Skip to content

feat(layers): add parameterised layer deployment and verification #4033

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jun 11, 2025
Merged

feat(layers): add parameterised layer deployment and verification #4033

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3404eb4
feat(china): Create parameterised layer deployment and verification
sthulb Jun 10, 2025
9ef836f
Update .github/workflows/layers_partition_verify.yml
sthulb Jun 10, 2025
9a1b3c8
Merge branch 'main' into china-layers
sthulb Jun 10, 2025
8d7c11a
empty
sthulb Jun 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
132 changes: 132 additions & 0 deletions .github/workflows/layers_partition_verify.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
# Parition Layer Verification
# ---
# This workflow queries the Parition layer info in production only

on:
workflow_dispatch:
inputs:
environment:
description: Deployment environment
type: choice
options:
- Gamma
- Prod
required: true
version:
description: Layer version to verify
type: string
required: true
partition_version:
description: Layer version to verify, this is mostly used in Gamma where a version mismatch might exist
type: string
required: false
partition:
description: Partition to deploy to
type: choice
options:
- China
- GovCloud
workflow_call:
inputs:
environment:
description: Deployment environment
type: string
required: true
version:
description: Layer version to verify
type: string
required: true
partition_version:
description: Partition Layer version to verify, this is mostly used in Gamma where a version mismatch might exist
type: string
required: false

name: Layer Verification (Partition)
run-name: Layer Verification (${{ inputs.partition }}) - ${{ inputs.environment }} / Version - ${{ inputs.version }}

permissions: {}

jobs:
setup:
runs-on: ubuntu-latest
outputs:
regions: ${{ format('{0}{1}', steps.regions_china.outputs.regions, steps.regions_govcloud.outputs.regions) }}
parition: ${{ format('{0}{1}', steps.regions_china.outputs.partition, steps.regions_govcloud.outputs.parition) }}
steps:
- id: regions_china
name: Parition (China)
if: ${{ inputs.partition == 'China' }}
run: |
echo regions='["cn-north-1", "cn-northwest-1"]'>> "$GITHUB_OUTPUT"
echo partition='aws-cn'>> "$GITHUB_OUTPUT"
- id: regions_govcloud
name: Partition (GovCloud)
if: ${{ inputs.partition == 'GovCloud' }}
run: |
echo regions='["us-gov-east-1", "us-gov-west-1"]'>> "$GITHUB_OUTPUT"
echo partition='aws-us-gov'>> "$GITHUB_OUTPUT"
commercial:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
environment: Prod (Readonly)
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
with:
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
aws-region: us-east-1
mask-aws-account-id: true
- name: Output AWSLambdaPowertoolsTypeScriptV2
# fetch the specific layer version information from the us-east-1 commercial region
run: |
aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' > AWSLambdaPowertoolsTypeScriptV2.json
- name: Store Metadata
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: AWSLambdaPowertoolsTypeScriptV2.json
path: AWSLambdaPowertoolsTypeScriptV2.json
retention-days: 1
if-no-files-found: error

verify:
name: Verify
needs:
- setup
- commercial
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
# Environment should interperlate as "GovCloud Prod" or "China Beta"
environment: ${{ inputs.partition }} ${{ inputs.environment }}
strategy:
matrix:
region: ${{ fromJson(needs.setup.outputs.regions) }}
steps:
- name: Download Metadata
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: AWSLambdaPowertoolsTypeScriptV2.json
- id: transform
run: |
echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
with:
role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
aws-region: ${{ matrix.region}}
mask-aws-account-id: true
- id: partition_version
name: Partition Layer Version
run: |
echo 'partition_version=$([[ -n "${{ inputs.partition_version}}" ]] && echo ${{ inputs.partition_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT"
- name: Verify Layer
run: |
export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.parition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t'
169 changes: 169 additions & 0 deletions .github/workflows/layers_partitions.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,169 @@
# Partitioned Layer Publish
# ---
# This workflow publishes a specific layer version in an AWS account based on the environment input.
#
# We pull each the version of the layer and store them as artifacts, the we upload them to each of the Partitioned AWS accounts.
#
# A number of safety checks are performed to ensure safety.

on:
workflow_dispatch:
inputs:
environment:
description: Deployment environment
type: choice
options:
- Gamma
- Prod
required: true
version:
description: Layer version to duplicate
type: string
required: true
partition:
description: Partition to deploy to
type: choice
options:
- China
- GovCloud
workflow_call:
inputs:
environment:
description: Deployment environment
type: string
required: true
version:
description: Layer version to duplicate
type: string
required: true

name: Layer Deployment (Partitions)
run-name: Layer Deployment (${{ inputs.partition }}) - ${{ inputs.environment }} / Version - ${{ inputs.version }}

permissions:
contents: read

jobs:
setup:
runs-on: ubuntu-latest
outputs:
regions: ${{ format('{0}{1}', steps.regions_china.outputs.regions, steps.regions_govcloud.outputs.regions) }}
parition: ${{ format('{0}{1}', steps.regions_china.outputs.partition, steps.regions_govcloud.outputs.parition) }}
steps:
- id: regions_china
name: Parition (China)
if: ${{ inputs.partition == 'China' }}
run: |
echo regions='["cn-north-1", "cn-northwest-1"]'>> "$GITHUB_OUTPUT"
echo partition='aws-cn'>> "$GITHUB_OUTPUT"
- id: regions_govcloud
name: Partition (GovCloud)
if: ${{ inputs.partition == 'GovCloud' }}
run: |
echo regions='["us-gov-east-1", "us-gov-west-1"]'>> "$GITHUB_OUTPUT"
echo partition='aws-us-gov'>> "$GITHUB_OUTPUT"
download:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
environment: Prod (Readonly)
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
with:
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
aws-region: us-east-1
mask-aws-account-id: true
- name: Grab Zip
run: |
aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} > AWSLambdaPowertoolsTypeScriptV2.json
- name: Store Zip
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: AWSLambdaPowertoolsTypeScriptV2.zip
path: AWSLambdaPowertoolsTypeScriptV2.zip
retention-days: 1
if-no-files-found: error
- name: Store Metadata
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: AWSLambdaPowertoolsTypeScriptV2.json
path: AWSLambdaPowertoolsTypeScriptV2.json
retention-days: 1
if-no-files-found: error

copy:
name: Copy
needs:
- setup
- download
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
# Environment should interperlate as "GovCloud Prod" or "China Beta"
environment: ${{ inputs.partition }} ${{ inputs.environment }}
strategy:
matrix:
region: ${{ fromJson(needs.setup.outputs.regions) }}
steps:
- name: Download Zip
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: AWSLambdaPowertoolsTypeScriptV2.zip
- name: Download Metadata
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: AWSLambdaPowertoolsTypeScriptV2.json
- name: Verify Layer Signature
run: |
SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json')
test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
- id: transform
run: |
echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
with:
role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
aws-region: ${{ matrix.region}}
mask-aws-account-id: true
- name: Create Layer
id: create-layer
run: |
cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json

LAYER_VERSION=$(aws --region ${{ matrix.region}} lambda publish-layer-version \
--zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \
--cli-input-json file://./input.json \
--query 'Version' \
--output text)

echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"

aws --region ${{ matrix.region}} lambda add-layer-version-permission \
--layer-name 'AWSLambdaPowertoolsTypeScriptV2' \
--statement-id 'PublicLayer' \
--action lambda:GetLayerVersion \
--principal '*' \
--version-number "$LAYER_VERSION"
- name: Verify Layer
env:
LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
run: |
export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.parition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output
REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t'

- name: Store Metadata - ${{ matrix.region }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json
path: AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json
retention-days: 1
if-no-files-found: error