feat(ci): Add advanced automation #3438

Open
wants to merge 1 commit into
base: main
94 changes: 94 additions & 0 deletions .github/workflows/bootstrap_region.yml
@@ -0,0 +1,94 @@
# bootstraps new regions
#
# PURPOSE
# Ensures new regions are deployable in future releases
#
# JOB 1 PROCESS
#
# 1. Installs CDK
# 2. Bootstraps region
#
# JOB 2 PROCESS
# 1. Sets up Go
# 2. Installs the balance script
# 3. Runs balance script to copy layers between aws regions

on:
workflow_dispatch:
inputs:
environment:
type: choice
options:
- beta
- prod
description: Deployment environment
region:
type: string
required: true
description: AWS region to bootstrap (i.e. eu-west-1)

name: Region Bootstrap
run-name: Region Bootstrap ${{ inputs.region }}

permissions:
contents: read

jobs:
cdk:
name: Install CDK
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
environment: layer-${{ inputs.environment }}
steps:
- id: credentials
name: AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
with:
aws-region: ${{ inputs.region }}
role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
mask-aws-account-id: true
- id: workdir
name: Create Workdir
run: |
mkdir -p build/project
- id: cdk-install
name: Install CDK
working-directory: build
run: |
npm i aws-cdk
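Review bot: In the `cdk` job, `permissions` grants `contents: write`, but none of the job's steps check out the repository or push to it, and the workflow-level default is already `contents: read`. Only `id-token: write` is needed for the role assumption in the `credentials` step; suggest dropping `contents: write` so the job token carries no repository write access while the job holds AWS credentials.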
Contributor

Can we use the version we already have installed in the workspace to avoid inconsistency issues?

Contributor Author

I deliberately didn't do it since I didn't want to get into a situation where we're always running an old version by accident.

Contributor

I'd rather run an older version that we know works both because of e2e tests and release process, than a new one that might be broken when running this specific workflow.

Regardless, not pinning any version and pulling from the remote is not a great idea. If we're gonna pin it here, we might as well use the one defined in the lock file, so Dependabot updates it once a week

- id: cdk-project
name: CDK Project
working-directory: build/project
run: |
npx cdk init app --language=typescript
AWS_REGION="${{ inputs.region }}" npx cdk bootstrap

copy_layers:
name: Copy Layers
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
environment: layer-${{ inputs.environment }}
steps:
- id: credentials
name: AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
mask-aws-account-id: true
- id: go-setup
name: Setup Go
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
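Review bot: In the `cdk-project` step, `${{ inputs.region }}` is expanded into the `run` script before the shell sees it, so the free-form `region` input (declared `type: string` with no validation) becomes part of the command text in `AWS_REGION="${{ inputs.region }}" npx cdk bootstrap`. Suggest passing it through the step's `env:` block and referencing `"$AWS_REGION"` in the script, and checking it against an expected region pattern early in the job. The `copy_layers` job also requests `contents: write` although no visible step writes to the repository; `id-token: write` alone should be enough.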
Contributor

Do we need to pin a Go version?

Contributor

Dependabot will update this, no? I don't know if we need to worry.

- id: go-env
name: Go Env
run: go env
- id: go-install-pkg
name: Install
run: go install github.com/aws-powertools/actions/layer-balancer/cmd/balance@latest
- id: run-balance
name: Run Balance
run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
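Review bot: The `go-install-pkg` step installs `github.com/aws-powertools/actions/layer-balancer/cmd/balance@latest`, and the next step runs that binary with `-write-role ${{ secrets.BALANCE_ROLE_ARN }}` and `-dry-run=false`, so whatever is newest at run time executes with write access. Every `uses:` in this workflow is pinned to a commit SHA; suggest pinning the `go install` to a tagged version or commit as well. In `run-balance`, `${{ inputs.region }}` is interpolated unquoted into the command line; pass it via `env:` and quote it.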
85 changes: 85 additions & 0 deletions .github/workflows/update_ssm.yml
@@ -0,0 +1,85 @@
# SSM Parameters update
#
# PROCESS
# Creates parameters in regional AWS accounts for each layer we create, using the inputs to target specific releases
# * environment: will prefix /beta/ into the parameter
# * write_latest: will create a latest alias instead of a version number in the parameter
# * package_version: semantic version number of the released layer (3.x.y)
# * layer_version: this is sequential layer version from the ARN
#
# A successful parameter would look similar to:
# /aws/service/powertools/python/arm64/python3.8/3.1.0
# And will have a value of:
# arn:aws:lambda:eu-west-1:094274105915:layer:AWSLambdaPowertoolsPythonV3-python38-arm64:4

on:
workflow_dispatch:
inputs:
environment:
description: Environment to deploy to
type: choice
options:
- Beta
- Prod
required: true

write_latest:
description: Write to the latest path
type: boolean
required: false

package_version:
description: Semantic Version of published layer
type: string
required: true

layer_version:
description: Layer version
type: string
required: true

name: SSM Parameters
run-name: SSM Parameters - TypeScript

permissions:
contents: read

jobs:
typescript:
runs-on: ubuntu-latest
environment: SSM
strategy:
matrix:
region: ["af-south-1", "ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-northeast-3",
"ap-south-1", "ap-south-2", "ap-southeast-1", "ap-southeast-2", "ap-southeast-3",
"ap-southeast-4", "ca-central-1", "ca-west-1", "eu-central-1", "eu-central-2",
"eu-north-1", "eu-south-1", "eu-south-2", "eu-west-1", "eu-west-2", "eu-west-3",
"il-central-1", "me-central-1", "me-south-1", "sa-east-1", "us-east-1",
"us-east-2", "us-west-1", "us-west-2", "ap-southeast-5"
]

permissions:
contents: write
id-token: write
steps:
- id: transform
run: |
echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
- id: creds
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
with:
aws-region: ${{ matrix.region }}
role-to-assume: ${{ secrets[format('{0}', steps.transform.outputs.CONVERTED_REGION)] }}
mask-aws-account-id: true
- id: write-version
env:
prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
run: |
aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/${{ inputs.package_version }} --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer_version }}" --type String --overwrite

- id: write-latest
if: inputs.write_latest == true
env:
prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
run: |
aws ssm put-parameter --name ${{ env.prefix }}/generic/all/latest --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer_version }}" --type String --overwrite
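Review bot: In the `write-latest` step the parameter name is `${{ env.prefix }}/generic/all/latest`, while `write-version` writes under `${{ env.prefix }}/typescript/generic/all/...`; the `typescript` segment looks missing, which would place the latest alias outside the TypeScript path. Two documentation points in the same file: the header example shows a `/python/...` parameter and an `AWSLambdaPowertoolsPythonV3` ARN although the steps write `AWSLambdaPowertoolsTypeScriptV2`, and the `environment` options are `Beta`/`Prod` while the `prefix` expression compares against `'beta'`, so aligning the casing would make the intent clear. `inputs.package_version` and `inputs.layer_version` are free-form strings interpolated into the `aws ssm put-parameter` command; suggest moving them to `env:`, quoting `--name`, and dropping `contents: write` from the job permissions since no step writes to the repository.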