Publish private extension images to serverless-testing account

Update build_private_image.sh to push to 093468662994
(serverless-testing) instead of 425362996713 (sandbox).

The self-monitoring container runtimes (LOD, LMI) run in
093468662994, so co-locating the extension images there
removes the need for cross-account ECR pulls during CDK
Docker builds.

Author: duncanista

.gitlab/datasources/environments.yaml

@@ -5,6 +5,10 @@ environments:
     account: 425362996713
     add_layer_version_permissions: 0
     automatically_bump_version: 1
+  serverless_testing:
+    external_id: serverless-testing-publish-externalid
+    role_to_assume: lambda-extension-image-publisher
+    account: 093468662994
   prod:
     external_id: prod-publish-externalid
     role_to_assume: dd-serverless-layer-deployer-role

.gitlab/scripts/build_private_image.sh

@@ -7,17 +7,17 @@
 
 set -e
 
-DOCKER_TARGET_IMAGE="425362996713.dkr.ecr.us-east-1.amazonaws.com/self-monitoring-lambda-extension"
+# ECR target for private extension images, used by self-monitoring container runtimes.
+# Defaults to the serverless-testing account's datadog-lambda-extension repo.
+PRIVATE_IMAGE_ECR_ACCOUNT="${PRIVATE_IMAGE_ECR_ACCOUNT:-093468662994}"
+PRIVATE_IMAGE_ECR_REPO="${PRIVATE_IMAGE_ECR_REPO:-datadog-lambda-extension}"
+DOCKER_TARGET_IMAGE="${PRIVATE_IMAGE_ECR_ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com/${PRIVATE_IMAGE_ECR_REPO}"
 EXTENSION_DIR=".layers"
 IMAGE_TAG="latest"
 
-printf "Authenticating Docker to ECR...\n"
-aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 425362996713.dkr.ecr.us-east-1.amazonaws.com
+printf "Authenticating Docker to ECR (%s)...\n" "$PRIVATE_IMAGE_ECR_ACCOUNT"
+aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "${PRIVATE_IMAGE_ECR_ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com"
 
-# NOTE: this probably does not work the way that we expect it to, especially
-# when suffixes are involved. This is a known bug but we don't really check
-# anything other than the basic `self-monitoring-lambda-extension:latest` image
-# in our self-monitoring, so it's not a thing we're going to fix right now.
 LAYER_NAME="Datadog-Extension"
 if [ -z "$PIPELINE_LAYER_SUFFIX" ]; then
     printf "Building container images tagged without suffix\n"
@@ -26,8 +26,11 @@ else
     LAYER_NAME="${LAYER_NAME}-${PIPELINE_LAYER_SUFFIX}"
 fi
 
-# Increment last version
-latest_version=$(aws lambda list-layer-versions --region us-east-1 --layer-name $LAYER_NAME --query 'LayerVersions[0].Version || `0`')
+# Get the latest published layer version to derive the image tag.
+# Layers are published in the sandbox account (425362996713), so query there
+# regardless of which account we're pushing images to.
+SANDBOX_ACCOUNT="425362996713"
+latest_version=$(aws lambda list-layer-versions --region us-east-1 --layer-name "arn:aws:lambda:us-east-1:${SANDBOX_ACCOUNT}:layer:${LAYER_NAME}" --query 'LayerVersions[0].Version || `0`')
 VERSION=$(($latest_version + 1))
 printf "Tagging container image with version: $VERSION and latest\n"
 
@@ -39,4 +42,4 @@ docker buildx build \
     --tag "$DOCKER_TARGET_IMAGE:${VERSION}${SUFFIX}" \
     --push .
 
-printf "Image built and pushed to $DOCKER_TARGET_IMAGE:${IMAGE_TAG}${SUFFIX} for ${PLATFORM}\n"
+printf "Image built and pushed to $DOCKER_TARGET_IMAGE:${IMAGE_TAG}${SUFFIX}\n"

.gitlab/templates/pipeline.yaml.tpl

@@ -235,7 +235,7 @@ publish private images ({{ $multi_arch_image_flavor.name }}):
   variables:
     SUFFIX: {{ $multi_arch_image_flavor.suffix }}
   before_script:
-    {{ with $environment := (ds "environments").environments.sandbox }}
+    {{ with $environment := (ds "environments").environments.serverless_testing }}
     - EXTERNAL_ID_NAME={{ $environment.external_id }} ROLE_TO_ASSUME={{ $environment.role_to_assume }} AWS_ACCOUNT={{ $environment.account }} source .gitlab/scripts/get_secrets.sh
     {{ end }}
   script: