diff --git a/scripts/publish_prod.sh b/scripts/publish_prod.sh index c5c49d7e..1e11f08c 100755 --- a/scripts/publish_prod.sh +++ b/scripts/publish_prod.sh @@ -57,22 +57,26 @@ then [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 fi -echo "" +echo echo "Replacing __version__ in ./datadog_lambda/__init__.py" -echo "" +echo sed -i "" -E "s/\"(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\"/\"$NEW_VERSION\"/" ./datadog_lambda/__init__.py git commit ./datadog_lambda/__init__.py -m "Update module version to ${NEW_VERSION}" -echo "" +echo echo "Building layers..." ./scripts/build_layers.sh -echo "" +echo +echo "Signing layers..." +./scripts/sign_layers.sh prod + +echo echo "Publishing layers to AWS regions..." ./scripts/publish_layers.sh -echo "" +echo echo 'Pushing updates to github' MINOR_VERSION=$(echo $NEW_VERSION | cut -d '.' -f 2) git push origin master @@ -89,14 +93,14 @@ if [[ ! $REPLY =~ ^[Yy]$ ]] then [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 fi -echo "" +echo echo "Publishing to https://pypi.org/project/datadog-lambda/" ./scripts/pypi.sh -echo "" +echo echo "Now create a new release with the tag v${MINOR_VERSION} created" echo "https://github.com/DataDog/datadog-lambda-python/releases/new" -echo "" +echo echo "Then publish a new serverless-plugin-datadog version with the new layer versions!" -echo "" +echo diff --git a/scripts/publish_sandbox.sh b/scripts/publish_sandbox.sh new file mode 100755 index 00000000..9b921cd4 --- /dev/null +++ b/scripts/publish_sandbox.sh @@ -0,0 +1,6 @@ +#!/bin/bash +set -e + +./scripts/build_layers.sh +./scripts/sign_layers.sh sandbox +./scripts/publish_layers.sh sa-east-1 \ No newline at end of file diff --git a/scripts/publish_staging.sh b/scripts/publish_staging.sh deleted file mode 100755 index 4d4787ed..00000000 --- a/scripts/publish_staging.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -set -e - -./scripts/build_layers.sh -./scripts/publish_layers.sh us-east-1 \ No newline at end of file 
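Review bot: The new `./scripts/sign_layers.sh prod` line runs between build_layers.sh and publish_layers.sh with no status check; whether publish_prod.sh sets `-e` is outside this hunk, and if it does not, a failed or timed-out signing job is still followed by `./scripts/publish_layers.sh` uploading whatever is left in `.layers`. As sign_layers.sh is written in this same commit, it overwrites each zip in place one at a time, so a mid-run failure would leave a mix of signed and unsigned layers on disk for the publish step to pick up. A guard on this line makes the intent explicit regardless of the script's `set` options: `./scripts/sign_layers.sh prod || exit 1`. The enclosing script continues outside the hunk.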
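Review bot: The region `sa-east-1` passed to publish_layers.sh in the new publish_sandbox.sh is also hard-coded as the sandbox `REGION` inside sign_layers.sh in this commit, so the two values can drift apart without any error. A short comment would at least tie them together: `# NOTE: must match the sandbox REGION in scripts/sign_layers.sh`. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while here.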
diff --git a/scripts/sign_layers.sh b/scripts/sign_layers.sh
index 00000000..554e406d
--- /dev/null
+++ b/scripts/sign_layers.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2019 Datadog, Inc.
+
+set -e
+
+LAYER_DIR=".layers"
+LAYER_FILES=(
+ "datadog_lambda_py2.7.zip"
+ "datadog_lambda_py3.6.zip"
+ "datadog_lambda_py3.7.zip"
+ "datadog_lambda_py3.8.zip"
+)
+SIGNING_PROFILE_NAME="DatadogLambdaSigningProfile"
+
+# Check account parameter
+VALID_ACCOUNTS=("sandbox" "prod")
+if [ -z "$1" ]; then
+ echo "ERROR: You must pass an account parameter to sign the layers"
+ exit 1
+fi
+if [[ ! "${VALID_ACCOUNTS[@]}" =~ $1 ]]; then
+ echo "ERROR: The account parameter was invalid. Please choose sandbox or prod."
+ exit 1
+fi
+if [ "$1" = "sandbox" ]; then
+ REGION="sa-east-1"
+ S3_BUCKET_NAME="dd-lambda-signing-bucket-sandbox"
+fi
+if [ "$1" = "prod" ]; then
+ REGION="us-east-1"
+ S3_BUCKET_NAME="dd-lambda-signing-bucket"
+fi
+
+for LAYER_FILE in "${LAYER_FILES[@]}"
+do
+ echo
+ echo "${LAYER_FILE}"
+ echo "-------------------------"
+
+ LAYER_LOCAL_PATH="${LAYER_DIR}/${LAYER_FILE}"
+
+ # Upload the layer to S3 for signing
+ echo "Uploading layer to S3 for signing..."
+ UUID=$(uuidgen)
+ S3_UNSIGNED_ZIP_KEY="${UUID}.zip"
+ S3_UNSIGNED_ZIP_URI="s3://${S3_BUCKET_NAME}/${S3_UNSIGNED_ZIP_KEY}"
+ aws s3 cp $LAYER_LOCAL_PATH $S3_UNSIGNED_ZIP_URI
+
+ # Start a signing job
+ echo "Starting the signing job..."
+ SIGNING_JOB_ID=$(aws signer start-signing-job \
+ --source "s3={bucketName=${S3_BUCKET_NAME},key=${S3_UNSIGNED_ZIP_KEY},version=null}" \
+ --destination "s3={bucketName=${S3_BUCKET_NAME}}" \
+ --profile-name $SIGNING_PROFILE_NAME \
+ --region $REGION \
+ | jq -r '.jobId'\
+ )
+
+ # Wait for the signing job to complete
+ echo "Waiting for the signing job to complete..."
+ SECONDS_WAITED_SO_FAR=0
+ while :
+ do
+ sleep 3
+ SECONDS_WAITED_SO_FAR=$((SECONDS_WAITED_SO_FAR + 3))
+
+ SIGNING_JOB_DESCRIPTION=$(aws signer describe-signing-job \
+ --job-id $SIGNING_JOB_ID \
+ --region $REGION\
+ )
+ SIGNING_JOB_STATUS=$(echo $SIGNING_JOB_DESCRIPTION | jq -r '.status')
+ SIGNING_JOB_STATUS_REASON=$(echo $SIGNING_JOB_DESCRIPTION | jq -r '.statusReason')
+
+ if [ $SIGNING_JOB_STATUS = "Succeeded" ]; then
+ echo "Signing job succeeded!"
+ break
+ fi
+
+ if [ $SIGNING_JOB_STATUS = "Failed" ]; then
+ echo "ERROR: Signing job failed"
+ echo $SIGNING_JOB_STATUS_REASON
+ exit 1
+ fi
+
+ if [ $SECONDS_WAITED_SO_FAR -ge 60 ]; then
+ echo "ERROR: Timed out waiting for the signing job to complete"
+ exit 1
+ fi
+
+ echo "Signing job still in progress..."
+ done
+
+ # Download the signed ZIP, overwriting the original ZIP
+ echo "Replacing the local layer with the signed layer from S3..."
+ S3_SIGNED_ZIP_KEY="${SIGNING_JOB_ID}.zip"
+ S3_SIGNED_ZIP_URI="s3://${S3_BUCKET_NAME}/${S3_SIGNED_ZIP_KEY}"
+ aws s3 cp $S3_SIGNED_ZIP_URI $LAYER_LOCAL_PATH
+
+ # Delete the signed and unsigned ZIPs in S3
+ echo "Cleaning up the S3 bucket..."
+ aws s3api delete-object --bucket $S3_BUCKET_NAME --key $S3_UNSIGNED_ZIP_KEY
+ aws s3api delete-object --bucket $S3_BUCKET_NAME --key $S3_SIGNED_ZIP_KEY
+done
+
+echo
+echo "Successfully signed all layers!"
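Review bot: The account check `if [[ ! "${VALID_ACCOUNTS[@]}" =~ $1 ]]` is a regex/substring match, so values such as `pro`, `box`, or `.` pass validation while the two exact-match `if` blocks below leave `REGION` and `S3_BUCKET_NAME` unset; with `set -e` but no `set -u`, the loop then runs `aws s3 cp` against `s3:///<uuid>.zip` and an empty `--region` instead of stopping. A single `case` on `"$1"` with a `*)` arm gives an exact match and guarantees both variables are set before the loop, as sketched below. Separately, the signed artifact is fetched from `s3://${S3_BUCKET_NAME}/${SIGNING_JOB_ID}.zip` by naming convention, whereas the `describe-signing-job` output already polled in the loop reports the signed object's bucket and key (`signedObject.s3`, as I recall the API), which would be the authoritative source for the download location. The S3 cleanup also runs only on the success path, so a timed-out or failed job leaves the unsigned zip in the signing bucket; a `trap … EXIT` that deletes `S3_UNSIGNED_ZIP_KEY` when it is set would cover every exit path.

```bash
# Check account parameter: exact match only, anything else is an error
if [ -z "$1" ]; then
    echo "ERROR: You must pass an account parameter to sign the layers"
    exit 1
fi
case "$1" in
    sandbox)
        REGION="sa-east-1"
        S3_BUCKET_NAME="dd-lambda-signing-bucket-sandbox"
        ;;
    prod)
        REGION="us-east-1"
        S3_BUCKET_NAME="dd-lambda-signing-bucket"
        ;;
    *)
        echo "ERROR: The account parameter was invalid. Please choose sandbox or prod."
        exit 1
        ;;
esac
# … unchanged: per-layer upload / sign / poll / download loop …
```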