From 6a54545de1cc62ea19f84c5eeaec46157d9b0e52 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Thu, 8 Feb 2024 09:55:53 -0800
Subject: [PATCH 1/8] committed form private
---
 cfn/ESDK-Python.yml | 341 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 341 insertions(+)
 create mode 100644 cfn/ESDK-Python.yml
diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml
new file mode 100644
index 000000000..1e8025476
--- /dev/null
+++ b/cfn/ESDK-Python.yml
@@ -0,0 +1,341 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up."
+Parameters:
+ ProjectName:
+ Type: String
+ Description: The name of the CodeBuild Project
+ ProjectDescription:
+ Type: String
+ Description: The description for the CodeBuild Project
+ SourceLocation:
+ Type: String
+ Description: The https GitHub URL for the project
+ NumberOfBuildsInBatch:
+ Type: Number
+ MaxValue: 100
+ MinValue: 1
+ Default: 4
+ Description: The number of builds you expect to run in a batch
+
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ -
+ Label:
+ default: "Crypto Tools CodeBuild Project Template"
+ Parameters:
+ - ProjectName
+ - ProjectDescription
+ - SourceLocation
+
+Resources:
+ CodeBuildProject:
+ Type: "AWS::CodeBuild::Project"
+ Properties:
+ Name: !Ref ProjectName
+ Description: !Ref ProjectDescription
+ Source:
+ Location: !Ref SourceLocation
+ GitCloneDepth: 1
+ GitSubmodulesConfig:
+ FetchSubmodules: true
+ InsecureSsl: false
+ ReportBuildStatus: false
+ Type: "GITHUB"
+ Artifacts:
+ Type: "NO_ARTIFACTS"
+ Cache:
+ Type: "NO_CACHE"
+ Environment:
+ ComputeType: "BUILD_GENERAL1_MEDIUM"
+ Image: "aws/codebuild/standard:3.0"
+ ImagePullCredentialsType: "CODEBUILD"
+ PrivilegedMode: false
+ Type: "LINUX_CONTAINER"
+ ServiceRole: !GetAtt CodeBuildCIServiceRole.Arn
+ TimeoutInMinutes: 60
+ QueuedTimeoutInMinutes: 480
+ EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+ BadgeEnabled: false
+ BuildBatchConfig:
+ ServiceRole: !GetAtt CodeBuildCIServiceRole.Arn
+ Restrictions:
+ MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+ ComputeTypesAllowed:
+ - BUILD_GENERAL1_SMALL
+ - BUILD_GENERAL1_MEDIUM
+ TimeoutInMins: 480
+ LogsConfig:
+ CloudWatchLogs:
+ Status: "ENABLED"
+ S3Logs:
+ Status: "DISABLED"
+ EncryptionDisabled: false
+
+ CodeBuildProjectTestRelease:
+ Type: "AWS::CodeBuild::Project"
+ Properties:
+ Name: !Sub "${ProjectName}-test-release"
+ Description: !Sub "CodeBuild project for ${ProjectName} to release to test PyPi."
+ Source:
+ Location: !Ref SourceLocation
+ BuildSpec: "codebuild/release/test-release.yml"
+ GitCloneDepth: 1
+ GitSubmodulesConfig:
+ FetchSubmodules: false
+ InsecureSsl: false
+ ReportBuildStatus: false
+ Type: "GITHUB"
+ Artifacts:
+ Type: "NO_ARTIFACTS"
+ Cache:
+ Type: "NO_CACHE"
+ Environment:
+ ComputeType: "BUILD_GENERAL1_SMALL"
+ Image: "aws/codebuild/standard:3.0"
+ ImagePullCredentialsType: "CODEBUILD"
+ PrivilegedMode: false
+ Type: "LINUX_CONTAINER"
+ ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+ TimeoutInMinutes: 60
+ QueuedTimeoutInMinutes: 480
+ EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+ BadgeEnabled: false
+ BuildBatchConfig:
+ ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+ Restrictions:
+ MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+ ComputeTypesAllowed:
+ - BUILD_GENERAL1_SMALL
+ - BUILD_GENERAL1_MEDIUM
+ TimeoutInMins: 480
+ LogsConfig:
+ CloudWatchLogs:
+ Status: "ENABLED"
+ S3Logs:
+ Status: "DISABLED"
+ EncryptionDisabled: false
+
+ CodeBuildProjectProdRelease:
+ Type: "AWS::CodeBuild::Project"
+ Properties:
+ Name: !Sub "${ProjectName}-prod-release"
+ Description: !Sub "CodeBuild project for ${ProjectName} to release to prod PyPi."
+ Source:
+ Location: !Ref SourceLocation
+ BuildSpec: "codebuild/release/prod-release.yml"
+ GitCloneDepth: 1
+ GitSubmodulesConfig:
+ FetchSubmodules: false
+ InsecureSsl: false
+ ReportBuildStatus: false
+ Type: "GITHUB"
+ Artifacts:
+ Type: "NO_ARTIFACTS"
+ Cache:
+ Type: "NO_CACHE"
+ Environment:
+ ComputeType: "BUILD_GENERAL1_SMALL"
+ Image: "aws/codebuild/standard:3.0"
+ ImagePullCredentialsType: "CODEBUILD"
+ PrivilegedMode: false
+ Type: "LINUX_CONTAINER"
+ ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+ TimeoutInMinutes: 60
+ QueuedTimeoutInMinutes: 480
+ EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+ BadgeEnabled: false
+ BuildBatchConfig:
+ ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+ Restrictions:
+ MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+ ComputeTypesAllowed:
+ - BUILD_GENERAL1_SMALL
+ - BUILD_GENERAL1_MEDIUM
+ TimeoutInMins: 480
+ LogsConfig:
+ CloudWatchLogs:
+ Status: "ENABLED"
+ S3Logs:
+ Status: "DISABLED"
+ EncryptionDisabled: false
+
+
+
+ CodeBuildServiceRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ Path: "/service-role/"
+ RoleName: !Sub "codebuild-${ProjectName}-service-role"
+ AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
+ MaxSessionDuration: 3600
+ ManagedPolicyArns:
+ - !Ref CryptoToolsKMS
+ - !Ref CodeBuildBatchPolicy
+ - !Ref CodeBuildBasePolicy
+ - !Ref SecretsManagerPolicy
+
+ CodeBuildCIServiceRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ Path: "/service-role/"
+ RoleName: !Sub "codebuild-${ProjectName}-CI-service-role"
+ AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
+ MaxSessionDuration: 3600
+ ManagedPolicyArns:
+ - !Ref CryptoToolsKMS
+ - !Ref CodeBuildCIBatchPolicy
+ - !Ref CodeBuildBasePolicy
+
+ CodeBuildBatchPolicy:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role"
+ Path: "/service-role/"
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}",
+ "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release",
+ "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release"
+ ],
+ "Action": [
+ "codebuild:StartBuild",
+ "codebuild:StopBuild",
+ "codebuild:RetryBuild"
+ ]
+ }
+ ]
+ }
+
+ CodeBuildCIBatchPolicy:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-CI-service-role"
+ Path: "/service-role/"
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
+ ],
+ "Action": [
+ "codebuild:StartBuild",
+ "codebuild:StopBuild",
+ "codebuild:RetryBuild"
+ ]
+ }
+ ]
+ }
+
+ CodeBuildBasePolicy:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
+ Path: "/service-role/"
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release",
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*",
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
+ ],
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::codepipeline-${AWS::Region}-*"
+ ],
+ "Action": [
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:GetBucketAcl",
+ "s3:GetBucketLocation"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "codebuild:CreateReportGroup",
+ "codebuild:CreateReport",
+ "codebuild:UpdateReport",
+ "codebuild:BatchPutTestCases",
+ "codebuild:BatchPutCodeCoverages"
+ ],
+ "Resource": [
+ "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
+ ]
+ }
+ ]
+ }
+
+ SecretsManagerPolicy:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
+ Path: "/service-role/"
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiCryptoTools-SxeLBh",
+ "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAdmin-ZWyd1T"
+ ],
+ "Action": "secretsmanager:GetSecretValue"
+ }
+ ]
+ }
+
+ # There exist public AWS KMS CMKs that are used for testing
+ # Take care with these CMKs they are **ONLY** for testing!!!
+ CryptoToolsKMS:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role"
+ Path: "/service-role/"
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:kms:*:658956600833:key/*",
+ "arn:aws:kms:*:658956600833:alias/*",
+ "arn:aws:kms:*:370957321024:key/*",
+ "arn:aws:kms:*:370957321024:alias/*"
+ ],
+ "Action": [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:Generate*",
+ "kms:GetPublicKey",
+ "kms:DescribeKey"
+ ]
+ }
+ ]
+ }
From 3f214ff5ba308ae7c2907e81a89055fc60a06c90 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Thu, 8 Feb 2024 10:00:54 -0800
Subject: [PATCH 2/8] not semantic
---
 cfn/ESDK-Python.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml
index 1e8025476..47965bfb3 100644
--- a/cfn/ESDK-Python.yml
+++ b/cfn/ESDK-Python.yml
@@ -18,7 +18,7 @@ Parameters:
 Description: The number of builds you expect to run in a batch
 Metadata:
- AWS::CloudFormation::Interface:
+ AWS::CloudFormation::Interface:
 ParameterGroups:
 -
 Label:
From 18085971703bee141b1f1b02bf941c61f4f53d0e Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Thu, 8 Feb 2024 13:52:35 -0800
Subject: [PATCH 3/8] add managed policy
---
 cfn/ESDK-Python.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml
index 47965bfb3..ff0abca21 100644
--- a/cfn/ESDK-Python.yml
+++ b/cfn/ESDK-Python.yml
@@ -18,7 +18,7 @@ Parameters:
 Description: The number of builds you expect to run in a batch
 Metadata:
- AWS::CloudFormation::Interface:
+ AWS::CloudFormation::Interface:
 ParameterGroups:
 -
 Label:
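Review bot: `SecretsManagerPolicy` grants `secretsmanager:GetSecretValue` on both the `TestPyPiCryptoTools-*` and the `PyPiAdmin-*` secrets to the single `CodeBuildServiceRole`, and that role is the `ServiceRole` of both `CodeBuildProjectTestRelease` and `CodeBuildProjectProdRelease`, so a test-release build (and anyone who can start one) can read the production PyPI credential. Split it the same way the template already splits CI from release: a test-release role whose policy lists only the TestPyPi secret, and a prod-release role whose policy lists only `PyPiAdmin`. `CryptoToolsKMS` also allows `kms:Encrypt`/`kms:Decrypt`/`kms:Generate*` on every key and alias in two accounts and is attached to the release role as well as the CI role; the comment above it says the keys are test-only, so if the release buildspecs never touch KMS, dropping it from `CodeBuildServiceRole` would be a cheap reduction. Minor: `ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-…"` looks like a typo for `CryptoTools`, and `aws/codebuild/standard:3.0` is an older build image — confirm it is still supported before the stack is created.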
@@ -339,3 +339,20 @@ Resources:
 }
 ]
 }
+
+ CodeBuildCISTSAllow:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub CodeBuildCISTSAllow-${ProjectName}
+ Path: /service-role/
+ PolicyDocument: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Java-Role-us-west-2"
+ }
+ ]
+ }
\ No newline at end of file
From b37c64594ec3022dbd94215ae808b480096720a5 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Thu, 8 Feb 2024 14:00:32 -0800
Subject: [PATCH 4/8] add more
---
 cfn/ESDK-Python.yml | 8 +++--
 cfn/Public-ESDK-Python-CI.yml | 67 +++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100644 cfn/Public-ESDK-Python-CI.yml
diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml
index ff0abca21..7dd284739 100644
--- a/cfn/ESDK-Python.yml
+++ b/cfn/ESDK-Python.yml
@@ -174,6 +174,7 @@ Resources:
 - !Ref CodeBuildBatchPolicy
 - !Ref CodeBuildBasePolicy
 - !Ref SecretsManagerPolicy
+ - !Ref CodeBuildCISTSAllow
 CodeBuildCIServiceRole:
 Type: "AWS::IAM::Role"
@@ -186,6 +187,7 @@ Resources:
 - !Ref CryptoToolsKMS
 - !Ref CodeBuildCIBatchPolicy
 - !Ref CodeBuildBasePolicy
+ - !Ref CodeBuildCISTSAllow
 CodeBuildBatchPolicy:
 Type: "AWS::IAM::ManagedPolicy"
@@ -350,9 +352,9 @@ Resources:
 "Version": "2012-10-17",
 "Statement": [
 {
- "Effect": "Allow",
- "Action": "sts:AssumeRole",
- "Resource": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Java-Role-us-west-2"
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2"
 }
 ]
 }
\ No newline at end of file
diff --git a/cfn/Public-ESDK-Python-CI.yml b/cfn/Public-ESDK-Python-CI.yml
new file mode 100644
index 000000000..2ea9adf3e
--- /dev/null
+++ b/cfn/Public-ESDK-Python-CI.yml
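Review bot: The `@@ -174` and `@@ -186` hunks attach `CodeBuildCISTSAllow` to `CodeBuildServiceRole` (the test/prod release role) as well as to `CodeBuildCIServiceRole`, so the release builds can now `sts:AssumeRole` into `GitHub-CI-Public-ESDK-Python-Role-us-west-2` in account 370957321024 and inherit whatever DDB and KMS access that role carries. If the release buildspecs do not run the cross-account integration tests, attach the policy only to the CI role; if they do, a comment on the `+ - !Ref CodeBuildCISTSAllow` line under `CodeBuildServiceRole` saying why would save the next reviewer the question. The `@@ -350` hunk corrects the Java role ARN from patch 3, but the target is a hard-coded account and region in a plain `|` block while the rest of the template derives these from `${AWS::AccountId}`/`${AWS::Region}`; since the role lives in another account that is presumably deliberate, so a comment such as `# Cross-account CI role; defined in cfn/Public-ESDK-Python-CI.yml` would make the coupling explicit. The file still ends without a trailing newline after this hunk.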
@@ -0,0 +1,67 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
+
+Parameters:
+ TableName:
+ Type: String
+ Description: Test Table Name
+ Default: HierarchicalKeyringTestTable
+ KeyStoreTable:
+ Type: String
+ Description: Key Store Test Table Name
+ Default: KeyStoreTestTable
+ ProjectName:
+ Type: String
+ Description: A prefix that will be applied to any names
+ Default: Public-ESDK-Python
+ GitHubRepo:
+ Type: String
+ Description: GitHub Repo that invokes CI
+ Default: aws/aws-encryption-sdk-python
+
+Resources:
+ GitHubCIRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+ Description: "Access DDB, KMS, Resources for CI from GitHub"
+ ManagedPolicyArns:
+ - "arn:aws:iam::370957321024:policy/ESDK-Dafny-DDB-ReadWriteDelete-us-west-2"
+ - "arn:aws:iam::370957321024:policy/Hierarchical-GitHub-KMS-Key-Policy"
+ - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"
+ - "arn:aws:iam::370957321024:policy/RSA-GitHub-KMS-Key-Policy"
+ AssumeRolePolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+ },
+ "StringLike": {
+ "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "*"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {
+ "StringEquals": {
+ "aws:PrincipalArn": [
+ "arn:aws:iam::587316601012:role/service-role/codebuild-python-esdk-CI-service-role",
+ "arn:aws:iam::587316601012:role/service-role/codebuild-python-esdk-service-role",
+ "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+ ]
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
From e6313d80b5ced48d65ea1df92db1777b6a8a2f73 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Thu, 14 Mar 2024 18:54:48 -0700
Subject: [PATCH 5/8] Update cfn/Public-ESDK-Python-CI.yml
Co-authored-by: Tony Knapp <5892063+texastony@users.noreply.github.com>
---
 cfn/Public-ESDK-Python-CI.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/cfn/Public-ESDK-Python-CI.yml b/cfn/Public-ESDK-Python-CI.yml
index 2ea9adf3e..64789afa4 100644
--- a/cfn/Public-ESDK-Python-CI.yml
+++ b/cfn/Public-ESDK-Python-CI.yml
@@ -6,10 +6,6 @@ Parameters:
 Type: String
 Description: Test Table Name
 Default: HierarchicalKeyringTestTable
- KeyStoreTable:
- Type: String
- Description: Key Store Test Table Name
- Default: KeyStoreTestTable
 ProjectName:
 Type: String
 Description: A prefix that will be applied to any names
From 31e38ac5cfca070629c144ec04a3ae92b7628859 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Thu, 14 Mar 2024 18:54:54 -0700
Subject: [PATCH 6/8] Update cfn/Public-ESDK-Python-CI.yml
Co-authored-by: Tony Knapp <5892063+texastony@users.noreply.github.com>
---
 cfn/Public-ESDK-Python-CI.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/cfn/Public-ESDK-Python-CI.yml b/cfn/Public-ESDK-Python-CI.yml
index 64789afa4..de5bd09a3 100644
--- a/cfn/Public-ESDK-Python-CI.yml
+++ b/cfn/Public-ESDK-Python-CI.yml
@@ -2,10 +2,6 @@ AWSTemplateFormatVersion: "2010-09-09"
 Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
 Parameters:
- TableName:
- Type: String
- Description: Test Table Name
- Default: HierarchicalKeyringTestTable
 ProjectName:
 Type: String
 Description: A prefix that will be applied to any names
From f64eea022c8485d2d1f50dbf9edc54ee750ce107 Mon Sep 17 00:00:00 2001
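Review bot: The OIDC trust condition `"token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"` lets a workflow run from any branch, tag or environment of the repository assume `GitHubCIRole`, which carries a DDB ReadWriteDelete policy and three KMS key policies; if CI only needs to run for pull requests and the default branch, narrow the `StringLike` to values such as `repo:${GitHubRepo}:pull_request` and `repo:${GitHubRepo}:ref:refs/heads/<default-branch>`, or require a GitHub environment and match `repo:${GitHubRepo}:environment:<name>`. The second statement's `"Principal": { "AWS": "*" }` gated by `aws:PrincipalArn` is the usual way to trust roles that may be recreated, but the two CodeBuild role ARNs bake in `python-esdk` as the other template's `ProjectName` and `service-role` as its path; a parameter for the CodeBuild account/project name would keep the two stacks from drifting apart silently. The attached `ESDK-Dafny-DDB-ReadWriteDelete-us-west-2` policy is, by name, from a different project — confirm the Python CI actually needs delete on that table rather than read/write. The file is also missing its trailing newline.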
From: Lucas McDonald
Date: Thu, 14 Mar 2024 18:54:59 -0700
Subject: [PATCH 7/8] Update cfn/Public-ESDK-Python-CI.yml
Co-authored-by: Tony Knapp <5892063+texastony@users.noreply.github.com>
---
 cfn/Public-ESDK-Python-CI.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cfn/Public-ESDK-Python-CI.yml b/cfn/Public-ESDK-Python-CI.yml
index de5bd09a3..36a8b8d03 100644
--- a/cfn/Public-ESDK-Python-CI.yml
+++ b/cfn/Public-ESDK-Python-CI.yml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: "2010-09-09"
-Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
+Description: "IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
 Parameters:
 ProjectName:
From d0d0be03faa09104a7b6e3c6215d1ffdf7f2496c Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Mon, 18 Mar 2024 09:21:35 -0700
Subject: [PATCH 8/8] Update cfn/Public-ESDK-Python-CI.yml
---
 cfn/Public-ESDK-Python-CI.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cfn/Public-ESDK-Python-CI.yml b/cfn/Public-ESDK-Python-CI.yml
index 36a8b8d03..6d40b8274 100644
--- a/cfn/Public-ESDK-Python-CI.yml
+++ b/cfn/Public-ESDK-Python-CI.yml
@@ -4,7 +4,7 @@ Description: "IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing
 Parameters:
 ProjectName:
 Type: String
- Description: A prefix that will be applied to any names
+ Description: A prefix that will be applied to any resource names
 Default: Public-ESDK-Python
 GitHubRepo:
 Type: String