Skip to content

Commit 25d6404

Browse files
sthulbSimon Thulbournleandrodamascena
authored
chore(ci): Add dump of govcloud layer info in verify step (#5415)
* chore(ci): Add dump of govcloud layer info in verify step * shellcheck updates * add manual verification * Update .github/workflows/layer_govcloud_verify.yml Co-authored-by: Leandro Damascena <lcdama@amazon.pt> Signed-off-by: Simon Thulbourn <sthulb@users.noreply.github.com> * Update .github/workflows/layer_govcloud_verify.yml Co-authored-by: Leandro Damascena <lcdama@amazon.pt> Signed-off-by: Simon Thulbourn <sthulb@users.noreply.github.com> --------- Signed-off-by: Simon Thulbourn <sthulb@users.noreply.github.com> Co-authored-by: Simon Thulbourn <sthulb@@users.noreply.github.com> Co-authored-by: Leandro Damascena <lcdama@amazon.pt>
1 parent 0f6f543 commit 25d6404

File tree

2 files changed

+136
-24
lines changed

2 files changed

+136
-24
lines changed

.github/workflows/layer_govcloud.yml

Lines changed: 25 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -16,22 +16,20 @@ on:
1616
options:
1717
- Gamma
1818
- Prod
19-
default: Gamma
2019
required: true
2120
version:
2221
description: Layer version to duplicate
23-
type: number
22+
type: string
2423
required: true
2524
workflow_call:
2625
inputs:
2726
environment:
2827
description: Deployment environment
2928
type: string
30-
default: Gamma
3129
required: true
3230
version:
3331
description: Layer version to duplicate
34-
type: number
32+
type: string
3533
required: true
3634

3735
name: Layer Deployment (GovCloud)
@@ -111,8 +109,8 @@ jobs:
111109
name: ${{ matrix.layer }}_${{ matrix.arch }}.json
112110
- name: Verify Layer Signature
113111
run: |
114-
SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)
115-
test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1
112+
SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
113+
test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
116114
- name: Configure AWS Credentials
117115
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
118116
with:
@@ -125,27 +123,29 @@ jobs:
125123
LAYER_VERSION=$(aws --region us-gov-east-1 lambda publish-layer-version \
126124
--layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
127125
--zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \
128-
--compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
129-
--compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
126+
--compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
127+
--compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
130128
--license-info "MIT-0" \
131-
--description "$(jq -r '.Description' ${{ matrix.layer }}_${{ matrix.arch }}.json)" \
129+
--description "$(jq -r '.Description' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
132130
--query 'Version' \
133131
--output text)
132+
134133
echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
135134
136135
aws --region us-gov-east-1 lambda add-layer-version-permission \
137-
--layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
136+
--layer-name '${{ matrix.layer }}-${{ matrix.arch }}' \
138137
--statement-id 'PublicLayer' \
139138
--action lambda:GetLayerVersion \
140139
--principal '*' \
141-
--version-number $LAYER_VERSION
140+
--version-number "$LAYER_VERSION"
142141
- name: Verify Layer
143142
env:
144143
LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
145144
run: |
146-
REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }} --query 'Content.CodeSha256' --output text)
147-
SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)
148-
test $REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1
145+
REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text)
146+
SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
147+
test "$REMOTE_SHA" == "$SHA "&& echo "SHA OK: ${SHA}" || exit 1
148+
aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --output text
149149
150150
copy_west:
151151
name: Copy (West)
@@ -178,8 +178,8 @@ jobs:
178178
name: ${{ matrix.layer }}_${{ matrix.arch }}.json
179179
- name: Verify Layer Signature
180180
run: |
181-
SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)
182-
test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1
181+
SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
182+
test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
183183
- name: Configure AWS Credentials
184184
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
185185
with:
@@ -192,25 +192,26 @@ jobs:
192192
LAYER_VERSION=$(aws --region us-gov-west-1 lambda publish-layer-version \
193193
--layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
194194
--zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \
195-
--compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
196-
--compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
195+
--compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
196+
--compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
197197
--license-info "MIT-0" \
198-
--description "$(jq -r '.Description' ${{ matrix.layer }}_${{ matrix.arch }}.json)" \
198+
--description "$(jq -r '.Description' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
199199
--query 'Version' \
200200
--output text)
201201
202202
echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
203203
204204
aws --region us-gov-west-1 lambda add-layer-version-permission \
205-
--layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
205+
--layer-name '${{ matrix.layer }}-${{ matrix.arch }}' \
206206
--statement-id 'PublicLayer' \
207207
--action lambda:GetLayerVersion \
208208
--principal '*' \
209-
--version-number $LAYER_VERSION
209+
--version-number "$LAYER_VERSION"
210210
- name: Verify Layer
211211
env:
212212
LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
213213
run: |
214-
REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }} --query 'Content.CodeSha256' --output text)
215-
SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)
216-
test $REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1
214+
REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text)
215+
SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
216+
test "$REMOTE_SHA" == "$SHA "&& echo "SHA OK: ${SHA}" || exit 1
217+
aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --output text

.github/workflows/layer_govcloud_verify.yml

Lines changed: 111 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,111 @@
1+
# GovCloud Layer Verification
2+
# ---
3+
# This workflow queries the GovCloud layer info in production only
4+
5+
on:
6+
workflow_dispatch:
7+
inputs:
8+
version:
9+
description: Layer version to verify information
10+
type: string
11+
required: true
12+
workflow_call:
13+
inputs:
14+
version:
15+
description: Layer version to verify information
16+
type: string
17+
required: true
18+
19+
name: Layer Verification (GovCloud)
20+
run-name: Layer Verification (GovCloud)
21+
22+
jobs:
23+
commercial:
24+
runs-on: ubuntu-latest
25+
permissions:
26+
id-token: write
27+
contents: read
28+
strategy:
29+
matrix:
30+
layer:
31+
- AWSLambdaPowertoolsPythonV3-python38
32+
- AWSLambdaPowertoolsPythonV3-python39
33+
- AWSLambdaPowertoolsPythonV3-python310
34+
- AWSLambdaPowertoolsPythonV3-python311
35+
- AWSLambdaPowertoolsPythonV3-python312
36+
arch:
37+
- arm64
38+
- x86_64
39+
environment: Prod (Readonly)
40+
steps:
41+
- name: Configure AWS Credentials
42+
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
43+
with:
44+
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
45+
aws-region: us-east-1
46+
mask-aws-account-id: true
47+
- name: Output ${{ matrix.layer }}-${{ matrix.arch }}
48+
run: |
49+
aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --output text
50+
51+
gov_east:
52+
name: Verify (East)
53+
needs: commercial
54+
runs-on: ubuntu-latest
55+
permissions:
56+
id-token: write
57+
contents: read
58+
strategy:
59+
matrix:
60+
layer:
61+
- AWSLambdaPowertoolsPythonV3-python38
62+
- AWSLambdaPowertoolsPythonV3-python39
63+
- AWSLambdaPowertoolsPythonV3-python310
64+
- AWSLambdaPowertoolsPythonV3-python311
65+
- AWSLambdaPowertoolsPythonV3-python312
66+
arch:
67+
- arm64
68+
- x86_64
69+
environment: GovCloud Prod (East)
70+
steps:
71+
- name: Configure AWS Credentials
72+
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
73+
with:
74+
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
75+
aws-region: us-gov-east-1
76+
mask-aws-account-id: true
77+
- name: Verify Layer ${{ matrix.layer }}-${{ matrix.arch }}
78+
id: verify-layer
79+
run: |
80+
aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }}' --output text
81+
82+
gov_west:
83+
name: Verify (West)
84+
needs: commercial
85+
runs-on: ubuntu-latest
86+
permissions:
87+
id-token: write
88+
contents: read
89+
strategy:
90+
matrix:
91+
layer:
92+
- AWSLambdaPowertoolsPythonV3-python38
93+
- AWSLambdaPowertoolsPythonV3-python39
94+
- AWSLambdaPowertoolsPythonV3-python310
95+
- AWSLambdaPowertoolsPythonV3-python311
96+
- AWSLambdaPowertoolsPythonV3-python312
97+
arch:
98+
- arm64
99+
- x86_64
100+
environment: GovCloud Prod (West)
101+
steps:
102+
- name: Configure AWS Credentials
103+
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
104+
with:
105+
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
106+
aws-region: us-gov-east-1
107+
mask-aws-account-id: true
108+
- name: Verify Layer ${{ matrix.layer }}-${{ matrix.arch }}
109+
id: verify-layer
110+
run: |
111+
aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }}' --output text

0 commit comments

Comments
 (0)