1+ # Parition Layer Verification
2+ # ---
3+ # This workflow queries the Parition layer info in production only
4+
5+ on :
6+ workflow_dispatch :
7+ inputs :
8+ environment :
9+ description : Deployment environment
10+ type : choice
11+ options :
12+ - Gamma
13+ - Prod
14+ required : true
15+ version :
16+ description : Layer version to verify
17+ type : string
18+ required : true
19+ partition_version :
20+ description : Layer version to verify, this is mostly used in Gamma where a version mismatch might exist
21+ type : string
22+ required : false
23+ partition :
24+ description : Partition to deploy to
25+ type : choice
26+ options :
27+ - China
28+ - GovCloud
29+ workflow_call :
30+ inputs :
31+ environment :
32+ description : Deployment environment
33+ type : string
34+ required : true
35+ version :
36+ description : Layer version to verify
37+ type : string
38+ required : true
39+ partition_version :
40+ description : Partition Layer version to verify, this is mostly used in Gamma where a version mismatch might exist
41+ type : string
42+ required : false
43+
44+ name : Layer Verification (Partition)
45+ run-name : Layer Verification (${{ inputs.partition }}) - ${{ inputs.environment }} / Version - ${{ inputs.version }}
46+
47+ permissions : {}
48+
49+ jobs :
50+ setup :
51+ runs-on : ubuntu-latest
52+ outputs :
53+ regions : ${{ format('{0}{1}', steps.regions_china.outputs.regions, steps.regions_govcloud.outputs.regions) }}
54+ parition : ${{ format('{0}{1}', steps.regions_china.outputs.partition, steps.regions_govcloud.outputs.parition) }}
55+ steps :
56+ - id : regions_china
57+ name : Parition (China)
58+ if : ${{ inputs.partition == 'China' }}
59+ run : |
60+ echo regions='["cn-north-1", "cn-northwest-1"]'>> "$GITHUB_OUTPUT"
61+ echo partition='aws-cn'>> "$GITHUB_OUTPUT"
62+ id : regions_govcloud
63+ name : Partition (GovCloud)
64+ if : ${{ inputs.partition == 'GovCloud' }}
65+ run : |
66+ echo regions='["us-gov-east-1", "us-gov-west-1"]'>> "$GITHUB_OUTPUT"
67+ echo partition='aws-us-gov'>> "$GITHUB_OUTPUT"
68+ commercial :
69+ runs-on : ubuntu-latest
70+ permissions :
71+ id-token : write
72+ contents : read
73+ environment : Prod (Readonly)
74+ steps :
75+ - name : Configure AWS Credentials
76+ uses : aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
77+ with :
78+ role-to-assume : ${{ secrets.AWS_IAM_ROLE }}
79+ aws-region : us-east-1
80+ mask-aws-account-id : true
81+ - name : Output AWSLambdaPowertoolsTypeScriptV2
82+ # fetch the specific layer version information from the us-east-1 commercial region
83+ run : |
84+ aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' > AWSLambdaPowertoolsTypeScriptV2.json
85+ name : Store Metadata
86+ uses : actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
87+ with :
88+ name : AWSLambdaPowertoolsTypeScriptV2.json
89+ path : AWSLambdaPowertoolsTypeScriptV2.json
90+ retention-days : 1
91+ if-no-files-found : error
92+
93+ verify :
94+ name : Verify
95+ needs :
96+ - setup
97+ - commercial
98+ runs-on : ubuntu-latest
99+ permissions :
100+ id-token : write
101+ contents : read
102+ # Environment should interperlate as "GovCloud Prod" or "China Beta"
103+ environment : ${{ inputs.partition }} ${{ inputs.environment }}
104+ strategy :
105+ matrix :
106+ region : ${{ fromJson(needs.setup.outputs.regions) }}
107+ steps :
108+ - name : Download Metadata
109+ uses : actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
110+ with :
111+ name : AWSLambdaPowertoolsTypeScriptV2.json
112+ - id : transform
113+ run : |
114+ echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
115+ name : Configure AWS Credentials
116+ uses : aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
117+ with :
118+ role-to-assume : ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
119+ aws-region : ${{ matrix.region}}
120+ mask-aws-account-id : true
121+ - id : partition_version
122+ name : Partition Layer Version
123+ run : |
124+ echo 'partition_version=$([[ -n "${{ inputs.partition_version}}" ]] && echo ${{ inputs.partition_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT"
125+ name : Verify Layer
126+ run : |
127+ export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
128+ aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.parition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
129+ REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
130+ LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
131+ test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
132+ jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json $layer_output | column -t -s $'\t'
0 commit comments