release layer

serkan-ozal · serkan-ozal · commit 7d1c00061e05 · 2025-02-04T21:24:32.000+03:00
diff --git a/.github/workflows/build-collector.yml b/.github/workflows/build-collector.yml
@@ -4,65 +4,71 @@ on:
   workflow_dispatch:
     inputs:
       architecture:
+        description: 'Architecture of the layer to be published'
+        required: true
         type: choice
-        description: Architecture
         options:
           - all
           - amd64
           - arm64
         default: all
-      aws_region:
+      aws-region:
+        description: 'AWS Region(s) where layer will be published'
+        required: true
         type: choice
-        description: AWS Region
         options:
           - all
-          - ap-northeast-1
-          - ap-northeast-2
-          - ap-south-1
-          - ap-southeast-1
-          - ap-southeast-2
-          - ca-central-1
-          - eu-central-1
-          - eu-north-1
-          - eu-west-1
-          - eu-west-2
-          - eu-west-3
-          - sa-east-1
-          - us-east-1
-          - us-east-2
+#          - ap-northeast-1
+#          - ap-northeast-2
+#          - ap-south-1
+#          - ap-southeast-1
+#          - ap-southeast-2
+#          - ca-central-1
+#          - eu-central-1
+#          - eu-north-1
+#          - eu-west-1
+#          - eu-west-2
+#          - eu-west-3
+#          - sa-east-1
+#          - us-east-1
+#          - us-east-2
           - us-west-1
           - us-west-2
         default: all
+      role-arn:
+        description: 'AWS IAM Role ARN to be assumed for publishing layer'
+        required: false
+        type: string
+      layer-version:
+        description: 'Layer version to be appended into the layer name'
+        required: false
+        type: string
+      build-tags:
+        description: 'Build tags to customize collector build'
+        required: false
+        type: string
 
 jobs:
-  include-jobs:
+  prepare-build-jobs:
     runs-on: ubuntu-latest
     outputs:
-      jobs: ${{ steps.include-jobs.outputs.jobs }}
+      build_jobs: ${{ steps.prepare-build-jobs.outputs.build_jobs }}
     steps:
-      - id: include-jobs
-        name: Include jobs
+      - id: prepare-build-jobs
+        name: Prepare Build Jobs
         run: |
           architectures=''
           if [ ${{ github.event.inputs.architecture }} == 'all' ]; then
             architectures='["amd64", "arm64"]'
           else
             architectures='["${{ github.event.inputs.architecture }}"]'
           fi
-          aws_regions=''
-          if [ ${{ github.event.inputs.aws_region }} == 'all' ]; then
-            aws_regions='["ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"]'
-          else
-            aws_regions='["${{ github.event.inputs.aws_region }}"]'
-          fi
-          echo "jobs={"architecture": ${architectures}, "aws_region": ${aws_regions}}" | tr -d '[:space:]' >> $GITHUB_OUTPUT
-  build:
-    needs: include-jobs
+          echo "build_jobs={"architecture": ${architectures}}" | tr -d '[:space:]' >> $GITHUB_OUTPUT
+  build-layer:
+    needs: prepare-build-jobs
     runs-on: ubuntu-latest
     strategy:
-      matrix: ${{ fromJSON(needs.include-jobs.outputs.jobs) }}
-    outputs:
-      COLLECTOR_VERSION: ${{ steps.save-collector-version.outputs.COLLECTOR_VERSION }}
+      matrix: ${{ fromJSON(needs.prepare-build-jobs.outputs.build_jobs) }}
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
@@ -71,9 +77,55 @@ jobs:
         with:
           go-version: '~1.21.9'
       - name: Build Collector
-        run: make -C collector package GOARCH=${{ matrix.architecture }}
+        run: |
+          if [[ -n "${{ inputs.build-tags }}" ]]; then
+            BUILDTAGS="${{ inputs.build-tags }}"
+            if [[ "$BUILDTAGS" != "lambdacomponents.custom"* ]]; then
+              BUILDTAGS="lambdacomponents.custom,$BUILDTAGS"
+            fi
+          fi
+          echo "Build tags: $BUILDTAGS"
+          make -C collector package GOARCH=${{ matrix.architecture }} BUILDTAGS=$BUILDTAGS
       - name: Upload Collector Artifact
         uses: actions/upload-artifact@v4
         with:
-          name: opentelemetry-collector-layer-${{ matrix.architecture }}-${{ matrix.aws_region }}.zip
+          name: opentelemetry-collector-layer-${{ matrix.architecture }}.zip
           path: ${{ github.workspace }}/collector/build/opentelemetry-collector-layer-${{ matrix.architecture }}.zip
+  prepare-release-jobs:
+    needs: build-layer
+    runs-on: ubuntu-latest
+    outputs:
+      release_jobs: ${{ steps.prepare-release-jobs.outputs.release_jobs }}
+    steps:
+      - id: prepare-release-jobs
+        name: Prepare Release Jobs
+        run: |
+          architectures=''
+          if [ ${{ github.event.inputs.architecture }} == 'all' ]; then
+            architectures='["amd64", "arm64"]'
+          else
+            architectures='["${{ github.event.inputs.architecture }}"]'
+          fi
+          aws_regions=''
+          if [ ${{ github.event.inputs.aws-region }} == 'all' ]; then
+            aws_regions='["us-west-1", "us-west-2"]'
+          else
+            aws_regions='["${{ github.event.inputs.aws-region }}"]'
+          fi
+          echo "release_jobs={"architecture": ${architectures}, "aws_region": ${aws_regions}}" | tr -d '[:space:]' >> $GITHUB_OUTPUT
+  release-layer:
+    uses: ./.github/workflows/layer-publish.yml
+    needs: prepare-release-jobs
+    strategy:
+      matrix: ${{ fromJSON(needs.prepare-release-jobs.outputs.release_jobs) }}
+    with:
+      artifact-name: opentelemetry-collector-layer-${{ matrix.architecture }}.zip
+      layer-name: opentelemetry-collector
+      architecture: ${{ matrix.architecture }}
+      runtimes: "nodejs16.x nodejs18.x nodejs20.x nodejs22.x java11 java17 java21 python3.8 python3.9 python3.10 python3.11 python3.12"
+      release-group: prod
+      aws_region: ${{ matrix.aws_region }}
+      role-arn: ${{ github.event.inputs.role-arn }}
+      component-version: 'NA'
+      layer-version: ${{ github.event.inputs.layer-version }}
+    secrets: inherit
diff --git a/.github/workflows/layer-publish.yml b/.github/workflows/layer-publish.yml
@@ -32,7 +32,14 @@ on:
         description: 'Publish to which AWS region?'
         required: true
         type: string
-
+      role-arn:
+        description: '(optional) AWS IAM Role ARN to be assumed for publishing layer. If no input is given, defaults to `PROD_LAMBDA_ROLE_ARN` secret.'
+        required: false
+        type: string
+      layer-version:
+        description: '(optional) Layer version to be used in the layer name. If no input is given, its value is tried to be extracted from the `GITHUB_REF_NAME` variable'
+        required: false
+        type: string
 
 permissions:
   id-token: write
@@ -58,18 +65,24 @@ jobs:
           echo "ARCH=$ARCH" >> $GITHUB_ENV
           
           if [[ -n "${{ inputs.runtimes }}" ]]; then
-            RUNTIMES="--compatible-runtimes ${{ inputs.runtimes }}"
+            COMPATIBLE_RUNTIMES="--compatible-runtimes ${{ inputs.runtimes }}"
           fi
-          echo "RUNTIMES=$RUNTIMES" >> $GITHUB_ENV
+          echo "COMPATIBLE_RUNTIMES=$COMPATIBLE_RUNTIMES" >> $GITHUB_ENV
           
           if [[ "${{ inputs.release-group }}" != "prod" ]]; then
             LAYER_NAME=$LAYER_NAME-${{ inputs.release-group }}
           fi
           
-          LAYER_VERSION=$(echo "$GITHUB_REF_NAME" | sed -r 's/.*\/[^0-9\.]*//g')
-          LAYER_VERSION_CLEANED=$(echo "$LAYER_VERSION" | sed -r 's/\./_/g')
+          if [[ -n "${{ inputs.layer-version }}" ]]; then
+            LAYER_VERSION="${{ inputs.layer-version }}"
+          else
+            LAYER_VERSION=$(echo "$GITHUB_REF_NAME" | sed -r 's/.*\/[^0-9\.]*//g')
+          fi
+          LAYER_VERSION_CLEANED=$(echo "$LAYER_VERSION" | sed -r 's/\./_/g')          
           
-          LAYER_NAME=$LAYER_NAME-$LAYER_VERSION_CLEANED
+          if [[ -n "$LAYER_VERSION_CLEANED" ]]; then
+            LAYER_NAME=$LAYER_NAME-$LAYER_VERSION_CLEANED
+          fi
           echo "LAYER_NAME=$LAYER_NAME" >> $GITHUB_ENV
           
           echo GITHUB_ENV:
@@ -82,7 +95,7 @@ jobs:
 
       - uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.PROD_LAMBDA_ROLE_ARN }}
+          role-to-assume: ${{ inputs.role-arn || secrets.OTEL_LAMBDA_LAYER_PUBLISH_ROLE_ARN || secrets.PROD_LAMBDA_ROLE_ARN }}
           role-duration-seconds: 1200
           aws-region: ${{ inputs.aws_region }}
           mask-aws-account-id: false
@@ -93,7 +106,8 @@ jobs:
             aws lambda publish-layer-version \
               --layer-name $LAYER_NAME \
               --license-info "Apache 2.0" \
-              --compatible-architectures $ARCH $RUNTIMES \
+              --compatible-architectures $ARCH \
+              $COMPATIBLE_RUNTIMES \
               --zip-file fileb://${{ inputs.artifact-name }} \
               --query 'LayerVersionArn' \
               --output text
diff --git a/utils/aws-cloudformation/aws-cf-stack-for-layer-publish.yml b/utils/aws-cloudformation/aws-cf-stack-for-layer-publish.yml
@@ -0,0 +1,53 @@
+Parameters:
+  GitHubOrgName:
+    Description: Name of the GitHub organization/user
+    Type: String
+  RepositoryName:
+    Description: Name of the GitHub repository
+    Type: String
+    Default: "opentelemetry-lambda"
+
+Resources:
+  Role:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: "github-otel-lambda-layer-publish-role"
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRoleWithWebIdentity
+            Principal:
+              Federated: !Ref GithubOIDC
+            Condition:
+              StringEquals:
+                token.actions.githubusercontent.com:aud: "sts.amazonaws.com"
+              StringLike:
+                token.actions.githubusercontent.com:sub: !Sub "repo:${GitHubOrgName}/${RepositoryName}:*"
+      Policies:
+        - PolicyName: "github-otel-lambda-layer-publish-policy"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "lambda:GetLayer*"
+                  - "lambda:ListLayer*"
+                  - "lambda:AddLayer*"
+                  - "lambda:PublishLayer*"
+                Resource:
+                  - !Sub "arn:aws:lambda:*:${AWS::AccountId}:layer:opentelemetry-*"
+                  - !Sub "arn:aws:lambda:*:${AWS::AccountId}:layer:opentelemetry-*:*"
+
+  GithubOIDC:
+    Type: AWS::IAM::OIDCProvider
+    Properties:
+      Url: "https://token.actions.githubusercontent.com"
+      ClientIdList: 
+        - "sts.amazonaws.com"
+      ThumbprintList:
+        - "ffffffffffffffffffffffffffffffffffffffff"
+
+Outputs:
+  RoleARN:
+    Description: "ARN of the AWS IAM role to be assumed by Github for the OpenTelemetry Layer publishing"
+    Value: !GetAtt Role.Arn
