diff --git a/cfn/Public-ESDK-Java-CI.yml b/cfn/Public-ESDK-Java-CI.yml
new file mode 100644
index 000000000..132387677
--- /dev/null
+++ b/cfn/Public-ESDK-Java-CI.yml
@@ -0,0 +1,67 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
+
+Parameters:
+ TableName:
+ Type: String
+ Description: Test Table Name
+ Default: HierarchicalKeyringTestTable
+ KeyStoreTable:
+ Type: String
+ Description: Key Store Test Table Name
+ Default: KeyStoreTestTable
+ ProjectName:
+ Type: String
+ Description: A prefix that will be applied to any names
+ Default: Public-ESDK-Java
+ GitHubRepo:
+ Type: String
+ Description: GitHub Repo that invokes CI
+ Default: aws/aws-encryption-sdk-java
+
+Resources:
+ GitHubCIRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+ Description: "Access DDB, KMS, Resources for CI from GitHub"
+ ManagedPolicyArns:
+ - "arn:aws:iam::370957321024:policy/ESDK-Dafny-DDB-ReadWriteDelete-us-west-2"
+ - "arn:aws:iam::370957321024:policy/Hierarchical-GitHub-KMS-Key-Policy"
+ - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"
+ - "arn:aws:iam::370957321024:policy/RSA-GitHub-KMS-Key-Policy"
+ AssumeRolePolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+ },
+ "StringLike": {
+ "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "*"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {
+ "StringEquals": {
+ "aws:PrincipalArn": [
+ "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-ESDK-Java-service-role-ci",
+ "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-ESDK-Java-service-role-release",
+ "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+ ]
+ }
+ }
+ }
+ ]
+ }
diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index 73331d03b..df27dffdb 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
@@ -141,6 +141,8 @@ Resources:
 - !Ref SecretsManagerPolicyCI
 - !Ref ParameterStorePolicy
 - !Ref CodeBuildBasePolicyCI
+ - !Ref HierarchicalKeyringTestTableUsage
+ - !Ref CodeBuildCISTSAllow
 - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
 - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
@@ -159,9 +161,28 @@ Resources:
 - !Ref CodeBuildBasePolicy
 - !Ref SecretsManagerPolicyRelease
 - !Ref ParameterStorePolicy
+ - !Ref HierarchicalKeyringTestTableUsage
+ - !Ref CodeBuildCISTSAllow
 - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
 - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+ CodeBuildCISTSAllow:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub CodeBuildCISTSAllow-${ProjectName}
+ Path: /service-role/
+ PolicyDocument: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Java-Role-us-west-2"
+ }
+ ]
+ }
+
 CodeBuildBatchPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -382,12 +403,17 @@ Resources:
 "Effect": "Allow",
 "Resource": [
 "arn:aws:kms:*:658956600833:key/*",
- "arn:aws:kms:*:658956600833:alias/*"
+ "arn:aws:kms:*:658956600833:alias/*",
+ "arn:aws:kms:*:370957321024:key/*",
+ "arn:aws:kms:*:370957321024:alias/*"
 ],
 "Action": [
 "kms:Encrypt",
 "kms:Decrypt",
- "kms:GenerateDataKey"
+ "kms:ReEncrypt*",
+ "kms:Generate*",
+ "kms:GetPublicKey",
+ "kms:DescribeKey"
 ]
 }
 ]
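Review bot: The OIDC trust statement's `token.actions.githubusercontent.com:sub` value `repo:${GitHubRepo}:*` lets any workflow run in the repository — every branch, tag, pull_request and environment — assume GitHubCIRole together with its four attached managed policies; if only default-branch or environment-gated runs should reach the KMS/DDB test resources, narrow it, e.g. `"token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:ref:refs/heads/<default-branch>"` (placeholder to confirm against the repository). The second statement's `"Principal": { "AWS": "*" }` is held back only by the `aws:PrincipalArn` condition; that is a recognised pattern for surviving role re-creation, but it deserves a comment saying so, since a reader otherwise sees a wildcard principal on an AssumeRole statement. The four ManagedPolicyArns hard-code account 370957321024 while the trust policy uses `${AWS::AccountId}`, so the template only deploys correctly in that one account — either substitute `${AWS::AccountId}` there as well or state the constraint in the Description. TableName and KeyStoreTable are declared but not referenced by any resource in this template, and the Description promises a DDB table the template does not create; drop the parameters or reword the Description to match.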
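Review bot: The release role in the next hunk (`@@ -159,9 +161,28 @@`) receives the same `CodeBuildCISTSAllow` and `HierarchicalKeyringTestTableUsage` attachments as the CI role here, which means the release build can also assume the GitHub CI role and inherit the DDB/KMS test policies it carries; if only the CI build runs the hierarchical-keyring tests, attaching these two policies to the CI role alone keeps the release role's reach smaller. `HierarchicalKeyringTestTableUsage` is not defined anywhere in this diff, so it presumably already exists elsewhere in ci_cd.yml — worth confirming the `!Ref` resolves before deploying. The enclosing role resource starts before the hunk.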
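Review bot: The `Resource` in CodeBuildCISTSAllow hard-codes `arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Java-Role-us-west-2`, a name that cfn/Public-ESDK-Java-CI.yml derives from its `ProjectName` and `${AWS::Region}`, so a change to that template's parameter or a deployment in another region leaves this policy silently pointing at a role that does not exist. Since the same resource already uses `!Sub` for `ManagedPolicyName`, the account id, project name and region could come from Parameters and be substituted into the PolicyDocument, e.g. `"Resource": "arn:aws:iam::${CIAccountId}:role/GitHub-CI-${CIProjectName}-Role-${CIRegion}"` (parameter names are placeholders). A one-line comment above the resource, `# Lets the CodeBuild roles assume the GitHub CI role defined in cfn/Public-ESDK-Java-CI.yml`, would make the cross-template coupling visible to the next maintainer.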
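Review bot: The new action list uses the wildcards `kms:Generate*` and `kms:ReEncrypt*` against `key/*` and `alias/*` in both accounts 658956600833 and 370957321024, which grants more than the replaced `kms:GenerateDataKey` did and will silently pick up any future KMS API whose name matches those prefixes. If the hierarchical keyring tests need only data-key generation and re-encryption, listing the actions explicitly keeps the grant reviewable, e.g. `"kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:ReEncryptTo"` (confirm against what the tests actually call). The `key/*` resource scope in the newly added 370957321024 account also covers every key there rather than the test keys; narrowing to the specific key or alias ARNs, or adding a `kms:ResourceAliases` condition, would bound the blast radius of a compromised build. The enclosing policy statement and the managed policy it belongs to begin before the hunk, so which role carries this grant is not visible here.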