From cc19cc36423b8e8113dcede7203a61b13440da29 Mon Sep 17 00:00:00 2001 From: mbfreder <117131783+mbfreder@users.noreply.github.com> Date: Wed, 9 Aug 2023 01:36:39 -0700 Subject: [PATCH] Update github actions to deploy LWA layer in china regions (#266) * Update github actions to deploy LWA layer in china regions * deploy LWA layer in gamma accounts in china --- .github/workflows/cn-gamma.json | 20 +++ .github/workflows/cn-prod.json | 18 ++ .github/workflows/pipeline.yaml | 297 ++++++++++++++++++++++++++++++++ 3 files changed, 335 insertions(+) create mode 100644 .github/workflows/cn-gamma.json create mode 100644 .github/workflows/cn-prod.json diff --git a/.github/workflows/cn-gamma.json b/.github/workflows/cn-gamma.json new file mode 100644 index 00000000..48f6e540 --- /dev/null +++ b/.github/workflows/cn-gamma.json 
@@ -0,0 +1,20 @@
+[
+ {
+ "artifacts_bucket": "aws-sam-cli-managed-gamma-pipelin-artifactsbucket-1pmml6dfys0rx",
+ "cloudformation_execution_role": "arn:aws-cn:iam::336678493554:role/aws-sam-cli-managed-gamma-CloudFormationExecutionR-1CDG186WIXL49",
+ "image_repository": "336678493554.dkr.ecr.cn-north-1.amazonaws.com.cn/aws-sam-cli-managed-gamma-pipeline-resources-imagerepository-jfceoqzu6uhe",
+ "pipeline_execution_role": "arn:aws-cn:iam::336678493554:role/aws-sam-cli-managed-gamma-pi-PipelineExecutionRole-ZO7FHGWQREIE",
+ "arm64_supported": false,
+ "region": "cn-north-1"
+ },
+ {
+ "artifacts_bucket": "aws-sam-cli-managed-gamma-pipelin-artifactsbucket-3fvfgiibxbkf",
+ "cloudformation_execution_role": "arn:aws-cn:iam::336815664844:role/aws-sam-cli-managed-gamma-CloudFormationExecutionR-GLTF2A1D149Y",
+ "image_repository": "336815664844.dkr.ecr.cn-northwest-1.amazonaws.com.cn/aws-sam-cli-managed-gamma-pipeline-resources-imagerepository-yhde61uzmjpx",
+ "pipeline_execution_role": "arn:aws-cn:iam::336815664844:role/aws-sam-cli-managed-gamma-pi-PipelineExecutionRole-1ANKMP1054CRU",
+ "arm64_supported": false,
+ "region": "cn-northwest-1"
+ }
+ ]
+
+
\ No newline at end of file
diff --git a/.github/workflows/cn-prod.json b/.github/workflows/cn-prod.json
new file mode 100644
index 00000000..fa599fd9
--- /dev/null
+++ b/.github/workflows/cn-prod.json
@@ -0,0 +1,18 @@ +[ + { + "artifacts_bucket": "aws-sam-cli-managed-bjs-pipeline-artifactsbucket-1pmpo0vg2orma", + "cloudformation_execution_role": "arn:aws-cn:iam::041581134020:role/aws-sam-cli-managed-bjs-p-CloudFormationExecutionR-FIBRJ5SR32TU", + "image_repository": "041581134020.dkr.ecr.cn-north-1.amazonaws.com.cn/aws-sam-cli-managed-bjs-pipeline-resources-imagerepository-fyybklhlqavr", + "pipeline_execution_role": "arn:aws-cn:iam::041581134020:role/aws-sam-cli-managed-bjs-pipe-PipelineExecutionRole-1K7Y9PGEBE79R", + "arm64_supported": false, + "region": "cn-north-1" + }, + { + "artifacts_bucket": "aws-sam-cli-managed-zhy-pipeline-artifactsbucket-1nxecxf5j1cmy", + "cloudformation_execution_role": "arn:aws-cn:iam::069767869989:role/aws-sam-cli-managed-zhy-p-CloudFormationExecutionR-17JWICM90EHQY", + "image_repository": "069767869989.dkr.ecr.cn-northwest-1.amazonaws.com.cn/aws-sam-cli-managed-zhy-pipeline-resources-imagerepository-eadb6wulxfhl", + "pipeline_execution_role": "arn:aws-cn:iam::069767869989:role/aws-sam-cli-managed-zhy-pipe-PipelineExecutionRole-JG1BG5I3CXDB", + "arm64_supported": false, + "region": "cn-northwest-1" + } +] diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 8f90549c..f1a9f2c9 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -15,6 +15,8 @@ env: CARGO_TERM_COLOR: always PIPELINE_USER_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} PIPELINE_USER_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + PIPELINE_CN_USER_ACCESS_KEY_ID: ${{ secrets.AWS_CN_ACCESS_KEY_ID }} + PIPELINE_CN_USER_SECRET_ACCESS_KEY: ${{ secrets.AWS_CN_SECRET_ACCESS_KEY }} SAM_TEMPLATE_X86_64: template-x86_64.yaml SAM_TEMPLATE_ARM64: template-arm64.yaml BETA_STACK_NAME: lambda-adapter-beta 
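Review bot: The two `PIPELINE_CN_USER_*` entries are added to what appears to be the workflow-level `env:` block of pipeline.yaml, so the China access key pair is exported to every job and step in the workflow, not only the ones that deploy to the China partition. In this patch only the `configure-aws-credentials` steps of the China package and deploy jobs read them. Referencing the secrets there directly, `aws-access-key-id: ${{ secrets.AWS_CN_ACCESS_KEY_ID }}` and `aws-secret-access-key: ${{ secrets.AWS_CN_SECRET_ACCESS_KEY }}`, would keep the keys out of build and test steps. The existing `PIPELINE_USER_*` lines in the context follow the same pattern and could be narrowed the same way.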
@@ -349,6 +351,28 @@ jobs: - uses: actions/checkout@v3 - id: set-matrix run: echo "matrix={\"include\":$(jq -r tostring .github/workflows/prod.json)}" >> $GITHUB_OUTPUT + + load-china-prod-matrix: + if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }} + needs: [ e2e-test ] + runs-on: ubuntu-20.04 + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - uses: actions/checkout@v3 + - id: set-matrix + run: echo "matrix={\"include\":$(jq -r tostring .github/workflows/cn-prod.json)}" >> $GITHUB_OUTPUT + + load-china-gamma-matrix: + if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }} + needs: [ e2e-test ] + runs-on: ubuntu-20.04 + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - uses: actions/checkout@v3 + - id: set-matrix + run: echo "matrix={\"include\":$(jq -r tostring .github/workflows/cn-gamma.json)}" >> $GITHUB_OUTPUT package-gamma: if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }} 
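Review bot: Both new `set-matrix` steps run `jq` inside a command substitution that is an argument to `echo`, so a `jq` failure (missing or malformed JSON file) does not fail the step even under the runner's default `bash -e`. The job would then publish `matrix={"include":}` and the error would only surface later as a `fromJSON` failure in the package job. Splitting the step makes the failure land where it happens: `matrix=$(jq -c '{include: .}' .github/workflows/cn-prod.json)` followed by `echo "matrix=$matrix" >> "$GITHUB_OUTPUT"`. The same applies to the `cn-gamma.json` loader here and to the two `-matrix2` loaders in the last hunk.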
@@ -486,6 +510,143 @@ jobs: name: packaged-prod-arm64-${{ matrix.region }}.yaml path: packaged-prod-arm64-${{ matrix.region }}.yaml + package-china-gamma: + if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }} + needs: [ build, load-china-gamma-matrix ] + runs-on: ubuntu-20.04 + strategy: + matrix: ${{fromJSON(needs.load-china-gamma-matrix.outputs.matrix)}} + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 + with: + python-version: "3.8" + - uses: aws-actions/setup-sam@v2 + + - name: Assume the china pipeline user role + uses: aws-actions/configure-aws-credentials@v1-node16 + with: + aws-access-key-id: ${{ env.PIPELINE_CN_USER_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ env.PIPELINE_CN_USER_SECRET_ACCESS_KEY }} + aws-region: ${{ matrix.region }} + role-to-assume: ${{ matrix.pipeline_execution_role }} + role-session-name: china-gamma-packaging + role-duration-seconds: 3600 + role-skip-session-tagging: true + + - uses: actions/download-artifact@v3 + with: + name: aws-sam-build-x86_64 + + - name: extract build_x86_64 + run: | + tar -xvf build-x86_64.tar + + - name: Upload x86_64 layer to gamma artifact buckets + run: | + sam package \ + --template build-x86_64/template.yaml \ + --s3-bucket ${{ matrix.artifacts_bucket }} \ + --image-repository ${{ matrix.image_repository }} \ + --region ${{ matrix.region }} \ + --output-template-file packaged-china-gamma-x86_64-${{ matrix.region }}.yaml + + - uses: actions/upload-artifact@v3 + with: + name: packaged-china-gamma-x86_64-${{ matrix.region }}.yaml + path: packaged-china-gamma-x86_64-${{ matrix.region }}.yaml + + - uses: actions/download-artifact@v3 + with: + name: aws-sam-build-arm64 + + - name: extract build_arm64 + run: | + tar -xvf build-arm64.tar + + - name: Upload arm64 layer to gamma artifact buckets + run: | + sam package \ + --template build-arm64/template.yaml \ + --s3-bucket ${{ matrix.artifacts_bucket }} \ + --image-repository ${{ matrix.image_repository }} \ + 
--region ${{ matrix.region }} \ + --output-template-file packaged-china-gamma-arm64-${{ matrix.region }}.yaml + + - uses: actions/upload-artifact@v3 + with: + name: packaged-china-gamma-arm64-${{ matrix.region }}.yaml + path: packaged-china-gamma-arm64-${{ matrix.region }}.yaml + + + package-china-prod: + if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }} + needs: [ build, load-china-prod-matrix ] + runs-on: ubuntu-20.04 + strategy: + matrix: ${{fromJSON(needs.load-china-prod-matrix.outputs.matrix)}} + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 + with: + python-version: "3.8" + - uses: aws-actions/setup-sam@v2 + + - name: Assume the china pipeline user role + uses: aws-actions/configure-aws-credentials@v1-node16 + with: + aws-access-key-id: ${{ env.PIPELINE_CN_USER_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ env.PIPELINE_CN_USER_SECRET_ACCESS_KEY }} + aws-region: ${{ matrix.region }} + role-to-assume: ${{ matrix.pipeline_execution_role }} + role-session-name: china-prod-packaging + role-duration-seconds: 3600 + role-skip-session-tagging: true + + - uses: actions/download-artifact@v3 + with: + name: aws-sam-build-x86_64 + + - name: extract build_x86_64 + run: | + tar -xvf build-x86_64.tar + + - name: Upload x86_64 layer to prod artifact buckets + run: | + sam package \ + --template build-x86_64/template.yaml \ + --s3-bucket ${{ matrix.artifacts_bucket }} \ + --image-repository ${{ matrix.image_repository }} \ + --region ${{ matrix.region }} \ + --output-template-file packaged-china-prod-x86_64-${{ matrix.region }}.yaml + + - uses: actions/upload-artifact@v3 + with: + name: packaged-china-prod-x86_64-${{ matrix.region }}.yaml + path: packaged-china-prod-x86_64-${{ matrix.region }}.yaml + + - uses: actions/download-artifact@v3 + with: + name: aws-sam-build-arm64 + + - name: extract build_arm64 + run: | + tar -xvf build-arm64.tar + + - name: Upload arm64 layer to prod artifact buckets + run: | + sam package \ + 
--template build-arm64/template.yaml \ + --s3-bucket ${{ matrix.artifacts_bucket }} \ + --image-repository ${{ matrix.image_repository }} \ + --region ${{ matrix.region }} \ + --output-template-file packaged-china-prod-arm64-${{ matrix.region }}.yaml + + - uses: actions/upload-artifact@v3 + with: + name: packaged-china-prod-arm64-${{ matrix.region }}.yaml + path: packaged-china-prod-arm64-${{ matrix.region }}.yaml + load-gamma-matrix2: if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }} needs: [ e2e-test, package-gamma ] 
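Review bot: The `sam package` steps in `package-china-gamma` and `package-china-prod` paste `${{ matrix.artifacts_bucket }}`, `${{ matrix.image_repository }}` and `${{ matrix.region }}` straight into the shell script, so the values are expanded into the script text before bash parses it and are never quoted. The values come from the committed JSON files, so the exposure is limited to whoever can change those files, but these steps run with the assumed pipeline execution role. Passing the values through `env:` and quoting them keeps a malformed or edited entry from being interpreted as shell syntax. The fence shows the x86_64 gamma step; the arm64 and prod steps, and the `sam deploy` steps in the last hunk, would change the same way.

```yaml
      - name: Upload x86_64 layer to gamma artifact buckets
        env:
          ARTIFACTS_BUCKET: ${{ matrix.artifacts_bucket }}
          IMAGE_REPOSITORY: ${{ matrix.image_repository }}
          REGION: ${{ matrix.region }}
        run: |
          sam package \
            --template build-x86_64/template.yaml \
            --s3-bucket "$ARTIFACTS_BUCKET" \
            --image-repository "$IMAGE_REPOSITORY" \
            --region "$REGION" \
            --output-template-file "packaged-china-gamma-x86_64-${REGION}.yaml"
      # … unchanged: upload-artifact step, arm64 download/extract …
```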
@@ -619,6 +780,142 @@ jobs: --no-fail-on-empty-changeset \ --role-arn ${{ matrix.cloudformation_execution_role }} + load-china-gamma-matrix2: + if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }} + needs: [ e2e-test ] + runs-on: ubuntu-20.04 + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - uses: actions/checkout@v3 + - id: set-matrix + run: echo "matrix={\"include\":$(jq -r tostring .github/workflows/cn-gamma.json)}" >> $GITHUB_OUTPUT + + deploy-china-gamma: + if: ${{ github.event_name == 'release' }} + needs: [load-china-gamma-matrix2] + runs-on: ubuntu-20.04 + environment: prod + strategy: + matrix: ${{fromJSON(needs.load-china-gamma-matrix2.outputs.matrix)}} + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 + with: + python-version: "3.8" + - uses: aws-actions/setup-sam@v2 + + - name: Assume the china pipeline user role + uses: aws-actions/configure-aws-credentials@v1-node16 + with: + aws-access-key-id: ${{ env.PIPELINE_CN_USER_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ env.PIPELINE_CN_USER_SECRET_ACCESS_KEY }} + aws-region: ${{ matrix.region }} + role-to-assume: ${{ matrix.pipeline_execution_role }} + role-session-name: china-deployment + role-duration-seconds: 3600 + role-skip-session-tagging: true + + - uses: actions/download-artifact@v3 + with: + name: packaged-china-gamma-x86_64-${{ matrix.region }}.yaml + + - name: Deploy x86_64 Layer to all regions in china + run: | + sam deploy --stack-name lambda-adapter-gamma-x86-${{ matrix.region }} \ + --template packaged-china-gamma-x86_64-${{ matrix.region }}.yaml \ + --capabilities CAPABILITY_IAM \ + --region ${{ matrix.region }} \ + --s3-bucket ${{ matrix.artifacts_bucket }} \ + --image-repository ${{ matrix.image_repository }} \ + --no-fail-on-empty-changeset \ + --role-arn ${{ matrix.cloudformation_execution_role }} + + - uses: actions/download-artifact@v3 + with: + name: packaged-china-gamma-arm64-${{ matrix.region }}.yaml + + - name: 
Deploy arm64 Layer to supported china regions + if: ${{ matrix.arm64_supported }} + run: | + sam deploy --stack-name lambda-adapter-gamma-arm64-${{ matrix.region }} \ + --template packaged-china-gamma-arm64-${{ matrix.region }}.yaml \ + --capabilities CAPABILITY_IAM \ + --region ${{ matrix.region }} \ + --s3-bucket ${{ matrix.artifacts_bucket }} \ + --image-repository ${{ matrix.image_repository }} \ + --no-fail-on-empty-changeset \ + --role-arn ${{ matrix.cloudformation_execution_role }} + + + load-china-prod-matrix2: + if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }} + needs: [ e2e-test, package-china-prod] + runs-on: ubuntu-20.04 + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - uses: actions/checkout@v3 + - id: set-matrix + run: echo "matrix={\"include\":$(jq -r tostring .github/workflows/china.json)}" >> $GITHUB_OUTPUT + + deploy-china-prod: + if: ${{ github.event_name == 'release' }} + needs: [load-china-prod-matrix2] + runs-on: ubuntu-20.04 + environment: prod + strategy: + matrix: ${{fromJSON(needs.load-china-prod-matrix2.outputs.matrix)}} + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 + with: + python-version: "3.8" + - uses: aws-actions/setup-sam@v2 + + - name: Assume the china pipeline user role + uses: aws-actions/configure-aws-credentials@v1-node16 + with: + aws-access-key-id: ${{ env.PIPELINE_CN_USER_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ env.PIPELINE_CN_USER_SECRET_ACCESS_KEY }} + aws-region: ${{ matrix.region }} + role-to-assume: ${{ matrix.pipeline_execution_role }} + role-session-name: china-deployment + role-duration-seconds: 3600 + role-skip-session-tagging: true + + - uses: actions/download-artifact@v3 + with: + name: packaged-china-prod-x86_64-${{ matrix.region }}.yaml + + - name: Deploy x86_64 Layer to all regions in china + run: | + sam deploy --stack-name lambda-adapter-prod-x86-${{ matrix.region }} \ + --template packaged-china-prod-x86_64-${{ matrix.region 
}}.yaml \ + --capabilities CAPABILITY_IAM \ + --region ${{ matrix.region }} \ + --s3-bucket ${{ matrix.artifacts_bucket }} \ + --image-repository ${{ matrix.image_repository }} \ + --no-fail-on-empty-changeset \ + --role-arn ${{ matrix.cloudformation_execution_role }} + + - uses: actions/download-artifact@v3 + with: + name: packaged-china-prod-arm64-${{ matrix.region }}.yaml + + - name: Deploy arm64 Layer to supported china regions + if: ${{ matrix.arm64_supported }} + run: | + sam deploy --stack-name lambda-adapter-prod-arm64-${{ matrix.region }} \ + --template packaged-china-prod-arm64-${{ matrix.region }}.yaml \ + --capabilities CAPABILITY_IAM \ + --region ${{ matrix.region }} \ + --s3-bucket ${{ matrix.artifacts_bucket }} \ + --image-repository ${{ matrix.image_repository }} \ + --no-fail-on-empty-changeset \ + --role-arn ${{ matrix.cloudformation_execution_role }} + + publish-to-public-ecr: if: ${{ github.event_name == 'release' }} needs: [deploy-prod]
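Review bot: `load-china-prod-matrix2` reads `.github/workflows/china.json`, which is not among the files this commit adds (`cn-gamma.json` and `cn-prod.json`). Unless that file already exists in the repository, the prod matrix would be empty or invalid and `deploy-china-prod` could not run; the step presumably should use `jq -r tostring .github/workflows/cn-prod.json`. Separately, `load-china-gamma-matrix2` declares `needs: [ e2e-test ]` only, so `deploy-china-gamma` can start before `package-china-gamma` has uploaded the `packaged-china-gamma-*` artifacts it downloads. The prod counterpart and the existing `load-gamma-matrix2` both wait on their package job, which suggests `needs: [ e2e-test, package-china-gamma ]`. `deploy-china-gamma` also sets `environment: prod`, which is worth confirming is the intended approval gate for a gamma deployment.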