Layer Rename - beta #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Rename Layer | |
| # --- | |
| # This workflow copies a specific layer version in an AWS account, renaming it in the process | |
| # | |
| # Using a matrix, we pull each architecture and python version of the layer and store them as artifacts | |
| # we upload them to each of the AWS accounts. | |
| # | |
| # A number of safety checks are performed to ensure safety. | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: Deployment environment | |
| type: choice | |
| options: | |
| - beta | |
| - prod | |
| default: Gamma | |
| required: true | |
| version: | |
| description: Layer version to duplicate | |
| type: number | |
| required: true | |
| workflow_call: | |
| inputs: | |
| environment: | |
| description: Deployment environment | |
| type: string | |
| default: Gamma | |
| required: true | |
| version: | |
| description: Layer version to duplicate | |
| type: number | |
| required: true | |
| name: Layer Rename | |
| run-name: Layer Rename - ${{ inputs.environment }} | |
| jobs: | |
| download: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| strategy: | |
| matrix: | |
| layer: | |
| - AWSLambdaPowertoolsPythonV3-python38 | |
| - AWSLambdaPowertoolsPythonV3-python39 | |
| - AWSLambdaPowertoolsPythonV3-python310 | |
| - AWSLambdaPowertoolsPythonV3-python311 | |
| - AWSLambdaPowertoolsPythonV3-python312 | |
| environment: layer-prod | |
| steps: | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} | |
| aws-region: us-east-1 | |
| mask-aws-account-id: true | |
| - name: Grab Zip | |
| run: | | |
| aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-x86:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_x86_64.zip | |
| aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-x86:${{ inputs.version }} > ${{ matrix.layer }}_x86_64.json | |
| - name: Store Zip | |
| uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: ${{ matrix.layer }}_x86_64.zip | |
| path: ${{ matrix.layer }}_x86_64.zip | |
| retention-days: 1 | |
| if-no-files-found: error | |
| - name: Store Metadata | |
| uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: ${{ matrix.layer }}_x86_64.json | |
| path: ${{ matrix.layer }}_x86_64.json | |
| retention-days: 1 | |
| if-no-files-found: error | |
| copy: | |
| name: Copy | |
| needs: download | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| strategy: | |
| matrix: | |
| layer: | |
| - AWSLambdaPowertoolsPythonV3-python38 | |
| - AWSLambdaPowertoolsPythonV3-python39 | |
| - AWSLambdaPowertoolsPythonV3-python310 | |
| - AWSLambdaPowertoolsPythonV3-python311 | |
| - AWSLambdaPowertoolsPythonV3-python312 | |
| region: | |
| - "af-south-1" | |
| - "ap-east-1" | |
| - "ap-northeast-1" | |
| - "ap-northeast-2" | |
| - "ap-northeast-3" | |
| - "ap-south-1" | |
| - "ap-south-2" | |
| - "ap-southeast-1" | |
| - "ap-southeast-2" | |
| - "ap-southeast-3" | |
| - "ap-southeast-4" | |
| - "ca-central-1" | |
| - "ca-west-1" | |
| - "eu-central-1" | |
| - "eu-central-2" | |
| - "eu-north-1" | |
| - "eu-south-1" | |
| - "eu-south-2" | |
| - "eu-west-1" | |
| - "eu-west-2" | |
| - "eu-west-3" | |
| - "il-central-1" | |
| - "me-central-1" | |
| - "me-south-1" | |
| - "sa-east-1" | |
| - "us-east-1" | |
| - "us-east-2" | |
| - "us-west-1" | |
| - "us-west-2" | |
| environment: layer-${{ inputs.environment }} | |
| steps: | |
| - name: Download Zip | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: ${{ matrix.layer }}_x86_64.zip | |
| - name: Download Metadata | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: ${{ matrix.layer }}_x86_64.json | |
| - name: Verify Layer Signature | |
| run: | | |
| SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_x86_64.json) | |
| test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_x86_64.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1 | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} | |
| aws-region: ${{ matrix.region }} | |
| mask-aws-account-id: true | |
| - name: Create Layer | |
| run: | | |
| aws --region ${{ matrix.region }} lambda publish-layer-version \ | |
| --layer-name ${{ matrix.layer }}-x86_64 \ | |
| --zip-file fileb://./${{ matrix.layer }}_x86_64.zip \ | |
| --compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_x86_64.json) \ | |
| --compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_x86_64.json) \ | |
| --license-info "MIT-0" \ | |
| --description "$(jq -r \".Description\" ${{ matrix.layer }}_x86_64.json)" \ | |
| --query 'Version' | \ | |
| xargs aws --region ${{ matrix.region }} lambda add-layer-version-permission \ | |
| --layer-name ${{ matrix.layer }}-x86_64 \ | |
| --statement-id 'PublicLayer' \ | |
| --action lambda:GetLayerVersion \ | |
| --principal '*' \ | |
| --version-number |