
Commit 870b8c7

chore: new govcloud publish script
1 parent a0e828d commit 870b8c7


2 files changed

+84
-92
lines changed


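--- a/.gitlab/scripts/publish_layers.sh
+++ b/.gitlab/scripts/publish_layers.sh
@@ -8,7 +8,7 @@
 set -e
 
 LAYER_DIR=".layers"
-VALID_ACCOUNTS=("sandbox" "prod")
+VALID_ACCOUNTS=("sandbox" "prod" "gov-staging" "gov-prod")
 
 publish_layer() {
 region=$1
@@ -101,7 +101,7 @@ else
 LAYER_NAME="${LAYER_NAME}-${LAYER_SUFFIX}"
 fi
 
-if [[ "$STAGE" =~ ^(staging|sandbox)$ ]]; then
+if [[ "$STAGE" =~ ^(staging|sandbox|gov-staging)$ ]]; then
 # Deploy latest version
 latest_version=$(aws lambda list-layer-versions --region $REGION --layer-name $LAYER_NAME --query 'LayerVersions[0].Version || `0`')
 VERSION=$(($latest_version + 1))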
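Review bot: `gov-prod` is accepted in `VALID_ACCOUNTS` but is not in the auto-version pattern of the second hunk, so a gov-prod run skips the `latest_version + 1` path and depends on whatever this `if` does for other stages, which lies outside the hunk. The rewritten scripts/publish_govcloud.sh in this commit no longer sets, checks or documents `VERSION`, so if that other path reads it, a guard such as `: "${VERSION:?VERSION must be set for stage $STAGE}"` there would make the failure explicit instead of publishing under an unintended number. The `$REGION` and `$LAYER_NAME` expansions on the `list-layer-versions` line are unquoted context lines, but they now receive values exported by the new wrapper, so quoting them (`--region "$REGION" --layer-name "$LAYER_NAME"`) is worth doing in the same change.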

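--- a/scripts/publish_govcloud.sh
+++ b/scripts/publish_govcloud.sh
@@ -1,110 +1,102 @@
-#!/bin/bash
-
-# Download layer from your prod release artifacts in Gitlab. Put layers in .layers
-# Use with `VERSION=<version> REGION=<govcloud region> ./publish_govcloud.sh <DESIRED_NEW_VERSION>
-
-if [ ! -f "../.layers/dd_trace_dotnet_amd64.zip" ]; then
-printf "[ERROR]: Could not find .layers/dd_trace_dotnet_amd64.zip. Download from prod release artifacts.\n"
+#! /usr/bin/env bash
+
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2025 Datadog, Inc.
+#
+# USAGE: download the layer bundle from the build pipeline in gitlab. Use the
+# Download button on the `layer bundle` job. This will be a zip file containing
+# all of the required layers. Run this script as follows:
+#
+# ENVIRONMENT=[us1-staging-fed or us1-fed] [LAYER_NAME_SUFFIX=optional-layer-suffix] [REGIONS=us-gov-west-1] ./scripts/publish_govcloud.sh <layer-bundle.zip>
+#
+# protip: you can drag the zip file from finder into your terminal to insert
+# its path.
+
+set -e
+
+LAYER_PACKAGE=$1
+
+if [ -z "$LAYER_PACKAGE" ]; then
+printf "[ERROR]: layer package not provided\n"
 exit 1
 fi
 
-if [ ! -f "../.layers/dd_trace_dotnet_arm64.zip" ]; then
-printf "[ERROR]: Could not find .layers/dd_trace_dotnet_arm64.zip. Download from prod release artifacts.\n"
-exit 1
-fi
+PACKAGE_NAME=$(basename "$LAYER_PACKAGE" .zip)
 
-if [ -z "$VERSION" ]; then
-printf "Must specify a desired version number using VERSION env var\n"
+if [ -z "$ENVIRONMENT" ]; then
+printf "[ERROR]: ENVIRONMENT not specified\n"
 exit 1
 fi
 
-if [ -z "$REGION" ]; then
-printf "Must specify region using REGION env var\n"
-exit 1
-fi
+if [ "$ENVIRONMENT" = "us1-staging-fed" ]; then
+AWS_VAULT_ROLE=sso-govcloud-us1-staging-fed-power-user
 
-echo "Ensuring you have access to the AWS GovCloud account..."
-aws-vault exec sso-govcloud-us1-fed-engineering -- aws sts get-caller-identity
+export STAGE=gov-staging
 
-AVAILABLE_REGIONS=$(aws-vault exec sso-govcloud-us1-fed-engineering -- aws ec2 describe-regions | jq -r '.[] | .[] | .RegionName')
-echo "Available regions:"
-echo "$AVAILABLE_REGIONS"
-REGION_VALID=false
-echo
+if [[ ! "$PACKAGE_NAME" =~ ^dd_trace_dotnet-(signed-)?bundle-[0-9]+$ ]]; then
+echo "[ERROR]: Unexpected package name: $PACKAGE_NAME"
+exit 1
+fi
 
-for available_region in $AVAILABLE_REGIONS; do
-if [ "$REGION" == "$available_region" ]; then
-REGION_VALID=true
-break
+elif [ $ENVIRONMENT = "us1-fed" ]; then
+AWS_VAULT_ROLE=sso-govcloud-us1-fed-engineering
+
+export STAGE=gov-prod
+
+if [[ ! "$PACKAGE_NAME" =~ ^dd_trace_dotnet-signed-bundle-[0-9]+$ ]]; then
+echo "[ERROR]: Unexpected package name: $PACKAGE_NAME"
+exit 1
 fi
-done
 
-if [ "$REGION_VALID" != "true" ]; then
-echo "[ERROR]: Invalid region '$REGION'. Available regions are:"
-echo "$AVAILABLE_REGIONS"
-echo
+else
+printf "[ERROR]: ENVIRONMENT not supported, must be us1-staging-fed or us1-fed.\n"
 exit 1
 fi
 
-LATEST_VERSION=$(aws-vault exec sso-govcloud-us1-fed-engineering \
--- aws lambda list-layer-versions \
---region $REGION --layer-name dd-trace-dotnet \
---query 'LayerVersions[0].Version || `0`')
-EXPECTED_VERSION=$((LATEST_VERSION + 1))
+TEMP_DIR=$(mktemp -d)
+unzip $LAYER_PACKAGE -d $TEMP_DIR
+mkdir -p .layers
+cp -v $TEMP_DIR/$PACKAGE_NAME/*.zip .layers/
 
 
-if [ "$VERSION" != "$EXPECTED_VERSION" ]; then
-echo "[ERROR]: Version must be sequential. Latest version is $LATEST_VERSION, so next version must be $EXPECTED_VERSION"
-echo
-exit 1
-fi
+AWS_VAULT_PREFIX="aws-vault exec $AWS_VAULT_ROLE --"
 
-echo "Publishing tracer layer version $VERSION to region $REGION"
-read -p "Continue? (y/n): " CONFIRM
-if [[ $CONFIRM != "y" ]]; then
-echo "Aborting."
-echo
-exit 1
+echo "Checking that you have access to the GovCloud AWS account"
+$AWS_VAULT_PREFIX aws sts get-caller-identity
+
+
+AVAILABLE_REGIONS=$($AWS_VAULT_PREFIX aws ec2 describe-regions | jq -r '.[] | .[] | .RegionName')
+
+# Determine the target regions
+if [ -z "$REGIONS" ]; then
+echo "Region not specified, running for all available regions."
+REGIONS=$AVAILABLE_REGIONS
+else
+echo "Region specified: $REGIONS"
+if [[ ! "$AVAILABLE_REGIONS" == *"$REGIONS"* ]]; then
+echo "Could not find $REGIONS in available regions: $AVAILABLE_REGIONS"
+echo ""
+echo "EXITING SCRIPT."
+exit 1
+fi
 fi
 
-printf "Publishing dd-trace-dotnet...\n"
-NEW_VERSION=$(aws-vault exec sso-govcloud-us1-fed-engineering -- \
-aws lambda publish-layer-version --layer-name dd-trace-dotnet \
---description "dd-trace-dotnet" \
---compatible-runtimes "dotnet6" "dotnet8" \
---compatible-architectures "x86_64" \
---zip-file "fileb://../.layers/dd_trace_dotnet_amd64.zip" \
---region $REGION \
-| jq -r '.Version')
-
-printf "Publishing dd-trace-dotnet-ARM...\n"
-NEW_VERSION=$(aws-vault exec sso-govcloud-us1-fed-engineering -- \
-aws lambda publish-layer-version --layer-name dd-trace-dotnet-ARM \
---description "dd-trace-dotnet" \
---compatible-runtimes "dotnet6" "dotnet8" \
---compatible-architectures "arm64" \
---zip-file "fileb://../.layers/dd_trace_dotnet_arm64.zip" \
---region $REGION \
-| jq -r '.Version')
-
-printf "Setting permission for dd-trace-dotnet...\n"
-permission=$(aws-vault exec sso-govcloud-us1-fed-engineering -- \
-aws lambda add-layer-version-permission --layer-name dd-trace-dotnet \
---version-number $NEW_VERSION \
---statement-id "release-$NEW_VERSION" \
---action lambda:GetLayerVersion \
---principal "*" \
---region $REGION
-)
-
-printf "Setting permission for dd-trace-dotnet-ARM...\n"
-permission=$(aws-vault exec sso-govcloud-us1-fed-engineering -- \
-aws lambda add-layer-version-permission --layer-name dd-trace-dotnet-ARM \
---version-number $NEW_VERSION \
---statement-id "release-$NEW_VERSION" \
---action lambda:GetLayerVersion \
---principal "*" \
---region $REGION
-)
-
-echo "Published layer v$NEW_VERSION to $REGION!"
+for region in $REGIONS
+do
+echo "Starting publishing layers for region $region..."
+
+export REGION=$region
+
+for arch in "amd64" "arm64"; do
+export ARCHITECTURE=$arch
+export LAYER_FILE="dd_trace_dotnet_${ARCHITECTURE}.zip"
+
+echo "Publishing layer $LAYER_FILE for $ARCHITECTURE"
+
+$AWS_VAULT_PREFIX .gitlab/scripts/publish_layers.sh
+done
+done
+
+echo "Done !"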
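Review bot: The `signed-` requirement for `us1-fed` is enforced only on the zip's file name, and `.layers/` is reused without being emptied, so a `dd_trace_dotnet_<arch>.zip` left there by an earlier run can be published if the bundle lacks that architecture. Clearing the old files before the copy (`rm -f .layers/dd_trace_dotnet_*.zip`) and quoting the paths (`unzip "$LAYER_PACKAGE" -d "$TEMP_DIR"`, `cp -v "$TEMP_DIR/$PACKAGE_NAME"/*.zip .layers/`) removes that risk, and quoting also lets a dragged-in path containing spaces work as the usage comment suggests. The region check `*"$REGIONS"*` is a substring match, so a partial value such as `us-gov` passes while a space-separated list would presumably fail against the newline-separated jq output; comparing each requested region to each available one would be stricter. The old script's `Continue? (y/n)` prompt and sequential-version check are dropped, and whether publish_layers.sh provides an equivalent safeguard for `gov-prod` is not visible on this page. `$ENVIRONMENT` in the `elif` test is unquoted, unlike the first branch, and `TEMP_DIR` is never removed; `trap 'rm -rf -- "$TEMP_DIR"' EXIT` after the `mktemp -d` would clean it up.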
