Skip to content
SSM Parameters

SSM Parameters - TypeScript #35

Sign in to view logs

SSM Parameters - TypeScript

SSM Parameters - TypeScript #35

Workflow file for this run

.github/workflows/update_ssm.yml at 90c1ed3
# SSM Parameters update
#
# PROCESS
# Creates parameters in regional AWS accounts for each layer we create, using the inputs to target specific releases
# * environment: will prefix /beta/ into the parameter
# * write_latest: will create a latest alias instead of a version number in the parameter
# * package_version: semantic version number of the released layer (3.x.y)
#
# A successful parameter would look similar to:
# /aws/service/powertools/python/arm64/python3.8/3.1.0
# And will have a value of:
# arn:aws:lambda:eu-west-1:094274105915:layer:AWSLambdaPowertoolsPythonV3-python38-arm64:4
#
# CodeQL Security Note:
# This workflow uses dynamic secret access via secrets[format(...)] which triggers
# an "Excessive Secrets Exposure" alert. However, this is safe because:
# - Secrets are scoped per environment (SSM)
# - Each job only accesses secrets for SSM
# - No global secrets array containing mixed credentials (API keys, PEM files, etc.)
# - The secrets object is already minimally scoped to the environment being used
on:
workflow_dispatch:
inputs:
environment:
description: Environment to deploy to
type: choice
options:
- beta
- prod
required: true
write_latest:
description: Write to the latest path
type: boolean
required: false
package_version:
description: Semantic Version of published layer
type: string
required: true
layer-version:
description: Layer version of the published layer
type: string
required: true
workflow_call:
inputs:
environment:
description: Environment to deploy to
type: string
required: true
write_latest:
description: Write to the latest path
type: boolean
required: false
package_version:
description: Semantic Version of published layer
type: string
required: true
layer-version:
description: Layer version of the published layer
type: string
required: true
name: SSM Parameters
run-name: SSM Parameters - TypeScript
permissions:
contents: read
jobs:
typescript:
runs-on: ubuntu-latest
environment: SSM
strategy:
matrix:
region: [
"af-south-1",
"eu-central-1",
"eu-central-2",
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2",
"ap-east-1",
"ap-south-1",
"ap-south-2",
"ap-northeast-1",
"ap-northeast-2",
"ap-northeast-3",
"ap-southeast-1",
"ap-southeast-2",
"ap-southeast-3",
"ap-southeast-4",
"ap-southeast-5",
"ap-southeast-7",
"ca-central-1",
"ca-west-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"eu-south-1",
"eu-south-2",
"eu-north-1",
"sa-east-1",
"me-south-1",
"me-central-1",
"il-central-1",
"mx-central-1"
]
permissions:
contents: write
id-token: write
steps:
- id: transform
run: |
echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
- id: creds
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
with:
aws-region: ${{ matrix.region }}
# Dynamic secret access is safe here - secrets are scoped per environment
role-to-assume: ${{ secrets[format('{0}', steps.transform.outputs.CONVERTED_REGION)] }}
mask-aws-account-id: true
- id: write-version
env:
prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
run: |
aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/${{ inputs.package_version }} --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
- id: write-latest
if: inputs.write_latest == true
env:
prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
run: |
aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/latest --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite