Skip to content

Commit e3eed1c

Browse files
sthulbleandrodamascena
sthulb
and
leandrodamascena
authored
fix(ci): layer rename (#5283)
fix: layer rename Co-authored-by: Leandro Damascena <[email protected]>
1 parent e3b6505 commit e3eed1c

File tree

1 file changed

+161
-0
lines changed

1 file changed

+161
-0
lines changed

.github/workflows/layer_rename.yml

Lines changed: 161 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,161 @@
1+
# Rename Layer
2+
# ---
3+
# This workflow copies a specific layer version in an AWS account, renaming it in the process
4+
#
5+
# Using a matrix, we pull each architecture and python version of the layer and store them as artifacts
6+
# we upload them to each of the AWS accounts.
7+
#
8+
# A number of safety checks are performed to ensure safety.
9+
10+
on:
11+
workflow_dispatch:
12+
inputs:
13+
environment:
14+
description: Deployment environment
15+
type: choice
16+
options:
17+
- beta
18+
- prod
19+
default: Gamma
20+
required: true
21+
version:
22+
description: Layer version to duplicate
23+
type: number
24+
required: true
25+
workflow_call:
26+
inputs:
27+
environment:
28+
description: Deployment environment
29+
type: string
30+
default: Gamma
31+
required: true
32+
version:
33+
description: Layer version to duplicate
34+
type: number
35+
required: true
36+
37+
name: Layer Rename
38+
run-name: Layer Rename - ${{ inputs.environment }}
39+
40+
jobs:
41+
download:
42+
runs-on: ubuntu-latest
43+
permissions:
44+
id-token: write
45+
contents: read
46+
strategy:
47+
matrix:
48+
layer:
49+
- AWSLambdaPowertoolsPythonV3-python38
50+
- AWSLambdaPowertoolsPythonV3-python39
51+
- AWSLambdaPowertoolsPythonV3-python310
52+
- AWSLambdaPowertoolsPythonV3-python311
53+
- AWSLambdaPowertoolsPythonV3-python312
54+
environment: layer-prod
55+
steps:
56+
- name: Configure AWS Credentials
57+
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
58+
with:
59+
role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
60+
aws-region: us-east-1
61+
mask-aws-account-id: true
62+
- name: Grab Zip
63+
run: |
64+
aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-x86:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_x86_64.zip
65+
aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-x86:${{ inputs.version }} > ${{ matrix.layer }}_x86_64.json
66+
- name: Store Zip
67+
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
68+
with:
69+
name: ${{ matrix.layer }}_x86_64.zip
70+
path: ${{ matrix.layer }}_x86_64.zip
71+
retention-days: 1
72+
if-no-files-found: error
73+
- name: Store Metadata
74+
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
75+
with:
76+
name: ${{ matrix.layer }}_x86_64.json
77+
path: ${{ matrix.layer }}_x86_64.json
78+
retention-days: 1
79+
if-no-files-found: error
80+
81+
copy:
82+
name: Copy
83+
needs: download
84+
runs-on: ubuntu-latest
85+
permissions:
86+
id-token: write
87+
contents: read
88+
strategy:
89+
matrix:
90+
layer:
91+
- AWSLambdaPowertoolsPythonV3-python38
92+
- AWSLambdaPowertoolsPythonV3-python39
93+
- AWSLambdaPowertoolsPythonV3-python310
94+
- AWSLambdaPowertoolsPythonV3-python311
95+
- AWSLambdaPowertoolsPythonV3-python312
96+
region:
97+
- "af-south-1"
98+
- "ap-east-1"
99+
- "ap-northeast-1"
100+
- "ap-northeast-2"
101+
- "ap-northeast-3"
102+
- "ap-south-1"
103+
- "ap-south-2"
104+
- "ap-southeast-1"
105+
- "ap-southeast-2"
106+
- "ap-southeast-3"
107+
- "ap-southeast-4"
108+
- "ca-central-1"
109+
- "ca-west-1"
110+
- "eu-central-1"
111+
- "eu-central-2"
112+
- "eu-north-1"
113+
- "eu-south-1"
114+
- "eu-south-2"
115+
- "eu-west-1"
116+
- "eu-west-2"
117+
- "eu-west-3"
118+
- "il-central-1"
119+
- "me-central-1"
120+
- "me-south-1"
121+
- "sa-east-1"
122+
- "us-east-1"
123+
- "us-east-2"
124+
- "us-west-1"
125+
- "us-west-2"
126+
environment: layer-${{ inputs.environment }}
127+
steps:
128+
- name: Download Zip
129+
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
130+
with:
131+
name: ${{ matrix.layer }}_x86_64.zip
132+
- name: Download Metadata
133+
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
134+
with:
135+
name: ${{ matrix.layer }}_x86_64.json
136+
- name: Verify Layer Signature
137+
run: |
138+
SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_x86_64.json)
139+
test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_x86_64.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1
140+
- name: Configure AWS Credentials
141+
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
142+
with:
143+
role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
144+
aws-region: ${{ matrix.region }}
145+
mask-aws-account-id: true
146+
- name: Create Layer
147+
run: |
148+
aws --region ${{ matrix.region }} lambda publish-layer-version \
149+
--layer-name ${{ matrix.layer }}-x86_64 \
150+
--zip-file fileb://./${{ matrix.layer }}_x86_64.zip \
151+
--compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_x86_64.json) \
152+
--compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_x86_64.json) \
153+
--license-info "MIT-0" \
154+
--description "$(jq -r \".Description\" ${{ matrix.layer }}_x86_64.json)" \
155+
--query 'Version' | \
156+
xargs aws --region ${{ matrix.region }} lambda add-layer-version-permission \
157+
--layer-name ${{ matrix.layer }}-x86_64 \
158+
--statement-id 'PublicLayer' \
159+
--action lambda:GetLayerVersion \
160+
--principal '*' \
161+
--version-number

0 commit comments

Comments
 (0)