
Commit 456dda0

authored
chore: source controlling cfn templates that will be used for our release process (#345)
* chore: Adding cfn template for the release CodeBuild project * chore: Adding parameter map and CodeArtifact cfn template * chore: removing cloud designer metadata
1 parent 291be0a commit 456dda0


3 files changed

+293
-0
lines changed


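--- a/cfn/code_artifact.yml
+++ b/cfn/code_artifact.yml
@@ -0,0 +1,44 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+AWSTemplateFormatVersion: 2010-09-09
+Description: "Template for CodeArtifact repositories. Creates Domain if CreateDomainFlag is True"
+Parameters:
+  DomainName:
+    Type: String
+    Description: The name of the CodeArtifact Domain
+    Default: crypto-tools-internal
+  RepositoryName:
+    Type: String
+    Description: Base Name for the Repositories
+    Default: esdk-java
+  CreateDomainFlag:
+    Type: String
+    Description: Attempt to create Domain or not
+    Default: False
+    AllowedValues:
+      - True
+      - False
+
+Conditions:
+  CreateDomain: !Equals
+    - !Ref CreateDomainFlag
+    - True
+
+Resources:
+  Domain:
+    Type: AWS::CodeArtifact::Domain
+    Condition: CreateDomain
+    Properties:
+      DomainName: !Ref DomainName
+
+  CIRepo:
+    Type: AWS::CodeArtifact::Repository
+    Properties:
+      DomainName: !Ref DomainName
+      RepositoryName: !Sub "${RepositoryName}-ci"
+
+  StagingRepo:
+    Type: AWS::CodeArtifact::Repository
+    Properties:
+      DomainName: !Ref DomainName
+      RepositoryName: !Sub "${RepositoryName}-staging"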
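Review bot: When CreateDomainFlag is True, CIRepo and StagingRepo (lines 34–44) take their DomainName from the parameter rather than from the Domain resource, so CloudFormation sees no ordering dependency and may try to create the repositories before the domain exists. Deriving the name from the resource when it is being created makes the dependency implicit: `DomainName: !If [CreateDomain, !GetAtt Domain.Name, !Ref DomainName]` on both repositories. Separately, the unquoted `True`/`False` in Default, AllowedValues and the `!Equals` operand (lines 17–20, 25) read as booleans to YAML 1.1 parsers and linters even though the parameter is a String; quoting them (`Default: "False"`, `- "True"`) keeps the parameter and the condition unambiguous.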

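--- a/cfn/code_build_parameter_map.json
+++ b/cfn/code_build_parameter_map.json
@@ -0,0 +1,6 @@
+{
+  "NumberOfBuildsInBatch": 50,
+  "ProjectDescription": "CD for Java ESDK",
+  "ProjectName": "java-esdk",
+  "SourceLocation": "https://github.com/aws/aws-encryption-sdk-java.git"
+}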

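--- a/cfn/prod-release.yml
+++ b/cfn/prod-release.yml
@@ -0,0 +1,243 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+AWSTemplateFormatVersion: 2010-09-09
+Description: >-
+  Template to build a CodeBuild Project, assumes that GitHub credentials are
+  already set up.
+Parameters:
+  ProjectName:
+    Type: String
+    Description: The name of the CodeBuild Project
+    Default: java-esdk-prod
+  ProjectDescription:
+    Type: String
+    Description: The description for the CodeBuild Project
+    Default: CFN stack for managing CodeBuild Release project for the ESDK-Java
+  SourceLocation:
+    Type: String
+    Description: The https GitHub URL for the project
+    Default: "https://github.com/aws/aws-encryption-sdk-java.git"
+  NumberOfBuildsInBatch:
+    Type: Number
+    MaxValue: 100
+    MinValue: 1
+    Default: 10
+    Description: The number of builds you expect to run in a batch
+Metadata:
+  "AWS::CloudFormation::Interface":
+    ParameterGroups:
+      - Label:
+          default: Crypto Tools CodeBuild Project Template
+        Parameters:
+          - ProjectName
+          - ProjectDescription
+          - SourceLocation
+Resources:
+  CodeBuildProjectRelease:
+    Type: "AWS::CodeBuild::Project"
+    Properties:
+      Name: !Sub "${ProjectName}-release-prod"
+      Description: !Sub "CodeBuild project for ${ProjectName} to release to Sonatype."
+      Source:
+        Location: !Ref SourceLocation
+        BuildSpec: codebuild/release/prod-release.yml
+        GitCloneDepth: 1
+        GitSubmodulesConfig:
+          FetchSubmodules: false
+        InsecureSsl: false
+        ReportBuildStatus: false
+        Type: GITHUB
+      Artifacts:
+        Type: NO_ARTIFACTS
+      Cache:
+        Type: NO_CACHE
+      Environment:
+        ComputeType: BUILD_GENERAL1_LARGE
+        Image: "aws/codebuild/standard:4.0"
+        ImagePullCredentialsType: CODEBUILD
+        PrivilegedMode: false
+        Type: LINUX_CONTAINER
+      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+      TimeoutInMinutes: 60
+      QueuedTimeoutInMinutes: 480
+      EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+      BadgeEnabled: false
+      BuildBatchConfig:
+        ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+        Restrictions:
+          MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+          ComputeTypesAllowed:
+            - BUILD_GENERAL1_SMALL
+            - BUILD_GENERAL1_MEDIUM
+            - BUILD_GENERAL1_LARGE
+        TimeoutInMins: 480
+      LogsConfig:
+        CloudWatchLogs:
+          Status: ENABLED
+        S3Logs:
+          Status: DISABLED
+          EncryptionDisabled: false
+  CodeBuildServiceRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      Path: /service-role/
+      RoleName: !Sub "codebuild-${ProjectName}-service-role"
+      AssumeRolePolicyDocument: >-
+        {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+      MaxSessionDuration: 3600
+      ManagedPolicyArns:
+        - !Ref CryptoToolsKMS
+        - !Ref CodeBuildBatchPolicy
+        - !Ref CodeBuildBasePolicy
+        - !Ref SecretsManagerPolicy
+        - !Ref ParameterStorePolicy
+        - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
+        - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+  CodeBuildBatchPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub >-
+        CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role
+      Path: /service-role/
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release",
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release",
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
+              ],
+              "Action": [
+                "codebuild:StartBuild",
+                "codebuild:StopBuild",
+                "codebuild:RetryBuild"
+              ]
+            }
+          ]
+        }
+  CodeBuildBasePolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
+      Path: /service-role/
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
+              ],
+              "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:s3:::codepipeline-${AWS::Region}-*"
+              ],
+              "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:GetObjectVersion",
+                "s3:GetBucketAcl",
+                "s3:GetBucketLocation"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Action": [
+                "codebuild:CreateReportGroup",
+                "codebuild:CreateReport",
+                "codebuild:UpdateReport",
+                "codebuild:BatchPutTestCases",
+                "codebuild:BatchPutCodeCoverages"
+              ],
+              "Resource": [
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
+              ]
+            }
+          ]
+        }
+  AccountIdParameter:
+    Type: "AWS::SSM::Parameter"
+    Properties:
+      Description: Parameter to store our account id so CodeBuild specs can access it
+      Name: /CodeBuild/AccountId
+      Type: String
+      Value: !Sub "${AWS::AccountId}"
+  SecretsManagerPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
+      Path: /service-role/
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+                "arn:aws:secretsmanager:us-west-2:587316601012:secret:Maven-GPG-Keys-Credentials-C0wCzI",
+              ],
+              "Action": "secretsmanager:GetSecretValue"
+            }
+          ]
+        }
+  CryptoToolsKMS:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub >-
+        CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role
+      Path: /service-role/
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:kms:*:658956600833:key/*",
+                "arn:aws:kms:*:658956600833:alias/*"
+              ],
+              "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:GenerateDataKey"
+              ]
+            }
+          ]
+        }
+  ParameterStorePolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}-release"
+      Path: /service-role/
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CodeBuild/*"
+              ],
+              "Action": "ssm:GetParameters"
+            }
+          ]
+        }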
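Review bot: The SecretsManagerPolicy document carries a trailing comma after the third secret ARN (line 196, directly before `],`), which makes the policy JSON invalid and should cause IAM to reject the managed policy when the stack is created; drop the comma. The project is named `${ProjectName}-release-prod` (line 40), but CodeBuildBatchPolicy and CodeBuildBasePolicy scope their project and log-group ARNs to `${ProjectName}-prod-release` and `${ProjectName}-test-release` (lines 110–111, 134–139), so batch StartBuild and the default `/aws/codebuild/<project-name>` log group for the project as actually named appear to fall outside the grants unless one side is renamed. On least privilege, `AWSCodeArtifactAdminAccess` (line 96) already subsumes the ReadOnly policy on line 95 and is broader than a publishing role needs, and the KMS statement (lines 215–216) covers every key and alias in account 658956600833 where the specific key ARN the release uses would do. `CrypotToolsKMSPolicy` on line 206 looks like a typo for `CryptoToolsKMSPolicy`; because it is the ManagedPolicyName, correcting it later will force a policy replacement, so it is cheaper to fix now.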
