IABTechLab
diff --git a/‎.github/actions/build_aws_eif/action.yaml‎
Lines changed: 2 additions & 0 deletions b/‎.github/actions/build_aws_eif/action.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎scripts/aws/UID_CloudFormation.template.yml‎
Lines changed: 56 additions & 0 deletions b/‎scripts/aws/UID_CloudFormation.template.yml‎
Lines changed: 56 additions & 0 deletions
@@ -97,6 +97,7 @@ runs:
         cp ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt                                       ${ARTIFACTS_OUTPUT_DIR}/
         cp ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/version_number.txt                                       ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/ec2.py                                                                                   ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/autoupdate.py                                                                            ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/confidential_compute.py                                                                      ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/requirements.txt                                                                         ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/proxies.host.yaml                                                                        ${ARTIFACTS_OUTPUT_DIR}/
@@ -112,6 +113,7 @@ runs:
         cp ./scripts/aws/logrotate/operator-logrotate.conf                                                        ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/logrotate/logrotate                                                                      ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/logrotate/logrotateDaily                                                                 ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/logrotate/autoupdate                                                                     ${ARTIFACTS_OUTPUT_DIR}/
         cp -r ./scripts/aws/config-server                                                                         ${ARTIFACTS_OUTPUT_DIR}/
 
         docker cp amazonlinux:/sockd                                    ${ARTIFACTS_OUTPUT_DIR}/
 
@@ -136,6 +136,9 @@ Resources:
               - 'kms:GenerateDataKey*'
               - 'kms:Describe*'
             Resource: '*'
+      Tags:
+        - Key: Project
+          Value: UID2
   SSMKEYAlias:
     Type: AWS::KMS::Alias
     Properties:
@@ -164,6 +167,9 @@ Resources:
           - Ref: DeployToEnvironment
           - '"'
           - '}'
+      Tags:
+        - Key: Project
+          Value: UID2
   WorkerRole:
     Type: 'AWS::IAM::Role'
     Properties:
@@ -190,14 +196,46 @@ Resources:
               - Effect: Allow
                 Action: 'secretsmanager:GetSecretValue'
                 Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:uid2-config-stack-${AWS::StackName}*'
+              - Sid: EC2LaunchTemplateWrite
+                Effect: Allow
+                Action:
+                  - 'ec2:CreateLaunchTemplateVersion'
+                Resource:
+                  - 'arn:aws:ec2:*:*:launch-template/*'
+                Condition:
+                  StringEquals:
+                    'aws:ResourceTag/Project': 'UID2'
+              - Sid: AutoScalingReadPermissions
+                Effect: Allow
+                Action:
+                  - 'autoscaling:DescribeAutoScalingInstances'
+                  - 'autoscaling:DescribeAutoScalingGroups'
+                  - 'autoscaling:DescribeInstanceRefreshes'
+                Resource: '*'
+              - Sid: AutoScalingWritePermissions
+                Effect: Allow
+                Action:
+                  - 'autoscaling:UpdateAutoScalingGroup'
+                  - 'autoscaling:StartInstanceRefresh'
+                Resource:
+                  - 'arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*'
+                Condition:
+                  StringEquals:
+                    'aws:ResourceTag/Project': 'UID2'
       ManagedPolicyArns:
         - 'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy'
+      Tags:
+        - Key: Project
+          Value: UID2
   WorkerInstanceProfile:
     Type: 'AWS::IAM::InstanceProfile'
     Properties:
       Path: /
       Roles:
         - !Ref WorkerRole
+      Tags:
+        - Key: Project
+          Value: UID2
   SecurityGroup:
     Type: 'AWS::EC2::SecurityGroup'
     Properties:
@@ -230,6 +268,9 @@ Resources:
           CidrIp: 0.0.0.0/0
           Description: "Allow Outbound DNS"
       VpcId: !Ref VpcId
+      Tags:
+        - Key: Project
+          Value: UID2
   LaunchTemplate:
     Type: AWS::EC2::LaunchTemplate
     Properties:
@@ -261,6 +302,18 @@ Resources:
           HttpTokens: required # Enforces IMDSv2
           HttpPutResponseHopLimit: 1
           InstanceMetadataTags: enabled
+        TagSpecifications:
+          - ResourceType: instance
+            Tags:
+              - Key: Project
+                Value: UID2
+          - ResourceType: volume
+            Tags:
+              - Key: Project
+                Value: UID2
+      Tags:
+        - Key: Project
+          Value: UID2
   AutoScalingGroup:
     Type: AWS::AutoScaling::AutoScalingGroup
     DependsOn:
@@ -283,6 +336,9 @@ Resources:
       - Key: Name
         Value: 'UID2 Instance'
         PropagateAtLaunch: true
+      - Key: Project
+        Value: UID2
+        PropagateAtLaunch: true
     CreationPolicy:
       ResourceSignal:
         Count: 1