From d8e71654ed0e339e1b08c9b59573694ca46e4cf9 Mon Sep 17 00:00:00 2001
From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com>
Date: Mon, 13 Apr 2026 16:48:10 -0400
Subject: [PATCH] Publish private extension images to serverless-testing account
Update build_private_image.sh to push to 093468662994 (serverless-testing) instead of 425362996713 (sandbox). The self-monitoring container runtimes (LOD, LMI) run in 093468662994, so co-locating the extension images there removes the need for cross-account ECR pulls during CDK Docker builds.
---
 .gitlab/datasources/environments.yaml | 4 ++++
 .gitlab/scripts/build_private_image.sh | 23 +++++++++++++----------
 .gitlab/templates/pipeline.yaml.tpl | 2 +-
 3 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/.gitlab/datasources/environments.yaml b/.gitlab/datasources/environments.yaml
index c3fbc14ec..79d2ad802 100644
--- a/.gitlab/datasources/environments.yaml
+++ b/.gitlab/datasources/environments.yaml
@@ -5,6 +5,10 @@ environments:
 account: 425362996713
 add_layer_version_permissions: 0
 automatically_bump_version: 1
+ serverless_testing:
+ external_id: serverless-testing-publish-externalid
+ role_to_assume: lambda-extension-image-publisher
+ account: 093468662994
 prod:
 external_id: prod-publish-externalid
 role_to_assume: dd-serverless-layer-deployer-role
diff --git a/.gitlab/scripts/build_private_image.sh b/.gitlab/scripts/build_private_image.sh
index 066ca2d74..ada17a87c 100755
--- a/.gitlab/scripts/build_private_image.sh
+++ b/.gitlab/scripts/build_private_image.sh
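Review bot: The new `serverless_testing` entry defines only `external_id`, `role_to_assume` and `account`, whereas the adjacent `sandbox` entry also carries `add_layer_version_permissions` and `automatically_bump_version`. If any template other than the one changed in this commit walks `environments` and reads those two keys, the lookup for this entry would come back empty or fail at render time, depending on the template options in use. If they are left out on purpose because this account only receives images, a one-line comment on the entry, e.g. `# image publishing only; no layer settings apply`, would spare the next reader that check.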
@@ -7,17 +7,17 @@ set -e
-DOCKER_TARGET_IMAGE="425362996713.dkr.ecr.us-east-1.amazonaws.com/self-monitoring-lambda-extension"
+# ECR target for private extension images, used by self-monitoring container runtimes.
+# Defaults to the serverless-testing account's datadog-lambda-extension repo.
+PRIVATE_IMAGE_ECR_ACCOUNT="${PRIVATE_IMAGE_ECR_ACCOUNT:-093468662994}"
+PRIVATE_IMAGE_ECR_REPO="${PRIVATE_IMAGE_ECR_REPO:-datadog-lambda-extension}"
+DOCKER_TARGET_IMAGE="${PRIVATE_IMAGE_ECR_ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com/${PRIVATE_IMAGE_ECR_REPO}"
 EXTENSION_DIR=".layers"
 IMAGE_TAG="latest"
-printf "Authenticating Docker to ECR...\n"
-aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 425362996713.dkr.ecr.us-east-1.amazonaws.com
+printf "Authenticating Docker to ECR (%s)...\n" "$PRIVATE_IMAGE_ECR_ACCOUNT"
+aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "${PRIVATE_IMAGE_ECR_ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com"
-# NOTE: this probably does not work the way that we expect it to, especially
-# when suffixes are involved. This is a known bug but we don't really check
-# anything other than the basic `self-monitoring-lambda-extension:latest` image
-# in our self-monitoring, so it's not a thing we're going to fix right now.
 LAYER_NAME="Datadog-Extension"
 if [ -z "$PIPELINE_LAYER_SUFFIX" ]; then
 printf "Building container images tagged without suffix\n"
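Review bot: `PRIVATE_IMAGE_ECR_ACCOUNT` and `PRIVATE_IMAGE_ECR_REPO` are read from the environment with no validation, so a mistyped or stale override makes this script authenticate to and push into a registry nobody intended; a guard right after the defaults, `printf '%s' "$PRIVATE_IMAGE_ECR_ACCOUNT" | grep -Eq '^[0-9]{12}$' || { printf "PRIVATE_IMAGE_ECR_ACCOUNT must be a 12-digit account id\n" >&2; exit 1; }`, keeps the push confined to a well-formed account. The default `093468662994` also duplicates the value the pipeline template in this commit sources as `AWS_ACCOUNT` from environments.yaml; if that variable is still in the environment when this script runs (not visible here), `${PRIVATE_IMAGE_ECR_ACCOUNT:-${AWS_ACCOUNT:-093468662994}}` would leave one source of truth. The login pipeline runs under `set -e` only (the `set -e` line is outside this hunk), so a failing `aws ecr get-login-password` is reported only via whatever `docker login` does with an empty password; `set -eo pipefail` at the top of the script would surface that failure directly.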
@@ -26,8 +26,11 @@ else
 LAYER_NAME="${LAYER_NAME}-${PIPELINE_LAYER_SUFFIX}"
 fi
-# Increment last version
-latest_version=$(aws lambda list-layer-versions --region us-east-1 --layer-name $LAYER_NAME --query 'LayerVersions[0].Version || `0`')
+# Get the latest published layer version to derive the image tag.
+# Layers are published in the sandbox account (425362996713), so query there
+# regardless of which account we're pushing images to.
+SANDBOX_ACCOUNT="425362996713"
+latest_version=$(aws lambda list-layer-versions --region us-east-1 --layer-name "arn:aws:lambda:us-east-1:${SANDBOX_ACCOUNT}:layer:${LAYER_NAME}" --query 'LayerVersions[0].Version || `0`')
 VERSION=$(($latest_version + 1))
 printf "Tagging container image with version: $VERSION and latest\n"
@@ -39,4 +42,4 @@ docker buildx build \
 --tag "$DOCKER_TARGET_IMAGE:${VERSION}${SUFFIX}" \
 --push .
-printf "Image built and pushed to $DOCKER_TARGET_IMAGE:${IMAGE_TAG}${SUFFIX} for ${PLATFORM}\n"
+printf "Image built and pushed to $DOCKER_TARGET_IMAGE:${IMAGE_TAG}${SUFFIX}\n"
diff --git a/.gitlab/templates/pipeline.yaml.tpl b/.gitlab/templates/pipeline.yaml.tpl
index 6b2938221..cbd683ce1 100644
--- a/.gitlab/templates/pipeline.yaml.tpl
+++ b/.gitlab/templates/pipeline.yaml.tpl
@@ -235,7 +235,7 @@ publish private images ({{ $multi_arch_image_flavor.name }}):
 variables:
 SUFFIX: {{ $multi_arch_image_flavor.suffix }}
 before_script:
- {{ with $environment := (ds "environments").environments.sandbox }}
+ {{ with $environment := (ds "environments").environments.serverless_testing }}
 - EXTERNAL_ID_NAME={{ $environment.external_id }} ROLE_TO_ASSUME={{ $environment.role_to_assume }} AWS_ACCOUNT={{ $environment.account }} source .gitlab/scripts/get_secrets.sh
 {{ end }}
 script:
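Review bot: The `list-layer-versions` call now names a layer ARN in the sandbox account via `SANDBOX_ACCOUNT`, while the pipeline.yaml.tpl change in this commit moves the job's credentials to the serverless-testing role; a cross-account `lambda:ListLayerVersions` only succeeds if the sandbox layer's resource policy and the assumed role both allow it, and nothing in the diff shows that grant. Under `set -e` an access error in the command substitution aborts the job, which is the right failure mode, but the dependency is invisible from the script; a comment next to `SANDBOX_ACCOUNT=`, e.g. `# requires lambda:ListLayerVersions on the sandbox layer from the image-publishing role`, would make the coupling explicit. Whether a layer name that does not exist in the sandbox yields the `0` fallback or an error is not determinable from here and is worth confirming once, since it decides whether the first image for a new suffix gets tag `1` or fails the build.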
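Review bot: The rewritten message still expands `$DOCKER_TARGET_IMAGE`, `${IMAGE_TAG}` and `${SUFFIX}` inside printf's format string, and with the repository name now coming from the `PRIVATE_IMAGE_ECR_REPO` override a `%` in any of those values would be treated as a conversion rather than printed. Pass the value as an argument instead: `printf "Image built and pushed to %s\n" "$DOCKER_TARGET_IMAGE:${IMAGE_TAG}${SUFFIX}"`. The untouched `Tagging container image with version:` line in hunk `@@ -26,8 +26,11 @@` has the same shape and could get the same treatment; the `docker buildx build` command this hunk ends starts before the hunk.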