From 8f0274625fe716d89aff2211fbf91f63c69b7b4c Mon Sep 17 00:00:00 2001 From: Nick Hinsch Date: Wed, 2 Dec 2020 18:34:47 -0500 Subject: [PATCH 1/2] Add script --- scripts/publish_prod.sh | 22 ++++---- scripts/publish_sandbox.sh | 6 +++ scripts/publish_staging.sh | 5 -- scripts/sign_layers.sh | 105 +++++++++++++++++++++++++++++++++++++ 4 files changed, 124 insertions(+), 14 deletions(-) create mode 100755 scripts/publish_sandbox.sh delete mode 100755 scripts/publish_staging.sh create mode 100644 scripts/sign_layers.sh
diff --git a/scripts/publish_prod.sh b/scripts/publish_prod.sh
index c5c49d7e..a63e9bdd 100755
--- a/scripts/publish_prod.sh
+++ b/scripts/publish_prod.sh
@@ -57,22 +57,26 @@ then
 [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
 fi
-echo ""
+echo
 echo "Replacing __version__ in ./datadog_lambda/__init__.py"
-echo ""
+echo
 sed -i "" -E "s/\"(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\"/\"$NEW_VERSION\"/" ./datadog_lambda/__init__.py
 git commit ./datadog_lambda/__init__.py -m "Update module version to ${NEW_VERSION}"
-echo ""
+echo
 echo "Building layers..."
 ./scripts/build_layers.sh
-echo ""
+echo
+echo "Signing layers..."
+./scripts/sign_layers.sh us-east-1
+
+echo
 echo "Publishing layers to AWS regions..."
 ./scripts/publish_layers.sh
-echo ""
+echo
 echo 'Pushing updates to github'
 MINOR_VERSION=$(echo $NEW_VERSION | cut -d '.' -f 2)
 git push origin master
@@ -89,14 +93,14 @@ if [[ ! $REPLY =~ ^[Yy]$ ]]
 then
 [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
 fi
-echo ""
+echo
 echo "Publishing to https://pypi.org/project/datadog-lambda/"
 ./scripts/pypi.sh
-echo ""
+echo
 echo "Now create a new release with the tag v${MINOR_VERSION} created"
 echo "https://github.com/DataDog/datadog-lambda-python/releases/new"
-echo ""
+echo
 echo "Then publish a new serverless-plugin-datadog version with the new layer versions!"
-echo ""
+echo
diff --git a/scripts/publish_sandbox.sh b/scripts/publish_sandbox.sh
new file mode 100755
index 00000000..7f766cc2
--- /dev/null
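Review bot: The new `./scripts/sign_layers.sh us-east-1` call is the only step between `./scripts/build_layers.sh` and `./scripts/publish_layers.sh`, yet nothing in the hunk checks its exit status; whether a signing failure aborts the release depends on a `set -e` above this hunk that is not visible here, and the script's own abort idiom (`[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1`) shows it is written to be sourced as well as executed. sign_layers.sh (added in this same patch) overwrites each zip in `.layers/` in place and exits partway through its loop on a failed or timed-out job, so an unchecked failure would publish a mix of signed and unsigned layers. Guard the call with the same idiom the script already uses: `./scripts/sign_layers.sh us-east-1 || { echo "ERROR: layer signing failed, not publishing" >&2; [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1; }`. The script continues above and below this hunk.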
+++ b/scripts/publish_sandbox.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+./scripts/build_layers.sh
+./scripts/sign_layers.sh sa-east-1
+./scripts/publish_layers.sh sa-east-1
\ No newline at end of file
diff --git a/scripts/publish_staging.sh b/scripts/publish_staging.sh
deleted file mode 100755
index 4d4787ed..00000000
--- a/scripts/publish_staging.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-set -e
-
-./scripts/build_layers.sh
-./scripts/publish_layers.sh us-east-1
\ No newline at end of file
diff --git a/scripts/sign_layers.sh b/scripts/sign_layers.sh
new file mode 100644
index 00000000..73deba43
--- /dev/null
+++ b/scripts/sign_layers.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2019 Datadog, Inc.
+
+set -e
+
+LAYER_DIR=".layers"
+LAYER_FILES=(
+ "datadog_lambda_py2.5.zip"
+ "datadog_lambda_py3.6.zip"
+ "datadog_lambda_py3.7.zip"
+ "datadog_lambda_py3.8.zip"
+)
+S3_BUCKET_NAME="dd-lambda-signing-bucket"
+SIGNING_PROFILE_NAME="DatadogLambdaSigningProfile"
+
+# Check region arg
+VALID_REGIONS=("us-east-1" "sa-east-1")
+if [ -z "$1" ]; then
+ echo "ERROR: You must pass a region parameter to sign the layers"
+ exit 1
+else
+ if [[ ! "${VALID_REGIONS[@]}" =~ $1 ]]; then
+ echo "ERROR: The region parameter was invalid. Please choose us-east-1 or sa-east-1."
+ exit 1
+ fi
+ REGION=$1
+fi
+
+for LAYER_FILE in "${LAYER_FILES[@]}"
+do
+ echo
+ echo "${LAYER_FILE}"
+ echo "-------------------------"
+
+ LAYER_LOCAL_PATH="${LAYER_DIR}/${LAYER_FILE}"
+
+ # Upload the layer to S3 for signing
+ echo "Uploading layer to S3 for signing..."
+ UUID=$(uuidgen)
+ S3_UNSIGNED_ZIP_KEY="${UUID}.zip"
+ S3_UNSIGNED_ZIP_URI="s3://${S3_BUCKET_NAME}/${S3_UNSIGNED_ZIP_KEY}"
+ aws s3 cp $LAYER_LOCAL_PATH $S3_UNSIGNED_ZIP_URI
+
+ # Start a signing job
+ echo "Starting the signing job..."
+ SIGNING_JOB_ID=$(aws signer start-signing-job \
+ --source "s3={bucketName=${S3_BUCKET_NAME},key=${S3_UNSIGNED_ZIP_KEY},version=null}" \
+ --destination "s3={bucketName=${S3_BUCKET_NAME}}" \
+ --profile-name $SIGNING_PROFILE_NAME \
+ --region $REGION \
+ | jq -r '.jobId'\
+ )
+
+ # Wait for the signing job to complete
+ echo "Waiting for the signing job to complete..."
+ SECONDS_WAITED_SO_FAR=0
+ while :
+ do
+ sleep 3
+ SECONDS_WAITED_SO_FAR=$((SECONDS_WAITED_SO_FAR + 3))
+
+ SIGNING_JOB_DESCRIPTION=$(aws signer describe-signing-job \
+ --job-id $SIGNING_JOB_ID \
+ --region $REGION\
+ )
+ SIGNING_JOB_STATUS=$(echo $SIGNING_JOB_DESCRIPTION | jq -r '.status')
+ SIGNING_JOB_STATUS_REASON=$(echo $SIGNING_JOB_DESCRIPTION | jq -r '.statusReason')
+
+ if [ $SIGNING_JOB_STATUS = "Succeeded" ]; then
+ echo "Signing job succeeded!"
+ break
+ fi
+
+ if [ $SIGNING_JOB_STATUS = "Failed" ]; then
+ echo "ERROR: Signing job failed"
+ echo $SIGNING_JOB_STATUS_REASON
+ exit 1
+ fi
+
+ if [ $SECONDS_WAITED_SO_FAR -ge 60 ]; then
+ echo "ERROR: Timed out waiting for the signing job to complete"
+ exit 1
+ fi
+
+ echo "Signing job still in progress..."
+ done
+
+ # Download the signed ZIP, overwriting the original ZIP
+ echo "Replacing the local layer with the signed layer from S3..."
+ S3_SIGNED_ZIP_KEY="${SIGNING_JOB_ID}.zip"
+ S3_SIGNED_ZIP_URI="s3://${S3_BUCKET_NAME}/${S3_SIGNED_ZIP_KEY}"
+ aws s3 cp $S3_SIGNED_ZIP_URI $LAYER_LOCAL_PATH
+
+ # Delete the signed and unsigned ZIPs in S3
+ echo "Cleaning up the S3 bucket..."
+ aws s3api delete-object --bucket $S3_BUCKET_NAME --key $S3_UNSIGNED_ZIP_KEY
+ aws s3api delete-object --bucket $S3_BUCKET_NAME --key $S3_SIGNED_ZIP_KEY
+done
+
+echo
+echo "Successfully signed all layers!"
From 670f37ce6df2b56dd0f55537a87e2202131eeb12 Mon Sep 17 00:00:00 2001 From: Nick Hinsch Date: Thu, 3 Dec 2020 12:57:44 -0500 Subject: [PATCH 2/2] Finish --- scripts/publish_prod.sh | 2 +- scripts/publish_sandbox.sh | 2 +- scripts/sign_layers.sh | 27 ++++++++++++++++----------- 3 files changed, 18 insertions(+), 13 deletions(-) mode change 100644 => 100755 scripts/sign_layers.sh
diff --git a/scripts/publish_prod.sh b/scripts/publish_prod.sh
index a63e9bdd..1e11f08c 100755
--- a/scripts/publish_prod.sh
+++ b/scripts/publish_prod.sh
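Review bot: `set -e` does not cover the `SIGNING_JOB_ID=$(aws signer start-signing-job ... | jq -r '.jobId')` pipeline, whose status is jq's, so a failed start-signing-job call leaves `SIGNING_JOB_ID` empty (or `null`) and the script only dies after the first `sleep 3` on the unquoted `--job-id $SIGNING_JOB_ID` in the polling loop, with an argument-parsing error instead of the real cause. Use `set -eo pipefail` at the top (`-u` works too if the argument check reads `"${1:-}"`) and fail fast right after the assignment: `[ -n "$SIGNING_JOB_ID" ] && [ "$SIGNING_JOB_ID" != "null" ] || { echo "ERROR: could not start signing job" >&2; exit 1; }`. Two assumptions deserve a comment next to `S3_BUCKET_NAME`: `version=null` in `--source` is the version id S3 reports for objects in an unversioned bucket, so the script presumably relies on versioning being off (on a versioned bucket the trailing `delete-object` calls would also leave the unsigned zip behind under a delete marker), and the signed zip that overwrites `.layers/` is simply whatever object sits at `${SIGNING_JOB_ID}.zip` when `aws s3 cp` runs, so write access to that bucket is effectively release-signing access. The `$LAYER_LOCAL_PATH` and `$S3_*` expansions are unquoted throughout; quoting them costs nothing.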
@@ -70,7 +70,7 @@ echo "Building layers..."
 echo
 echo "Signing layers..."
-./scripts/sign_layers.sh us-east-1
+./scripts/sign_layers.sh prod
 echo
 echo "Publishing layers to AWS regions..."
diff --git a/scripts/publish_sandbox.sh b/scripts/publish_sandbox.sh
index 7f766cc2..9b921cd4 100755
--- a/scripts/publish_sandbox.sh
+++ b/scripts/publish_sandbox.sh
@@ -2,5 +2,5 @@
 set -e
 ./scripts/build_layers.sh
-./scripts/sign_layers.sh sa-east-1
+./scripts/sign_layers.sh sandbox
 ./scripts/publish_layers.sh sa-east-1
\ No newline at end of file
diff --git a/scripts/sign_layers.sh b/scripts/sign_layers.sh
old mode 100644
new mode 100755
index 73deba43..554e406d
--- a/scripts/sign_layers.sh
+++ b/scripts/sign_layers.sh
@@ -9,25 +9,30 @@ set -e
 LAYER_DIR=".layers"
 LAYER_FILES=(
- "datadog_lambda_py2.5.zip"
+ "datadog_lambda_py2.7.zip"
 "datadog_lambda_py3.6.zip"
 "datadog_lambda_py3.7.zip"
 "datadog_lambda_py3.8.zip"
 )
-S3_BUCKET_NAME="dd-lambda-signing-bucket"
 SIGNING_PROFILE_NAME="DatadogLambdaSigningProfile"
-# Check region arg
-VALID_REGIONS=("us-east-1" "sa-east-1")
+# Check account parameter
+VALID_ACCOUNTS=("sandbox" "prod")
 if [ -z "$1" ]; then
- echo "ERROR: You must pass a region parameter to sign the layers"
+ echo "ERROR: You must pass an account parameter to sign the layers"
 exit 1
-else
- if [[ ! "${VALID_REGIONS[@]}" =~ $1 ]]; then
- echo "ERROR: The region parameter was invalid. Please choose us-east-1 or sa-east-1."
- exit 1
- fi
- REGION=$1
+fi
+if [[ ! "${VALID_ACCOUNTS[@]}" =~ $1 ]]; then
+ echo "ERROR: The account parameter was invalid. Please choose sandbox or prod."
+ exit 1
+fi
+if [ "$1" = "sandbox" ]; then
+ REGION="sa-east-1"
+ S3_BUCKET_NAME="dd-lambda-signing-bucket-sandbox"
+fi
+if [ "$1" = "prod" ]; then
+ REGION="us-east-1"
+ S3_BUCKET_NAME="dd-lambda-signing-bucket"
 fi
 for LAYER_FILE in "${LAYER_FILES[@]}"
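Review bot: The account check `[[ ! "${VALID_ACCOUNTS[@]}" =~ $1 ]]` is an unanchored regex match of `$1` against the string `sandbox prod`, so arguments such as `pro`, `box`, `d` or `x p` pass validation, match neither `if [ "$1" = "sandbox" ]` nor `if [ "$1" = "prod" ]`, and the layer loop starts with `REGION` and `S3_BUCKET_NAME` unset (there is no `set -u`), failing on the first `aws s3 cp` to an `s3:///…` URI rather than with the validation message. The two exact-match branches already exist, so a single `case "$1"` can do the validation and the assignments at once and drop the regex entirely. `LAYER_FILES` and `set -e` are above the hunk; the `for` loop body continues below it.
```shell
case "$1" in
  sandbox)
    REGION="sa-east-1"
    S3_BUCKET_NAME="dd-lambda-signing-bucket-sandbox"
    ;;
  prod)
    REGION="us-east-1"
    S3_BUCKET_NAME="dd-lambda-signing-bucket"
    ;;
  "")
    echo "ERROR: You must pass an account parameter to sign the layers" >&2
    exit 1
    ;;
  *)
    echo "ERROR: The account parameter was invalid. Please choose sandbox or prod." >&2
    exit 1
    ;;
esac
# … unchanged: for LAYER_FILE loop …
```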