-
Notifications
You must be signed in to change notification settings - Fork 401
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(layers): balance Python 3.13 layers in GovCloud partition (#5579)
Balancing layers Python 3.13 in GovCloud
- Loading branch information
1 parent
f3c3b8e
commit 2e51c19
Showing
1 changed file
with
205 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,205 @@ | ||
| # GovCloud Layer Publish | ||
| # --- | ||
| # This workflow publishes a specific layer version in an AWS account based on the environment input. | ||
| # | ||
| # Using a matrix, we pull each architecture and python version of the layer and store them as artifacts | ||
| # we upload them to each of the GovCloud AWS accounts. | ||
| # | ||
| # A number of safety checks are performed to ensure safety. | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| environment: | ||
| description: Deployment environment | ||
| type: choice | ||
| options: | ||
| - Gamma | ||
| - Prod | ||
| required: true | ||
| version: | ||
| description: Layer version to duplicate | ||
| type: string | ||
| required: true | ||
| workflow_call: | ||
| inputs: | ||
| environment: | ||
| description: Deployment environment | ||
| type: string | ||
| required: true | ||
| version: | ||
| description: Layer version to duplicate | ||
| type: string | ||
| required: true | ||
|
|
||
| name: Layer Deployment (GovCloud) - Temporary for Python 3.13 | ||
| run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} | ||
|
|
||
| jobs: | ||
| download: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| strategy: | ||
| matrix: | ||
| layer: | ||
| - AWSLambdaPowertoolsPythonV3-python313 | ||
| arch: | ||
| - arm64 | ||
| - x86_64 | ||
| environment: Prod (Readonly) | ||
| steps: | ||
| - name: Configure AWS Credentials | ||
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_IAM_ROLE }} | ||
| aws-region: us-east-1 | ||
| mask-aws-account-id: true | ||
| - name: Grab Zip | ||
| run: | | ||
| aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip | ||
| aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} > ${{ matrix.layer }}_${{ matrix.arch }}.json | ||
| - name: Store Zip | ||
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||
| with: | ||
| name: ${{ matrix.layer }}_${{ matrix.arch }}.zip | ||
| path: ${{ matrix.layer }}_${{ matrix.arch }}.zip | ||
| retention-days: 1 | ||
| if-no-files-found: error | ||
| - name: Store Metadata | ||
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||
| with: | ||
| name: ${{ matrix.layer }}_${{ matrix.arch }}.json | ||
| path: ${{ matrix.layer }}_${{ matrix.arch }}.json | ||
| retention-days: 1 | ||
| if-no-files-found: error | ||
|
|
||
| copy_east: | ||
| name: Copy (East) | ||
| needs: download | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| strategy: | ||
| matrix: | ||
| layer: | ||
| - AWSLambdaPowertoolsPythonV3-python313 | ||
| arch: | ||
| - arm64 | ||
| - x86_64 | ||
| environment: GovCloud ${{ inputs.environment }} (East) | ||
| steps: | ||
| - name: Download Zip | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| name: ${{ matrix.layer }}_${{ matrix.arch }}.zip | ||
| - name: Download Metadata | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| name: ${{ matrix.layer }}_${{ matrix.arch }}.json | ||
| - name: Verify Layer Signature | ||
| run: | | ||
| SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json') | ||
| test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 | ||
| - name: Configure AWS Credentials | ||
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_IAM_ROLE }} | ||
| aws-region: us-gov-east-1 | ||
| mask-aws-account-id: true | ||
| - name: Create Layer | ||
| id: create-layer | ||
| run: | | ||
| LAYER_VERSION=$(aws --region us-gov-east-1 lambda publish-layer-version \ | ||
| --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ | ||
| --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \ | ||
| --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ | ||
| --compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ | ||
| --license-info "MIT-0" \ | ||
| --description "$(jq -r '.Description' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ | ||
| --query 'Version' \ | ||
| --output text) | ||
| echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" | ||
| aws --region us-gov-east-1 lambda add-layer-version-permission \ | ||
| --layer-name '${{ matrix.layer }}-${{ matrix.arch }}' \ | ||
| --statement-id 'PublicLayer' \ | ||
| --action lambda:GetLayerVersion \ | ||
| --principal '*' \ | ||
| --version-number "$LAYER_VERSION" | ||
| - name: Verify Layer | ||
| env: | ||
| LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} | ||
| run: | | ||
| REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) | ||
| SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json') | ||
| test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 | ||
| aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --output table | ||
| copy_west: | ||
| name: Copy (West) | ||
| needs: download | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| strategy: | ||
| matrix: | ||
| layer: | ||
| - AWSLambdaPowertoolsPythonV3-python313 | ||
| arch: | ||
| - arm64 | ||
| - x86_64 | ||
| environment: | ||
| name: GovCloud ${{ inputs.environment }} (West) | ||
| steps: | ||
| - name: Download Zip | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| name: ${{ matrix.layer }}_${{ matrix.arch }}.zip | ||
| - name: Download Metadata | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| name: ${{ matrix.layer }}_${{ matrix.arch }}.json | ||
| - name: Verify Layer Signature | ||
| run: | | ||
| SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json') | ||
| test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 | ||
| - name: Configure AWS Credentials | ||
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_IAM_ROLE }} | ||
| aws-region: us-gov-west-1 | ||
| mask-aws-account-id: true | ||
| - name: Create Layer | ||
| id: create-layer | ||
| run: | | ||
| LAYER_VERSION=$(aws --region us-gov-west-1 lambda publish-layer-version \ | ||
| --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ | ||
| --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \ | ||
| --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ | ||
| --compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ | ||
| --license-info "MIT-0" \ | ||
| --description "$(jq -r '.Description' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ | ||
| --query 'Version' \ | ||
| --output text) | ||
| echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" | ||
| aws --region us-gov-west-1 lambda add-layer-version-permission \ | ||
| --layer-name '${{ matrix.layer }}-${{ matrix.arch }}' \ | ||
| --statement-id 'PublicLayer' \ | ||
| --action lambda:GetLayerVersion \ | ||
| --principal '*' \ | ||
| --version-number "$LAYER_VERSION" | ||
| - name: Verify Layer | ||
| env: | ||
| LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} | ||
| run: | | ||
| REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) | ||
| SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json') | ||
| test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 | ||
| aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --output table |