aws-powertools · Jul 7, 2022
diff --git a/‎.github/workflows/publish_layer.yml
+80 b/‎.github/workflows/publish_layer.yml
+80
diff --git a/‎.github/workflows/reusable_deploy_layer_stack.yml
+87 b/‎.github/workflows/reusable_deploy_layer_stack.yml
+87
diff --git a/‎layer/.gitignore
+10 b/‎layer/.gitignore
+10
diff --git a/‎layer/README.md
+27 b/‎layer/README.md
+27
diff --git a/‎layer/app.py
+23 b/‎layer/app.py
+23
diff --git a/‎layer/cdk.json
+35 b/‎layer/cdk.json
+35
diff --git a/‎layer/layer/__init__.py b/‎layer/layer/__init__.py
diff --git a/‎layer/layer/canary/app.py
+99 b/‎layer/layer/canary/app.py
+99
diff --git a/‎layer/layer/canary_stack.py
+75 b/‎layer/layer/canary_stack.py
+75
diff --git a/‎layer/layer/layer_stack.py
+19 b/‎layer/layer/layer_stack.py
+19
diff --git a/‎layer/requirements-dev.txt
+2 b/‎layer/requirements-dev.txt
+2
diff --git a/‎layer/requirements.txt
+76 b/‎layer/requirements.txt
+76
@@ -0,0 +1,80 @@
+name: Deploy layer to all regions
+
+permissions:
+  id-token: write
+  contents: read
+
+on:
+  workflow_dispatch:
+    inputs:
+      latest_published_version:
+        description: "Latest PyPi published version to rebuild latest docs for, e.g. v1.22.0"
+        default: "v1.22.0"
+        required: true
+  workflow_run:
+    workflows: [ "Publish to PyPi" ]
+    types:
+      - completed
+
+
+jobs:
+  build-layer:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./layer
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+      - name: Setup Node.js
+        uses: actions/setup-node@v2
+        with:
+          node-version: '16.12'
+          cache: 'npm'
+      - name: Setup python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+          cache: 'pip'
+      - name: Set release notes tag
+        run: |
+          RELEASE_INPUT=${{ inputs.latest_published_version }}
+          GITHUB_EVENT_RELEASE_TAG=${{ github.event.release.tag_name }}
+          RELEASE_TAG_VERSION=${GITHUB_EVENT_RELEASE_TAG:-$RELEASE_INPUT}
+          echo "RELEASE_TAG_VERSION=${RELEASE_TAG_VERSION:1}" >> $GITHUB_ENV
+      - name: install cdk and deps
+        run: |
+          npm install -g aws-cdk@2.29.0
+          cdk --version
+      - name: install deps
+        run: |
+          pip install -r requirements.txt
+      - name: CDK build
+        run: cdk synth --context version=$RELEASE_TAG_VERSION -o cdk.out
+      - name: zip output
+        run: zip -r cdk.out.zip cdk.out
+      - name: Archive CDK artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: cdk-layer-artefact
+          path: cdk.out.zip
+
+  deploy-beta:
+    needs:
+      - build-layer
+    uses: ./.github/workflows/reusable_deploy_layer_stack.yml
+    with:
+      stage: "BETA"
+      artifact-name: "cdk-layer-artefact"
+    secrets:
+      target-account: ${{ secrets.LAYERS_BETA_ACCOUNT }}
+
+  deploy-prod:
+    needs:
+      - deploy-beta
+    uses: ./.github/workflows/reusable_deploy_layer_stack.yml
+    with:
+      stage: "PROD"
+      artifact-name: "cdk-layer-artefact"
+    secrets:
+      target-account: ${{ secrets.LAYERS_PROD_ACCOUNT }}
@@ -0,0 +1,87 @@
+name: Deploy cdk stack
+
+permissions:
+  id-token: write
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      stage:
+        required: true
+        type: string
+      artefact-name:
+        required: true
+        type: string
+    secrets:
+      target-account:
+        required: true
+
+jobs:
+  deploy-cdk-stack:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./layer
+    strategy:
+      fail-fast: false
+      matrix:
+        region: [
+          "af-south-1",
+          #          "eu-central-1",
+          #          "us-east-1",
+          #          "us-east-2",
+          #          "us-west-1",
+          #          "us-west-2",
+          #          "ap-east-1",
+          #          "ap-south-1",
+          #          "ap-northeast-1",
+          #          "ap-northeast-2",
+          #          "ap-southeast-1",
+          #          "ap-southeast-2",
+          #          "ca-central-1",
+          #          "eu-west-1",
+          #          "eu-west-2",
+          #          "eu-west-3",
+          #          "eu-south-1",
+          #          "eu-north-1",
+          #          "sa-east-1",
+          #          "ap-southeast-3",
+          #          "ap-northeast-3",
+          #          "me-south-1"
+        ]
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+      - name: aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ matrix.region }}
+          role-to-assume: arn:aws:iam::${{ secrets.target-account }}:role/${{ secrets.AWS_GITHUB_OIDC_ROLE }}
+      - name: Setup Node.js
+        uses: actions/setup-node@v2
+        with:
+          node-version: '16.12'
+          cache: 'npm'
+      - name: Setup python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+          cache: 'pip'
+      - name: install cdk and deps
+        run: |
+          npm install -g aws-cdk@2.29.0
+          cdk --version
+      - name: install deps
+        run: |
+          pip install -r requirements.txt
+      - name: Download artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{ inputs.artefact-name }}
+      - name: unzip artefact
+        run: unzip cdk.out.zip
+      - name: CDK Deploy Layer
+        run: cdk deploy --app cdk.out --context region=${{ matrix.region }} 'LayerStack ' --require-approval never --verbose
+      - name: CDK Deploy Canary
+        run: cdk deploy --app cdk.out --context region=${{ matrix.region}} --parameters DeployStage="${{ input.stage }}" 'CanaryStack' --require-approval never --verbose
@@ -0,0 +1,10 @@
+*.swp
+package-lock.json
+__pycache__
+.pytest_cache
+.venv
+*.egg-info
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
@@ -0,0 +1,27 @@
+<!-- markdownlint-disable MD041 MD043-->
+# CDK Powertools layer
+
+This is a CDK project to build and deploy AWS Lambda Powertools [Lambda layer](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer) to multiple commercial regions.
+
+## Build the layer
+
+To build the layer construct you need to provide the Powertools version that is [available in PyPi](https://pypi.org/project/aws-lambda-powertools/).
+You can pass it as a context variable when running `synth` or `deploy`,
+
+```shell
+cdk synth --context version=1.25.1
+```
+
+## Canary stack
+
+We use a canary stack to verify that the deployment is successful and we can use the layer by adding it to a newly created Lambda function.
+The canary is deployed after the layer construct. Because the layer ARN is created during the deploy we need to pass this information async via SSM parameter.
+To achieve that we use SSM parameter store to pass the layer ARN to the canary.
+The layer stack writes the layer ARN after the deployment as SSM parameter and the canary stacks reads this information and adds the layer to the function.
+
+## Version tracking
+
+AWS Lambda versions Lambda layers by incrementing a number at the end of the ARN.
+This makes it challenging to know which Powertools version a layer contains.
+For better tracking of the ARNs and the corresponding version we need to keep track which powertools version was deployed to which layer.
+To achieve that we created two components. First, we created a version tracking app which receives events via EventBridge. Second, after a successful canary deployment we send the layer ARN, Powertools version, and the region to this EventBridge.
@@ -0,0 +1,23 @@
+#!/usr/bin/env python3
+
+import aws_cdk as cdk
+
+from layer.canary_stack import CanaryStack
+from layer.layer_stack import LayerStack
+
+app = cdk.App()
+
+POWERTOOLS_VERSION: str = app.node.try_get_context("version")
+SSM_PARAM_LAYER_ARN: str = "/layers/powertools-layer-arn"
+
+if not POWERTOOLS_VERSION:
+    raise ValueError(
+        "Please set the version for Powertools by passing the '--context=version:<version>' parameter to the CDK "
+        "synth step."
+    )
+
+LayerStack(app, "LayerStack", powertools_version=POWERTOOLS_VERSION, ssm_paramter_layer_arn=SSM_PARAM_LAYER_ARN)
+
+CanaryStack(app, "CanaryStack", powertools_version=POWERTOOLS_VERSION, ssm_paramter_layer_arn=SSM_PARAM_LAYER_ARN)
+
+app.synth()
@@ -0,0 +1,35 @@
+{
+  "app": "python3 app.py",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "requirements*.txt",
+      "source.bat",
+      "**/__init__.py",
+      "python/__pycache__",
+      "tests"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ]
+  }
+}
@@ -0,0 +1,99 @@
+import datetime
+import json
+import os
+from importlib.metadata import version
+
+import boto3
+
+from aws_lambda_powertools import Logger, Metrics, Tracer
+
+logger = Logger(service="version-track")
+tracer = Tracer()
+metrics = Metrics(namespace="powertools-layer-canary", service="PowertoolsLayerCanary")
+
+layer_arn = os.getenv("POWERTOOLS_LAYER_ARN")
+powertools_version = os.getenv("POWERTOOLS_VERSION")
+stage = os.getenv("LAYER_PIPELINE_STAGE")
+event_bus_arn = os.getenv("VERSION_TRACKING_EVENT_BUS_ARN")
+
+
+def handler(event):
+    logger.info("Running checks")
+    check_envs()
+    verify_powertools_version()
+    send_notification()
+    return True
+
+
+@logger.inject_lambda_context(log_event=True)
+def on_event(event, context):
+    request_type = event["RequestType"]
+    # we handle only create events, because we recreate the canary on each run
+    if request_type == "Create":
+        return on_create(event)
+
+    return "Nothing to be processed"
+
+
+def on_create(event):
+    props = event["ResourceProperties"]
+    logger.info("create new resource with properties %s" % props)
+    handler(event)
+
+
+def check_envs():
+    logger.info('Checking required envs ["POWERTOOLS_LAYER_ARN", "AWS_REGION", "STAGE"]')
+    if not layer_arn:
+        raise ValueError("POWERTOOLS_LAYER_ARN is not set. Aborting...")
+    if not powertools_version:
+        raise ValueError("POWERTOOLS_VERSION is not set. Aborting...")
+    if not stage:
+        raise ValueError("LAYER_PIPELINE_STAGE is not set. Aborting...")
+    if not event_bus_arn:
+        raise ValueError("VERSION_TRACKING_EVENT_BUS_ARN is not set. Aborting...")
+    logger.info("All envs configured, continue...")
+
+
+def verify_powertools_version() -> None:
+    """
+    fetches the version that we import from the powertools layer and compares
+    it with expected version set in environment variable, which we pass during deployment.
+    :raise ValueError if the expected version is not the same as the version we get from the layer
+    """
+    logger.info("Checking Powertools version in library...")
+    current_version = version("aws_lambda_powertools")
+    if powertools_version != current_version:
+        raise ValueError(
+            f'Expected powertoosl version is "{powertools_version}", but layer contains version "{current_version}"'
+        )
+    logger.info(f"Current Powertools version is: {current_version}")
+
+
+def send_notification():
+    """
+    sends an event to version tracking event bridge
+    """
+    event = {
+        "Time": datetime.datetime.now(),
+        "Source": "powertools.layer.canary",
+        "EventBusName": event_bus_arn,
+        "DetailType": "deployment",
+        "Detail": json.dumps(
+            {
+                "id": "powertools-python",
+                "stage": stage,
+                "region": os.environ["AWS_REGION"],
+                "version": powertools_version,
+                "layerArn": layer_arn,
+            }
+        ),
+    }
+
+    logger.info(f"sending notification event: {event}")
+
+    client = boto3.client("events", region_name="eu-central-1")
+    resp = client.put_events(Entries=[event])
+    logger.info(resp)
+    if resp["FailedEntryCount"] != 0:
+        logger.error(resp)
+        raise ValueError("Failed to send deployment notification to version tracking")
@@ -0,0 +1,75 @@
+import uuid
+
+from aws_cdk import CfnParameter, CustomResource, Duration, Stack
+from aws_cdk.aws_iam import Effect, ManagedPolicy, PolicyStatement, Role, ServicePrincipal
+from aws_cdk.aws_lambda import Code, Function, LayerVersion, Runtime
+from aws_cdk.aws_logs import RetentionDays
+from aws_cdk.aws_ssm import StringParameter
+from aws_cdk.custom_resources import Provider
+from constructs import Construct
+
+
+class CanaryStack(Stack):
+    def __init__(
+        self,
+        scope: Construct,
+        construct_id: str,
+        powertools_version: str,
+        ssm_paramter_layer_arn: str,
+        **kwargs,
+    ) -> None:
+        super().__init__(scope, construct_id, **kwargs)
+
+        VERSION_TRACKING_EVENT_BUS_ARN: str = (
+            "arn:aws:events:eu-central-1:027876851704:event-bus/VersionTrackingEventBus"
+        )
+
+        layer_arn = StringParameter.from_string_parameter_attributes(
+            self, "LayerVersionArnParam", parameter_name=ssm_paramter_layer_arn
+        ).string_value
+
+        layer = LayerVersion.from_layer_version_arn(self, "PowertoolsLayer", layer_version_arn=layer_arn)
+        deploy_stage = CfnParameter(self, "DeployStage", description="Deployment stage for canary").value_as_string
+
+        execution_role = Role(self, "LambdaExecutionRole", assumed_by=ServicePrincipal("lambda.amazonaws.com"))
+
+        execution_role.add_managed_policy(
+            ManagedPolicy.from_aws_managed_policy_name("service-role/AWSLambdaBasicExecutionRole")
+        )
+
+        execution_role.add_to_policy(
+            PolicyStatement(effect=Effect.ALLOW, actions=["lambda:GetFunction"], resources=["*"])
+        )
+
+        canary_lambda = Function(
+            self,
+            "CanaryLambdaFunction",
+            function_name="CanaryLambdaFunction",
+            code=Code.from_asset("layer/canary"),
+            handler="app.on_event",
+            layers=[layer],
+            memory_size=512,
+            timeout=Duration.seconds(10),
+            runtime=Runtime.PYTHON_3_9,
+            log_retention=RetentionDays.ONE_MONTH,
+            role=execution_role,
+            environment={
+                "POWERTOOLS_VERSION": powertools_version,
+                "POWERTOOLS_LAYER_ARN": layer_arn,
+                "VERSION_TRACKING_EVENT_BUS_ARN": VERSION_TRACKING_EVENT_BUS_ARN,
+                "LAYER_PIPELINE_STAGE": deploy_stage,
+            },
+        )
+
+        canary_lambda.add_to_role_policy(
+            PolicyStatement(
+                effect=Effect.ALLOW, actions=["events:PutEvents"], resources=[VERSION_TRACKING_EVENT_BUS_ARN]
+            )
+        )
+
+        # custom resource provider configuration
+        provider = Provider(
+            self, "CanaryCustomResource", on_event_handler=canary_lambda, log_retention=RetentionDays.ONE_MONTH
+        )
+        # force to recreate resource on each deployment with randomized name
+        CustomResource(self, f"CanaryTrigger-{str(uuid.uuid4())[0:7]}", service_token=provider.service_token)
@@ -0,0 +1,19 @@
+from aws_cdk import Stack
+from aws_cdk.aws_ssm import StringParameter
+from cdk_lambda_powertools_python_layer import LambdaPowertoolsLayer
+from constructs import Construct
+
+
+class LayerStack(Stack):
+    def __init__(
+        self, scope: Construct, construct_id: str, powertools_version: str, ssm_paramter_layer_arn: str, **kwargs
+    ) -> None:
+        super().__init__(scope, construct_id, **kwargs)
+
+        layer = LambdaPowertoolsLayer(
+            self, "Layer", layer_version_name="AWSLambdaPowertoolsPython", version=powertools_version
+        )
+
+        layer.add_permission("PublicLayerAccess", account_id="*")
+
+        StringParameter(self, "VersionArn", parameter_name=ssm_paramter_layer_arn, string_value=layer.layer_version_arn)
@@ -0,0 +1,2 @@
+pytest==6.2.5
+boto3==1.24.22
@@ -0,0 +1,76 @@
+#
+# This file is autogenerated by pip-compile with python 3.9
+# To update, run:
+#
+#    pip-compile --generate-hashes requirements.txt
+#
+attrs==21.4.0 \
+    --hash=sha256:2d27e3784d7a565d36ab851fe94887c5eccd6a463168875832a1be79c82828b4 \
+    --hash=sha256:626ba8234211db98e869df76230a137c4c40a12d72445c45d5f5b716f076e2fd
+    # via
+    #   -r requirements.txt
+    #   cattrs
+    #   jsii
+aws-cdk-lib==2.29.0 \
+    --hash=sha256:4f852105cafd28a2bbd9bd2c6d24a2e1ab503bba923fd49a1782390b235af999 \
+    --hash=sha256:53a78788219d9bf3a998211223225b34a10f066124e2812adcd40fd0a2058572
+    # via
+    #   -r requirements.txt
+    #   cdk-lambda-powertools-python-layer
+cattrs==22.1.0 \
+    --hash=sha256:94b67b64cf92c994f8784c40c082177dc916e0489a73a9a36b24eb18a9db40c6 \
+    --hash=sha256:d55c477b4672f93606e992049f15d526dc7867e6c756cd6256d4af92e2b1e364
+    # via
+    #   -r requirements.txt
+    #   jsii
+cdk-lambda-powertools-python-layer==2.0.48 \
+    --hash=sha256:7bdd5a196e74b48d403223722f2838d1d10064d02e960a5565482cc0b7aad18d \
+    --hash=sha256:9afeacea31eba14d67360db71af385c654c9e0af9b29a0d4e0922b52f862ae03
+    # via -r requirements.txt
+constructs==10.1.43 \
+    --hash=sha256:69fd6da574c9506f44ca61e112af7d5db08ebb29b4bedc67b6d200b616f4abce \
+    --hash=sha256:f37e8c3432f94f403b50bf69476bea55719bcc3fa0d3a0e60bf0975dfe492867
+    # via
+    #   -r requirements.txt
+    #   aws-cdk-lib
+    #   cdk-lambda-powertools-python-layer
+exceptiongroup==1.0.0rc8 \
+    --hash=sha256:6990c24f06b8d33c8065cfe43e5e8a4bfa384e0358be036af9cc60b6321bd11a \
+    --hash=sha256:ab0a968e1ef769e55d9a596f4a89f7be9ffedbc9fdefdb77cc68cf5c33ce1035
+    # via
+    #   -r requirements.txt
+    #   cattrs
+jsii==1.61.0 \
+    --hash=sha256:542a72cd1a144d36fa530dc359b5295b82d9e7ecdd76d5c7b4b61195f132a746 \
+    --hash=sha256:b2899f24bcc95ce009bc256558c81cde8cff9f830eddbe9b0d581c40558a1ff0
+    # via
+    #   -r requirements.txt
+    #   aws-cdk-lib
+    #   cdk-lambda-powertools-python-layer
+    #   constructs
+publication==0.0.3 \
+    --hash=sha256:0248885351febc11d8a1098d5c8e3ab2dabcf3e8c0c96db1e17ecd12b53afbe6 \
+    --hash=sha256:68416a0de76dddcdd2930d1c8ef853a743cc96c82416c4e4d3b5d901c6276dc4
+    # via
+    #   -r requirements.txt
+    #   aws-cdk-lib
+    #   cdk-lambda-powertools-python-layer
+    #   constructs
+python-dateutil==2.8.2 \
+    --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \
+    --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9
+    # via
+    #   -r requirements.txt
+    #   jsii
+six==1.16.0 \
+    --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
+    --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
+    # via
+    #   -r requirements.txt
+    #   python-dateutil
+typing-extensions==4.3.0 \
+    --hash=sha256:25642c956049920a5aa49edcdd6ab1e06d7e5d467fc00e0506c44ac86fbfca02 \
+    --hash=sha256:e6d2677a32f47fc7eb2795db1dd15c1f34eff616bcaf2cfb5e997f854fa1c4a6
+    # via
+    #   -r requirements.txt
+    #   jsii