
Commit ecc17a6

chore: updating prod template to remove resources and abstract ones (#354)
* chore: removing extra log policy that is not needed for prod-release * chore: adding aws account id substitution * chore: adding accountid back to managepolicy * chore: correctly formatting secrets policy * chore: rename file and adding cfn template for our CI project * chore: format json * style: add new line between resources
1 parent 3339c20 commit ecc17a6


1 file changed

+117
-24
lines changed


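--- a/cfn/prod-release.yml
+++ b/cfn/ci_cd.yml
@@ -9,11 +9,11 @@ Parameters:
 ProjectName:
 Type: String
 Description: The name of the CodeBuild Project
-Default: java-esdk-prod
+Default: AWS-ESDK-Java
 ProjectDescription:
 Type: String
 Description: The description for the CodeBuild Project
-Default: CFN stack for managing CodeBuild Release project for the ESDK-Java
+Default: CFN stack for managing CodeBuild projects for the AWS ESDK Java
 SourceLocation:
 Type: String
 Description: The https GitHub URL for the project
@@ -22,7 +22,7 @@ Parameters:
 Type: Number
 MaxValue: 100
 MinValue: 1
-Default: 10
+Default: 16
 Description: The number of builds you expect to run in a batch
 Metadata:
 "AWS::CloudFormation::Interface":
@@ -34,14 +34,65 @@ Metadata:
 - ProjectDescription
 - SourceLocation
 Resources:
+CodeBuildProjectCI:
+Type: "AWS::CodeBuild::Project"
+Properties:
+Name: !Sub "${ProjectName}-CI"
+Description: !Sub "CI for the Java ESDK"
+Source:
+Location: !Ref SourceLocation
+BuildSpec: codebuild/ci/ci.yml
+GitCloneDepth: 1
+GitSubmodulesConfig:
+FetchSubmodules: false
+InsecureSsl: false
+ReportBuildStatus: false
+Type: GITHUB
+Triggers:
+BuildType: BUILD_BATCH
+Webhook: true
+FilterGroups:
+- - Type: EVENT
+Pattern: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED
+Artifacts:
+Type: NO_ARTIFACTS
+Cache:
+Type: NO_CACHE
+Environment:
+ComputeType: BUILD_GENERAL1_LARGE
+Image: "aws/codebuild/standard:5.0"
+ImagePullCredentialsType: CODEBUILD
+PrivilegedMode: false
+Type: LINUX_CONTAINER
+ServiceRole: !GetAtt CodeBuildServiceRoleCI.Arn
+TimeoutInMinutes: 60
+QueuedTimeoutInMinutes: 480
+EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+BadgeEnabled: false
+BuildBatchConfig:
+ServiceRole: !GetAtt CodeBuildServiceRoleCI.Arn
+Restrictions:
+MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+ComputeTypesAllowed:
+- BUILD_GENERAL1_SMALL
+- BUILD_GENERAL1_MEDIUM
+- BUILD_GENERAL1_LARGE
+TimeoutInMins: 480
+LogsConfig:
+CloudWatchLogs:
+Status: ENABLED
+S3Logs:
+Status: DISABLED
+EncryptionDisabled: false
+
 CodeBuildProjectRelease:
 Type: "AWS::CodeBuild::Project"
 Properties:
-Name: !Sub "${ProjectName}-release-prod"
+Name: !Sub "${ProjectName}-Release"
 Description: !Sub "CodeBuild project for ${ProjectName} to release to Sonatype."
 Source:
 Location: !Ref SourceLocation
-BuildSpec: codebuild/release/prod-release.yml
+BuildSpec: codebuild/release/release.yml
 GitCloneDepth: 1
 GitSubmodulesConfig:
 FetchSubmodules: false
@@ -54,17 +105,17 @@ Resources:
 Type: NO_CACHE
 Environment:
 ComputeType: BUILD_GENERAL1_LARGE
-Image: "aws/codebuild/standard:4.0"
+Image: "aws/codebuild/standard:5.0"
 ImagePullCredentialsType: CODEBUILD
 PrivilegedMode: false
 Type: LINUX_CONTAINER
-ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn
 TimeoutInMinutes: 60
 QueuedTimeoutInMinutes: 480
 EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
 BadgeEnabled: false
 BuildBatchConfig:
-ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn
 Restrictions:
 MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
 ComputeTypesAllowed:
@@ -78,22 +129,41 @@ Resources:
 S3Logs:
 Status: DISABLED
 EncryptionDisabled: false
-CodeBuildServiceRole:
+
+CodeBuildServiceRoleCI:
 Type: "AWS::IAM::Role"
 Properties:
 Path: /service-role/
-RoleName: !Sub "codebuild-${ProjectName}-service-role"
+RoleName: !Sub "codebuild-${ProjectName}-service-role-ci"
 AssumeRolePolicyDocument: >-
 {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
 MaxSessionDuration: 3600
 ManagedPolicyArns:
 - !Ref CryptoToolsKMS
 - !Ref CodeBuildBatchPolicy
 - !Ref CodeBuildBasePolicy
-- !Ref SecretsManagerPolicy
+- !Ref SecretsManagerPolicyCI
 - !Ref ParameterStorePolicy
 - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
 - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+
+CodeBuildServiceRoleRelease:
+Type: "AWS::IAM::Role"
+Properties:
+Path: /service-role/
+RoleName: !Sub "codebuild-${ProjectName}-service-role-release"
+AssumeRolePolicyDocument: >-
+{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+MaxSessionDuration: 3600
+ManagedPolicyArns:
+- !Ref CryptoToolsKMS
+- !Ref CodeBuildBatchPolicy
+- !Ref CodeBuildBasePolicy
+- !Ref SecretsManagerPolicyRelease
+- !Ref ParameterStorePolicy
+- "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
+- "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+
 CodeBuildBatchPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -107,8 +177,8 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
-"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release",
-"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release",
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release",
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-CI",
 "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
 ],
 "Action": [
@@ -119,6 +189,7 @@ Resources:
 }
 ]
 }
+
 CodeBuildBasePolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -133,10 +204,10 @@ Resources:
 "Resource": [
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
-"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release",
-"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*",
-"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
-"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI:*",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release:*"
 ],
 "Action": [
 "logs:CreateLogGroup",
@@ -172,18 +243,39 @@ Resources:
 }
 ]
 }
+
 AccountIdParameter:
 Type: "AWS::SSM::Parameter"
 Properties:
 Description: Parameter to store our account id so CodeBuild specs can access it
-Name: /CodeBuild/AccountId
+Name: /CodeBuild/AccountIdentity
 Type: String
 Value: !Sub "${AWS::AccountId}"
-SecretsManagerPolicy:
+
+SecretsManagerPolicyCI:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
-ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
-Path: /service-role/
+ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-CI"
+Path: "/service-role/"
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A"
+],
+"Action": "secretsmanager:GetSecretValue"
+}
+]
+}
+
+SecretsManagerPolicyRelease:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-Release"
+Path: "/service-role/"
 PolicyDocument: !Sub |
 {
 "Version": "2012-10-17",
@@ -192,13 +284,13 @@ Resources:
 "Effect": "Allow",
 "Resource": [
 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
-"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
-"arn:aws:secretsmanager:us-west-2:587316601012:secret:Maven-GPG-Keys-Credentials-C0wCzI",
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm"
 ],
 "Action": "secretsmanager:GetSecretValue"
 }
 ]
 }
+
 CryptoToolsKMS:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -223,10 +315,11 @@ Resources:
 }
 ]
 }
+
 ParameterStorePolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
-ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}-release"
+ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}"
 Path: /service-role/
 PolicyDocument: !Sub |
 {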
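Review bot: The new CodeBuildProjectCI is triggered by `Webhook: true` with a single filter group of `- - Type: EVENT` / `Pattern: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED`, yet its CodeBuildServiceRoleCI attaches SecretsManagerPolicyCI, which grants `secretsmanager:GetSecretValue` on the Maven GPG signing-key secret, alongside CryptoToolsKMS and AWSCodeArtifactAdminAccess. If the GitHub repository accepts pull requests from forks, unreviewed PR code (and the `codebuild/ci/ci.yml` buildspec taken from the PR branch) would execute under a role that can read the release signing key, so the CI role should drop SecretsManagerPolicyCI and leave signing to the Release project, or at minimum the filter group should be restricted to trusted actors by adding `- Type: ACTOR_ACCOUNT_ID` / `Pattern: "<trusted-github-account-id-regex>"` (placeholder) to the same group. Separately, the two new policies write `Path: "/service-role/"` while the existing resources use unquoted `Path: /service-role/`; both parse to the same string, but one form should be used file-wide.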
