From c73b5ee9bb495919de07ef8cdb11f180fcf86ea1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=BAben=20Fonseca?= Date: Tue, 11 Oct 2022 10:32:21 +0200 Subject: [PATCH] feat(sar): add support for publishing SAR via Github Actions --- .github/workflows/publish_v2_layer.yml | 26 +++++++ .github/workflows/reusable_deploy_v2_sar.yml | 76 ++++++++++++++++++++ layer/sar/template.txt | 38 ++++++++++ 3 files changed, 140 insertions(+) create mode 100644 .github/workflows/reusable_deploy_v2_sar.yml create mode 100644 layer/sar/template.txt diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml index 469a94ad876..08d56d61ec4 100644 --- a/.github/workflows/publish_v2_layer.yml +++ b/.github/workflows/publish_v2_layer.yml @@ -23,6 +23,8 @@ jobs: defaults: run: working-directory: ./layer + outputs: + release-tag-version: ${{ steps.release-notes-tag.outputs.release-tag-version }} steps: - name: checkout uses: actions/checkout@v3 @@ -46,11 +48,13 @@ jobs: poetry export --format requirements.txt --output requirements.txt pip install -r requirements.txt - name: Set release notes tag + id: release-notes-tag run: | RELEASE_INPUT=${{ inputs.latest_published_version }} LATEST_TAG=$(git describe --tag --abbrev=0) RELEASE_TAG_VERSION=${RELEASE_INPUT:-$LATEST_TAG} echo RELEASE_TAG_VERSION="${RELEASE_TAG_VERSION:1}" >> "$GITHUB_ENV" + echo "::set-output name=release-tag-version::$RELEASE_TAG_VERSION" - name: Set up QEMU uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8 # v2.0.0 # NOTE: we need QEMU to build Layer against a different architecture (e.g., ARM) 
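Review bot: The new `release-tag-version` output in the "Set release notes tag" step of `publish_v2_layer.yml` is written from `$RELEASE_TAG_VERSION` unmodified, while the `GITHUB_ENV` line just above it drops the first character with `${RELEASE_TAG_VERSION:1}`. If tags carry a leading `v`, as that stripping suggests, the SAR job receives `v…` as `package-version` and its sed step writes that into the generated template. `::set-output` is also a deprecated workflow command; the `GITHUB_OUTPUT` file replaces it and keeps step outputs off stdout, so both issues can be fixed with `echo "release-tag-version=${RELEASE_TAG_VERSION:1}" >> "$GITHUB_OUTPUT"`. Separately, the context line `RELEASE_INPUT=${{ inputs.latest_published_version }}` expands a workflow input into the script text, and that value now flows into a publishing job; mapping it through the step's `env:` and reading it as a quoted shell variable would keep it from being parsed as shell.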
@@ -81,6 +85,17 @@ jobs: artefact-name: "cdk-layer-artefact" environment: "layer-beta" + deploy-sar-beta: + needs: + - build-layer + uses: ./.github/workflows/reusable_deploy_v2_sar.yml + secrets: inherit + with: + stage: "BETA" + artefact-name: "cdk-layer-artefact" + environment: "layer-beta" + package-version: ${{ needs.build-layer.outputs.release-tag-version }} + # deploy-prod: # needs: # - deploy-beta @@ -90,3 +105,14 @@ jobs: # stage: "PROD" # artefact-name: "cdk-layer-artefact" # environment: "layer-prod" + + # deploy-sar-prod: + # needs: + # - build-layer + # uses: ./.github/workflows/reusable_deploy_v2_sar.yml + # secrets: inherit + # with: + # stage: "PROD" + # artefact-name: "cdk-layer-artefact" + # environment: "layer-beta" + # package-version: ${{ needs.build-layer.outputs.release-tag-version }} diff --git a/.github/workflows/reusable_deploy_v2_sar.yml b/.github/workflows/reusable_deploy_v2_sar.yml new file mode 100644 index 00000000000..7e7883715a4 --- /dev/null +++ b/.github/workflows/reusable_deploy_v2_sar.yml 
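Review bot: `secrets: inherit` on the new `deploy-sar-beta` job hands every secret the caller can read to the reusable workflow, although `reusable_deploy_v2_sar.yml` only references `AWS_SAR_ROLE_ARN` and `AWS_SAR_S3_BUCKET`. Passing those two by name limits what a compromised step in the called workflow can reach: a `secrets:` mapping with `AWS_SAR_ROLE_ARN: ${{ secrets.AWS_SAR_ROLE_ARN }}` and `AWS_SAR_S3_BUCKET: ${{ secrets.AWS_SAR_S3_BUCKET }}`, plus matching `secrets:` declarations under `workflow_call`. If both values are meant to come from the `layer-beta` environment, they are presumably resolved inside the called job and inheriting may not be needed at all; worth confirming which is the case.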
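Review bot: The commented-out `deploy-sar-prod` job pairs `stage: "PROD"` with `environment: "layer-beta"`, so once it is enabled the production publish would run under the beta environment's secrets and protection rules. The commented `deploy-prod` block just above uses `"layer-prod"`, and the same value looks intended here: `#      environment: "layer-prod"`. The job also lists only `build-layer` under `needs`, so it would not wait for `deploy-sar-beta` the way `deploy-prod` waits for `deploy-beta`.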
@@ -0,0 +1,76 @@
+name: Deploy V2 SAR
+
+permissions:
+ id-token: write
+ contents: read
+
+env:
+ SAM_VERSION: 2.44.0
+ NODE_VERSION: 16.12
+ AWS_REGION: eu-central-1
+
+on:
+ workflow_call:
+ inputs:
+ stage:
+ description: "Deployment stage (BETA, PROD)"
+ required: true
+ type: string
+ artefact-name:
+ description: "CDK Layer Artefact name to download"
+ required: true
+ type: string
+ package-version:
+ description: "The version of the package to deploy"
+ required: true
+ type: string
+ environment:
+ description: "GitHub Environment to use for encrypted secrets"
+ required: true
+ type: string
+
+jobs:
+ deploy-cdk-stack:
+ runs-on: ubuntu-latest
+ environment: ${{ inputs.environment }}
+ defaults:
+ run:
+ working-directory: ./layer
+ steps:
+ - name: checkout
+ uses: actions/checkout@v3
+ - name: aws credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-region: $AWS_REGION
+ role-to-assume: ${{ secrets.AWS_SAR_ROLE_ARN }}
+ - name: Setup Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: $NODE_VERSION
+ - name: install cdk and deps
+ run: |
+ npm install -g "aws-cdk@$CDK_VERSION"
+ cdk --version
+ - name: Download artifact
+ uses: actions/download-artifact@v3
+ with:
+ name: ${{ inputs.artefact-name }}
+ path: layer
+ - name: unzip artefact
+ run: |
+ unzip cdk.out.zip
+ - name: Deploy x86_64 SAR
+ run: |
+ asset=$(jq -jc '.Resources[] | select(.Properties.CompatibleArchitectures == ["x86_64"]) | .Metadata."aws:asset:path"' cdk.out/LayerStack.template.json)
+ sed -e "s//${{ inputs.package-version }}/g" -e "s//aws-lambda-powertools-python-layer-v2/g" -e "s//.\/cdk.out\/$asset/g" sar/template.txt > sar/template.yml
+ cp ../README.md ../LICENSE "./cdk.out/$asset/"
+ pipx run sam=="$SAM_VERSION" package --template-file sar/template.yml --output-template-file packaged.yml --s3-bucket ${{ secrets.AWS_SAR_S3_BUCKET }}
+ pipx run sam=="$SAM_VERSION" publish --template packaged.yml --region "$AWS_REGION"
+ - name: Deploy arm64 SAR
+ run: |
+ asset=$(jq -jc '.Resources[] | select(.Properties.CompatibleArchitectures == ["arm64"]) | .Metadata."aws:asset:path"' cdk.out/LayerStack.template.json)
+ sed -e "s//${{ inputs.package-version }}/g" -e "s//aws-lambda-powertools-python-layer-v2-arm64/g" -e "s//.\/cdk.out\/$asset/g" sar/template.txt > sar/template.yml
+ cp ../README.md ../LICENSE "./cdk.out/$asset/"
+ pipx run sam=="$SAM_VERSION" package --template-file sar/template.yml --output-template-file packaged.yml --s3-bucket ${{ secrets.AWS_SAR_S3_BUCKET }}
+ pipx run sam=="$SAM_VERSION" publish --template packaged.yml --region "$AWS_REGION"
diff --git a/layer/sar/template.txt b/layer/sar/template.txt
new file mode 100644
index 00000000000..8f8ea9085cf
--- /dev/null
+++ b/layer/sar/template.txt
@@ -0,0 +1,38 @@
+AWSTemplateFormatVersion: '2010-09-09'
+
+Metadata:
+ AWS::ServerlessRepo::Application:
+ Name:
+ Description: "AWS Lambda Layer for aws-lambda-powertools "
+ Author: AWS
+ SpdxLicenseId: Apache-2.0
+ LicenseUrl: LICENSE
+ ReadmeUrl: README.md
+ Labels: ['layer','lambda','powertools','python', 'aws']
+ HomePageUrl: https://github.com/awslabs/aws-lambda-powertools-python
+ SemanticVersion:
+ SourceCodeUrl: https://github.com/awslabs/aws-lambda-powertools-python
+
+Transform: AWS::Serverless-2016-10-31
+Description: AWS Lambda Layer for aws-lambda-powertools with python 3.9, 3.8 or 3.7
+
+Resources:
+ LambdaLayer:
+ Type: AWS::Serverless::LayerVersion
+ Properties:
+ Description: "AWS Lambda Layer for aws-lambda-powertools version "
+ LayerName:
+ ContentUri:
+ CompatibleRuntimes:
+ - python3.9
+ - python3.8
+ - python3.7
+ LicenseInfo: 'Available under the Apache-2.0 license.'
+ RetentionPolicy: Retain
+
+Outputs:
+ LayerVersionArn:
+ Description: ARN for the published Layer version
+ Value: !Ref LambdaLayer
+ Export:
+ Name: !Sub 'LayerVersionArn-${AWS::StackName}'
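Review bot: In `reusable_deploy_v2_sar.yml`, several values in the `deploy-cdk-stack` job do not resolve to what the workflow intends, and the job holds `id-token: write` and an assumed AWS role while it runs them. `aws-region: $AWS_REGION` and `node-version: $NODE_VERSION` sit in `with:` blocks, which are not passed through a shell, so the actions receive the literal strings; `$CDK_VERSION` is not defined in the `env:` block, which leaves `npm install -g "aws-cdk@$CDK_VERSION"` without a pinned version; and `pipx run sam==…` requests a PyPI project named `sam`, whereas the SAM CLI is distributed as `aws-sam-cli` (confirm that `SAM_VERSION: 2.44.0` is a release of that package). `${{ inputs.package-version }}` and `${{ secrets.AWS_SAR_S3_BUCKET }}` are expanded into the script text before bash runs; passing them through `env:` and quoting them keeps their contents from being parsed as shell, and the version is still worth validating before it is used as a sed replacement. The same changes apply to the `Deploy arm64 SAR` step. The actions here are referenced by tag, while `publish_v2_layer.yml` pins `docker/setup-qemu-action` to a commit SHA; the same pinning would suit a job that assumes a publishing role.

```yaml
      - name: aws credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ secrets.AWS_SAR_ROLE_ARN }}
      # … unchanged apart from `node-version: ${{ env.NODE_VERSION }}`: Setup Node.js …
      # … unchanged: install cdk (needs CDK_VERSION defined under env:), download, unzip …
      - name: Deploy x86_64 SAR
        env:
          PACKAGE_VERSION: ${{ inputs.package-version }}
          SAR_BUCKET: ${{ secrets.AWS_SAR_S3_BUCKET }}
        run: |
          # … unchanged: asset lookup; sed reads "$PACKAGE_VERSION" instead of the inline expression; cp …
          pipx run --spec "aws-sam-cli==$SAM_VERSION" sam package --template-file sar/template.yml --output-template-file packaged.yml --s3-bucket "$SAR_BUCKET"
          pipx run --spec "aws-sam-cli==$SAM_VERSION" sam publish --template packaged.yml --region "$AWS_REGION"
```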