From f3d496f40cc85cde50685df11fe9d6def7e6340c Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Tue, 12 Mar 2024 11:42:15 -0700
Subject: [PATCH 1/6] chore(CFN): check in CFN
---
cfn/JavaScriptESDK.yml | 77 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 cfn/JavaScriptESDK.yml
diff --git a/cfn/JavaScriptESDK.yml b/cfn/JavaScriptESDK.yml
new file mode 100644
index 000000000..51333ac98
--- /dev/null
+++ b/cfn/JavaScriptESDK.yml
@@ -0,0 +1,77 @@
+Outputs:
+ StackArn:
+ Description: >-
+ Do not remove this output! Pipelines needs this to do its association. (And
+ LPT. Removing it will break things)
+ Value: !Ref 'AWS::StackId'
+Parameters:
+ DeploymentBucketImportName:
+ Default: 'BONESBootstrap-PDX-beta-DeploymentBucket'
+ Description: >-
+ This parameter is meant to be passed by LPT (and piplines). It holds the
+ name of import that points to the bucket that holds your artifacts. You
+ should use this as the import (Fn::ImportValue: {Ref: DeploymentBucket})
+ for getting any BATS related artifacts.
+ Type: String
+ Stage:
+ Default: 'beta'
+ Type: String
+ PipelinesControlledRegionBucket:
+ Type: String
+ Description: The regionalized bucket to read the artifact from.
+ Default: 'placeholder'
+
+Resources:
+ CodeBuildRole:
+ Properties:
+ AssumeRolePolicyDocument: >-
+ {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"},"StringLike":{"token.actions.githubusercontent.com:sub":"repo:aws/aws-encryption-sdk-javascript:*"}}}]}
+ Policies:
+ - PolicyDocument:
+ Statement:
+ - Action:
+ - 'logs:CreateLogGroup'
+ - 'logs:CreateLogStream'
+ - 'logs:PutLogEvents'
+ Effect: Allow
+ Resource:
+ - '*'
+ - Action:
+ - 'kms:Encrypt'
+ - 'kms:Decrypt'
+ - 'kms:GenerateDataKey'
+ Effect: Allow
+ Resource:
+ - '*'
+ - Action:
+ - 's3:PutObject'
+ Effect: Allow
+ Resource:
+ - '*'
+ PolicyName: !Sub '${AWS::StackName}CloudWatchLogsPolicy'
+ Type: 'AWS::IAM::Role'
+ ExampleWaitHandle:
+ Properties: {}
+ Type: 'AWS::CloudFormation::WaitConditionHandle'
+ JavaScriptESDK:
+ Properties:
+ Artifacts:
+ Type: NO_ARTIFACTS
+ Environment:
+ ComputeType: BUILD_GENERAL1_SMALL
+ Image: 
'aws/codebuild/standard:2.0'
+ Type: LINUX_CONTAINER
+ LogsConfig:
+ S3Logs:
+ Location: !Sub '${LogBucket}/JavaScriptESDK'
+ Status: ENABLED
+ Name: JavaScriptESDK
+ ServiceRole: !Ref CodeBuildRole
+ Source:
+ Location: 'https://github.com/awslabs/aws-encryption-sdk-javascript'
+ ReportBuildStatus: 'true'
+ Type: GITHUB
+ Type: 'AWS::CodeBuild::Project'
+ LogBucket:
+ Type: 'AWS::S3::Bucket'
+
From c550ab514dd5979cfc0fadf43cfd016e4bfb575d Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Wed, 13 Mar 2024 10:18:56 -0700
Subject: [PATCH 2/6] oops name change
---
cfn/JavaScriptESDK.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cfn/JavaScriptESDK.yml b/cfn/JavaScriptESDK.yml
index 51333ac98..2e10faa47 100644
--- a/cfn/JavaScriptESDK.yml
+++ b/cfn/JavaScriptESDK.yml
@@ -68,7 +68,7 @@ Resources: Name: JavaScriptESDK ServiceRole: !Ref CodeBuildRole Source: - Location: 'https://github.com/awslabs/aws-encryption-sdk-javascript' + Location: 'https://github.com/aws/aws-encryption-sdk-javascript' ReportBuildStatus: 'true' Type: GITHUB Type: 'AWS::CodeBuild::Project'
From fde814bf0fe13494a717173a99430ac5ba184b9e Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Wed, 13 Mar 2024 15:11:01 -0700
Subject: [PATCH 3/6] one more update
---
cfn/JavaScriptESDK.yml | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/cfn/JavaScriptESDK.yml b/cfn/JavaScriptESDK.yml
index 2e10faa47..e545ee80b 100644
--- a/cfn/JavaScriptESDK.yml
+++ b/cfn/JavaScriptESDK.yml
@@ -48,6 +48,16 @@ Resources: Effect: Allow Resource: - '*' + - Action: + - 'codebuild:StartBuild' + - 'codebuild:StopBuild' + - 'codebuild:RetryBuild' + - 'codebuild:BatchGetBuilds' + Effect: Allow + Resource: + - 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/JavaScriptESDK' + + PolicyName: !Sub '${AWS::StackName}CloudWatchLogsPolicy' Type: 'AWS::IAM::Role' ExampleWaitHandle: 
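Review bot: The OIDC trust in CodeBuildRole's AssumeRolePolicyDocument matches `repo:aws/aws-encryption-sdk-javascript:*` as the `sub` claim, so every branch, tag and pull-request workflow context of the repository can assume a role that holds `kms:Encrypt`/`kms:Decrypt`/`kms:GenerateDataKey` and `s3:PutObject` on `Resource: '*'`; pin the `sub` condition to the refs that run this pipeline and scope those two statements to the key and bucket ARNs they actually need. The trust policy is also a single folded JSON string, which hides per-principal changes in future diffs; the fence below writes it as block YAML (the `sub` value there is a constructed example). `LogBucket` has no properties, so the bucket that receives build logs gets neither `PublicAccessBlockConfiguration` nor `BucketEncryption`. `PolicyName: !Sub '${AWS::StackName}CloudWatchLogsPolicy'` is misleading for a policy that also grants KMS and S3 access. The `DeploymentBucketImportName`, `Stage` and `PipelinesControlledRegionBucket` parameters are not referenced by any resource in the hunk.
```yaml
  CodeBuildRole:
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              Federated: 'arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com'
            Action: 'sts:AssumeRoleWithWebIdentity'
            Condition:
              StringEquals:
                'token.actions.githubusercontent.com:aud': sts.amazonaws.com
                # constructed example - list only the refs that actually run this pipeline
                'token.actions.githubusercontent.com:sub': 'repo:aws/aws-encryption-sdk-javascript:ref:refs/heads/master'
      # … unchanged: Policies (scope the kms and s3:PutObject statements to the key and bucket ARNs) …
    Type: 'AWS::IAM::Role'
  # … unchanged: ExampleWaitHandle, JavaScriptESDK …
  LogBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
```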
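Review bot: The new codebuild statement names the project by the literal `project/JavaScriptESDK` instead of `!GetAtt JavaScriptESDK.Arn`, and nothing records why; a later reader will turn it into a reference and hit a circular dependency, since the JavaScriptESDK project's service role already points at CodeBuildRole. Put `# literal project name on purpose: !GetAtt JavaScriptESDK.Arn would make CodeBuildRole and JavaScriptESDK depend on each other` above the `Resource:` entry. `PolicyName` still reads `CloudWatchLogsPolicy` although the inline policy now covers logs, KMS, S3 and CodeBuild actions. The enclosing `Policies` list starts before this hunk.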
@@ -59,14 +69,22 @@ Resources: Type: NO_ARTIFACTS Environment: ComputeType: BUILD_GENERAL1_SMALL - Image: 'aws/codebuild/standard:2.0' + Image: 'aws/codebuild/standard:5.0' Type: LINUX_CONTAINER LogsConfig: S3Logs: Location: !Sub '${LogBucket}/JavaScriptESDK' Status: ENABLED Name: JavaScriptESDK - ServiceRole: !Ref CodeBuildRole + BuildBatchConfig: + ServiceRole: !GetAtt CodeBuildRole.Arn + Restrictions: + MaximumBuildsAllowed: 100 + ComputeTypesAllowed: + - BUILD_GENERAL1_SMALL + - BUILD_GENERAL1_MEDIUM + - BUILD_GENERAL1_LARGE + TimeoutInMins: 480 Source: Location: 'https://github.com/aws/aws-encryption-sdk-javascript' ReportBuildStatus: 'true'
From 8262adf5d2f5c6ef57fb2a4cdb9c446323a8ba82 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Wed, 13 Mar 2024 15:17:12 -0700
Subject: [PATCH 4/6] parametrize?
---
cfn/JavaScriptESDK.yml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/cfn/JavaScriptESDK.yml b/cfn/JavaScriptESDK.yml
index e545ee80b..67a485579 100644
--- a/cfn/JavaScriptESDK.yml
+++ b/cfn/JavaScriptESDK.yml
@@ -20,6 +20,12 @@ Parameters: Type: String Description: The regionalized bucket to read the artifact from. Default: 'placeholder' + NumberOfBuildsInBatch: + Type: Number + MaxValue: 100 + MinValue: 1 + Default: 16 + Description: The number of builds you expect to run in a batch Resources: CodeBuildRole:
@@ -79,7 +85,7 @@ Resources: BuildBatchConfig: ServiceRole: !GetAtt CodeBuildRole.Arn Restrictions: - MaximumBuildsAllowed: 100 + MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch ComputeTypesAllowed: - BUILD_GENERAL1_SMALL - BUILD_GENERAL1_MEDIUM
From dd7528e5cbcb04d24a9f5d81fe93e5b674565440 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Wed, 13 Mar 2024 15:36:17 -0700
Subject: [PATCH 5/6] m
---
cfn/JavaScriptESDK.yml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/cfn/JavaScriptESDK.yml b/cfn/JavaScriptESDK.yml
index 67a485579..8cc41cdfb 100644
--- a/cfn/JavaScriptESDK.yml
+++ b/cfn/JavaScriptESDK.yml 
@@ -61,9 +61,7 @@ Resources: - 'codebuild:BatchGetBuilds' Effect: Allow Resource: - - 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/JavaScriptESDK' - - + - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/JavaScriptESDK' PolicyName: !Sub '${AWS::StackName}CloudWatchLogsPolicy' Type: 'AWS::IAM::Role' ExampleWaitHandle:
@@ -82,6 +80,7 @@ Resources: Location: !Sub '${LogBucket}/JavaScriptESDK' Status: ENABLED Name: JavaScriptESDK + ServiceRole: !GetAtt CodeBuildRole.Arn BuildBatchConfig: ServiceRole: !GetAtt CodeBuildRole.Arn Restrictions:
From 0f81db7ccb7fb1d08a3cbf8fb8f674ac41845e0d Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Wed, 13 Mar 2024 15:46:51 -0700
Subject: [PATCH 6/6] t
---
cfn/JavaScriptESDK.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/cfn/JavaScriptESDK.yml b/cfn/JavaScriptESDK.yml
index 8cc41cdfb..c9163449f 100644
--- a/cfn/JavaScriptESDK.yml
+++ b/cfn/JavaScriptESDK.yml
@@ -39,6 +39,7 @@ Resources: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' + - 'logs:GetLogEvents' Effect: Allow Resource: - '*'
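Review bot: With `ServiceRole: !GetAtt CodeBuildRole.Arn` added on the project, the build role and `BuildBatchConfig.ServiceRole` are the same role, so the `codebuild:StartBuild`/`StopBuild`/`RetryBuild`/`BatchGetBuilds` statement that batch orchestration needs is also available to every command a build runs. If only the batch side needs those actions, move that statement to a second `AWS::IAM::Role` trusted by `codebuild.amazonaws.com` alone and reference it from `BuildBatchConfig.ServiceRole`, leaving the GitHub OIDC trust only on the role that needs it. The JavaScriptESDK resource starts and ends outside this hunk.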
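Review bot: `logs:GetLogEvents` is added to a statement whose `Resource` is `'*'`, so the role can now read every log stream in the account rather than only this project's build output; the create/put actions tolerate a wildcard because CodeBuild creates its own group, but a read grant this wide exposes other workloads' logs to whatever assumes the role. Put the read in its own statement scoped to the project's group, e.g. `- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/JavaScriptESDK:*'` — this assumes CodeBuild's default log-group name, which the template does not set explicitly, so confirm it. The enclosing statement starts before this hunk.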