,6 @@ jobs: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} run: | export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' - aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output - REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) - LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) - test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 - echo ::notice::Layer Details - Commercial (Left) / GovCloud (Right) - jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' - name: Store Metadata - ${{ matrix.region }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From 7768d3606219246b9b2f269765ee33814f436102 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 13:21:47 +0100 Subject: [PATCH 07/12] add output file --- .github/workflows/layers_govcloud.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index 5572dce91..dc90b9731 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml 
@@ -130,6 +130,7 @@ jobs: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} run: | export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' + aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output - name: Store Metadata - ${{ matrix.region }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From c67185c714860af3cc2fa95e8f87b795c591220a Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 13:26:32 +0100 Subject: [PATCH 08/12] fix verify --- .github/workflows/layers_govcloud.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index dc90b9731..54b0bc878 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml 
@@ -131,6 +131,11 @@ jobs: run: | export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output + REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) + LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) + test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1 + echo ::notice::Layer Details - Commercial (Left) / GovCloud (Right) + jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' - name: Store Metadata - ${{ matrix.region }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From 994d96d0b5381e6f5934897cf9c57f09234ddf1a Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 13:33:03 +0100 Subject: [PATCH 09/12] remove echo --- .github/workflows/layers_govcloud.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index 54b0bc878..d811f16d1 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml 
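Review bot: The corrected mismatch path `test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1` exits without printing either digest, so a failed verification shows only a non-zero exit in the log and the operator has to re-run the two `jq` calls by hand to see what differed. I would replace that line with `test "$REMOTE_SHA" == "$LOCAL_SHA" || { echo "::error::CodeSha256 mismatch: commercial=${LOCAL_SHA} govcloud=${REMOTE_SHA}"; exit 1; }` followed by `echo "SHA OK: ${LOCAL_SHA}"`. The `jq -s` side-by-side table on the last added line is then only reached on success; if it is also wanted on mismatch, print it before the `exit 1` in the failure branch. The Verify Layer step's `name:` and `env:` sit above this hunk.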
@@ -134,7 +134,6 @@ jobs: REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1 - echo ::notice::Layer Details - Commercial (Left) / GovCloud (Right) jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' - name: Store Metadata - ${{ matrix.region }} From 486dbe62fd4e7d75890f38d615943314bb804a29 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 13:42:53 +0100 Subject: [PATCH 10/12] update verify workflow --- .github/workflows/layer_govcloud_verify.yml | 74 ++++++++++++--------- .github/workflows/layers_govcloud.yml | 2 +- 2 files changed, 45 insertions(+), 31 deletions(-) diff --git a/.github/workflows/layer_govcloud_verify.yml b/.github/workflows/layer_govcloud_verify.yml index 3a4b5f32e..74aae0a64 100644 --- a/.github/workflows/layer_govcloud_verify.yml +++ b/.github/workflows/layer_govcloud_verify.yml @@ -5,19 +5,30 @@ on: workflow_dispatch: inputs: + environment: + description: Deployment environment + type: choice + options: + - Gamma + - Prod + required: true version: - description: Layer version to verify information + description: Layer version to duplicate type: string required: true workflow_call: inputs: + environment: + description: Deployment environment + type: string + required: true version: - description: Layer version to verify information + description: Layer version to duplicate type: string required: true name: Layer Verification (GovCloud) -run-name: Layer Verification (GovCloud) - version ${{ inputs.version }} +run-name: Layer Verification (GovCloud) / Version ${{ inputs.version }} permissions: {} 
@@ -38,44 +49,47 @@ jobs: - name: Output AWSLambdaPowertoolsTypeScriptV2 # fetch the specific layer version information from the us-east-1 commercial region run: | - aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' + aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' > AWSLambdaPowertoolsTypeScriptV2.json + - name: Store Metadata + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: AWSLambdaPowertoolsTypeScriptV2.json + path: AWSLambdaPowertoolsTypeScriptV2.json + retention-days: 1 + if-no-files-found: error - gov_east: - name: Verify (East) + verify: + name: Verify needs: commercial runs-on: ubuntu-latest permissions: id-token: write contents: read - environment: GovCloud Prod (East) + environment: GovCloud ${{ inputs.environment }} + strategy: + matrix: + region: + - us-gov-east-1 + - us-gov-west-1 steps: - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + - name: Download Metadata + uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: - role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - aws-region: us-gov-east-1 - mask-aws-account-id: true - - name: Verify Layer AWSLambdaPowertoolsTypeScriptV2 - id: verify-layer + name: AWSLambdaPowertoolsTypeScriptV2.json + - id: transform run: | - aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ 
secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' - - gov_west: - name: Verify (West) - needs: commercial - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - environment: GovCloud Prod (West) - steps: + echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: - role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - aws-region: us-gov-east-1 + role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }} + aws-region: ${{ matrix.region}} mask-aws-account-id: true - - name: Verify Layer AWSLambdaPowertoolsTypeScriptV2 - id: verify-layer + - name: Verify Layer run: | - aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' \ No newline at end of file + export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' + aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output + REMOTE_SHA=$(jq 
-r '.Content.CodeSha256' $layer_output) + LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) + test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1 + jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t' \ No newline at end of file diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index d811f16d1..51d3d29db 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml @@ -33,7 +33,7 @@ on: type: string required: true -run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} - version - ${{ inputs.version }} +run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} / Version - ${{ inputs.version }} permissions: contents: read From 20669e0a5a6c18bb37b9452737315a254df62532 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 24 Mar 2025 13:50:26 +0100 Subject: [PATCH 11/12] add govcloud version --- .github/workflows/layer_govcloud_verify.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/.github/workflows/layer_govcloud_verify.yml b/.github/workflows/layer_govcloud_verify.yml index 74aae0a64..c080cb91f 100644 --- a/.github/workflows/layer_govcloud_verify.yml +++ b/.github/workflows/layer_govcloud_verify.yml @@ -13,9 +13,14 @@ on: - Prod required: true version: - description: Layer version to duplicate + description: Layer version to verify type: string required: true + govcloud_version: + description: GovCloud Layer version to verify, this is mostly used in Gamma where a version mismatch might exist + type: string + required: false + workflow_call: inputs: environment: 
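Review bot: The new Verify Layer step in layer_govcloud_verify.yml builds the ARN with `${{ env.LAYER_VERSION }}`, but nothing in this workflow defines LAYER_VERSION (the `create-layer` step that sets it lives in layers_govcloud.yml), so the expression expands to empty and the ARN ends in `:layer:AWSLambdaPowertoolsTypeScriptV2:`; patch 11 replaces it with a step output, so this hunk as committed is a broken intermediate revision. The `commercial` job's new `run:` line also splices `${{ inputs.version }}` directly into the shell text; the input arrives from workflow_dispatch or from any caller via workflow_call, and a value containing a quote or `$(` changes the command rather than the ARN. The usual hardening is to expose the input as an environment variable on the step, `env:` with `VERSION: ${{ inputs.version }}`, reference it as `...:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json`, and, since layer versions are integers, reject anything else with `[[ "$VERSION" =~ ^[0-9]+$ ]] || exit 1` before the call. The `${{ matrix.region}}` expressions inside `run:` blocks are safe only because the matrix values are fixed in the file, which is worth a one-line comment above `matrix:`.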
@@ -23,9 +28,13 @@ on: type: string required: true version: - description: Layer version to duplicate + description: Layer version to verify type: string required: true + govcloud_version: + description: GovCloud Layer version to verify, this is mostly used in Gamma where a version mismatch might exist + type: string + required: false name: Layer Verification (GovCloud) run-name: Layer Verification (GovCloud) / Version ${{ inputs.version }} @@ -85,10 +94,14 @@ jobs: role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }} aws-region: ${{ matrix.region}} mask-aws-account-id: true + - id: govcloud_version + name: GovCloud Layer Version + run: | + echo 'govcloud_version=$([[ -n "${{ inputs.govcloud_version}}" ]] && echo ${{ inputs.govcloud_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT" - name: Verify Layer run: | export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' - aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output + aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.govcloud_version.outputs.govcloud_version }}' > $layer_output REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1 From 30d867ba439ec2e500895bd6fd198ecac4d9d95a Mon Sep 17 00:00:00 2001 
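Review bot: The new `govcloud_version` step wraps its `$([[ -n ... ]] && echo ... || echo ...)` in single quotes, so bash never evaluates the substitution and the literal text `govcloud_version=$([[ -n "..." ]] && echo ... || echo ... )` is what lands in `$GITHUB_OUTPUT`; the ARN built from `steps.govcloud_version.outputs.govcloud_version` on the next hunk line therefore contains shell syntax instead of a version number. Patch 12 works around this by switching the ARN to double quotes so the shell evaluates the stored text at use time, which keeps the defect and additionally executes whatever the two inputs contained. Both `inputs.version` and `inputs.govcloud_version` are also spliced into the script with `${{ }}`; passing them through `env:` and computing the value with a parameter expansion removes both problems. With the step fixed, the ARN in patch 12 can stay double-quoted but should reference a shell variable rather than a step-output expression.
```yaml
      - id: govcloud_version
        name: GovCloud Layer Version
        env:
          VERSION: ${{ inputs.version }}
          GOVCLOUD_VERSION: ${{ inputs.govcloud_version }}
        run: |
          # prefer the explicit GovCloud version, fall back to the commercial one
          version="${GOVCLOUD_VERSION:-$VERSION}"
          [[ "$version" =~ ^[0-9]+$ ]] || { echo "::error::layer version must be an integer, got '${version}'"; exit 1; }
          echo "govcloud_version=${version}" >> "$GITHUB_OUTPUT"
      # … unchanged: Verify Layer step …
```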
From: Simon Thulbourn Date: Mon, 24 Mar 2025 13:58:47 +0100 Subject: [PATCH 12/12] quotes --- .github/workflows/layer_govcloud_verify.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/layer_govcloud_verify.yml b/.github/workflows/layer_govcloud_verify.yml index c080cb91f..8d5899b05 100644 --- a/.github/workflows/layer_govcloud_verify.yml +++ b/.github/workflows/layer_govcloud_verify.yml @@ -101,7 +101,7 @@ jobs: - name: Verify Layer run: | export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' - aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.govcloud_version.outputs.govcloud_version }}' > $layer_output + aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:aws-us-gov:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.govcloud_version.outputs.govcloud_version }}" > $layer_output REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1