chore(ci): enable SAR deployment (#6104)

* Enabling SAR deployment * Enabling SAR deployment * Making SAR version works as expected * Making SAR version works as expected * Making SAR version works as expected * Making SAR version works as expected * Modify arch name
aws-powertools · Feb 28, 2025 · b046352 · b046352
1 parent 3b7f297
commit b046352
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 45 deletions.
diff --git a/.github/workflows/publish_v3_layer.yml b/.github/workflows/publish_v3_layer.yml
@@ -49,6 +49,11 @@ on:
         default: false
         type: boolean
         required: false
+      skip_lambda_layer:
+        description: "Skip publishing Lambda Layers as it can publish duplicated versions of the same layer. Useful for semi-failed releases"
+        type: boolean
+        required: false
+
   workflow_call:
     inputs:
       latest_published_version:
@@ -72,6 +77,11 @@ on:
         description: "Sealed source code integrity hash"
         type: string
         required: true
+      skip_lambda_layer:
+        description: "Skip publishing Lambda Layers as it can publish duplicated versions of the same layer. Useful for semi-failed releases"
+        default: false
+        type: boolean
+        required: false
 
 permissions:
   contents: read
@@ -180,6 +190,7 @@ jobs:
       source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
 
   prod:
+    if: ${{ !inputs.skip_lambda_layer }}
     needs: beta
     # lower privilege propagated from parent workflow (release-v3.yml)
     permissions:
@@ -195,41 +206,39 @@ jobs:
       source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
       source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
 
-  # UNCOMMENT sar-beta JOB
-  #sar-beta:
-  #  needs: beta  # canaries run on Layer Beta env
-  #  permissions:
+  sar-beta:
+    needs: beta  # canaries run on Layer Beta env
+    permissions:
       # lower privilege propagated from parent workflow (release.yml)
-  #    id-token: write
-  #    contents: read
-  #    pull-requests: none
-  #    pages: none
-  #  uses: ./.github/workflows/reusable_deploy_v3_sar.yml
-  #  secrets: inherit
-  #  with:
-  #    stage: "BETA"
-  #    environment: "layer-beta"
-  #    package-version: ${{ inputs.latest_published_version }}
-  #    source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
-  #    source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
+      id-token: write
+      contents: read
+      pull-requests: none
+      pages: none
+    uses: ./.github/workflows/reusable_deploy_v3_sar.yml
+    secrets: inherit
+    with:
+      stage: "BETA"
+      environment: "layer-beta"
+      package-version: ${{ inputs.latest_published_version }}
+      source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
+      source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
 
-  # UNCOMMENT sar-prod JOB
-  #sar-prod:
-  #  needs: sar-beta
-  #  permissions:
+  sar-prod:
+    needs: sar-beta
+    permissions:
       # lower privilege propagated from parent workflow (release.yml)
-  #    id-token: write
-  #    contents: read
-  #    pull-requests: none
-  #    pages: none
-  #  uses: ./.github/workflows/reusable_deploy_v3_sar.yml
-  #  secrets: inherit
-  #  with:
-  #    stage: "PROD"
-  #    environment: "layer-prod"
-  #    package-version: ${{ inputs.latest_published_version }}
-  #    source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
-  #    source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
+      id-token: write
+      contents: read
+      pull-requests: none
+      pages: none
+    uses: ./.github/workflows/reusable_deploy_v3_sar.yml
+    secrets: inherit
+    with:
+      stage: "PROD"
+      environment: "layer-prod"
+      package-version: ${{ inputs.latest_published_version }}
+      source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
+      source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
 
 
   # Updating the documentation with the latest Layer ARNs is a two-phase process

diff --git a/.github/workflows/release-v3.yml b/.github/workflows/release-v3.yml
@@ -48,6 +48,11 @@ on:
         default: false
         type: boolean
         required: false
+      skip_lambda_layer:
+        description: "Skip publishing Lambda Layers as it can publish duplicated versions of the same layer. Useful for semi-failed releases"
+        default: false
+        type: boolean
+        required: false
       skip_code_quality:
         description: "Skip tests, linting, and baseline. Only use if release fail for reasons beyond our control and you need a quick release."
         default: false
@@ -350,6 +355,7 @@ jobs:
       pre_release: ${{ inputs.pre_release }}
       source_code_artifact_name: ${{ needs.seal.outputs.artifact_name }}
       source_code_integrity_hash: ${{ needs.seal.outputs.integrity_hash }}
+      skip_lambda_layer: ${{ inputs.skip_lambda_layer }}
 
   post_release:
     needs: [seal, release, publish_layer]

diff --git a/.github/workflows/reusable_deploy_v3_sar.yml b/.github/workflows/reusable_deploy_v3_sar.yml
@@ -106,7 +106,7 @@ jobs:
           aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
           role-duration-seconds: 1200
           aws-region: ${{ env.AWS_REGION }}
-          role-to-assume: ${{ secrets.AWS_SAR_V2_ROLE_ARN }}
+          role-to-assume: ${{ secrets.AWS_SAR_V3_ROLE_ARN }}
           mask-aws-account-id: true
       - name: Setup Node.js
         uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
@@ -127,25 +127,22 @@ jobs:
           if [[ "${{ inputs.stage }}" == "BETA" ]]; then
             SAR_NAME="test-${SAR_NAME}"
           fi
-          ARCH_NAME=$(echo ${{ matrix.architecture }} | tr -d '_')
+          ARCH_NAME=$(echo ${{ matrix.architecture }} | tr '_' '-')
           SAR_NAME="${SAR_NAME}-python${{env.PYTHON_VERSION}}-${ARCH_NAME}"
           echo SAR_NAME="${SAR_NAME}" >> "$GITHUB_ENV"
-      - name: Normalize semantic version
-        id: semantic-version # v2.0.0a0 -> v2.0.0-a0
-        env:
-          VERSION: ${{ inputs.package-version }}
-        run: |
-          # VERSION="${VERSION/a/-a}"
-          VERSION="3.0.0"
-          echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
       - name: Prepare SAR App
-        env:
-          VERSION: ${{ steps.semantic-version.outputs.VERSION }}
         run: |
           # From the generated LayerStack cdk.out artifact, find the layer asset path for the correct architecture.
           # We'll use this as the source directory of our SAR. This way we are re-using the same layer asset for our SAR.
           PYTHON_VERSION=$(echo ${{ matrix.python-version }} | tr -d '.')
-          asset=$(jq -jc '.Resources[] | select(.Properties.CompatibleArchitectures == ["${{ matrix.architecture }}"]) | .Metadata."aws:asset:path"' "cdk.out/LayerV3Stack-python${PYTHON_VERSION}.template.json")
+          asset_cdk=$(jq -jc '.Resources[] | select(.Properties.CompatibleArchitectures == ["${{ matrix.architecture }}"]) | .Metadata."aws:asset:path"' "cdk.out/LayerV3Stack-python${PYTHON_VERSION}.template.json")
+
+          echo "Normalizing the asset variable"
+          asset=$(echo $asset_cdk | sed -E 's/^(asset\.[^.]+).*\1/\1/')
+
+          VERSION=$(echo ${{ inputs.package-version }} | sed 's/^v//')
+          echo $asset
+          echo $VERSION
 
           # fill in the SAR SAM template
           sed \
@@ -165,6 +162,7 @@ jobs:
 
           # Package the SAR to our SAR S3 bucket, and publish it
           sam package --template-file template.yml --output-template-file packaged.yml --s3-bucket ${{ secrets.AWS_SAR_S3_BUCKET_V3 }}
+          cat packaged.yml
           sam publish --template packaged.yml --region "$AWS_REGION"
       - name: Deploy BETA canary
         if: ${{ inputs.stage == 'BETA' }}