reusable_deploy_v2_layer_stack.yml

name: Deploy CDK Layer v2 stack

# PROCESS
#
# 1. Split what AWS regions support ARM vs regions that Lambda support ARM
# 2. Deploy previously built layer for each AWS commercial region
# 3. Export all published Layers as JSON
# 4. Deploy Canaries to every deployed region to test whether Powertools can be imported etc.

# USAGE
#
# NOTE: meant to be used with ./.github/workflows/publish_v2_layer.yml
#
# beta:
#   needs: build-layer
#   # lower privilege propagated from parent workflow (release.yml)
#   permissions:
#     id-token: write
#     contents: read
#     pages: write             # docs will be updated with latest Layer ARNs
#     pull-requests: write     # creation-action will create a PR with Layer ARN updates
#   uses: ./.github/workflows/reusable_deploy_v2_layer_stack.yml
#   secrets: inherit
#   with:
#     stage: "BETA"
#     artefact-name: "cdk-layer-artefact"
#     environment: "layer-beta"
#     latest_published_version: ${{ inputs.latest_published_version }}

on:
  workflow_call:
    inputs:
      stage:
        description: "Deployment stage (BETA, PROD)"
        required: true
        type: string
      artefact-name:
        description: "CDK Layer Artefact name to download"
        required: true
        type: string
      environment:
        description: "GitHub Environment to use for encrypted secrets"
        required: true
        type: string
      latest_published_version:
        description: "Latest version that is published"
        required: true
        type: string
      source_code_artifact_name:
        description: "Artifact name to restore sealed source code"
        type: string
        required: true
      source_code_integrity_hash:
        description: "Sealed source code integrity hash"
        type: string
        required: true

permissions:
  contents: read

env:
  RELEASE_COMMIT: ${{ github.sha }}  # it gets propagated from the caller for security reasons

jobs:
  deploy-cdk-stack:
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    # lower privilege propagated from parent workflow (publish_v2_layer.yml)
    permissions:
      id-token: write
      pull-requests: none
      contents: read
      pages: none
    defaults:
      run:
        working-directory: ./layer
    strategy:
      fail-fast: false
      matrix:
        # To get a list of current regions, use:
        # aws ec2 describe-regions --all-regions --query "Regions[].RegionName" --output text | tr "\t" "\n" | sort
        include:
          - region: "af-south-1"
            has_arm64_support: "true"
          - region: "ap-east-1"
            has_arm64_support: "true"
          - region: "ap-northeast-1"
            has_arm64_support: "true"
          - region: "ap-northeast-2"
            has_arm64_support: "true"
          - region: "ap-northeast-3"
            has_arm64_support: "true"
          - region: "ap-south-1"
            has_arm64_support: "true"
          - region: "ap-south-2"
            has_arm64_support: "true"
          - region: "ap-southeast-1"
            has_arm64_support: "true"
          - region: "ap-southeast-2"
            has_arm64_support: "true"
          - region: "ap-southeast-3"
            has_arm64_support: "true"
          - region: "ap-southeast-4"
            has_arm64_support: "true"
          - region: "ca-central-1"
            has_arm64_support: "true"
          - region: "ca-west-1"
            has_arm64_support: "false"
          - region: "eu-central-1"
            has_arm64_support: "true"
          - region: "eu-central-2"
            has_arm64_support: "true"
          - region: "eu-north-1"
            has_arm64_support: "true"
          - region: "eu-south-1"
            has_arm64_support: "true"
          - region: "eu-south-2"
            has_arm64_support: "true"
          - region: "eu-west-1"
            has_arm64_support: "true"
          - region: "eu-west-2"
            has_arm64_support: "true"
          - region: "eu-west-3"
            has_arm64_support: "true"
          - region: "il-central-1"
            has_arm64_support: "true"
          - region: "me-central-1"
            has_arm64_support: "true"
          - region: "me-south-1"
            has_arm64_support: "true"
          - region: "sa-east-1"
            has_arm64_support: "true"
          - region: "us-east-1"
            has_arm64_support: "true"
          - region: "us-east-2"
            has_arm64_support: "true"
          - region: "us-west-1"
            has_arm64_support: "true"
          - region: "us-west-2"
            has_arm64_support: "true"
    steps:
      - name: checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
        with:
          ref: ${{ env.RELEASE_COMMIT }}

      - name: Restore sealed source code
        uses: ./.github/actions/seal-restore
        with:
          integrity_hash: ${{ inputs.source_code_integrity_hash }}
          artifact_name: ${{ inputs.source_code_artifact_name }}

      - name: Install poetry
        run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0
      - name: aws credentials
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          aws-region: ${{ matrix.region }}
          role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
      - name: Setup Node.js
        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
        with:
          node-version: "16.12"
      - name: Setup python
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
        with:
          python-version: "3.12"
          cache: "pip"
      - name: Resolve and install project dependencies
        # CDK spawns system python when compiling stack
        # therefore it ignores both activated virtual env and cached interpreter by GH
        run: |
          poetry export --format requirements.txt --output requirements.txt
          pip install --require-hashes -r requirements.txt
      - name: install cdk and deps
        working-directory: ./
        run: |
          npm ci
          npx cdk --version
      - name: install deps
        run: poetry install
      - name: Download artifact
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: ${{ inputs.artefact-name }}
          path: layer
      - name: unzip artefact
        run: unzip cdk.out.zip
      - name: CDK Deploy Layer
        run: npx cdk deploy --app cdk.out --context region=${{ matrix.region }} --parameters HasARM64Support=${{ matrix.has_arm64_support }} 'LayerV2Stack' --require-approval never --verbose --outputs-file cdk-outputs.json
      - name: Store latest Layer ARN
        if: ${{ inputs.stage == 'PROD' }}
        run: |
          mkdir cdk-layer-stack
          jq -r -c '.LayerV2Stack.LatestLayerArn' cdk-outputs.json > cdk-layer-stack/${{ matrix.region }}-layer-version.txt
          jq -r -c '.LayerV2Stack.LatestLayerArm64Arn' cdk-outputs.json >> cdk-layer-stack/${{ matrix.region }}-layer-version.txt
          cat cdk-layer-stack/${{ matrix.region }}-layer-version.txt
      - name: Save Layer ARN artifact
        if: ${{ inputs.stage == 'PROD' }}
        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: cdk-layer-stack-${{ matrix.region }}
          path: ./layer/cdk-layer-stack/* # NOTE: upload-artifact does not inherit working-directory setting.
          if-no-files-found: error
          retention-days: 1
      - name: CDK Deploy Canary
        run: npx cdk deploy --app cdk.out --context region=${{ matrix.region }} --parameters DeployStage="${{ inputs.stage }}" --parameters HasARM64Support=${{ matrix.has_arm64_support }} 'CanaryV2Stack' --require-approval never --verbose