
Commit 7b1ffbd

authored
chore(CFN): add staging CB cfn (#210)
1 parent 013af5c commit 7b1ffbd


3 files changed

+271
-0
lines changed


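--- /dev/null
+++ b/cfn/CB-Staging.yml
@@ -0,0 +1,243 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+AWSTemplateFormatVersion: 2010-09-09
+Description: >-
+  Template to build a CodeBuild Project, assumes that GitHub credentials are
+  already set up.
+Parameters:
+  ProjectName:
+    Type: String
+    Description: The name of the CodeBuild Project
+    Default: AWS-DBESDK-DDB-Java
+  ProjectDescription:
+    Type: String
+    Description: The description for the CodeBuild Project
+    Default: CFN stack for managing CodeBuild projects for the AWS DBESDK DDB Java
+  SourceLocation:
+    Type: String
+    Description: The https GitHub URL for the project
+    Default: "https://github.com/awslabs/aws-dynamodb-encryption-dafny.git"
+  NumberOfBuildsInBatch:
+    Type: Number
+    MaxValue: 100
+    MinValue: 1
+    Default: 16
+    Description: The number of builds you expect to run in a batch
+Metadata:
+  "AWS::CloudFormation::Interface":
+    ParameterGroups:
+      - Label:
+          default: Crypto Tools CodeBuild Project Template
+        Parameters:
+          - ProjectName
+          - ProjectDescription
+          - SourceLocation
+Resources:
+  CodeBuildProjectRelease:
+    Type: "AWS::CodeBuild::Project"
+    Properties:
+      Name: !Sub "${ProjectName}-Release"
+      Description: !Sub "CodeBuild project for ${ProjectName} to release to Sonatype."
+      Source:
+        Location: !Ref SourceLocation
+        BuildSpec: codebuild/release/release.yml
+        ## https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html#cfn-codebuild-project-source-gitclonedepth
+        ## If this value is 0, greater than 25, or not provided then the full history is downloaded with each build project.
+        GitCloneDepth: 0
+        GitSubmodulesConfig:
+          FetchSubmodules: true
+        InsecureSsl: false
+        ReportBuildStatus: false
+        Type: GITHUB
+      Artifacts:
+        Type: NO_ARTIFACTS
+      Cache:
+        Type: NO_CACHE
+      Environment:
+        ComputeType: BUILD_GENERAL1_LARGE
+        Image: "aws/codebuild/standard:5.0"
+        ImagePullCredentialsType: CODEBUILD
+        PrivilegedMode: false
+        Type: LINUX_CONTAINER
+      ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn
+      TimeoutInMinutes: 60
+      QueuedTimeoutInMinutes: 480
+      EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+      BadgeEnabled: false
+      BuildBatchConfig:
+        ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn
+        Restrictions:
+          MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+          ComputeTypesAllowed:
+            - BUILD_GENERAL1_SMALL
+            - BUILD_GENERAL1_MEDIUM
+            - BUILD_GENERAL1_LARGE
+        TimeoutInMins: 480
+      LogsConfig:
+        CloudWatchLogs:
+          Status: ENABLED
+        S3Logs:
+          Status: DISABLED
+          EncryptionDisabled: false
+
+  CodeBuildServiceRoleRelease:
+    Type: "AWS::IAM::Role"
+    Properties:
+      Path: /service-role/
+      RoleName: !Sub "codebuild-${ProjectName}-service-role-release"
+      AssumeRolePolicyDocument: >-
+        {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+      MaxSessionDuration: 3600
+      ManagedPolicyArns:
+        - !Ref CodeBuildBatchPolicyRelease
+        - !Ref CodeBuildBasePolicy
+        - !Ref SecretsManagerPolicyRelease
+        - !Ref ParameterStorePolicy
+        - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
+        - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+
+  CodeBuildBatchPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub >-
+        CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role
+      Path: /service-role/
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release",
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
+              ],
+              "Action": [
+                "codebuild:StartBuild",
+                "codebuild:StopBuild",
+                "codebuild:RetryBuild",
+                "codebuild:BatchGetBuilds"
+              ]
+            }
+          ]
+        }
+
+  CodeBuildBatchPolicyRelease:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub >-
+        CodeBuildBuildBatchPolicy-${ProjectName}-Release-${AWS::Region}-codebuild-${ProjectName}-release-service-role
+      Path: /service-role/
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:codebuild:us-west-2:${AWS::AccountId}:project/${ProjectName}-Release"
+              ],
+              "Action": [
+                "codebuild:StartBuild",
+                "codebuild:StopBuild",
+                "codebuild:RetryBuild"
+              ]
+            }
+          ]
+        }
+
+  CodeBuildBasePolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
+      Path: /service-role/
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release:*"
+              ],
+              "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents",
+                "logs:GetLogEvents"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:s3:::codepipeline-${AWS::Region}-*"
+              ],
+              "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:GetObjectVersion",
+                "s3:GetBucketAcl",
+                "s3:GetBucketLocation"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Action": [
+                "codebuild:CreateReportGroup",
+                "codebuild:CreateReport",
+                "codebuild:UpdateReport",
+                "codebuild:BatchPutTestCases",
+                "codebuild:BatchPutCodeCoverages"
+              ],
+              "Resource": [
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
+              ]
+            }
+          ]
+        }
+
+  SecretsManagerPolicyRelease:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-Release"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-xjAvTM",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-Credentials-eBrSNB",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
+              ],
+              "Action": "secretsmanager:GetSecretValue"
+            }
+          ]
+        }
+
+  ParameterStorePolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}"
+      Path: /service-role/
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CodeBuild/*"
+              ],
+              "Action": "ssm:GetParameters"
+            }
+          ]
+        }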
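Review bot: The trust policy of CodeBuildServiceRoleRelease (new lines 88–89) grants `codebuild.amazonaws.com` sts:AssumeRole with no `aws:SourceAccount`/`aws:SourceArn` condition, which is the confused-deputy scoping the CodeBuild documentation recommends for service roles; because the document is a plain `>-` scalar, adding it also means switching to `AssumeRolePolicyDocument: !Sub >-` with the body `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"aws:SourceAccount":"${AWS::AccountId}"}}}]}`. On the same role, `AWSCodeArtifactAdminAccess` (line 97) is a superset of `AWSCodeArtifactReadOnlyAccess` (line 96), so the read-only policy is redundant, and account-wide CodeArtifact administration is broad for a role that can also read the GPG signing keys and Sonatype credentials listed at lines 214–219; if the release only publishes to one domain/repository, an inline policy scoped to that resource would be preferable. `CodeBuildBatchPolicyRelease` (line 138) and `SecretsManagerPolicyRelease` (lines 214–219) hard-code `us-west-2` while every other ARN in the template uses `${AWS::Region}`, so a deployment in any other region would produce a batch policy naming a project that does not exist; if the secrets deliberately live in us-west-2, a `# ` comment above those resources should say so. Finally, `CodeBuildBatchPolicy` (line 99) is not referenced by any role in this template, so it appears to be dead — either attach it or drop it.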

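--- a/cfn/CI.yaml
+++ b/cfn/CI.yaml
@@ -323,6 +323,13 @@ Resources:
               "Effect": "Allow",
               "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" },
               "Action": "sts:AssumeRole"
+            },
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-MPL-Java-service-role-release"
+              },
+              "Action": "sts:AssumeRole"
             }
           ]
         }
@@ -364,6 +371,13 @@ Resources:
               "Effect": "Allow",
               "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" },
               "Action": "sts:AssumeRole"
+            },
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-MPL-Java-service-role-release"
+              },
+              "Action": "sts:AssumeRole"
             }
           ]
         }
@@ -405,6 +419,13 @@ Resources:
               "Effect": "Allow",
               "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" },
               "Action": "sts:AssumeRole"
+            },
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-MPL-Java-service-role-release"
+              },
+              "Action": "sts:AssumeRole"
             }
           ]
         }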
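Review bot: All three hunks add the same literal principal `arn:aws:iam::587316601012:role/service-role/codebuild-AWS-MPL-Java-service-role-release` to a role trust policy with nothing in the diff saying why an MPL-Java release build needs to assume these roles, and the literal account ID sits two lines below a `${AWS::AccountId}`-based ToolsDevelopment principal, so a reader cannot tell whether this is a cross-account trust or the same account spelled out. If it is the same account, write it as `"AWS": "arn:aws:iam::${AWS::AccountId}:role/service-role/codebuild-AWS-MPL-Java-service-role-release"` for consistency; if it is a different account, a `# ` comment above each affected role (outside the `!Sub |` block, since a `#` inside it would become part of the JSON) should name that account and the purpose of the trust. Because the ARN is repeated verbatim three times, a template parameter such as `MplJavaReleaseRoleArn` substituted as `"AWS": "${MplJavaReleaseRoleArn}"` would keep the copies from drifting and avoid hard-coding a foreign account ID in source. The roles whose trust policies these hunks extend begin and end outside the hunks, so what the new principal gains by assuming them cannot be reviewed here.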

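--- /dev/null
+++ b/cfn/code_build_parameter_map.json
@@ -0,0 +1,7 @@
+{
+  "NumberOfBuildsInBatch": 50,
+  "ProjectDescription": "CD for Java DBESDK DDB",
+  "ProjectName": "AWS-DBESDK-DDB-Java",
+  "SourceLocation": "https://github.com/awslabs/aws-dynamodb-encryption-dafny.git"
+}
+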
