Add signing parameters to cfn template

moskyb · moskyb · commit af9170ad1dc8 · 2023-11-20T14:42:08.000+11:00
diff --git a/packer/linux/conf/bin/bk-install-elastic-stack.sh b/packer/linux/conf/bin/bk-install-elastic-stack.sh
@@ -292,6 +292,44 @@ tracing-backend=${BUILDKITE_AGENT_TRACING_BACKEND}
 cancel-grace-period=${BUILDKITE_AGENT_CANCEL_GRACE_PERIOD}
 EOF
 
+if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_PATH" ]]; then
+  echo "Fetching signing key from ssm: $BUILDKITE_AGENT_SIGNING_KEY_PATH..."
+
+  keyfile=/etc/buildkite-agent/signing-key.json
+
+  aws ssm get-parameter \
+    --name "$BUILDKITE_AGENT_SIGNING_KEY_PATH" \
+    --with-decryption \
+    --query Parameter.Value \
+    --output text >"$keyfile"
+
+  echo "Setting ownership of $keyfile to buildkite-agent..."
+  chown buildkite-agent: "$keyfile"
+
+  echo "signing-jwks-file=$keyfile" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
+if [[ -n "$BUILDKITE_AGENT_VERIFICATION_KEY_ID" ]]; then
+  echo "signing-jwks-key-id=$BUILDKITE_AGENT_VERIFICATION_KEY_ID" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
+if [[ -n "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" ]]; then
+  echo "Fetching signing key from ssm: $BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
+
+  keyfile=/etc/buildkite-agent/verification-key.json
+
+  aws ssm get-parameter \
+    --name "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" \
+    --with-decryption \
+    --query Parameter.Value \
+    --output text >"$keyfile"
+
+  echo "Setting ownership of $keyfile to buildkite-agent..."
+  chown buildkite-agent: "$keyfile"
+
+  echo "verification-jwks-file=$keyfile" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
 if [[ "${BUILDKITE_ENV_FILE_URL}" != "" ]]; then
   echo "Fetching env file from ${BUILDKITE_ENV_FILE_URL}..."
   /usr/local/bin/bk-fetch.sh "${BUILDKITE_ENV_FILE_URL}" /var/lib/buildkite-agent/env
diff --git a/packer/windows/conf/bin/bk-install-elastic-stack.ps1 b/packer/windows/conf/bin/bk-install-elastic-stack.ps1
@@ -150,6 +150,38 @@ tracing-backend=${Env:BUILDKITE_AGENT_TRACING_BACKEND}
 "@
 $OFS=" "
 
+If (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_SIGNING_KEY_PATH)) {
+  Write-Output "Fetching signing key from ssm: $Env:BUILDKITE_AGENT_SIGNING_KEY_PATH..."
+
+  $keyfile=C:\buildkite-agent\signing-key.json
+
+  aws ssm get-parameter `
+    --name "$Env:BUILDKITE_AGENT_SIGNING_KEY_PATH" `
+    --with-decryption `
+    --query Parameter.Value `
+    --output text >"$keyfile"
+
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-file=$keyfile"
+}
+
+if (![string]::IsNullOrEmpty)($Env:BUILDKITE_AGENT_SIGNING_KEY_ID) {
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-key-id=$Env:BUILDKITE_AGENT_SIGNING_KEY_ID"
+}
+
+if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH)) {
+  Write-Output "Fetching verification key from ssm: $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
+
+  $keyfile=C:\buildkite-agent\verification-key.json
+
+  aws ssm get-parameter `
+    --name "$Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH" `
+    --with-decryption `
+    --query Parameter.Value `
+    --output text >"$keyfile"
+
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "verification-jwks-file=$keyfile"
+}
+
 nssm set lifecycled AppEnvironmentExtra +AWS_REGION=$Env:AWS_REGION
 nssm set lifecycled AppEnvironmentExtra +LIFECYCLED_HANDLER="C:\buildkite-agent\bin\stop-agent-gracefully.ps1"
 Restart-Service lifecycled
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
@@ -49,6 +49,9 @@ Metadata:
         - BuildkiteWindowsAdministrator
         - BuildkiteAgentScalerServerlessARN
         - BuildkiteAgentScalerVersion
+        - BuildkiteAgentSigningKeySSMParameter
+        - BuildkiteAgentSigningKeyID
+        - BuildkiteAgentVerificationKeySSMParameter
 
       - Label:
           default: Network Configuration
@@ -195,6 +198,25 @@ Parameters:
       - "opentelemetry"
     Default: ""
 
+  BuildkiteAgentSigningKeySSMParameter:
+    Description: Existing SSM Parameter Store path to the to a JSON Web Key Set (JWKS) containing a key to sign jobs with.
+    Type: String
+    Default: ""
+    AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
+    ConstraintDescription: "Expects a leading forward slash"
+
+  BuildkiteAgentSigningKeyID:
+    Description: The ID of the key in the JWKS to use for signing jobs. If not specified, and the JWKS contains only one key, that key will be used.
+    Type: String
+    Default: ""
+
+  BuildkiteAgentVerificationKeySSMParameter:
+    Description: Existing SSM Parameter Store path to the to a JSON Web Key Set (JWKS) containing keys with which to verify jobs.
+    Type: String
+    Default: ""
+    AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
+    ConstraintDescription: "Expects a leading forward slash"
+
   BuildkiteAgentCancelGracePeriod:
     Description: The number of seconds a canceled or timed out job is given to gracefully terminate and upload its artifacts.
     Type: Number
@@ -1179,6 +1201,9 @@ Resources:
                   $Env:BUILDKITE_AGENT_TIMESTAMP_LINES="${BuildkiteAgentTimestampLines}"
                   $Env:BUILDKITE_AGENT_EXPERIMENTS="${BuildkiteAgentExperiments}"
                   $Env:BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}"
+                  $Env:BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}" \
+                  $Env:BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyId}" \
+                  $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}" \
                   $Env:BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}"
                   $Env:BUILDKITE_QUEUE="${BuildkiteQueue}"
                   $Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}"
@@ -1236,6 +1261,9 @@ Resources:
                   BUILDKITE_AGENT_TIMESTAMP_LINES="${BuildkiteAgentTimestampLines}" \
                   BUILDKITE_AGENT_EXPERIMENTS="${BuildkiteAgentExperiments}" \
                   BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}" \
+                  BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}" \
+                  BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyId}" \
+                  BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}" \
                   BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \
                   BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \
                   BUILDKITE_QUEUE="${BuildkiteQueue}" \
