Merge pull request #13 from DataDog/aleksandr.pasechnik/govcloud-publish-script

chore: govcloud publish script

Author: apiarian-datadog

.gitlab-ci.yml

@@ -6,7 +6,7 @@ variables:
   VERSION: dev
   # Manual trigger variables
   TRACER_BRANCH:
-    description: "Branch of the dd-trace-dotnet repository to use (default empty)."
+    description: "Branch of the dd-trace-dotnet repository to use (default empty). For a basic testing, you can use master or something."
     value: ""
   TRACER_VERSION:
     description: "Latest release version of the dd-trace-dotnet to tag the build with (default empty)."

.gitlab/datasources/environments.yaml

@@ -1,9 +1,9 @@
 environments:
-  - name: sandbox
+  sandbox:
     external_id: sandbox-publish-externalid
     role_to_assume: sandbox-layer-deployer
     account: 425362996713
-  - name: prod
+  prod:
     external_id: prod-publish-externalid
     role_to_assume: dd-serverless-layer-deployer-role
     account: 464622532012

.gitlab/scripts/publish_layers.sh

@@ -8,7 +8,7 @@
 set -e
 
 LAYER_DIR=".layers"
-VALID_ACCOUNTS=("sandbox" "prod")
+VALID_ACCOUNTS=("sandbox" "prod" "gov-staging" "gov-prod")
 
 publish_layer() {
     region=$1
@@ -101,7 +101,7 @@ else
     LAYER_NAME="${LAYER_NAME}-${LAYER_SUFFIX}"
 fi
 
-if [[ "$STAGE" =~ ^(staging|sandbox)$ ]]; then
+if [[ "$STAGE" =~ ^(staging|sandbox|gov-staging)$ ]]; then
     # Deploy latest version
     latest_version=$(aws lambda list-layer-versions --region $REGION --layer-name $LAYER_NAME --query 'LayerVersions[0].Version || `0`')
     VERSION=$(($latest_version + 1))

.gitlab/template.yaml.tpl

@@ -44,9 +44,6 @@ build layer ({{ $architecture.name }}):
   script:
     - .gitlab/scripts/build_layer.sh
 
-{{ range $environment := (ds "environments").environments }}
-
-{{ if or (eq $environment.name "prod") }}
 sign layer ({{ $architecture.name }}):
   stage: sign
   tags: ["arch:amd64"]
@@ -65,28 +62,31 @@ sign layer ({{ $architecture.name }}):
   variables:
     LAYER_FILE: dd_trace_dotnet_{{ $architecture.name }}.zip
   before_script:
+    {{ with $environment := (ds "environments").environments.prod }}
     - EXTERNAL_ID_NAME={{ $environment.external_id }} ROLE_TO_ASSUME={{ $environment.role_to_assume }} AWS_ACCOUNT={{ $environment.account }} source .gitlab/scripts/get_secrets.sh
+    {{ end }}
   script:
-    - .gitlab/scripts/sign_layers.sh {{ $environment.name }}
-{{ end }}
+    - .gitlab/scripts/sign_layers.sh prod
+
+{{ range $environment_name, $environment := (ds "environments").environments }}
 
-publish layer {{ $environment.name }} ({{ $architecture.name }}):
+publish layer {{ $environment_name }} ({{ $architecture.name }}):
   stage: publish
   tags: ["arch:amd64"]
   image: ${CI_DOCKER_TARGET_IMAGE}:${CI_DOCKER_TARGET_VERSION}
   rules:
-    - if: '"{{ $environment.name }}" =~ /^(sandbox|staging)/'
+    - if: '"{{ $environment_name }}" =~ "sandbox"'
       when: manual
       allow_failure: true
     - if: '$CI_COMMIT_TAG =~ /^v.*/'
   needs:
-{{ if or (eq $environment.name "prod") }}
+{{ if eq $environment_name "prod" }}
       - sign layer ({{ $architecture.name }})
 {{ else }}
       - build layer ({{ $architecture.name }})
 {{ end }}
   dependencies:
-{{ if or (eq $environment.name "prod") }}
+{{ if eq $environment_name "prod" }}
       - sign layer ({{ $architecture.name }})
 {{ else }}
       - build layer ({{ $architecture.name }})
@@ -99,12 +99,58 @@ publish layer {{ $environment.name }} ({{ $architecture.name }}):
   variables:
     ARCHITECTURE: {{ $architecture.name }}
     LAYER_FILE: dd_trace_dotnet_{{ $architecture.name }}.zip
-    STAGE: {{ $environment.name }}
+    STAGE: {{ $environment_name }}
   before_script:
     - EXTERNAL_ID_NAME={{ $environment.external_id }} ROLE_TO_ASSUME={{ $environment.role_to_assume }} AWS_ACCOUNT={{ $environment.account }} source .gitlab/scripts/get_secrets.sh
   script:
     - .gitlab/scripts/publish_layers.sh
 
 {{- end }} # environments end
 
-{{- end }} # architectures end
+{{- end }} # architectures end
+
+layer bundle:
+  stage: build
+  tags: ["arch:amd64"]
+  image: ${CI_DOCKER_TARGET_IMAGE}:${CI_DOCKER_TARGET_VERSION}
+  needs:
+    {{ range (ds "architectures").architectures }}
+    - build layer ({{ .name }})
+    {{ end }}
+  dependencies:
+    {{ range (ds "architectures").architectures }}
+    - build layer ({{ .name }})
+    {{ end }}
+  artifacts:
+    expire_in: 1 hr
+    paths:
+      - dd_trace_dotnet-bundle-${CI_JOB_ID}/
+    name: dd_trace_dotnet-bundle-${CI_JOB_ID}
+  script:
+    - rm -rf dd_trace_dotnet-bundle-${CI_JOB_ID}
+    - mkdir -p dd_trace_dotnet-bundle-${CI_JOB_ID}
+    - cp .layers/dd_trace_dotnet_*.zip dd_trace_dotnet-bundle-${CI_JOB_ID}
+
+signed layer bundle:
+  stage: sign
+  image: ${CI_DOCKER_TARGET_IMAGE}:${CI_DOCKER_TARGET_VERSION}
+  tags: ["arch:amd64"]
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^v.*/'
+  needs:
+    {{ range (ds "architectures").architectures }}
+    - sign layer ({{ .name }})
+    {{ end }}
+  dependencies:
+    {{ range (ds "architectures").architectures }}
+    - sign layer ({{ .name }})
+    {{ end }}
+  artifacts:
+    expire_in: 1 day
+    paths:
+      - dd_trace_dotnet-signed-bundle-${CI_JOB_ID}/
+    name: dd_trace_dotnet-signed-bundle-${CI_JOB_ID}
+  script:
+    - rm -rf dd_trace_dotnet-signed-bundle-${CI_JOB_ID}
+    - mkdir -p dd_trace_dotnet-signed-bundle-${CI_JOB_ID}
+    - cp .layers/dd_trace_dotnet_*.zip dd_trace_dotnet-signed-bundle-${CI_JOB_ID}

scripts/publish_govcloud.sh

@@ -1,110 +1,102 @@
-#!/bin/bash
-
-# Download layer from your prod release artifacts in Gitlab. Put layers in .layers
-# Use with `VERSION=<version> REGION=<govcloud region> ./publish_govcloud.sh <DESIRED_NEW_VERSION>
-
-if [ ! -f "../.layers/dd_trace_dotnet_amd64.zip" ]; then
-    printf "[ERROR]: Could not find .layers/dd_trace_dotnet_amd64.zip. Download from prod release artifacts.\n"
+#! /usr/bin/env bash
+
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2025 Datadog, Inc.
+#
+# USAGE: download the layer bundle from the build pipeline in gitlab. Use the
+# Download button on the `layer bundle` job. This will be a zip file containing
+# all of the required layers. Run this script as follows:
+#
+# ENVIRONMENT=[us1-staging-fed or us1-fed] [LAYER_NAME_SUFFIX=optional-layer-suffix] [REGIONS=us-gov-west-1] ./scripts/publish_govcloud.sh <layer-bundle.zip>
+#
+# protip: you can drag the zip file from finder into your terminal to insert
+# its path.
+
+set -e
+
+LAYER_PACKAGE=$1
+
+if [ -z "$LAYER_PACKAGE" ]; then
+    printf "[ERROR]: layer package not provided\n"
     exit 1
 fi
 
-if [ ! -f "../.layers/dd_trace_dotnet_arm64.zip" ]; then
-    printf "[ERROR]: Could not find .layers/dd_trace_dotnet_arm64.zip. Download from prod release artifacts.\n"
-    exit 1
-fi
+PACKAGE_NAME=$(basename "$LAYER_PACKAGE" .zip)
 
-if [ -z "$VERSION" ]; then
-    printf "Must specify a desired version number using VERSION env var\n"
+if [ -z "$ENVIRONMENT" ]; then
+    printf "[ERROR]: ENVIRONMENT not specified\n"
     exit 1
 fi
 
-if [ -z "$REGION" ]; then
-  printf "Must specify region using REGION env var\n"
-  exit 1
-fi
+if [ "$ENVIRONMENT" = "us1-staging-fed" ]; then
+    AWS_VAULT_ROLE=sso-govcloud-us1-staging-fed-power-user
 
-echo "Ensuring you have access to the AWS GovCloud account..."
-aws-vault exec sso-govcloud-us1-fed-engineering -- aws sts get-caller-identity
+    export STAGE=gov-staging
 
-AVAILABLE_REGIONS=$(aws-vault exec sso-govcloud-us1-fed-engineering -- aws ec2 describe-regions | jq -r '.[] | .[] | .RegionName')
-echo "Available regions:"
-echo "$AVAILABLE_REGIONS"
-REGION_VALID=false
-echo
+    if [[ ! "$PACKAGE_NAME" =~ ^dd_trace_dotnet-(signed-)?bundle-[0-9]+$ ]]; then
+        echo "[ERROR]: Unexpected package name: $PACKAGE_NAME"
+        exit 1
+    fi
 
-for available_region in $AVAILABLE_REGIONS; do
-    if [ "$REGION" == "$available_region" ]; then
-        REGION_VALID=true
-        break
+elif [ $ENVIRONMENT = "us1-fed" ]; then
+    AWS_VAULT_ROLE=sso-govcloud-us1-fed-engineering
+
+    export STAGE=gov-prod
+
+    if [[ ! "$PACKAGE_NAME" =~ ^dd_trace_dotnet-signed-bundle-[0-9]+$ ]]; then
+        echo "[ERROR]: Unexpected package name: $PACKAGE_NAME"
+        exit 1
     fi
-done
 
-if [ "$REGION_VALID" != "true" ]; then
-    echo "[ERROR]: Invalid region '$REGION'. Available regions are:"
-    echo "$AVAILABLE_REGIONS"
-    echo
+else
+    printf "[ERROR]: ENVIRONMENT not supported, must be us1-staging-fed or us1-fed.\n"
     exit 1
 fi
 
-LATEST_VERSION=$(aws-vault exec sso-govcloud-us1-fed-engineering \
- -- aws lambda list-layer-versions \
- --region $REGION --layer-name dd-trace-dotnet \
- --query 'LayerVersions[0].Version || `0`')
-EXPECTED_VERSION=$((LATEST_VERSION + 1))
+TEMP_DIR=$(mktemp -d)
+unzip $LAYER_PACKAGE -d $TEMP_DIR
+mkdir -p .layers
+cp -v $TEMP_DIR/$PACKAGE_NAME/*.zip .layers/
 
 
-if [ "$VERSION" != "$EXPECTED_VERSION" ]; then
-    echo "[ERROR]: Version must be sequential. Latest version is $LATEST_VERSION, so next version must be $EXPECTED_VERSION"
-    echo
-    exit 1
-fi
+AWS_VAULT_PREFIX="aws-vault exec $AWS_VAULT_ROLE --"
 
-echo "Publishing tracer layer version $VERSION to region $REGION"
-read -p "Continue? (y/n): " CONFIRM
-if [[ $CONFIRM != "y" ]]; then
-    echo "Aborting."
-    echo
-    exit 1
+echo "Checking that you have access to the GovCloud AWS account"
+$AWS_VAULT_PREFIX aws sts get-caller-identity
+
+
+AVAILABLE_REGIONS=$($AWS_VAULT_PREFIX aws ec2 describe-regions | jq -r '.[] | .[] | .RegionName')
+
+# Determine the target regions
+if [ -z "$REGIONS" ]; then
+    echo "Region not specified, running for all available regions."
+    REGIONS=$AVAILABLE_REGIONS
+else
+    echo "Region specified: $REGIONS"
+    if [[ ! "$AVAILABLE_REGIONS" == *"$REGIONS"* ]]; then
+        echo "Could not find $REGIONS in available regions: $AVAILABLE_REGIONS"
+        echo ""
+        echo "EXITING SCRIPT."
+        exit 1
+    fi
 fi
 
-printf "Publishing dd-trace-dotnet...\n"
-NEW_VERSION=$(aws-vault exec sso-govcloud-us1-fed-engineering -- \
-    aws lambda publish-layer-version --layer-name dd-trace-dotnet \
-    --description "dd-trace-dotnet" \
-    --compatible-runtimes "dotnet6" "dotnet8" \
-    --compatible-architectures "x86_64" \
-    --zip-file "fileb://../.layers/dd_trace_dotnet_amd64.zip" \
-    --region $REGION \
-    | jq -r '.Version')
-
-printf "Publishing dd-trace-dotnet-ARM...\n"
-NEW_VERSION=$(aws-vault exec sso-govcloud-us1-fed-engineering -- \
-    aws lambda publish-layer-version --layer-name dd-trace-dotnet-ARM \
-    --description "dd-trace-dotnet" \
-    --compatible-runtimes "dotnet6" "dotnet8" \
-    --compatible-architectures "arm64" \
-    --zip-file "fileb://../.layers/dd_trace_dotnet_arm64.zip" \
-    --region $REGION \
-    | jq -r '.Version')
-
-printf "Setting permission for dd-trace-dotnet...\n"
-permission=$(aws-vault exec sso-govcloud-us1-fed-engineering -- \
-    aws lambda add-layer-version-permission --layer-name dd-trace-dotnet \
-    --version-number $NEW_VERSION \
-    --statement-id "release-$NEW_VERSION" \
-    --action lambda:GetLayerVersion \
-    --principal "*" \
-    --region $REGION
-)
-
-printf "Setting permission for dd-trace-dotnet-ARM...\n"
-permission=$(aws-vault exec sso-govcloud-us1-fed-engineering -- \
-    aws lambda add-layer-version-permission --layer-name dd-trace-dotnet-ARM \
-    --version-number $NEW_VERSION \
-    --statement-id "release-$NEW_VERSION" \
-    --action lambda:GetLayerVersion \
-    --principal "*" \
-    --region $REGION
-)
-
-echo "Published layer v$NEW_VERSION to $REGION!"
+for region in $REGIONS
+do
+    echo "Starting publishing layers for region $region..."
+
+    export REGION=$region
+
+    for arch in "amd64" "arm64"; do
+        export ARCHITECTURE=$arch
+        export LAYER_FILE="dd_trace_dotnet_${ARCHITECTURE}.zip"
+
+        echo "Publishing layer $LAYER_FILE for $ARCHITECTURE"
+
+        $AWS_VAULT_PREFIX .gitlab/scripts/publish_layers.sh
+    done
+done
+
+echo "Done !"