fixed the partition in the arn

Author: sdangol

.github/workflows/layers_partitions.yml

@@ -2,7 +2,7 @@
 # ---
 # This workflow publishes a specific layer version in an AWS account based on the partition input.
 #
-# We pull the version of the layer and store them as artifacts, the we upload them to each of the Partitioned AWS accounts.
+# We pull the version of the layer and store them as artifacts, then we upload them to each of the Partitioned AWS accounts.
 #
 # A number of safety checks are performed to ensure safety.
 #
@@ -112,17 +112,19 @@ jobs:
     with:
       environment: Gamma
       partition: ${{ inputs.partition }}
+      arn_partition: ${{ needs.setup.outputs.partition }}
       regions: ${{ needs.setup.outputs.regions }}
       aud: ${{ needs.setup.outputs.aud }}
     secrets: inherit
-  # Copies the Layer to the Gamma Environment in the selected partition
+  # Copies the Layer to the Prod Environment in the selected partition
   deploy-prod:
     name: Deploy Prod Layer
     needs: [setup, download, deploy-gamma]
     uses: ./.github/workflows/layers_partitions_deploy.yml
     with:
       environment: Prod
       partition: ${{ inputs.partition }}
+      arn_partition: ${{ needs.setup.outputs.partition }}
       regions: ${{ needs.setup.outputs.regions }}
       aud: ${{ needs.setup.outputs.aud }}
     secrets: inherit

.github/workflows/layers_partitions_deploy.yml

@@ -9,6 +9,9 @@ on:
       partition:
         required: true
         type: string
+      arn_partition:
+        required: true
+        type: string
       regions:
         required: true
         type: string
@@ -30,12 +33,12 @@ jobs:
         region: ${{ fromJson(inputs.regions) }}
     steps:
       - name: Download Zip
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: AWSLambdaPowertoolsTypeScriptV2.zip
 
       - name: Download Metadata
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: AWSLambdaPowertoolsTypeScriptV2.json
 
@@ -45,10 +48,11 @@ jobs:
           test "$(openssl dgst -sha256 -binary AWSLambdaPowertoolsTypeScriptV2.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
       
       - id: transform
-        run: echo "CONVERTED_REGION=$(echo '${{ matrix.region }}' | tr 'a-z\-' 'A-Z_')" >> "$GITHUB_OUTPUT"
+        run: |
+          echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
       
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
         with:
           role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
           aws-region: ${{ matrix.region }}
@@ -59,12 +63,13 @@ jobs:
         id: create-layer
         run: |
           set -euo pipefail
-          jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' AWSLambdaPowertoolsTypeScriptV2.json > input.json
+          cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json
           
           LAYER_VERSION=$(aws --region "${{ matrix.region }}" lambda publish-layer-version \
             --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \
             --cli-input-json file://./input.json \
-            --query 'Version' --output text)
+            --query 'Version' \
+            --output text)
           
           echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
           
@@ -75,40 +80,42 @@ jobs:
             --principal '*' \
             --version-number "$LAYER_VERSION"
       
+      # This step retrieves the newly deployed layer metadata and compares it against the original source layer:
+      # 1. SHA256 hash verification - ensures the layer content is identical to the source
+      # 2. Description validation - confirms the version number in the description matches the source
+      # 3. Layer Version number verification - validates that the layer version numbers match between source and target
+      # 4. Tabular comparison output - displays side-by-side comparison of key layer properties
       - name: Verify Layer
         env:
           LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
           ENVIRONMENT: ${{ inputs.environment }}
-          PARTITION: ${{ inputs.partition }}
+          PARTITION: ${{ inputs.arn_partition }}
         run: |
           set -euo pipefail
-          layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json"
-          
-          aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn \
-            --arn "arn:${PARTITION}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${LAYER_VERSION}" \
-            > "$layer_output"
+          export layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json"
+          # Dynamic secret access is safe here - secrets are scoped per environment
+          aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${PARTITION}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${LAYER_VERSION}" > "$layer_output"
           
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' "$layer_output")
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
           test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
           
           REMOTE_DESCRIPTION=$(jq -r '.Description' "$layer_output")
           LOCAL_DESCRIPTION=$(jq -r '.Description' AWSLambdaPowertoolsTypeScriptV2.json)
-          test "$REMOTE_DESCRIPTION" == "$LOCAL_DESCRIPTION" && echo "Version number OK: ${LOCAL_DESCRIPTION}" || exit 1
+          test "$REMOTE_DESCRIPTION" == "$LOCAL_DESCRIPTION" && echo "Description OK: ${LOCAL_DESCRIPTION}" || exit 1
           
           if [ "$ENVIRONMENT" == "Prod" ]; then
             REMOTE_LAYER_VERSION=$(jq -r '.LayerVersionArn' "$layer_output" | sed 's/.*://')
             LOCAL_LAYER_VERSION=$(jq -r '.LayerVersionArn' AWSLambdaPowertoolsTypeScriptV2.json | sed 's/.*://')
             test "$REMOTE_LAYER_VERSION" == "$LOCAL_LAYER_VERSION" && echo "Layer Version number OK: ${LOCAL_LAYER_VERSION}" || exit 1
           fi
           
-          jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' \
-            AWSLambdaPowertoolsTypeScriptV2.json "$layer_output" | column -t -s $'\t'
+          jq -s -r '["Layer Arn", "Runtimes", "Version", "Description", "SHA256"], ([.[0], .[1]] | .[] | [.LayerArn, (.CompatibleRuntimes | join("/")), .Version, .Description, .Content.CodeSha256]) |@tsv' AWSLambdaPowertoolsTypeScriptV2.json "$layer_output" | column -t -s $'\t'
 
-      - name: Store Metadata
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+      - name: Store Metadata - ${{ matrix.region }}
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
-          name: AWSLambdaPowertoolsTypeScriptV2-${{ inputs.environment }}-${{ matrix.region }}.json
+          name: AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json
           path: AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json
           retention-days: 1
           if-no-files-found: error