Merge branch 'develop' into custom_mask

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -63,6 +63,7 @@ body:
         - "3.10"
         - "3.11"
         - "3.12"
+        - "3.13"
     validations:
       required: true
   - type: dropdown

.github/ISSUE_TEMPLATE/static_typing.yml

@@ -30,6 +30,7 @@ body:
         - "3.10"
         - "3.11"
         - "3.12"
+        - "3.13"
     validations:
       required: true
   - type: input

.github/workflows/bootstrap_region.yml

@@ -0,0 +1,109 @@
+# bootstraps new regions
+#
+# PURPOSE
+# Ensures new regions are deployable in future releases
+#
+# JOB 1 PROCESS
+#
+# 1. Installs CDK
+# 2. Bootstraps region
+#
+# JOB 2 PROCESS
+# 1. Sets up Go
+# 2. Installs the balance script
+# 3. Runs balance script to copy layers between aws regions
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        options:
+          - beta
+          - prod
+        description: Deployment environment
+      region:
+        type: string
+        required: true
+        description: AWS region to bootstrap (i.e. eu-west-1)
+
+name: Region Bootstrap
+run-name: Region Bootstrap ${{ inputs.region }}
+
+permissions:
+  contents: read
+
+jobs:
+  cdk:
+    name: Install CDK
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    environment: layer-${{ inputs.environment }}
+    steps:
+      - id: credentials
+        name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        with:
+          aws-region: ${{ inputs.region }}
+          role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
+          mask-aws-account-id: true
+      - id: workdir
+        name: Create Workdir
+        run: |
+          mkdir -p build/project
+      - id: cdk-install
+        name: Install CDK
+        working-directory: build
+        run: |
+          npm i aws-cdk
+      - id: cdk-project
+        name: CDK Project
+        working-directory: build/project
+        run: |
+          npx cdk init app --language=typescript
+          AWS_REGION="${{ inputs.region }}" npx cdk bootstrap
+
+  copy_layers:
+    name: Copy Layers
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    strategy:
+      matrix:
+        layer:
+          - AWSLambdaPowertoolsPythonV3-python38-arm64
+          - AWSLambdaPowertoolsPythonV3-python39-arm64
+          - AWSLambdaPowertoolsPythonV3-python310-arm64
+          - AWSLambdaPowertoolsPythonV3-python311-arm64
+          - AWSLambdaPowertoolsPythonV3-python312-arm64
+          - AWSLambdaPowertoolsPythonV3-python313-arm64
+          - AWSLambdaPowertoolsPythonV3-python38-x86_64
+          - AWSLambdaPowertoolsPythonV3-python39-x86_64
+          - AWSLambdaPowertoolsPythonV3-python310-x86_64
+          - AWSLambdaPowertoolsPythonV3-python311-x86_64
+          - AWSLambdaPowertoolsPythonV3-python312-x86_64
+          - AWSLambdaPowertoolsPythonV3-python313-x86_64
+    environment: layer-${{ inputs.environment }}
+    steps:
+      - id: credentials
+        name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
+          mask-aws-account-id: true
+      - id: go-setup
+        name: Setup Go
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - id: go-env
+        name: Go Env
+        run: go env
+      - id: go-install-pkg
+        name: Install
+        run: go install github.com/aws-powertools/actions/layer-balancer/cmd/balance@latest
+      - id: run-balance
+        name: Run Balance
+        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name ${{ matrix.layer }} -dry-run=false

.github/workflows/codeql-analysis.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/dependency-review.yml

@@ -17,6 +17,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/label_pr_on_title.yml

@@ -50,7 +50,7 @@ jobs:
       pull-requests: write  # label respective PR
     steps:
       - name: Checkout repository
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       - name: "Label PR based on title"
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:

.github/workflows/layer_govcloud.yml

@@ -0,0 +1,220 @@
+# GovCloud Layer Publish
+# ---
+# This workflow publishes a specific layer version in an AWS account based on the environment input.
+#
+# Using a matrix, we pull each architecture and python version of the layer and store them as artifacts
+# we upload them to each of the GovCloud AWS accounts.
+#
+# A number of safety checks are performed to ensure safety.
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Deployment environment
+        type: choice
+        options:
+          - Gamma
+          - Prod
+        required: true
+      version:
+        description: Layer version to duplicate
+        type: string
+        required: true
+  workflow_call:
+    inputs:
+      environment:
+        description: Deployment environment
+        type: string
+        required: true
+      version:
+        description: Layer version to duplicate
+        type: string
+        required: true
+
+name: Layer Deployment (GovCloud)
+run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }}
+
+jobs:
+  download:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      matrix:
+        layer:
+          - AWSLambdaPowertoolsPythonV3-python38
+          - AWSLambdaPowertoolsPythonV3-python39
+          - AWSLambdaPowertoolsPythonV3-python310
+          - AWSLambdaPowertoolsPythonV3-python311
+          - AWSLambdaPowertoolsPythonV3-python312
+          - AWSLambdaPowertoolsPythonV3-python313
+        arch:
+          - arm64
+          - x86_64
+    environment: Prod (Readonly)
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+          aws-region: us-east-1
+          mask-aws-account-id: true
+      - name: Grab Zip
+        run: |
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} > ${{ matrix.layer }}_${{ matrix.arch }}.json
+      - name: Store Zip
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
+          path: ${{ matrix.layer }}_${{ matrix.arch }}.zip
+          retention-days: 1
+          if-no-files-found: error
+      - name: Store Metadata
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: ${{ matrix.layer }}_${{ matrix.arch }}.json
+          path: ${{ matrix.layer }}_${{ matrix.arch }}.json
+          retention-days: 1
+          if-no-files-found: error
+
+  copy_east:
+    name: Copy (East)
+    needs: download
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      matrix:
+        layer:
+          - AWSLambdaPowertoolsPythonV3-python38
+          - AWSLambdaPowertoolsPythonV3-python39
+          - AWSLambdaPowertoolsPythonV3-python310
+          - AWSLambdaPowertoolsPythonV3-python311
+          - AWSLambdaPowertoolsPythonV3-python312
+          - AWSLambdaPowertoolsPythonV3-python313
+        arch:
+          - arm64
+          - x86_64
+    environment: GovCloud ${{ inputs.environment }} (East)
+    steps:
+      - name: Download Zip
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
+      - name: Download Metadata
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ${{ matrix.layer }}_${{ matrix.arch }}.json
+      - name: Verify Layer Signature
+        run: |
+          SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
+          test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+          aws-region: us-gov-east-1
+          mask-aws-account-id: true
+      - name: Create Layer
+        id: create-layer
+        run: |
+          LAYER_VERSION=$(aws --region us-gov-east-1 lambda publish-layer-version \
+            --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
+            --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \
+            --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+            --compatible-architectures "$(jq  -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+            --license-info "MIT-0" \
+            --description "$(jq -r '.Description' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+            --query 'Version' \
+            --output text)
+
+          echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
+
+          aws --region us-gov-east-1 lambda add-layer-version-permission \
+            --layer-name '${{ matrix.layer }}-${{ matrix.arch }}' \
+            --statement-id 'PublicLayer' \
+            --action lambda:GetLayerVersion \
+            --principal '*' \
+            --version-number "$LAYER_VERSION"
+      - name: Verify Layer
+        env:
+          LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+        run: |
+          REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text)
+          SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
+          test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+          aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --output table
+
+  copy_west:
+    name: Copy (West)
+    needs: download
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      matrix:
+        layer:
+          - AWSLambdaPowertoolsPythonV3-python38
+          - AWSLambdaPowertoolsPythonV3-python39
+          - AWSLambdaPowertoolsPythonV3-python310
+          - AWSLambdaPowertoolsPythonV3-python311
+          - AWSLambdaPowertoolsPythonV3-python312
+          - AWSLambdaPowertoolsPythonV3-python313
+        arch:
+          - arm64
+          - x86_64
+    environment:
+      name: GovCloud ${{ inputs.environment }} (West)
+    steps:
+      - name: Download Zip
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
+      - name: Download Metadata
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ${{ matrix.layer }}_${{ matrix.arch }}.json
+      - name: Verify Layer Signature
+        run: |
+          SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
+          test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+          aws-region: us-gov-west-1
+          mask-aws-account-id: true
+      - name: Create Layer
+        id: create-layer
+        run: |
+          LAYER_VERSION=$(aws --region us-gov-west-1 lambda publish-layer-version \
+            --layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
+            --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \
+            --compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+            --compatible-architectures "$(jq  -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+            --license-info "MIT-0" \
+            --description "$(jq -r '.Description' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+            --query 'Version' \
+            --output text)
+
+          echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
+
+          aws --region us-gov-west-1 lambda add-layer-version-permission \
+            --layer-name '${{ matrix.layer }}-${{ matrix.arch }}' \
+            --statement-id 'PublicLayer' \
+            --action lambda:GetLayerVersion \
+            --principal '*' \
+            --version-number "$LAYER_VERSION"
+      - name: Verify Layer
+        env:
+          LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+        run: |
+          REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text)
+          SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
+          test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+          aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --output table