From 00bd9c0a22b86476b26aaafccb78988d40dda1ef Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 21 Oct 2024 14:16:43 +0000 Subject: [PATCH 1/5] chore(ci): Add dump of govcloud layer info in verify step --- .github/workflows/layer_govcloud.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml index 43c5961bd4b..95cad1113fa 100644 --- a/.github/workflows/layer_govcloud.yml +++ b/.github/workflows/layer_govcloud.yml @@ -16,22 +16,20 @@ on: options: - Gamma - Prod - default: Gamma required: true version: description: Layer version to duplicate - type: number + type: string required: true workflow_call: inputs: environment: description: Deployment environment type: string - default: Gamma required: true version: description: Layer version to duplicate - type: number + type: string required: true name: Layer Deployment (GovCloud) @@ -146,6 +144,7 @@ jobs: REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }} --query 'Content.CodeSha256' --output text) SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json) test $REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1 + aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }} --output text copy_west: name: Copy (West) @@ -214,3 +213,4 @@ jobs: REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }} --query 'Content.CodeSha256' --output text) SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json) test $REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1 + aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }} --output text \ No newline at end of file From f88dd765dfad3c995003726a78c07098f15643b0 Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 21 Oct 2024 14:40:40 +0000 Subject: [PATCH 2/5] shellcheck updates --- .github/workflows/layer_govcloud.yml | 45 ++++++++++++++-------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml index 95cad1113fa..e318e68f1b2 100644 --- a/.github/workflows/layer_govcloud.yml +++ b/.github/workflows/layer_govcloud.yml @@ -109,8 +109,8 @@ jobs: name: ${{ matrix.layer }}_${{ matrix.arch }}.json - name: Verify Layer Signature run: | - SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json) - test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1 + SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json') + test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: @@ -123,28 +123,29 @@ jobs: LAYER_VERSION=$(aws --region us-gov-east-1 lambda publish-layer-version \ --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \ - --compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ - --compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ + --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ + --compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ --license-info "MIT-0" \ - --description "$(jq -r '.Description' ${{ matrix.layer }}_${{ matrix.arch }}.json)" \ + --description "$(jq -r '.Description' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ --query 'Version' \ --output text) + echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" aws --region us-gov-east-1 lambda add-layer-version-permission \ - --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ + --layer-name '${{ matrix.layer }}-${{ matrix.arch }}' \ --statement-id 'PublicLayer' \ --action lambda:GetLayerVersion \ --principal '*' \ - --version-number $LAYER_VERSION + --version-number "$LAYER_VERSION" - name: Verify Layer env: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} run: | - REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }} --query 'Content.CodeSha256' --output text) - SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json) - test $REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1 - aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }} --output text + REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) + SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json') + test "$REMOTE_SHA" == "$SHA "&& echo "SHA OK: ${SHA}" || exit 1 + aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --output text copy_west: name: Copy (West) @@ -177,8 +178,8 @@ jobs: name: ${{ matrix.layer }}_${{ matrix.arch }}.json - name: Verify Layer Signature run: | - SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json) - test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1 + SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json') + test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: @@ -191,26 +192,26 @@ jobs: LAYER_VERSION=$(aws --region us-gov-west-1 lambda publish-layer-version \ --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \ - --compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ - --compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \ + --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ + --compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ --license-info "MIT-0" \ - --description "$(jq -r '.Description' ${{ matrix.layer }}_${{ matrix.arch }}.json)" \ + --description "$(jq -r '.Description' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \ --query 'Version' \ --output text) echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" aws --region us-gov-west-1 lambda add-layer-version-permission \ - --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \ + --layer-name '${{ matrix.layer }}-${{ matrix.arch }}' \ --statement-id 'PublicLayer' \ --action lambda:GetLayerVersion \ --principal '*' \ - --version-number $LAYER_VERSION + --version-number "$LAYER_VERSION" - name: Verify Layer env: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} run: | - REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }} --query 'Content.CodeSha256' --output text) - SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json) - test $REMOTE_SHA == $SHA && echo "SHA OK: ${SHA}" || exit 1 - aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }} --output text \ No newline at end of file + REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text) + SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json') + test "$REMOTE_SHA" == "$SHA "&& echo "SHA OK: ${SHA}" || exit 1 + aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --output text \ No newline at end of file From 50a1ad3faacd2fe153244c1b045fe22e113692fd Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 21 Oct 2024 15:08:13 +0000 Subject: [PATCH 3/5] add manual verification --- .github/workflows/layer_govcloud_verify.yml | 111 ++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 .github/workflows/layer_govcloud_verify.yml diff --git a/.github/workflows/layer_govcloud_verify.yml b/.github/workflows/layer_govcloud_verify.yml new file mode 100644 index 00000000000..56938197405 --- /dev/null +++ b/.github/workflows/layer_govcloud_verify.yml @@ -0,0 +1,111 @@ +# GovCloud Layer Verification +# --- +# This workflow queries the GovCloud layer info in production only + +on: + workflow_dispatch: + inputs: + version: + description: Layer version to duplicate + type: string + required: true + workflow_call: + inputs: + version: + description: Layer version to duplicate + type: string + required: true + +name: Layer Verification (GovCloud) +run-name: Layer Verification (GovCloud) + +jobs: + commercial: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsPythonV3-python38 + - AWSLambdaPowertoolsPythonV3-python39 + - AWSLambdaPowertoolsPythonV3-python310 + - AWSLambdaPowertoolsPythonV3-python311 + - AWSLambdaPowertoolsPythonV3-python312 + arch: + - arm64 + - x86_64 + environment: Prod (Readonly) + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-east-1 + mask-aws-account-id: true + - name: Output ${{ matrix.layer }}-${{ matrix.arch }} + run: | + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --output text + + gov_east: + name: Verify (East) + needs: commercial + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsPythonV3-python38 + - AWSLambdaPowertoolsPythonV3-python39 + - AWSLambdaPowertoolsPythonV3-python310 + - AWSLambdaPowertoolsPythonV3-python311 + - AWSLambdaPowertoolsPythonV3-python312 + arch: + - arm64 + - x86_64 + environment: GovCloud Prod (East) + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-gov-east-1 + mask-aws-account-id: true + - name: Verify Layer ${{ matrix.layer }}-${{ matrix.arch }} + id: verify-layer + run: | + aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }}' --output text + + gov_west: + name: Verify (West) + needs: commercial + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + matrix: + layer: + - AWSLambdaPowertoolsPythonV3-python38 + - AWSLambdaPowertoolsPythonV3-python39 + - AWSLambdaPowertoolsPythonV3-python310 + - AWSLambdaPowertoolsPythonV3-python311 + - AWSLambdaPowertoolsPythonV3-python312 + arch: + - arm64 + - x86_64 + environment: GovCloud Prod (West) + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + aws-region: us-gov-east-1 + mask-aws-account-id: true + - name: Verify Layer ${{ matrix.layer }}-${{ matrix.arch }} + id: verify-layer + run: | + aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }}' --output text From c3f88f69d4177045f2abb04cce184119f2eddc0c Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 21 Oct 2024 17:10:39 +0200 Subject: [PATCH 4/5] Update .github/workflows/layer_govcloud_verify.yml Co-authored-by: Leandro Damascena Signed-off-by: Simon Thulbourn --- .github/workflows/layer_govcloud_verify.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/layer_govcloud_verify.yml b/.github/workflows/layer_govcloud_verify.yml index 56938197405..4b04ca3f9bc 100644 --- a/.github/workflows/layer_govcloud_verify.yml +++ b/.github/workflows/layer_govcloud_verify.yml @@ -6,7 +6,7 @@ on: workflow_dispatch: inputs: version: - description: Layer version to duplicate + description: Layer version to verify information type: string required: true workflow_call: From 671a0d62f0bbb608c603076f201be36761fdc55d Mon Sep 17 00:00:00 2001 From: Simon Thulbourn Date: Mon, 21 Oct 2024 17:10:47 +0200 Subject: [PATCH 5/5] Update .github/workflows/layer_govcloud_verify.yml Co-authored-by: Leandro Damascena Signed-off-by: Simon Thulbourn --- .github/workflows/layer_govcloud_verify.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/layer_govcloud_verify.yml b/.github/workflows/layer_govcloud_verify.yml index 4b04ca3f9bc..86bab1ac1d5 100644 --- a/.github/workflows/layer_govcloud_verify.yml +++ b/.github/workflows/layer_govcloud_verify.yml @@ -12,7 +12,7 @@ on: workflow_call: inputs: version: - description: Layer version to duplicate + description: Layer version to verify information type: string required: true