Skip to content

Layer Deployment (GovCloud) - Gamma #5

Layer Deployment (GovCloud) - Gamma

Layer Deployment (GovCloud) - Gamma #5

# GovCloud Layer Publish
# ---
# This workflow publishes a specific layer version in an AWS account based on the environment input.
#
# Using a matrix, we pull each architecture and python version of the layer and store them as artifacts
# we upload them to each of the GovCloud AWS accounts.
#
# A number of safety checks are performed to ensure safety.
on:
workflow_dispatch:
inputs:
environment:
description: Deployment environment
type: choice
options:
- Gamma
- Prod
default: Gamma
required: true
version:
description: Layer version to duplicate
type: number
required: true
workflow_call:
inputs:
environment:
description: Deployment environment
type: string
default: Gamma
required: true
version:
description: Layer version to duplicate
type: number
required: true
name: Layer Deployment (GovCloud)
run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }}
jobs:
download:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
strategy:
matrix:
layer:
- AWSLambdaPowertoolsPythonV3-python38
- AWSLambdaPowertoolsPythonV3-python39
- AWSLambdaPowertoolsPythonV3-python310
- AWSLambdaPowertoolsPythonV3-python311
- AWSLambdaPowertoolsPythonV3-python312
arch:
- arm64
- x86_64
environment: Prod (Readonly)
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
aws-region: us-east-1
mask-aws-account-id: true
- name: Grab Zip
run: |
aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip
aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} > ${{ matrix.layer }}_${{ matrix.arch }}.json
- name: Store Zip
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
path: ${{ matrix.layer }}_${{ matrix.arch }}.zip
retention-days: 1
if-no-files-found: error
- name: Store Metadata
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ matrix.layer }}_${{ matrix.arch }}.json
path: ${{ matrix.layer }}_${{ matrix.arch }}.json
retention-days: 1
if-no-files-found: error
copy_east:
name: Copy (East)
needs: download
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
strategy:
matrix:
layer:
- AWSLambdaPowertoolsPythonV3-python38
- AWSLambdaPowertoolsPythonV3-python39
- AWSLambdaPowertoolsPythonV3-python310
- AWSLambdaPowertoolsPythonV3-python311
- AWSLambdaPowertoolsPythonV3-python312
arch:
- arm64
- x86_64
environment: GovCloud ${{ inputs.environment }} (East)
steps:
- name: Download Zip
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
- name: Download Metadata
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ matrix.layer }}_${{ matrix.arch }}.json
- name: Verify Layer Signature
run: |
SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)
test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
aws-region: us-gov-east-1
mask-aws-account-id: true
- name: Create Layer
run: |
aws --region us-gov-east-1 lambda publish-layer-version \
--layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
--zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \
--compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
--compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
--license-info "MIT-0" \
--description "$(jq -r '.Description' ${{ matrix.layer }}_${{ matrix.arch }}.json)" \
--query 'Version' | \
xargs aws --region us-gov-east-1 lambda add-layer-version-permission \
--layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
--statement-id 'PublicLayer' \
--action lambda:GetLayerVersion \
--principal '*' \
--version-number
- name: Verify Layer
run: |
REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.CodeSha256' --output text)
SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)
test $($REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1
copy_west:
name: Copy (West)
needs: download
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
strategy:
matrix:
layer:
- AWSLambdaPowertoolsPythonV3-python38
- AWSLambdaPowertoolsPythonV3-python39
- AWSLambdaPowertoolsPythonV3-python310
- AWSLambdaPowertoolsPythonV3-python311
- AWSLambdaPowertoolsPythonV3-python312
arch:
- arm64
- x86_64
environment:
name: GovCloud ${{ inputs.environment }} (West)
steps:
- name: Download Zip
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
- name: Download Metadata
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ matrix.layer }}_${{ matrix.arch }}.json
- name: Verify Layer Signature
run: |
SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)
test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
aws-region: us-gov-west-1
mask-aws-account-id: true
- name: Create Layer
run: |
aws --region us-gov-west-1 lambda publish-layer-version \
--layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
--zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \
--compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
--compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
--license-info "MIT-0" \
--description "$(jq -r '.Description' ${{ matrix.layer }}_${{ matrix.arch }}.json)" \
--query 'Version' | \
xargs aws --region us-gov-west-1 lambda add-layer-version-permission \
--layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
--statement-id 'PublicLayer' \
--action lambda:GetLayerVersion \
--principal '*' \
--version-number
- name: Verify Layer
run: |
REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.CodeSha256' --output text)
SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)
test $($REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1