From 3927738a2c7d5463d6bf6dfae6bade50e4fa8bc0 Mon Sep 17 00:00:00 2001 From: Alexander Melnyk Date: Thu, 7 Jul 2022 12:54:00 +0200 Subject: [PATCH] chore(layers): add release pipeline in GitHub Actions (#1278) * chore: add layer project * reduce to 1 region for dev * chore: shorter name for the workflow * fix ignore markdown lint for now * fix: more f strings * ignore mdlint * add reusable workflow for both beta and prod * Update layer/layer/canary/app.py Co-authored-by: Heitor Lessa * Update layer/layer/canary/app.py Co-authored-by: Heitor Lessa * readme review * rephrase canary stack ssm parameter usage * add default RELEASE_TAG_VERSION assignment based on the input (release or manual trigger) * add reference to layer docs * wording * move version trackign arn to canary stack * remove outdated npm caching, add release tag resolution for manual workflow trigger * review: fix layer name and remove dependencies from reusable workflow * remove debug statement, add default working dir * pin versions and hashes for requirements with pip-compile * rename reusable workflow * pass artefact name to the reusable workflow to prevent potential future conflicts Co-authored-by: Heitor Lessa --- .github/workflows/publish_layer.yml | 79 +++++++++++++++ .../workflows/reusable_deploy_layer_stack.yml | 87 ++++++++++++++++ layer/.gitignore | 10 ++ layer/README.md | 27 +++++ layer/app.py | 23 +++++ layer/cdk.json | 35 +++++++ layer/layer/__init__.py | 0 layer/layer/canary/app.py | 99 +++++++++++++++++++ layer/layer/canary_stack.py | 75 ++++++++++++++ layer/layer/layer_stack.py | 19 ++++ layer/requirements-dev.txt | 2 + layer/requirements.txt | 76 ++++++++++++++ 12 files changed, 532 insertions(+) create mode 100644 .github/workflows/publish_layer.yml create mode 100644 .github/workflows/reusable_deploy_layer_stack.yml create mode 100644 layer/.gitignore create mode 100644 layer/README.md create mode 100644 layer/app.py create mode 100644 layer/cdk.json create mode 100644 layer/layer/__init__.py create mode 100644 layer/layer/canary/app.py create mode 100644 layer/layer/canary_stack.py create mode 100644 layer/layer/layer_stack.py create mode 100644 layer/requirements-dev.txt create mode 100644 layer/requirements.txt diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml new file mode 100644 index 00000000000..b4814fbb98a --- /dev/null +++ b/.github/workflows/publish_layer.yml @@ -0,0 +1,79 @@ +name: Deploy layer to all regions + +permissions: + id-token: write + contents: read + +on: + workflow_dispatch: + inputs: + latest_published_version: + description: "Latest PyPi published version to rebuild latest docs for, e.g. v1.22.0" + default: "v1.22.0" + required: true + workflow_run: + workflows: [ "Publish to PyPi" ] + types: + - completed + + +jobs: + build-layer: + runs-on: ubuntu-latest + defaults: + run: + working-directory: ./layer + steps: + - name: checkout + uses: actions/checkout@v2 + - name: Setup Node.js + uses: actions/setup-node@v2 + with: + node-version: '16.12' + - name: Setup python + uses: actions/setup-python@v4 + with: + python-version: '3.9' + cache: 'pip' + - name: Set release notes tag + run: | + RELEASE_INPUT=${{ inputs.latest_published_version }} + GITHUB_EVENT_RELEASE_TAG=${{ github.event.release.tag_name }} + RELEASE_TAG_VERSION=${GITHUB_EVENT_RELEASE_TAG:-$RELEASE_INPUT} + echo "RELEASE_TAG_VERSION=${RELEASE_TAG_VERSION:1}" >> $GITHUB_ENV + - name: install cdk and deps + run: | + npm install -g aws-cdk@2.29.0 + cdk --version + - name: install deps + run: | + pip install -r requirements.txt + - name: CDK build + run: cdk synth --context version=$RELEASE_TAG_VERSION -o cdk.out + - name: zip output + run: zip -r cdk.out.zip cdk.out + - name: Archive CDK artifacts + uses: actions/upload-artifact@v3 + with: + name: cdk-layer-artefact + path: layer/cdk.out.zip + + deploy-beta: + needs: + - build-layer + uses: ./.github/workflows/reusable_deploy_layer_stack.yml + with: + stage: "BETA" + artefact-name: "cdk-layer-artefact" + secrets: + target-account-role: arn:aws:iam::${{ secrets.LAYERS_BETA_ACCOUNT }}:role/${{ secrets.AWS_GITHUB_OIDC_ROLE }} + + deploy-prod: + needs: + - deploy-beta + uses: ./.github/workflows/reusable_deploy_layer_stack.yml + with: + stage: "PROD" + artefact-name: "cdk-layer-artefact" + secrets: + target-account-role: arn:aws:iam::${{ secrets.LAYERS_PROD_ACCOUNT }}:role/${{ secrets.AWS_GITHUB_OIDC_ROLE }} diff --git a/.github/workflows/reusable_deploy_layer_stack.yml b/.github/workflows/reusable_deploy_layer_stack.yml new file mode 100644 index 00000000000..6ac646f2bd8 --- /dev/null +++ b/.github/workflows/reusable_deploy_layer_stack.yml @@ -0,0 +1,87 @@ +name: Deploy cdk stack + +permissions: + id-token: write + contents: read + +on: + workflow_call: + inputs: + stage: + required: true + type: string + artefact-name: + required: true + type: string + secrets: + target-account-role: + required: true + +jobs: + deploy-cdk-stack: + runs-on: ubuntu-latest + defaults: + run: + working-directory: ./layer + strategy: + fail-fast: false + matrix: + region: [ + "af-south-1", + # "eu-central-1", + # "us-east-1", + # "us-east-2", + # "us-west-1", + # "us-west-2", + # "ap-east-1", + # "ap-south-1", + # "ap-northeast-1", + # "ap-northeast-2", + # "ap-southeast-1", + # "ap-southeast-2", + # "ca-central-1", + # "eu-west-1", + # "eu-west-2", + # "eu-west-3", + # "eu-south-1", + # "eu-north-1", + # "sa-east-1", + # "ap-southeast-3", + # "ap-northeast-3", + # "me-south-1" + ] + steps: + - name: checkout + uses: actions/checkout@v2 + - name: aws credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-region: ${{ matrix.region }} + role-to-assume: ${{ secrets.target-account-role }} + - name: Setup Node.js + uses: actions/setup-node@v2 + with: + node-version: '16.12' + - name: Setup python + uses: actions/setup-python@v4 + with: + python-version: '3.9' + cache: 'pip' + - name: install cdk and deps + run: | + npm install -g aws-cdk@2.29.0 + cdk --version + - name: install deps + run: | + pip install -r requirements.txt + - name: Download artifact + uses: actions/download-artifact@v3 + with: + name: ${{ inputs.artefact-name }} + path: layer + - name: unzip artefact + run: unzip ${{ inputs.artefact-name }} + - name: CDK Deploy Layer + run: cdk deploy --app cdk.out --context region=${{ matrix.region }} 'LayerStack ' --require-approval never --verbose + - name: CDK Deploy Canary + run: cdk deploy --app cdk.out --context region=${{ matrix.region}} --parameters DeployStage="${{ inputs.stage }}" 'CanaryStack' --require-approval never --verbose diff --git a/layer/.gitignore b/layer/.gitignore new file mode 100644 index 00000000000..37833f8beb2 --- /dev/null +++ b/layer/.gitignore @@ -0,0 +1,10 @@ +*.swp +package-lock.json +__pycache__ +.pytest_cache +.venv +*.egg-info + +# CDK asset staging directory +.cdk.staging +cdk.out diff --git a/layer/README.md b/layer/README.md new file mode 100644 index 00000000000..99da0083ffc --- /dev/null +++ b/layer/README.md @@ -0,0 +1,27 @@ + +# CDK Powertools layer + +This is a CDK project to build and deploy AWS Lambda Powertools [Lambda layer](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer) to multiple commercial regions. + +## Build the layer + +To build the layer construct you need to provide the Powertools version that is [available in PyPi](https://pypi.org/project/aws-lambda-powertools/). +You can pass it as a context variable when running `synth` or `deploy`, + +```shell +cdk synth --context version=1.25.1 +``` + +## Canary stack + +We use a canary stack to verify that the deployment is successful and we can use the layer by adding it to a newly created Lambda function. +The canary is deployed after the layer construct. Because the layer ARN is created during the deploy we need to pass this information async via SSM parameter. +To achieve that we use SSM parameter store to pass the layer ARN to the canary. +The layer stack writes the layer ARN after the deployment as SSM parameter and the canary stacks reads this information and adds the layer to the function. + +## Version tracking + +AWS Lambda versions Lambda layers by incrementing a number at the end of the ARN. +This makes it challenging to know which Powertools version a layer contains. +For better tracking of the ARNs and the corresponding version we need to keep track which powertools version was deployed to which layer. +To achieve that we created two components. First, we created a version tracking app which receives events via EventBridge. Second, after a successful canary deployment we send the layer ARN, Powertools version, and the region to this EventBridge. diff --git a/layer/app.py b/layer/app.py new file mode 100644 index 00000000000..78e99b17654 --- /dev/null +++ b/layer/app.py @@ -0,0 +1,23 @@ +#!/usr/bin/env python3 + +import aws_cdk as cdk + +from layer.canary_stack import CanaryStack +from layer.layer_stack import LayerStack + +app = cdk.App() + +POWERTOOLS_VERSION: str = app.node.try_get_context("version") +SSM_PARAM_LAYER_ARN: str = "/layers/powertools-layer-arn" + +if not POWERTOOLS_VERSION: + raise ValueError( + "Please set the version for Powertools by passing the '--context=version:' parameter to the CDK " + "synth step." + ) + +LayerStack(app, "LayerStack", powertools_version=POWERTOOLS_VERSION, ssm_paramter_layer_arn=SSM_PARAM_LAYER_ARN) + +CanaryStack(app, "CanaryStack", powertools_version=POWERTOOLS_VERSION, ssm_paramter_layer_arn=SSM_PARAM_LAYER_ARN) + +app.synth() diff --git a/layer/cdk.json b/layer/cdk.json new file mode 100644 index 00000000000..c120c5f4765 --- /dev/null +++ b/layer/cdk.json @@ -0,0 +1,35 @@ +{ + "app": "python3 app.py", + "watch": { + "include": [ + "**" + ], + "exclude": [ + "README.md", + "cdk*.json", + "requirements*.txt", + "source.bat", + "**/__init__.py", + "python/__pycache__", + "tests" + ] + }, + "context": { + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true, + "@aws-cdk/core:stackRelativeExports": true, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": true, + "@aws-cdk/aws-lambda:recognizeVersionProps": true, + "@aws-cdk/aws-lambda:recognizeLayerVersion": true, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true, + "@aws-cdk/core:checkSecretUsage": true, + "@aws-cdk/aws-iam:minimizePolicies": true, + "@aws-cdk/core:validateSnapshotRemovalPolicy": true, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true, + "@aws-cdk/core:target-partitions": [ + "aws", + "aws-cn" + ] + } +} diff --git a/layer/layer/__init__.py b/layer/layer/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/layer/layer/canary/app.py b/layer/layer/canary/app.py new file mode 100644 index 00000000000..31db94dd92b --- /dev/null +++ b/layer/layer/canary/app.py @@ -0,0 +1,99 @@ +import datetime +import json +import os +from importlib.metadata import version + +import boto3 + +from aws_lambda_powertools import Logger, Metrics, Tracer + +logger = Logger(service="version-track") +tracer = Tracer() +metrics = Metrics(namespace="powertools-layer-canary", service="PowertoolsLayerCanary") + +layer_arn = os.getenv("POWERTOOLS_LAYER_ARN") +powertools_version = os.getenv("POWERTOOLS_VERSION") +stage = os.getenv("LAYER_PIPELINE_STAGE") +event_bus_arn = os.getenv("VERSION_TRACKING_EVENT_BUS_ARN") + + +def handler(event): + logger.info("Running checks") + check_envs() + verify_powertools_version() + send_notification() + return True + + +@logger.inject_lambda_context(log_event=True) +def on_event(event, context): + request_type = event["RequestType"] + # we handle only create events, because we recreate the canary on each run + if request_type == "Create": + return on_create(event) + + return "Nothing to be processed" + + +def on_create(event): + props = event["ResourceProperties"] + logger.info("create new resource with properties %s" % props) + handler(event) + + +def check_envs(): + logger.info('Checking required envs ["POWERTOOLS_LAYER_ARN", "AWS_REGION", "STAGE"]') + if not layer_arn: + raise ValueError("POWERTOOLS_LAYER_ARN is not set. Aborting...") + if not powertools_version: + raise ValueError("POWERTOOLS_VERSION is not set. Aborting...") + if not stage: + raise ValueError("LAYER_PIPELINE_STAGE is not set. Aborting...") + if not event_bus_arn: + raise ValueError("VERSION_TRACKING_EVENT_BUS_ARN is not set. Aborting...") + logger.info("All envs configured, continue...") + + +def verify_powertools_version() -> None: + """ + fetches the version that we import from the powertools layer and compares + it with expected version set in environment variable, which we pass during deployment. + :raise ValueError if the expected version is not the same as the version we get from the layer + """ + logger.info("Checking Powertools version in library...") + current_version = version("aws_lambda_powertools") + if powertools_version != current_version: + raise ValueError( + f'Expected powertoosl version is "{powertools_version}", but layer contains version "{current_version}"' + ) + logger.info(f"Current Powertools version is: {current_version}") + + +def send_notification(): + """ + sends an event to version tracking event bridge + """ + event = { + "Time": datetime.datetime.now(), + "Source": "powertools.layer.canary", + "EventBusName": event_bus_arn, + "DetailType": "deployment", + "Detail": json.dumps( + { + "id": "powertools-python", + "stage": stage, + "region": os.environ["AWS_REGION"], + "version": powertools_version, + "layerArn": layer_arn, + } + ), + } + + logger.info(f"sending notification event: {event}") + + client = boto3.client("events", region_name="eu-central-1") + resp = client.put_events(Entries=[event]) + logger.info(resp) + if resp["FailedEntryCount"] != 0: + logger.error(resp) + raise ValueError("Failed to send deployment notification to version tracking") diff --git a/layer/layer/canary_stack.py b/layer/layer/canary_stack.py new file mode 100644 index 00000000000..15bc80214d3 --- /dev/null +++ b/layer/layer/canary_stack.py @@ -0,0 +1,75 @@ +import uuid + +from aws_cdk import CfnParameter, CustomResource, Duration, Stack +from aws_cdk.aws_iam import Effect, ManagedPolicy, PolicyStatement, Role, ServicePrincipal +from aws_cdk.aws_lambda import Code, Function, LayerVersion, Runtime +from aws_cdk.aws_logs import RetentionDays +from aws_cdk.aws_ssm import StringParameter +from aws_cdk.custom_resources import Provider +from constructs import Construct + + +class CanaryStack(Stack): + def __init__( + self, + scope: Construct, + construct_id: str, + powertools_version: str, + ssm_paramter_layer_arn: str, + **kwargs, + ) -> None: + super().__init__(scope, construct_id, **kwargs) + + VERSION_TRACKING_EVENT_BUS_ARN: str = ( + "arn:aws:events:eu-central-1:027876851704:event-bus/VersionTrackingEventBus" + ) + + layer_arn = StringParameter.from_string_parameter_attributes( + self, "LayerVersionArnParam", parameter_name=ssm_paramter_layer_arn + ).string_value + + layer = LayerVersion.from_layer_version_arn(self, "PowertoolsLayer", layer_version_arn=layer_arn) + deploy_stage = CfnParameter(self, "DeployStage", description="Deployment stage for canary").value_as_string + + execution_role = Role(self, "LambdaExecutionRole", assumed_by=ServicePrincipal("lambda.amazonaws.com")) + + execution_role.add_managed_policy( + ManagedPolicy.from_aws_managed_policy_name("service-role/AWSLambdaBasicExecutionRole") + ) + + execution_role.add_to_policy( + PolicyStatement(effect=Effect.ALLOW, actions=["lambda:GetFunction"], resources=["*"]) + ) + + canary_lambda = Function( + self, + "CanaryLambdaFunction", + function_name="CanaryLambdaFunction", + code=Code.from_asset("layer/canary"), + handler="app.on_event", + layers=[layer], + memory_size=512, + timeout=Duration.seconds(10), + runtime=Runtime.PYTHON_3_9, + log_retention=RetentionDays.ONE_MONTH, + role=execution_role, + environment={ + "POWERTOOLS_VERSION": powertools_version, + "POWERTOOLS_LAYER_ARN": layer_arn, + "VERSION_TRACKING_EVENT_BUS_ARN": VERSION_TRACKING_EVENT_BUS_ARN, + "LAYER_PIPELINE_STAGE": deploy_stage, + }, + ) + + canary_lambda.add_to_role_policy( + PolicyStatement( + effect=Effect.ALLOW, actions=["events:PutEvents"], resources=[VERSION_TRACKING_EVENT_BUS_ARN] + ) + ) + + # custom resource provider configuration + provider = Provider( + self, "CanaryCustomResource", on_event_handler=canary_lambda, log_retention=RetentionDays.ONE_MONTH + ) + # force to recreate resource on each deployment with randomized name + CustomResource(self, f"CanaryTrigger-{str(uuid.uuid4())[0:7]}", service_token=provider.service_token) diff --git a/layer/layer/layer_stack.py b/layer/layer/layer_stack.py new file mode 100644 index 00000000000..8b32de9c206 --- /dev/null +++ b/layer/layer/layer_stack.py @@ -0,0 +1,19 @@ +from aws_cdk import Stack +from aws_cdk.aws_ssm import StringParameter +from cdk_lambda_powertools_python_layer import LambdaPowertoolsLayer +from constructs import Construct + + +class LayerStack(Stack): + def __init__( + self, scope: Construct, construct_id: str, powertools_version: str, ssm_paramter_layer_arn: str, **kwargs + ) -> None: + super().__init__(scope, construct_id, **kwargs) + + layer = LambdaPowertoolsLayer( + self, "Layer", layer_version_name="AWSLambdaPowertoolsPython", version=powertools_version + ) + + layer.add_permission("PublicLayerAccess", account_id="*") + + StringParameter(self, "VersionArn", parameter_name=ssm_paramter_layer_arn, string_value=layer.layer_version_arn) diff --git a/layer/requirements-dev.txt b/layer/requirements-dev.txt new file mode 100644 index 00000000000..f3ec7d732b5 --- /dev/null +++ b/layer/requirements-dev.txt @@ -0,0 +1,2 @@ +pytest==6.2.5 +boto3==1.24.22 diff --git a/layer/requirements.txt b/layer/requirements.txt new file mode 100644 index 00000000000..0484892d321 --- /dev/null +++ b/layer/requirements.txt @@ -0,0 +1,76 @@ +# +# This file is autogenerated by pip-compile with python 3.9 +# To update, run: +# +# pip-compile --generate-hashes requirements.txt +# +attrs==21.4.0 \ + --hash=sha256:2d27e3784d7a565d36ab851fe94887c5eccd6a463168875832a1be79c82828b4 \ + --hash=sha256:626ba8234211db98e869df76230a137c4c40a12d72445c45d5f5b716f076e2fd + # via + # -r requirements.txt + # cattrs + # jsii +aws-cdk-lib==2.29.0 \ + --hash=sha256:4f852105cafd28a2bbd9bd2c6d24a2e1ab503bba923fd49a1782390b235af999 \ + --hash=sha256:53a78788219d9bf3a998211223225b34a10f066124e2812adcd40fd0a2058572 + # via + # -r requirements.txt + # cdk-lambda-powertools-python-layer +cattrs==22.1.0 \ + --hash=sha256:94b67b64cf92c994f8784c40c082177dc916e0489a73a9a36b24eb18a9db40c6 \ + --hash=sha256:d55c477b4672f93606e992049f15d526dc7867e6c756cd6256d4af92e2b1e364 + # via + # -r requirements.txt + # jsii +cdk-lambda-powertools-python-layer==2.0.48 \ + --hash=sha256:7bdd5a196e74b48d403223722f2838d1d10064d02e960a5565482cc0b7aad18d \ + --hash=sha256:9afeacea31eba14d67360db71af385c654c9e0af9b29a0d4e0922b52f862ae03 + # via -r requirements.txt +constructs==10.1.43 \ + --hash=sha256:69fd6da574c9506f44ca61e112af7d5db08ebb29b4bedc67b6d200b616f4abce \ + --hash=sha256:f37e8c3432f94f403b50bf69476bea55719bcc3fa0d3a0e60bf0975dfe492867 + # via + # -r requirements.txt + # aws-cdk-lib + # cdk-lambda-powertools-python-layer +exceptiongroup==1.0.0rc8 \ + --hash=sha256:6990c24f06b8d33c8065cfe43e5e8a4bfa384e0358be036af9cc60b6321bd11a \ + --hash=sha256:ab0a968e1ef769e55d9a596f4a89f7be9ffedbc9fdefdb77cc68cf5c33ce1035 + # via + # -r requirements.txt + # cattrs +jsii==1.61.0 \ + --hash=sha256:542a72cd1a144d36fa530dc359b5295b82d9e7ecdd76d5c7b4b61195f132a746 \ + --hash=sha256:b2899f24bcc95ce009bc256558c81cde8cff9f830eddbe9b0d581c40558a1ff0 + # via + # -r requirements.txt + # aws-cdk-lib + # cdk-lambda-powertools-python-layer + # constructs +publication==0.0.3 \ + --hash=sha256:0248885351febc11d8a1098d5c8e3ab2dabcf3e8c0c96db1e17ecd12b53afbe6 \ + --hash=sha256:68416a0de76dddcdd2930d1c8ef853a743cc96c82416c4e4d3b5d901c6276dc4 + # via + # -r requirements.txt + # aws-cdk-lib + # cdk-lambda-powertools-python-layer + # constructs +python-dateutil==2.8.2 \ + --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ + --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9 + # via + # -r requirements.txt + # jsii +six==1.16.0 \ + --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ + --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 + # via + # -r requirements.txt + # python-dateutil +typing-extensions==4.3.0 \ + --hash=sha256:25642c956049920a5aa49edcdd6ab1e06d7e5d467fc00e0506c44ac86fbfca02 \ + --hash=sha256:e6d2677a32f47fc7eb2795db1dd15c1f34eff616bcaf2cfb5e997f854fa1c4a6 + # via + # -r requirements.txt + # jsii