powertools-lambda-python/.github/workflows/layers_partition_verify.yml at 0f659fc9422f4099eacfdc6e48cf6aa1717f74ac · aws-powertools/powertools-lambda-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
# Partition Layer Verification
# ---
# This workflow queries the Partition layer info in production only

on:
  workflow_dispatch:
    inputs:
      environment:
        description: Deployment environment
        type: choice
        options:
          - Gamma
          - Prod
        required: true
      version:
        description: Layer version to verify
        type: string
        required: true
      partition_version:
        description: Layer version to verify, this is mostly used in Gamma where a version mismatch might exist
        type: string
        required: false
      partition:
        description: Partition to deploy to
        type: choice
        options:
          - China
          - GovCloud
  workflow_call:
    inputs:
      environment:
        description: Deployment environment
        type: string
        required: true
      version:
        description: Layer version to verify
        type: string
        required: true
      partition_version:
        description: Partition Layer version to verify, this is mostly used in Gamma where a version mismatch might exist
        type: string
        required: false

name: Layer Verification (Partition)
run-name: Layer Verification (${{ inputs.partition }}) - ${{ inputs.environment }} / Version - ${{ inputs.version }}

permissions: {}

jobs:
  setup:
    runs-on: ubuntu-latest
    outputs:
      regions: ${{ format('{0}{1}', steps.regions_china.outputs.regions, steps.regions_govcloud.outputs.regions) }}
      partition: ${{ format('{0}{1}', steps.regions_china.outputs.partition, steps.regions_govcloud.outputs.partition) }}
      aud: ${{ format('{0}{1}', steps.regions_china.outputs.aud, steps.regions_govcloud.outputs.aud) }}
    steps:
      - id: regions_china
        name: Partition (China)
        if: ${{ inputs.partition == 'China' }}
        run: |
          echo regions='["cn-north-1"]'>> "$GITHUB_OUTPUT"
          echo partition='aws-cn'>> "$GITHUB_OUTPUT"
          echo aud='sts.amazonaws.com.cn'>> "$GITHUB_OUTPUT"
      - id: regions_govcloud
        name: Partition (GovCloud)
        if: ${{ inputs.partition == 'GovCloud' }}
        run: |
          echo regions='["us-gov-east-1", "us-gov-west-1"]'>> "$GITHUB_OUTPUT"
          echo partition='aws-us-gov'>> "$GITHUB_OUTPUT"
          echo aud='sts.amazonaws.com'>> "$GITHUB_OUTPUT"
  commercial:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    environment: Prod (Readonly)
    strategy:
      matrix:
        layer:
          - AWSLambdaPowertoolsPythonV3-python39
          - AWSLambdaPowertoolsPythonV3-python310
          - AWSLambdaPowertoolsPythonV3-python311
          - AWSLambdaPowertoolsPythonV3-python312
          - AWSLambdaPowertoolsPythonV3-python313
          - AWSLambdaPowertoolsPythonV3-python314
        arch:
          - arm64
          - x86_64
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v4.3.0
        with:
          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
          aws-region: us-east-1
          mask-aws-account-id: true
      - name: Output ${{ matrix.layer }}-${{ matrix.arch }}
        # fetch the specific layer version information from the us-east-1 commercial region
        run: |
          aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }}' > '${{ matrix.layer }}-${{ matrix.arch }}.json'
      - name: Store Metadata
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: ${{ matrix.layer }}-${{ matrix.arch }}.json
          path: ${{ matrix.layer }}-${{ matrix.arch }}.json
          retention-days: 1
          if-no-files-found: error

  verify:
    name: Verify
    needs:
      - setup
      - commercial
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    # Environment should interperlate as "GovCloud Prod" or "China Beta"
    environment: ${{ inputs.partition }} ${{ inputs.environment }}
    strategy:
      matrix:
        region: ${{ fromJson(needs.setup.outputs.regions) }}
        layer:
          - AWSLambdaPowertoolsPythonV3-python39
          - AWSLambdaPowertoolsPythonV3-python310
          - AWSLambdaPowertoolsPythonV3-python311
          - AWSLambdaPowertoolsPythonV3-python312
          - AWSLambdaPowertoolsPythonV3-python313
          - AWSLambdaPowertoolsPythonV3-python314
        arch:
          - arm64
          - x86_64
    steps:
      - name: Download Metadata
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: ${{ matrix.layer }}-${{ matrix.arch }}.json
      - id: transform
        run: |
          echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v4.3.0
        with:
          role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
          aws-region: ${{ matrix.region}}
          mask-aws-account-id: true
          audience: ${{ needs.setup.outputs.aud }}
      - id: partition_version
        name: Partition Layer Version
        run: |
          echo 'partition_version=$([[ -n "${{ inputs.partition_version}}" ]] && echo ${{ inputs.partition_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT"
      - name: Verify Layer
        run: |
          export layer_output='${{ matrix.layer }}-${{ matrix.arch }}-${{matrix.region}}.json'
          aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
          REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
          LOCAL_SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}-${{ matrix.arch }}.json)
          test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
          jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' ${{ matrix.layer }}-${{ matrix.arch }}.json $layer_output | column -t -s $'\t'