chore(layers): add workflows for govcloud layers (#3747)

Author: am29d

.github/workflows/layer_govcloud_verify.yml

@@ -0,0 +1,81 @@
+# GovCloud Layer Verification
+# ---
+# This workflow queries the GovCloud layer info in production only
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Layer version to verify information
+        type: string
+        required: true
+  workflow_call:
+    inputs:
+      version:
+        description: Layer version to verify information
+        type: string
+        required: true
+
+name: Layer Verification (GovCloud)
+run-name: Layer Verification (GovCloud) - version ${{ inputs.version }}
+
+permissions: {}
+
+jobs:
+  commercial:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    environment: Prod (Readonly)
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+          aws-region: us-east-1
+          mask-aws-account-id: true
+      - name: Output AWSLambdaPowertoolsTypeScriptV2
+        # fetch the specific layer version information from the us-east-1 commercial region
+        run: |
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
+
+  gov_east:
+    name: Verify (East)
+    needs: commercial
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    environment: GovCloud Prod (East)
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+          aws-region: us-gov-east-1
+          mask-aws-account-id: true
+      - name: Verify Layer AWSLambdaPowertoolsTypeScriptV2
+        id: verify-layer
+        run: |
+          aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
+
+  gov_west:
+    name: Verify (West)
+    needs: commercial
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    environment: GovCloud Prod (West)
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+          aws-region: us-gov-east-1
+          mask-aws-account-id: true
+      - name: Verify Layer AWSLambdaPowertoolsTypeScriptV2
+        id: verify-layer
+        run: |
+          aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'

.github/workflows/layers_govcloud.yml

@@ -0,0 +1,187 @@
+name: Layer Deployment (GovCloud)
+
+# GovCloud Layer Publish
+# ---
+# This workflow publishes a specific layer version in an AWS account based on the environment input.
+#
+# We pull each the version of the layer and store them as artifacts, the we upload them to each of the GovCloud AWS accounts.
+#
+# A number of safety checks are performed to ensure safety.
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Deployment environment
+        type: choice
+        options:
+          - Gamma
+          - Prod
+        required: true
+      version:
+        description: Layer version to duplicate
+        type: string
+        required: true
+  workflow_call:
+    inputs:
+      environment:
+        description: Deployment environment
+        type: string
+        required: true
+      version:
+        description: Layer version to duplicate
+        type: string
+        required: true
+
+run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }} - version - ${{ inputs.version }}
+
+permissions:
+  contents: read
+
+jobs:
+  download:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    environment: Prod (Readonly)
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+          aws-region: us-east-1
+          mask-aws-account-id: true
+      - name: Grab Zip
+        run: |
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} > AWSLambdaPowertoolsTypeScriptV2.json
+      - name: Store Zip
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: AWSLambdaPowertoolsTypeScriptV2.zip
+          path: AWSLambdaPowertoolsTypeScriptV2.zip
+          retention-days: 1
+          if-no-files-found: error
+      - name: Store Metadata
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: AWSLambdaPowertoolsTypeScriptV2.json
+          path: AWSLambdaPowertoolsTypeScriptV2.json
+          retention-days: 1
+          if-no-files-found: error
+
+  copy_east:
+    name: Copy (East)
+    needs: download
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    environment: GovCloud ${{ inputs.environment }} (East)
+    steps:
+      - name: Download Zip
+        uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0
+        with:
+          name: AWSLambdaPowertoolsTypeScriptV2.zip
+      - name: Download Metadata
+        uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0
+        with:
+          name: AWSLambdaPowertoolsTypeScriptV2.json
+      - name: Verify Layer Signature
+        run: |
+          SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json')
+          test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+          aws-region: us-gov-east-1
+          mask-aws-account-id: true
+      - name: Create Layer
+        id: create-layer
+        run: |
+          LAYER_VERSION=$(aws --region us-gov-east-1 lambda publish-layer-version \
+            --layer-name AWSLambdaPowertoolsTypeScriptV2 \
+            --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \
+            --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' 'AWSLambdaPowertoolsTypeScriptV2.json')" \
+            --compatible-architectures "$(jq  -r '.CompatibleArchitectures[0]' 'AWSLambdaPowertoolsTypeScriptV2.json')" \
+            --license-info "MIT-0" \
+            --description "$(jq -r '.Description' 'AWSLambdaPowertoolsTypeScriptV2.json')" \
+            --query 'Version' \
+            --output text)
+
+          echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
+
+          aws --region us-gov-east-1 lambda add-layer-version-permission \
+            --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \
+            --statement-id 'PublicLayer' \
+            --action lambda:GetLayerVersion \
+            --principal '*' \
+            --version-number "$LAYER_VERSION"
+      - name: Verify Layer
+        env:
+          LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+        run: |
+          REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text)
+          SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json')
+          test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+          aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --output table
+
+  copy_west:
+    name: Copy (West)
+    needs: download
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    environment:
+      name: GovCloud ${{ inputs.environment }} (West)
+    steps:
+      - name: Download Zip
+        uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0
+        with:
+          name: AWSLambdaPowertoolsTypeScriptV2.zip
+      - name: Download Metadata
+        uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0
+        with:
+          name: AWSLambdaPowertoolsTypeScriptV2.json
+      - name: Verify Layer Signature
+        run: |
+          SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json')
+          test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+          aws-region: us-gov-west-1
+          mask-aws-account-id: true
+      - name: Create Layer
+        id: create-layer
+        run: |
+          LAYER_VERSION=$(aws --region us-gov-west-1 lambda publish-layer-version \
+            --layer-name AWSLambdaPowertoolsTypeScriptV2 \
+            --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \
+            --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' 'AWSLambdaPowertoolsTypeScriptV2.json')" \
+            --compatible-architectures "$(jq  -r '.CompatibleArchitectures[0]' 'AWSLambdaPowertoolsTypeScriptV2.json')" \
+            --license-info "MIT-0" \
+            --description "$(jq -r '.Description' 'AWSLambdaPowertoolsTypeScriptV2.json')" \
+            --query 'Version' \
+            --output text)
+
+          echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
+
+          aws --region us-gov-west-1 lambda add-layer-version-permission \
+            --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \
+            --statement-id 'PublicLayer' \
+            --action lambda:GetLayerVersion \
+            --principal '*' \
+            --version-number "$LAYER_VERSION"
+      - name: Verify Layer
+        env:
+          LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+        run: |
+          REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text)
+          SHA=$(jq -r '.Content.CodeSha256' 'AWSLambdaPowertoolsTypeScriptV2.json')
+          test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+          aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' --output table

docs/index.md

@@ -69,7 +69,9 @@ You can use Powertools for AWS Lambda (TypeScript) by installing it with your fa
 
     For the latter, make sure to replace `{region}` with your AWS region, e.g., `eu-west-1`.
 
-    __arn:aws:lambda:{region}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard:
+    !!! abstract ""
+        
+        __arn:aws:lambda:{region}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard:
 
     ???+ note "Code snippets for popular infrastructure as code frameworks"
 
@@ -264,6 +266,15 @@ You can use Powertools for AWS Lambda (TypeScript) by installing it with your fa
             });
             ```
 
+=== "Layer in GovCloud"
+
+    We also provide layers in two GovCloud regions:
+
+    !!! abstract ""
+
+        * __arn:aws-us-gov:lambda:us-gov-east-1:165087284144:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard:
+        * __arn:aws-us-gov:lambda:us-gov-west-1:165093116878:layer:AWSLambdaPowertoolsTypeScriptV2:22__{: .copyMe}:clipboard:
+
 ### Lambda Layer
 
 [Lambda Layer](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html){target="_blank"} is a `.zip` file archive that can contain additional code, pre-packaged dependencies, data, or configuration files. We compile and optimize [all dependencies](#install) to achieve an optimal build.