
chore: source controlling cfn templates that will be used for our release process #345


Merged
merged 4 commits into from
Sep 23, 2021
44 changes: 44 additions & 0 deletions cfn/code_artifact.yml
@@ -0,0 +1,44 @@
# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
Comment on lines +1 to +2

Very nice!

AWSTemplateFormatVersion: 2010-09-09
Description: "Template for CodeArtifact repositories. Creates Domain if CreateDomainFlag is True"
Parameters:
DomainName:
Type: String
Description: The name of the CodeArtifact Domain
Default: crypto-tools-internal
RepositoryName:
Type: String
Description: Base Name for the Repositories
Default: esdk-java
CreateDomainFlag:
Type: String
Description: Attempt to create Domain or not
Default: False
AllowedValues:
- True
- False

Conditions:
CreateDomain: !Equals
- !Ref CreateDomainFlag
- True

Resources:
Domain:
Type: AWS::CodeArtifact::Domain
Condition: CreateDomain
Properties:
DomainName: !Ref DomainName

CIRepo:
Type: AWS::CodeArtifact::Repository
Properties:
DomainName: !Ref DomainName
RepositoryName: !Sub "${RepositoryName}-ci"

StagingRepo:
Type: AWS::CodeArtifact::Repository
Properties:
DomainName: !Ref DomainName
RepositoryName: !Sub "${RepositoryName}-staging"
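Review bot: When CreateDomainFlag is True, CIRepo and StagingRepo still take their DomainName from the parameter rather than from the Domain resource, so CloudFormation sees no dependency between them and may attempt the repositories before the conditional domain exists; changing both repositories to `DomainName: !If [CreateDomain, !GetAtt Domain.Name, !Ref DomainName]` makes the ordering explicit and still works when the domain is pre-existing. The flag values are also written as bare `True`/`False` in `Default`, `AllowedValues` and the `!Equals` operand, which a YAML 1.1 loader (and tooling such as cfn-lint that parses the file) reads as booleans rather than the String the parameter declares; quoting them as `"True"` and `"False"` keeps the parameter and the condition comparing the same text. Whether CloudFormation itself stringifies these consistently is not visible here, so the quoting is the safer form.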
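--- a/cfn/code_build_parameter_map.json
+++ b/cfn/code_build_parameter_map.json
@@ -0,0 +1,6 @@
+{
+"NumberOfBuildsInBatch": 50,
+"ProjectDescription": "CD for Java ESDK",
+"ProjectName": "java-esdk",
+"SourceLocation": "https://github.com/aws/aws-encryption-sdk-java.git"
+}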
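--- a/cfn/prod-release.yml
+++ b/cfn/prod-release.yml
@@ -0,0 +1,243 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+AWSTemplateFormatVersion: 2010-09-09
+Description: >-
+Template to build a CodeBuild Project, assumes that GitHub credentials are
+already set up.
+Parameters:
+ProjectName:
+Type: String
+Description: The name of the CodeBuild Project
+Default: java-esdk-prod
+ProjectDescription:
+Type: String
+Description: The description for the CodeBuild Project
+Default: CFN stack for managing CodeBuild Release project for the ESDK-Java
+SourceLocation:
+Type: String
+Description: The https GitHub URL for the project
+Default: "https://github.com/aws/aws-encryption-sdk-java.git"
+NumberOfBuildsInBatch:
+Type: Number
+MaxValue: 100
+MinValue: 1
+Default: 10
+Description: The number of builds you expect to run in a batch
+Metadata:
+"AWS::CloudFormation::Interface":
+ParameterGroups:
+- Label:
+default: Crypto Tools CodeBuild Project Template
+Parameters:
+- ProjectName
+- ProjectDescription
+- SourceLocation
+Resources:
+CodeBuildProjectRelease:
+Type: "AWS::CodeBuild::Project"
+Properties:
+Name: !Sub "${ProjectName}-release-prod"
+Description: !Sub "CodeBuild project for ${ProjectName} to release to Sonatype."
+Source:
+Location: !Ref SourceLocation
+BuildSpec: codebuild/release/prod-release.yml
+GitCloneDepth: 1
+GitSubmodulesConfig:
+FetchSubmodules: false
+InsecureSsl: false
+ReportBuildStatus: false
+Type: GITHUB
+Artifacts:
+Type: NO_ARTIFACTS
+Cache:
+Type: NO_CACHE
+Environment:
+ComputeType: BUILD_GENERAL1_LARGE
+Image: "aws/codebuild/standard:4.0"
+ImagePullCredentialsType: CODEBUILD
+PrivilegedMode: false
+Type: LINUX_CONTAINER
+ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+TimeoutInMinutes: 60
+QueuedTimeoutInMinutes: 480
+EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+BadgeEnabled: false
+BuildBatchConfig:
+ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+Restrictions:
+MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+ComputeTypesAllowed:
+- BUILD_GENERAL1_SMALL
+- BUILD_GENERAL1_MEDIUM
+- BUILD_GENERAL1_LARGE
+TimeoutInMins: 480
+LogsConfig:
+CloudWatchLogs:
+Status: ENABLED
+S3Logs:
+Status: DISABLED
+EncryptionDisabled: false
+CodeBuildServiceRole:
+Type: "AWS::IAM::Role"
+Properties:
+Path: /service-role/
+RoleName: !Sub "codebuild-${ProjectName}-service-role"
+AssumeRolePolicyDocument: >-
+{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+MaxSessionDuration: 3600
+ManagedPolicyArns:
+- !Ref CryptoToolsKMS
+- !Ref CodeBuildBatchPolicy
+- !Ref CodeBuildBasePolicy
+- !Ref SecretsManagerPolicy
+- !Ref ParameterStorePolicy
+- "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
+- "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+CodeBuildBatchPolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub >-
+CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release",
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release",
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
+],
+"Action": [
+"codebuild:StartBuild",
+"codebuild:StopBuild",
+"codebuild:RetryBuild"
+]
+}
+]
+}
+CodeBuildBasePolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
+],
+"Action": [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents"
+]
+},
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:s3:::codepipeline-${AWS::Region}-*"
+],
+"Action": [
+"s3:PutObject",
+"s3:GetObject",
+"s3:GetObjectVersion",
+"s3:GetBucketAcl",
+"s3:GetBucketLocation"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"codebuild:CreateReportGroup",
+"codebuild:CreateReport",
+"codebuild:UpdateReport",
+"codebuild:BatchPutTestCases",
+"codebuild:BatchPutCodeCoverages"
+],
+"Resource": [
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
+]
+}
+]
+}
+AccountIdParameter:
+Type: "AWS::SSM::Parameter"
+Properties:
+Description: Parameter to store our account id so CodeBuild specs can access it
+Name: /CodeBuild/AccountId
+Type: String
+Value: !Sub "${AWS::AccountId}"
+SecretsManagerPolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+"arn:aws:secretsmanager:us-west-2:587316601012:secret:Maven-GPG-Keys-Credentials-C0wCzI",
+],
+"Action": "secretsmanager:GetSecretValue"
+}
+]
+}
+CryptoToolsKMS:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub >-
+CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:kms:*:658956600833:key/*",
+"arn:aws:kms:*:658956600833:alias/*"
+],
+"Action": [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:GenerateDataKey"
+]
+}
+]
+}
+ParameterStorePolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}-release"
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CodeBuild/*"
+],
+"Action": "ssm:GetParameters"
+}
+]
+}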
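Review bot: The SecretsManagerPolicy document carries a trailing comma after its last Resource entry (the `...Maven-GPG-Keys-Credentials-C0wCzI",` line directly before `]`), which is not valid JSON, so IAM will reject the managed policy and the stack fails to create; dropping that comma is the fix. The project is created as `Name: !Sub "${ProjectName}-release-prod"`, yet CodeBuildBatchPolicy grants `codebuild:StartBuild` on `project/${ProjectName}-prod-release` and CodeBuildBasePolicy grants log permissions on `/aws/codebuild/${ProjectName}-prod-release`, so neither policy covers the project this template actually creates or the log group CodeBuild writes to by default; renaming the project to `Name: !Sub "${ProjectName}-prod-release"` aligns it with both policies. Separately, the secret ARNs hard-code `us-west-2` while every other ARN in the file uses `${AWS::Region}`, so the template silently stops working if deployed elsewhere. On least privilege, the role receives AWSCodeArtifactAdminAccess in addition to ReadOnlyAccess, plus Encrypt/Decrypt/GenerateDataKey on every key and alias in a second account; it is worth confirming whether a release build needs more than publish rights to its two repositories and access to the specific signing key, and scoping the ARNs accordingly.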