diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 000000000..43112040b
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,112 @@
+name: AWS CodeBuild CI
+on:
+ pull_request:
+ push:
+ schedule:
+ - cron: "0 0 * * *" # Daily at 00:00 UTC (4 PM PDT)
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ staticAnalysis:
+ name: Static Analysis
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Run Static Analysis
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: AWS-ESDK-Java-CI
+ buildspec-override: codebuild/ci/static-analysis.yml
+ compute-type-override: BUILD_GENERAL1_MEDIUM
+ image-override: aws/codebuild/amazonlinux2-x86_64-standard:3.0
+ vectorTests:
+ name: Vector Tests
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: true
+ matrix:
+ platform:
+ - distribution: openjdk
+ image: "aws/codebuild/standard:3.0"
+ - distribution: corretto
+ image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+ version: [ 8, 11 ]
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Vector Tests ${{ matrix.platform.distribution }}${{ matrix.version }}
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: AWS-ESDK-Java-CI
+ buildspec-override: codebuild/ci/vectors-ci.yml
+ compute-type-override: BUILD_GENERAL1_LARGE
+ image-override: ${{ matrix.platform.image }}
+ env-vars-for-codebuild: JAVA_ENV_VERSION
+ env:
+ JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
+ releaseCI:
+ name: Release CI
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Release CI
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: AWS-ESDK-Java-CI
+ buildspec-override: codebuild/ci/release-ci.yml
+ compute-type-override: BUILD_GENERAL1_LARGE
+ image-override: aws/codebuild/standard:3.0
+ validateCI:
+ name: Validate CI
+ runs-on: ubuntu-latest
+ needs: releaseCI
+ strategy:
+ fail-fast: true
+ matrix:
+ platform:
+ - distribution: openjdk
+ image: "aws/codebuild/standard:3.0"
+ - distribution: corretto
+ image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+ version: [ 8, 11 ]
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Validate CI ${{ matrix.platform.distribution }}${{ matrix.version }}
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: AWS-ESDK-Java-CI
+ buildspec-override: codebuild/ci/validate-ci.yml
+ compute-type-override: BUILD_GENERAL1_MEDIUM
+ image-override: ${{ matrix.platform.image }}
+ env-vars-for-codebuild: |
+ JAVA_ENV_VERSION,
+ JAVA_NUMERIC_VERSION
+ env:
+ JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
+ JAVA_NUMERIC_VERSION: ${{ matrix.version }}
diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index c49c2de33..73331d03b 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
@@ -44,16 +44,10 @@ Resources:
 BuildSpec: codebuild/ci/ci.yml
 GitCloneDepth: 1
 GitSubmodulesConfig:
- FetchSubmodules: false
+ FetchSubmodules: true
 InsecureSsl: false
 ReportBuildStatus: false
 Type: GITHUB
- Triggers:
- BuildType: BUILD_BATCH
- Webhook: true
- FilterGroups:
- - - Type: EVENT
- Pattern: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED
 Artifacts:
 Type: NO_ARTIFACTS
 Cache:
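Review bot: Every `uses:` in this workflow references a mutable major tag (`aws-actions/configure-aws-credentials@v1`, `aws-actions/aws-codebuild-run-build@v1`) while the jobs assume an AWS role through OIDC with `id-token: write`, so whatever those tags resolve to at run time receives the role's credentials; pin each action to a full commit SHA with the tag in a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<commit-sha> # v1`. The cron comment `# Daily at 00:00 UTC (4 PM PDT)` does not match the schedule: 00:00 UTC is 17:00 PDT (16:00 PST) of the previous day. The workflow-level `permissions:` block grants `id-token: write` to all four jobs, which they need, but a `pull_request` run from a fork gets no `secrets.CI_AWS_ROLE_ARN`, so the Configure step presumably fails before any CodeBuild run starts — worth confirming that is the intended outcome rather than a silent skip.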
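Review bot: `FetchSubmodules: true` is switched on for the CI project here while the release project in the next hunk keeps `FetchSubmodules: false`; if the asymmetry is deliberate, a one-line comment above the key would save the next reader a lookup, e.g. `# CI builds need the submodules checked out; the release build does not`. With the `Triggers` block removed this project is no longer started by a GitHub webhook at all — only by the new workflow's `aws-codebuild-run-build` steps — which is worth stating in the commit description or a comment so nobody re-adds the webhook and double-runs PR builds.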
@@ -93,7 +87,9 @@ Resources:
 Source:
 Location: !Ref SourceLocation
 BuildSpec: codebuild/release/release.yml
- GitCloneDepth: 1
+ ## https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html#cfn-codebuild-project-source-gitclonedepth
+ ## If this value is 0, greater than 25, or not provided then the full history is downloaded with each build project.
+ GitCloneDepth: 0
 GitSubmodulesConfig:
 FetchSubmodules: false
 InsecureSsl: false
@@ -136,7 +132,7 @@ Resources:
 Path: /service-role/
 RoleName: !Sub "codebuild-${ProjectName}-service-role-ci"
 AssumeRolePolicyDocument: >-
- {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+ {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"},"StringLike":{"token.actions.githubusercontent.com:sub":"repo:aws/aws-encryption-sdk-java:*"}}}]}
 MaxSessionDuration: 3600
 ManagedPolicyArns:
 - !Ref CryptoToolsKMS
@@ -144,6 +140,7 @@ Resources:
 - !Ref CodeBuildBasePolicy
 - !Ref SecretsManagerPolicyCI
 - !Ref ParameterStorePolicy
+ - !Ref CodeBuildBasePolicyCI
 - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
 - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
@@ -158,6 +155,7 @@ Resources:
 ManagedPolicyArns:
 - !Ref CryptoToolsKMS
 - !Ref CodeBuildBatchPolicy
+ - !Ref CodeBuildBatchPolicyRelease
 - !Ref CodeBuildBasePolicy
 - !Ref SecretsManagerPolicyRelease
 - !Ref ParameterStorePolicy
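Review bot: The two `##` comment lines above `GitCloneDepth: 0` explain what the value does but not why the release build needs full history, and that reason is the one thing a reader cannot get from the linked docs; add it as a third line, e.g. `## Full history is required here because <reason>`. The CI project in the first hunk of this file keeps `GitCloneDepth: 1`, so the comment should also make clear that the deep clone is release-only.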
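Review bot: The new federated statement trusts any `token.actions.githubusercontent.com:sub` matching `repo:aws/aws-encryption-sdk-java:*`, which accepts a token minted for any branch, tag, environment or `pull_request` run of the repository, while the role it sits on carries `AWSCodeArtifactAdminAccess` and the CI secrets policy; narrow the `StringLike` to the refs the workflow is meant to run on and use `StringEquals` wherever a single value suffices. The federated principal also hard-codes account `587316601012`, whereas every other account-scoped ARN visible in this diff is built from `${AWS::AccountId}`; since this scalar is not wrapped in `!Sub`, changing the key to `AssumeRolePolicyDocument: !Sub >-` and the ARN to `arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com` keeps the template account-portable. Whether a fork's `pull_request` run can obtain an `id-token` under the new workflow depends on GitHub's fork permission handling, so I would verify that rather than rely on it when judging how wide the wildcard really is.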
@@ -184,12 +182,37 @@ Resources:
 "Action": [
 "codebuild:StartBuild",
 "codebuild:StopBuild",
- "codebuild:RetryBuild"
+ "codebuild:RetryBuild",
+ "codebuild:BatchGetBuilds"
 ]
 }
 ]
 }
+ CodeBuildBatchPolicyRelease:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub >-
+ CodeBuildBuildBatchPolicy-${ProjectName}-Release-${AWS::Region}-codebuild-${ProjectName}-release-service-role
+ Path: /service-role/
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:codebuild:us-west-2:${AWS::AccountId}:project/AWS-ESDK-Java-Release"
+ ],
+ "Action": [
+ "codebuild:StartBuild",
+ "codebuild:StopBuild",
+ "codebuild:RetryBuild"
+ ]
+ }
+ ]
+ }
+
 CodeBuildBasePolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -212,7 +235,8 @@ Resources:
 "Action": [
 "logs:CreateLogGroup",
 "logs:CreateLogStream",
- "logs:PutLogEvents"
+ "logs:PutLogEvents",
+ "logs:GetLogEvents"
 ]
 },
 {
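Review bot: `ManagedPolicyName` for `CodeBuildBatchPolicyRelease` substitutes `${ProjectName}` twice and is already 76 characters with a region such as `us-west-2` before either substitution, so any `ProjectName` longer than 26 characters pushes it past IAM's 128-character limit on managed policy names and the stack fails at create time; a shorter single-substitution name such as `ManagedPolicyName: !Sub "CodeBuildBatchPolicy-${ProjectName}-Release-${AWS::Region}"` (the pattern `CodeBuildBasePolicyCI` uses in a later hunk) avoids that. The `Resource` ARN hard-codes `us-west-2` and the literal project name `AWS-ESDK-Java-Release` even though the same resource's name field already uses `${AWS::Region}`; building it as `arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/AWS-ESDK-Java-Release` keeps the policy and the project it targets in one region if the stack is ever deployed elsewhere.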
@@ -244,6 +268,56 @@ Resources:
 ]
 }
+ CodeBuildBasePolicyCI:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-CI-${AWS::Region}"
+ Path: /service-role/
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:logs:us-west-2:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI",
+ "arn:aws:logs:us-west-2:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI:*"
+ ],
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::codepipeline-us-west-2-*"
+ ],
+ "Action": [
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:GetBucketAcl",
+ "s3:GetBucketLocation"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "codebuild:CreateReportGroup",
+ "codebuild:CreateReport",
+ "codebuild:UpdateReport",
+ "codebuild:BatchPutTestCases",
+ "codebuild:BatchPutCodeCoverages"
+ ],
+ "Resource": [
+ "arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/AWS-ESDK-Java-CI-*"
+ ]
+ }
+ ]
+ }
+
 AccountIdParameter:
 Type: "AWS::SSM::Parameter"
 Properties:
@@ -264,7 +338,8 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
- "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A"
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-xjAvTM",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-Credentials-eBrSNB"
 ],
 "Action": "secretsmanager:GetSecretValue"
 }
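Review bot: The second statement of `CodeBuildBasePolicyCI` grants `s3:PutObject`/`s3:GetObject` on `arn:aws:s3:::codepipeline-us-west-2-*`, i.e. every CodePipeline artifact bucket in the region, yet the CI project is declared with `Artifacts: Type: NO_ARTIFACTS` in the first hunk of this file; unless a buildspec reads or writes pipeline artifacts, drop the statement, or scope it to the one bucket the project actually uses. The logs statement appears to duplicate what `CodeBuildBasePolicy` already grants, and the CI role keeps that policy next to the new `!Ref CodeBuildBasePolicyCI`, so a short comment on this resource saying what the CI-specific policy adds over the base one would make the split auditable. As in the batch policy, `us-west-2` is hard-coded in all three resource ARNs while `ManagedPolicyName` uses `${AWS::Region}`.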
@@ -283,8 +358,10 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
- "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
- "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm"
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
 ],
 "Action": "secretsmanager:GetSecretValue"
 }
diff --git a/codebuild/ci/ci.yml b/codebuild/ci/ci.yml
deleted file mode 100644
index 7c64ccf1d..000000000
--- a/codebuild/ci/ci.yml
+++ /dev/null
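Review bot: The release role gains `secretsmanager:GetSecretValue` on `Github/aws-crypto-tools-ci-bot-AGUB3U`, but nothing in the diff says which release step consumes a GitHub bot credential; a comment next to that ARN naming the consumer would keep the grant from outliving its user, since a `{ "Effect": "Allow" ... }` entry in a JSON block scalar is easy to overlook on later review. Separating the GPG secrets into `-CI-` and `-Release-` variants so the CI role no longer reads the release signing key is the right direction and deserves a line in the commit description.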
@@ -1,89 +0,0 @@
-version: 0.2
-
-# TODO: Replace/Augment build-graph with build-matrix
-# Note: It's possible that 9 builds will be running concurrently with the current arrangement
-
-batch:
- fast-fail: false
- build-graph:
- - identifier: static_analysis
- buildspec: codebuild/ci/static-analysis.yml
- env:
- compute-type: BUILD_GENERAL1_MEDIUM
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
- ######### Start Vector tests #########
- - identifier: vectors_ci_openjdk8
- buildspec: codebuild/ci/vectors-ci.yml
- env:
- compute-type: BUILD_GENERAL1_LARGE
- variables:
- JAVA_ENV_VERSION: openjdk8
- image: aws/codebuild/standard:3.0
- - identifier: vectors_ci_openjdk11
- buildspec: codebuild/ci/vectors-ci.yml
- env:
- compute-type: BUILD_GENERAL1_LARGE
- variables:
- JAVA_ENV_VERSION: openjdk11
- image: aws/codebuild/standard:3.0
- - identifier: vectors_ci_corretto8
- buildspec: codebuild/ci/vectors-ci.yml
- env:
- compute-type: BUILD_GENERAL1_LARGE
- variables:
- JAVA_ENV_VERSION: corretto8
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
- - identifier: vectors_ci_corretto11
- buildspec: codebuild/ci/vectors-ci.yml
- env:
- compute-type: BUILD_GENERAL1_LARGE
- variables:
- JAVA_ENV_VERSION: corretto11
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
- ######### End Vector tests #########
- - identifier: release_ci
- buildspec: codebuild/ci/release-ci.yml
- env:
- compute-type: BUILD_GENERAL1_LARGE
- image: aws/codebuild/standard:3.0
- ######### Start JAR Smoke tests #########
- - identifier: validate_ci_openjdk8
- depend-on:
- - release_ci
- buildspec: codebuild/ci/validate-ci.yml
- env:
- variables:
- JAVA_ENV_VERSION: openjdk8
- JAVA_NUMERIC_VERSION: 8
- image: aws/codebuild/standard:3.0
- - identifier: validate_ci_openjdk11
- depend-on:
- - release_ci
- buildspec: codebuild/ci/validate-ci.yml
- env:
- compute-type: BUILD_GENERAL1_MEDIUM
- variables:
- JAVA_ENV_VERSION: openjdk11
- JAVA_NUMERIC_VERSION: 11
- image: aws/codebuild/standard:3.0
- - identifier: validate_ci_corretto8
- depend-on:
- - release_ci
- buildspec: codebuild/ci/validate-ci.yml
- env:
- compute-type: BUILD_GENERAL1_MEDIUM
- variables:
- JAVA_ENV_VERSION: corretto8
- JAVA_NUMERIC_VERSION: 8
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
- - identifier: validate_ci_corretto11
- depend-on:
- - release_ci
- buildspec: codebuild/ci/validate-ci.yml
- env:
- compute-type: BUILD_GENERAL1_MEDIUM
- variables:
- JAVA_ENV_VERSION: corretto11
- JAVA_NUMERIC_VERSION: 11
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
- ######### End JAR Smoke tests #########