aws-powertools · heitorlessa · Jul 7, 2022 · Jul 4, 2022 · Jul 4, 2022 · Jul 4, 2022
@@ -0,0 +1,207 @@
+name: Deploy layer to all regions
+
+permissions:
+  id-token: write
+  contents: read
+
+on:
+  # TODO: remove after setup is finished
+  workflow_dispatch: { }
+  workflow_run:
+    workflows: [ "Publish to PyPi" ]
+    types:
+      - completed
+
+
+jobs:
+  build-layer:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+      - name: Setup Node.js
+        uses: actions/setup-node@v2
+        with:
+          node-version: '16.12'
+      - name: Setup python
+        uses: actions/setup-python@v4
+      - name: Cache dependencies
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: npm-${{ hashFiles('package-lock.json') }}
+          restore-keys: npm-
+      - name: Set release notes tag
+        run: |
+          RELEASE_TAG_VERSION=${{ github.event.release.tag_name }}
+          echo "RELEASE_TAG_VERSION=${RELEASE_TAG_VERSION:1}" >> $GITHUB_ENV
+      - name: install cdk and deps
+        run: |
+          npm install -g [email protected]
+          cdk --version
+      - name: install deps
+        run: |
+          cd layer
+          pip install -r requirements.txt
+      - name: CDK build
+        run: cdk synth --context version=$RELEASE_TAG_VERSION -o cdk.out
+      - name: zip output
+        run: zip -r cdk.out.zip cdk.out
+      - name: Archive CDK artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: cdk.out
+          path: cdk.out.zip
+
+  deploy-beta:
+    runs-on: ubuntu-latest
+    needs:
+      - build-layer
+    strategy:
+      fail-fast: false
+      matrix:
+        region: [
+          "af-south-1",
+#          "eu-central-1",
+#          "us-east-1",
+#          "us-east-2",
+#          "us-west-1",
+#          "us-west-2",
+#          "ap-east-1",
+#          "ap-south-1",
+#          "ap-northeast-1",
+#          "ap-northeast-2",
+#          "ap-southeast-1",
+#          "ap-southeast-2",
+#          "ca-central-1",
+#          "eu-west-1",
+#          "eu-west-2",
+#          "eu-west-3",
+#          "eu-south-1",
+#          "eu-north-1",
+#          "sa-east-1",
+#          "ap-southeast-3",
+#          "ap-northeast-3",
+#          "me-south-1"
+        ]
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+      - name: aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ matrix.region }}
+          role-to-assume: arn:aws:iam::${{ secrets.LAYERS_BETA_ACCOUNT }}:role/${{ secrets.AWS_GITHUB_OIDC_ROLE }}
+      - name: Print assumed role
+        run: aws sts get-caller-identity
+      - name: Setup Node.js
+        uses: actions/setup-node@v2
+        with:
+          node-version: '16.12'
+      - name: Setup python
+        uses: actions/setup-python@v4
+      - name: Cache dependencies
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: npm-${{ hashFiles('package-lock.json') }}
+          restore-keys: npm-
+      - name: install cdk and deps
+        run: |
+          npm install -g [email protected]
+          cdk --version
+      - name: install deps
+        run: |
+          cd layer
+          pip install -r requirements.txt
+      - name: Download a single artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: cdk.out
+      - name: unzip cdk.out.zip
+        run: unzip cdk.out.zip
+      - name: CDK Deploy Layer
+        run: cdk deploy --app cdk.out --context region=${{ matrix.region }} 'PowertoolsLayerStack' --require-approval never --verbose
+      - name: CDK Deploy Canary
+        run: cdk deploy --app cdk.out --context region=${{ matrix.region}} --parameters DeployStage="BETA" 'CanaryStack' --require-approval never --verbose
+
+  deploy-prod:
+    runs-on: ubuntu-latest
+    needs:
+      - deploy-beta
+    strategy:
+      fail-fast: false
+      matrix:
+        region: [
+          "af-south-1",
+#          "eu-central-1",
+#          "us-east-1",
+#          "us-east-2",
+#          "us-west-1",
+#          "us-west-2",
+#          "ap-east-1",
+#          "ap-south-1",
+#          "ap-northeast-1",
+#          "ap-northeast-2",
+#          "ap-southeast-1",
+#          "ap-southeast-2",
+#          "ca-central-1",
+#          "eu-west-1",
+#          "eu-west-2",
+#          "eu-west-3",
+#          "eu-south-1",
+#          "eu-north-1",
+#          "sa-east-1",
+#          "ap-southeast-3",
+#          "ap-northeast-3",
+#          "me-south-1"
+        ]
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+      - name: aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ matrix.region }}
+          role-to-assume: arn:aws:iam::${{ secrets.LAYERS_PROD_ACCOUNT }}:role/${{ secrets.AWS_GITHUB_OIDC_ROLE }}
+      - name: Print assumed role
+        run: aws sts get-caller-identity
+      - name: Setup Node.js
+        uses: actions/setup-node@v2
+        with:
+          node-version: '16.12'
+      - name: Setup python
+        uses: actions/setup-python@v4
+      - name: Cache dependencies
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: npm-${{ hashFiles('package-lock.json') }}
+          restore-keys: npm-
+      - name: install cdk and deps
+        run: |
+          npm install -g [email protected]
+          cdk --version
+      - name: install deps
+        run: |
+          cd layer
+          pip install -r requirements.txt
+      - name: Download a single artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: cdk.out
+      - name: unzip cdk.out.zip
+        run: unzip cdk.out.zip
+      - name: CDK Deploy Layer
+        run: cdk deploy --app cdk.out --context region=${{ matrix.region }} 'PowertoolsLayerStack' --require-approval never --verbose
+      - name: CDK Deploy Canary
+        run: cdk deploy --app cdk.out --context region=${{ matrix.region}} --parameters DeployStage="PROD" 'CanaryStack' --require-approval never --verbose
@@ -0,0 +1,10 @@
+*.swp
+package-lock.json
+__pycache__
+.pytest_cache
+.venv
+*.egg-info
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
@@ -0,0 +1,26 @@
+<!-- markdownlint-disable MD041 MD043-->
+# CDK Powertools layer
+
+This is a CDK project to build and deploy AWS Lambda Powertools layer to multiple commercial regions.
+
+## Build the layer
+
+To build the layer construct you need to provide the powertools version.
+You can pass it as a context variable when running `synth` or `deploy`,
+
+```shell
+cdk synth --context version=1.25.1
+```
+
+## Canary stack
+
+We use a canary stack to verify that the deployment is successful and we can use the layer by adding it to a newly created Lambda function.
+The canary is deployed after the layer construct. Because the layer ARN is created during the deploy we need to pass this information async via SSM parameter.
+To achieve that, we establish a naming convention for the SSM key. The layer construct knows where to write the layer ARN after the deployment and the Canary stacks know where to read this information.
+
+## Version tracking
+
+AWS Lambda versions the layers by incrementing a number at the end of the arn.
+This means it's hard to tell which powertools version is inside the layer.
+For better tracking of the ARNs and the corresponding version we need to keep track which powertools version was deployed to which layer.
+To achieve that we created two components. First, we created a version tracking app which receives evnets via Event Bridge. Second, after a successful canary deployment we send the layer ARN, powertools version, and the region to this Event Bridge.
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+import aws_cdk as cdk
+
+from layer.canary_stack import CanaryStack
+from layer.layer_stack import LayerStack
+
+app = cdk.App()
+
+POWERTOOLS_VERSION: str = app.node.try_get_context("version")
+SSM_PARAM_LAYER_ARN: str = "/layers/powertools-layer-arn"
+
+VERSION_TRACKING_EVENT_BUS_ARN: str = "arn:aws:events:eu-central-1:027876851704:event-bus/VersionTrackingEventBus"
+
+if not POWERTOOLS_VERSION:
+    raise ValueError(
+        "Please set the version for Powertools by passing the '--context=version:<version>' parameter to the CDK "
+        "synth step."
+    )
+
+LayerStack(app, "LayerStack", powertools_version=POWERTOOLS_VERSION, ssm_paramter_layer_arn=SSM_PARAM_LAYER_ARN)
+
+CanaryStack(
+    app,
+    "CanaryStack",
+    powertools_version=POWERTOOLS_VERSION,
+    ssm_paramter_layer_arn=SSM_PARAM_LAYER_ARN,
+    version_tracking_event_bus_arn=VERSION_TRACKING_EVENT_BUS_ARN,
+)
+
+app.synth()
@@ -0,0 +1,35 @@
+{
+  "app": "python3 app.py",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "requirements*.txt",
+      "source.bat",
+      "**/__init__.py",
+      "python/__pycache__",
+      "tests"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ]
+  }
+}