From 1758376116502193a4295e631ac459d1dcb293bd Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Wed, 19 Mar 2025 14:55:48 +0100 Subject: [PATCH 1/6] chore: add workflows for govloud layers --- .github/workflows/layer_govcloud_verify.yml | 91 +++++++++ .github/workflows/layers_govcloud.yml | 200 ++++++++++++++++++++ 2 files changed, 291 insertions(+) create mode 100644 .github/workflows/layer_govcloud_verify.yml create mode 100644 .github/workflows/layers_govcloud.yml diff --git a/.github/workflows/layer_govcloud_verify.yml b/.github/workflows/layer_govcloud_verify.yml new file mode 100644 index 0000000000..00826a59d0 --- /dev/null +++ b/.github/workflows/layer_govcloud_verify.yml 
@@ -0,0 +1,91 @@ +# GovCloud Layer Verification +# --- +# This workflow queries the GovCloud layer info in production only + +on: + workflow_dispatch: + inputs: + version: + description: Layer version to verify information + type: string + required: true + workflow_call: + inputs: + version: + description: Layer version to verify information + type: string + required: true + +name: Layer Verification (GovCloud) +run-name: Layer Verification (GovCloud) + +jobs: + commercial: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsTypeScriptV2 + environment: Prod (Readonly) + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-east-1 + mask-aws-account-id: true + - name: Output ${{ matrix.layer }} + run: | + aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:${{ matrix.layer }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' + + gov_east: + name: Verify (East) + needs: commercial + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsTypeScriptV2 + environment: GovCloud Prod (East) + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-gov-east-1 + mask-aws-account-id: true + - name: Verify Layer ${{ matrix.layer }} + id: verify-layer + run: | + aws --region us-gov-east-1 lambda 
get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' + + gov_west: + name: Verify (West) + needs: commercial + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsTypeScriptV2 + + environment: GovCloud Prod (West) + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-gov-east-1 + mask-aws-account-id: true + - name: Verify Layer ${{ matrix.layer }} + id: verify-layer + run: | + aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' \ No newline at end of file diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml new file mode 100644 index 0000000000..42e2b3ee8c --- /dev/null +++ b/.github/workflows/layers_govcloud.yml 
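Review bot: The gov_west job configures credentials with `aws-region: us-gov-east-1` while its only step runs `aws --region us-gov-west-1`; this looks like a copy-paste slip from gov_east and should read `aws-region: us-gov-west-1` (the same line survives unchanged in the later patches of this series). Each verification script is a pipeline ending in `jq` and `column`, and the default runner shell does not set pipefail, so a failing `get-layer-version-by-arn` exits 0 and the job passes on empty output; add `shell: bash` to these steps (which enables `-eo pipefail`) or start the script with `set -o pipefail`. `${{ inputs.version }}` is expanded straight into the script text of every `run:` block, so the single-quoted ARN offers no protection against a version string containing quote characters; pass it as `env: VERSION: ${{ inputs.version }}` and reference `"$VERSION"` in the shell instead. The Grab Zip step in the `@@ -0,0 +1,200 @@` hunk of layers_govcloud.yml expands the input the same way and should get the same treatment.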
@@ -0,0 +1,200 @@ +name: Layer Deployment (GovCloud) + +# GovCloud Layer Publish +# --- +# This workflow publishes a specific layer version in an AWS account based on the environment input. +# +# Using a matrix, we pull each architecture and python version of the layer and store them as artifacts +# we upload them to each of the GovCloud AWS accounts. +# +# A number of safety checks are performed to ensure safety. + +on: + workflow_dispatch: + inputs: + environment: + description: Deployment environment + type: choice + options: + - Gamma + - Prod + required: true + version: + description: Layer version to duplicate + type: string + required: true + workflow_call: + inputs: + environment: + description: Deployment environment + type: string + required: true + version: + description: Layer version to duplicate + type: string + required: true + +run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} + +permissions: + contents: read + +jobs: + download: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsTypeScriptV2 + environment: Prod (Readonly) + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-east-1 + mask-aws-account-id: true + - name: Grab Zip + run: | + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:${{ matrix.layer }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}.zip + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:${{ matrix.layer }}:${{ inputs.version }} > ${{ matrix.layer }}.json + - name: Store Zip + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 + with: + name: ${{ matrix.layer }}.zip + path: ${{ matrix.layer }}.zip + 
retention-days: 1 + if-no-files-found: error + - name: Store Metadata + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 + with: + name: ${{ matrix.layer }}.json + path: ${{ matrix.layer }}.json + retention-days: 1 + if-no-files-found: error + + copy_east: + name: Copy (East) + needs: download + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsTypeScriptV2 + environment: GovCloud ${{ inputs.environment }} (East) + steps: + - name: Download Zip + uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0 + with: + name: ${{ matrix.layer }}.zip + - name: Download Metadata + uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0 + with: + name: ${{ matrix.layer }}.json + - name: Verify Layer Signature + run: | + SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}.json') + test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-gov-east-1 + mask-aws-account-id: true + - name: Create Layer + id: create-layer + run: | + LAYER_VERSION=$(aws --region us-gov-east-1 lambda publish-layer-version \ + --layer-name ${{ matrix.layer }} \ + --zip-file fileb://./${{ matrix.layer }}.zip \ + --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}.json')" \ + --compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}.json')" \ + --license-info "MIT-0" \ + --description "$(jq -r '.Description' '${{ matrix.layer }}.json')" \ + --query 'Version' \ + --output text) + + echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" + + aws --region us-gov-east-1 lambda add-layer-version-permission \ + --layer-name 
'${{ matrix.layer }}' \ + --statement-id 'PublicLayer' \ + --action lambda:GetLayerVersion \ + --principal '*' \ + --version-number "$LAYER_VERSION" + - name: Verify Layer + env: + LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} + run: | + REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) + SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}.json') + test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 + aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}:${{ env.LAYER_VERSION }}' --output table + + copy_west: + name: Copy (West) + needs: download + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsTypeScriptV2 + environment: + name: GovCloud ${{ inputs.environment }} (West) + steps: + - name: Download Zip + uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0 + with: + name: ${{ matrix.layer }}.zip + - name: Download Metadata + uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0 + with: + name: ${{ matrix.layer }}.json + - name: Verify Layer Signature + run: | + SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}.json') + test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-gov-west-1 + mask-aws-account-id: true + - name: Create Layer + id: create-layer + run: | + LAYER_VERSION=$(aws --region us-gov-west-1 lambda 
publish-layer-version \ + --layer-name ${{ matrix.layer }} \ + --zip-file fileb://./${{ matrix.layer }}.zip \ + --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}.json')" \ + --compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}.json')" \ + --license-info "MIT-0" \ + --description "$(jq -r '.Description' '${{ matrix.layer }}.json')" \ + --query 'Version' \ + --output text) + + echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" + + aws --region us-gov-west-1 lambda add-layer-version-permission \ + --layer-name '${{ matrix.layer }}' \ + --statement-id 'PublicLayer' \ + --action lambda:GetLayerVersion \ + --principal '*' \ + --version-number "$LAYER_VERSION" + - name: Verify Layer + env: + LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} + run: | + REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) + SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}.json') + test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 + aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}:${{ env.LAYER_VERSION }}' --output table \ No newline at end of file From 4ac7f9ff04b3b9a906891207c5b147e9c58e272f Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Wed, 19 Mar 2025 19:49:57 +0100 Subject: [PATCH 2/6] chore: remove matrix and address other review comments --- .github/workflows/layer_govcloud_verify.yml | 24 +++---- .github/workflows/layers_govcloud.yml | 78 +++++++++------------ 2 files changed, 41 insertions(+), 61 deletions(-) diff --git a/.github/workflows/layer_govcloud_verify.yml b/.github/workflows/layer_govcloud_verify.yml index 00826a59d0..bcdf4f49fa 100644 
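Review bot: Both `Verify Layer` steps already export `LAYER_VERSION` through `env:` but then re-expand it as `${{ env.LAYER_VERSION }}` inside the `run:` script; using `"$LAYER_VERSION"` in the shell keeps the value out of the script text and matches how `--version-number "$LAYER_VERSION"` is handled two steps earlier. In Grab Zip, `curl -L -o` without `--fail` saves an HTTP error body as the zip and exits 0, so a bad download only surfaces later as a bare `exit 1` in the copy jobs; use `curl -fL -o`, and add `--output text` to the preceding `--query 'Content.Location'` call so the pipe does not rely on xargs stripping the JSON quotes. `copy_west` declares `environment:` as a mapping (`name: GovCloud ${{ inputs.environment }} (West)`) while `download` and `copy_east` use the scalar form; pick one style for the file.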
--- a/.github/workflows/layer_govcloud_verify.yml +++ b/.github/workflows/layer_govcloud_verify.yml @@ -17,7 +17,7 @@ on: required: true name: Layer Verification (GovCloud) -run-name: Layer Verification (GovCloud) +run-name: Layer Verification (GovCloud) - version ${{ inputs.version }} jobs: commercial: @@ -37,9 +37,10 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} aws-region: us-east-1 mask-aws-account-id: true - - name: Output ${{ matrix.layer }} + - name: Output AWSLambdaPowertoolsTypeScriptV2 + # fetch the specific layer version information from the us-east-1 commercial region run: | - aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:${{ matrix.layer }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' + aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' gov_east: name: Verify (East) @@ -48,10 +49,6 @@ jobs: permissions: id-token: write contents: read - strategy: - matrix: - layer: - - AWSLambdaPowertoolsTypeScriptV2 environment: GovCloud Prod (East) steps: - name: Configure AWS Credentials 
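Review bot: Replacing the matrix with the literal `AWSLambdaPowertoolsTypeScriptV2` repeats the layer name in step names, ARNs, artifact names and file names in every job, so a future rename has to touch dozens of lines; a workflow-level `env: LAYER_NAME: AWSLambdaPowertoolsTypeScriptV2` referenced as `$LAYER_NAME` in scripts and `${{ env.LAYER_NAME }}` elsewhere keeps one source of truth. The same repetition is introduced by the remaining hunks of this patch in both files, from `@@ -60,10 +57,10 @@` through `@@ -194,7 +182,7 @@`. The comment added in the second hunk sits between `- name:` and `run:`; placing it above the `- name:` line at the step's indentation is the more conventional spot for a step-level comment.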
@@ -60,10 +57,10 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} aws-region: us-gov-east-1 mask-aws-account-id: true - - name: Verify Layer ${{ matrix.layer }} + - name: Verify Layer AWSLambdaPowertoolsTypeScriptV2 id: verify-layer run: | - aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' + aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' gov_west: name: Verify (West) @@ -72,11 +69,6 @@ jobs: permissions: id-token: write contents: read - strategy: - matrix: - layer: - - AWSLambdaPowertoolsTypeScriptV2 - environment: GovCloud Prod (West) steps: - name: Configure AWS Credentials 
@@ -85,7 +77,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} aws-region: us-gov-east-1 mask-aws-account-id: true - - name: Verify Layer ${{ matrix.layer }} + - name: Verify Layer AWSLambdaPowertoolsTypeScriptV2 id: verify-layer run: | - aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' \ No newline at end of file + aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2-${{ matrix.arch }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' \ No newline at end of file diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index 42e2b3ee8c..29629b2bce 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml @@ -34,7 +34,7 @@ on: type: string required: true -run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} +run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} - version - ${{ inputs.version }} permissions: contents: read @@ -45,10 +45,6 @@ jobs: permissions: id-token: write contents: read - strategy: - matrix: - layer: - - AWSLambdaPowertoolsTypeScriptV2 environment: Prod (Readonly) steps: - name: Configure AWS Credentials 
@@ -59,20 +55,20 @@ jobs: mask-aws-account-id: true - name: Grab Zip run: | - aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:${{ matrix.layer }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}.zip - aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:${{ matrix.layer }}:${{ inputs.version }} > ${{ matrix.layer }}.json + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} > AWSLambdaPowertoolsTypeScriptV2.json - name: Store Zip uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 with: - name: ${{ matrix.layer }}.zip - path: ${{ matrix.layer }}.zip + name: AWSLambdaPowertoolsTypeScriptV2.zip + path: AWSLambdaPowertoolsTypeScriptV2.zip retention-days: 1 if-no-files-found: error - name: Store Metadata uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 with: - name: ${{ matrix.layer }}.json - path: ${{ matrix.layer }}.json + name: AWSLambdaPowertoolsTypeScriptV2.json + path: AWSLambdaPowertoolsTypeScriptV2.json retention-days: 1 if-no-files-found: error 
@@ -83,24 +79,20 @@ jobs: permissions: id-token: write contents: read - strategy: - matrix: - layer: - - AWSLambdaPowertoolsTypeScriptV2 environment: GovCloud ${{ inputs.environment }} (East) steps: - name: Download Zip uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0 with: - name: ${{ matrix.layer }}.zip + name: AWSLambdaPowertoolsTypeScriptV2.zip - name: Download Metadata uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0 with: - name: ${{ matrix.layer }}.json + name: AWSLambdaPowertoolsTypeScriptV2.json - name: Verify Layer Signature run: | - SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}.json') - test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 + SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json') + test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: 
@@ -111,19 +103,19 @@ jobs: id: create-layer run: | LAYER_VERSION=$(aws --region us-gov-east-1 lambda publish-layer-version \ - --layer-name ${{ matrix.layer }} \ - --zip-file fileb://./${{ matrix.layer }}.zip \ - --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}.json')" \ - --compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}.json')" \ + --layer-name AWSLambdaPowertoolsTypeScriptV2 \ + --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \ + --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' 'AWSLambdaPowertoolsTypeScriptV2.json')" \ + --compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' 'AWSLambdaPowertoolsTypeScriptV2.json')" \ --license-info "MIT-0" \ - --description "$(jq -r '.Description' '${{ matrix.layer }}.json')" \ + --description "$(jq -r '.Description' 'AWSLambdaPowertoolsTypeScriptV2.json')" \ --query 'Version' \ --output text) echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" aws --region us-gov-east-1 lambda add-layer-version-permission \ - --layer-name '${{ matrix.layer }}' \ + --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \ --statement-id 'PublicLayer' \ --action lambda:GetLayerVersion \ --principal '*' \ 
@@ -132,10 +124,10 @@ jobs: env: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} run: | - REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) - SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}.json') + REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) + SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json') test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 - aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}:${{ env.LAYER_VERSION }}' --output table + aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --output table copy_west: name: Copy (West) 
@@ -144,25 +136,21 @@ jobs: permissions: id-token: write contents: read - strategy: - matrix: - layer: - - AWSLambdaPowertoolsTypeScriptV2 environment: name: GovCloud ${{ inputs.environment }} (West) steps: - name: Download Zip uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0 with: - name: ${{ matrix.layer }}.zip + name: AWSLambdaPowertoolsTypeScriptV2.zip - name: Download Metadata uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0 with: - name: ${{ matrix.layer }}.json + name: AWSLambdaPowertoolsTypeScriptV2.json - name: Verify Layer Signature run: | - SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}.json') - test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 + SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json') + test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: 
@@ -173,19 +161,19 @@ jobs: id: create-layer run: | LAYER_VERSION=$(aws --region us-gov-west-1 lambda publish-layer-version \ - --layer-name ${{ matrix.layer }} \ - --zip-file fileb://./${{ matrix.layer }}.zip \ - --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}.json')" \ - --compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}.json')" \ + --layer-name AWSLambdaPowertoolsTypeScriptV2 \ + --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \ + --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' 'AWSLambdaPowertoolsTypeScriptV2.json')" \ + --compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' 'AWSLambdaPowertoolsTypeScriptV2.json')" \ --license-info "MIT-0" \ - --description "$(jq -r '.Description' '${{ matrix.layer }}.json')" \ + --description "$(jq -r '.Description' 'AWSLambdaPowertoolsTypeScriptV2.json')" \ --query 'Version' \ --output text) echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" aws --region us-gov-west-1 lambda add-layer-version-permission \ - --layer-name '${{ matrix.layer }}' \ + --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \ --statement-id 'PublicLayer' \ --action lambda:GetLayerVersion \ --principal '*' \ 
@@ -194,7 +182,7 @@ jobs: env: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} run: | - REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) - SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}.json') + REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) + SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json') test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 - aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}:${{ env.LAYER_VERSION }}' --output table \ No newline at end of file + aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --output table \ No newline at end of file From cc249e9d47a5e11914fd58427ff2c7d63ec75964 Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Wed, 19 Mar 2025 20:09:16 +0100 Subject: [PATCH 3/6] fix comment and removed another matrix conf --- .github/workflows/layer_govcloud_verify.yml | 6 +----- .github/workflows/layers_govcloud.yml | 3 +-- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/layer_govcloud_verify.yml b/.github/workflows/layer_govcloud_verify.yml index bcdf4f49fa..473fc67bd3 100644 --- a/.github/workflows/layer_govcloud_verify.yml +++ b/.github/workflows/layer_govcloud_verify.yml 
@@ -25,10 +25,6 @@ jobs: permissions: id-token: write contents: read - strategy: - matrix: - layer: - - AWSLambdaPowertoolsTypeScriptV2 environment: Prod (Readonly) steps: - name: Configure AWS Credentials @@ -80,4 +76,4 @@ jobs: - name: Verify Layer AWSLambdaPowertoolsTypeScriptV2 id: verify-layer run: | - aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2-${{ matrix.arch }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' \ No newline at end of file + aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t' \ No newline at end of file diff --git a/.github/workflows/layers_govcloud.yml b/.github/workflows/layers_govcloud.yml index 29629b2bce..222219e4af 100644 --- a/.github/workflows/layers_govcloud.yml +++ b/.github/workflows/layers_govcloud.yml 
@@ -4,8 +4,7 @@ name: Layer Deployment (GovCloud) # --- # This workflow publishes a specific layer version in an AWS account based on the environment input. # -# Using a matrix, we pull each architecture and python version of the layer and store them as artifacts -# we upload them to each of the GovCloud AWS accounts. +# We pull each the version of the layer and store them as artifacts, the we upload them to each of the GovCloud AWS accounts. # # A number of safety checks are performed to ensure safety. From 970dfa218d56ceda9810143ec182eb29d14b4876 Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Wed, 19 Mar 2025 20:31:40 +0100 Subject: [PATCH 4/6] chore: add layer arn in docs: WIP - need acc numbers --- docs/index.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index 680d346464..e68f77ec1d 100644 --- a/docs/index.md +++ b/docs/index.md @@ -69,7 +69,9 @@ You can use Powertools for AWS Lambda (TypeScript) by installing it with your fa For the latter, make sure to replace `{region}` with your AWS region, e.g., `eu-west-1`. - __arn:aws:lambda:{region}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard: + !!! abstract "" + + __arn:aws:lambda:{region}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard: ???+ note "Code snippets for popular infrastructure as code frameworks" 
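Review bot: The rewritten header comment has two slips, `each the version` and `the we upload`, that make the sentence hard to parse; suggest `# We pull the requested layer version and store it as an artifact, then upload it to each of the GovCloud AWS accounts.`. The context line that follows, `# A number of safety checks are performed to ensure safety.`, is tautological and would be more useful if it named the checks the file actually performs: the artifact SHA comparison before publish-layer-version and the remote CodeSha256 comparison after it.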
@@ -264,6 +266,15 @@ You can use Powertools for AWS Lambda (TypeScript) by installing it with your fa }); ``` +=== "Layer in GovCloud" + + We also provide layers in two GovCloud regions: + + !!! abstract "" + + * __arn:aws-us-gov:lambda:us-gov-east-1:ACCOUNT_NUMBER:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard: + * __arn:aws-us-gov:lambda:us-gov-west-1:ACCOUNT_NUMBER:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard: + ### Lambda Layer [Lambda Layer](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html){target="_blank"} is a `.zip` file archive that can contain additional code, pre-packaged dependencies, data, or configuration files. We compile and optimize [all dependencies](#install) to achieve an optimal build. From 541cf0641be117cc5c23971c64c6f9ff63f3e7a0 Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Thu, 20 Mar 2025 17:09:12 +0100 Subject: [PATCH 5/6] chore: add govcloud accounts --- docs/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/index.md b/docs/index.md index e68f77ec1d..f73c751f07 100644 --- a/docs/index.md +++ b/docs/index.md @@ -272,8 +272,8 @@ You can use Powertools for AWS Lambda (TypeScript) by installing it with your fa !!! abstract "" - * __arn:aws-us-gov:lambda:us-gov-east-1:ACCOUNT_NUMBER:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard: - * __arn:aws-us-gov:lambda:us-gov-west-1:ACCOUNT_NUMBER:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard: + * __arn:aws-us-gov:lambda:us-gov-east-1:165087284144:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard: + * __arn:aws-us-gov:lambda:us-gov-west-1:165093116878:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard: ### Lambda Layer From c665256fe4597c42402117551ed6e5ae356ee1f1 Mon Sep 17 00:00:00 2001 
From: Alexander Schueren Date: Thu, 20 Mar 2025 20:59:14 +0100 Subject: [PATCH 6/6] chore: set permission to none explictly for ossf --- .github/workflows/layer_govcloud_verify.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/layer_govcloud_verify.yml b/.github/workflows/layer_govcloud_verify.yml index 473fc67bd3..3a4b5f32eb 100644 --- a/.github/workflows/layer_govcloud_verify.yml +++ b/.github/workflows/layer_govcloud_verify.yml @@ -19,6 +19,8 @@ on: name: Layer Verification (GovCloud) run-name: Layer Verification (GovCloud) - version ${{ inputs.version }} +permissions: {} + jobs: commercial: runs-on: ubuntu-latest
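Review bot: The new top-level `permissions: {}` is the right default, but the three jobs below still grant `contents: read` alongside `id-token: write` even though, as far as the first patch of this series shows, none of their steps checks out the repository; only `id-token: write` appears to be needed, so each job block could shrink to `permissions:` / `  id-token: write`. For consistency, layers_govcloud.yml still carries a top-level `permissions: contents: read` from the first patch and would benefit from the same `{}` treatment, keeping a read grant only on a job that needs it.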