From f15335fbc6b1fb19dadb61a50ea5264a5a597141 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Thu, 14 Mar 2024 16:16:09 -0700 Subject: [PATCH 01/17] chore: Allow CodeBuild access to GH CI bot --- cfn/ESDK-Python.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 47965bfb3..5c77e27a5 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -302,7 +302,8 @@ Resources: "Effect": "Allow", "Resource": [ "arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiCryptoTools-SxeLBh", - "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAdmin-ZWyd1T" + "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAdmin-ZWyd1T", + "arn:aws:secretsmanager:us-west-2:587316601012:secret:Github/aws-crypto-tools-ci-bot-AGUB3U" ], "Action": "secretsmanager:GetSecretValue" } From 3ac7daed28528a53afda5ec99d80dbc9a73e340a Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Thu, 14 Mar 2024 17:07:41 -0700 Subject: [PATCH 02/17] update perms --- cfn/ESDK-Python.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 5c77e27a5..1b7ee638b 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -186,6 +186,7 @@ Resources: - !Ref CryptoToolsKMS - !Ref CodeBuildCIBatchPolicy - !Ref CodeBuildBasePolicy + - !Ref SecretsManagerCIPolicy CodeBuildBatchPolicy: Type: "AWS::IAM::ManagedPolicy" 
@@ -309,6 +310,25 @@ Resources: } ] } + + SecretsManagerCIPolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:secretsmanager:us-west-2:587316601012:secret:Github/aws-crypto-tools-ci-bot-AGUB3U" + ], + "Action": "secretsmanager:GetSecretValue" + } + ] + } # There exist public AWS KMS CMKs that are used for testing # Take care with these CMKs they are **ONLY** for testing!!! From 3ab4d2b7babedd8529dd684663ef79d80d48bdaa Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 18 Mar 2024 10:43:48 -0700 Subject: [PATCH 03/17] add artifact s3 bucket --- cfn/ESDK-Python.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 766df3512..cb9a732f5 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -175,6 +175,7 @@ Resources: - !Ref CodeBuildBasePolicy - !Ref SecretsManagerPolicy - !Ref CodeBuildCISTSAllow + - !Ref GeneratedVectorsArtifactsS3BucketPolicy CodeBuildCIServiceRole: Type: "AWS::IAM::Role" @@ -189,6 +190,7 @@ Resources: - !Ref CodeBuildBasePolicy - !Ref SecretsManagerCIPolicy - !Ref CodeBuildCISTSAllow + - !Ref GeneratedVectorsArtifactsS3BucketPolicy CodeBuildBatchPolicy: Type: "AWS::IAM::ManagedPolicy" 
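Review bot: The new SecretsManagerCIPolicy pins `us-west-2` and `587316601012` inside a PolicyDocument that is already a `!Sub` template, so the grant stays tied to one account and region even when the stack is deployed elsewhere. This mirrors the literal style of the existing SecretsManagerPolicy visible in the earlier hunk, so it may be deliberate; if not, `"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"` keeps the policy bound to the account the template is actually deployed into. The two `#` context lines closing the hunk belong to the following KMS section, not to this resource.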
@@ -379,3 +381,28 @@ Resources: } ] } + + GeneratedVectorsArtifactsS3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + BucketName: generated-vectors-artifacts-bucket + LifecycleConfiguration: + Rules: + - Id: Expire artifacts in 14 days + Status: Enabled + ExpirationInDays: 14 + + GeneratedVectorsArtifactsS3BucketPolicy: + Type: 'AWS::IAM::ManagedPolicy' + Properties: + ManagedPolicyName: Generated-Vectors-Artifacts-S3-Bucket-Policy + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - 's3:PutObject' + - 's3:GetObject' + - 's3:DeleteObject' + Resource: + - !Join [ "", [ !GetAtt GeneratedVectorsArtifactsS3Bucket.Arn, '/*'] ] From 77e07359c64645293896fbb745106de4f5d22987 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 18 Mar 2024 11:06:52 -0700 Subject: [PATCH 04/17] update --- cfn/ESDK-Python.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index cb9a732f5..c3ad6a75a 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -43,7 +43,9 @@ Resources: ReportBuildStatus: false Type: "GITHUB" Artifacts: - Type: "NO_ARTIFACTS" + Type: "S3" + Location: !GetAtt GeneratedVectorsArtifactsS3Bucket.BucketName + Name: "/" Cache: Type: "NO_CACHE" Environment: @@ -318,7 +320,7 @@ Resources: SecretsManagerCIPolicy: Type: "AWS::IAM::ManagedPolicy" Properties: - ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release" + ManagedPolicyName: !Sub "CryptoTools-SecretsManagerCI-${ProjectName}-release" Path: "/service-role/" PolicyDocument: !Sub | { From 2d208e328b09248eb65334c83ecf08c064e75421 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 18 Mar 2024 11:21:40 -0700 Subject: [PATCH 05/17] update --- cfn/ESDK-Python.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index c3ad6a75a..4c34f956a 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml 
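Review bot: GeneratedVectorsArtifactsS3Bucket is declared with only a name and a lifecycle rule — no PublicAccessBlockConfiguration, no OwnershipControls and no BucketEncryption — so a bucket that CI will write to and read from inherits whatever the account-level defaults happen to be rather than stating them in the template. Declaring them explicitly makes the posture reviewable in this file and survives a change of account defaults. The hard-coded `BucketName: generated-vectors-artifacts-bucket` is also a globally unique name: creation fails if any AWS account already owns it and the stack cannot be deployed twice, so a `!Sub` with `${AWS::AccountId}` is the usual fix, though any literal ARN elsewhere that names the bucket would then have to follow. GeneratedVectorsArtifactsS3BucketPolicy could also carry `Path: "/service-role/"` like the other managed policies in this file.
```yaml
  GeneratedVectorsArtifactsS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: generated-vectors-artifacts-bucket
      # Explicitly deny any public exposure of generated test vectors.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Disable ACLs so access is governed only by IAM / bucket policy.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # … unchanged: LifecycleConfiguration (expire after 14 days) …
```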
@@ -172,12 +172,15 @@ Resources: AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}" MaxSessionDuration: 3600 ManagedPolicyArns: + # Ideally we would add GeneratedVectorsArtifactsS3BucketPolicy to run test vectors. + # However, this role would then have 11 managed policies. + # IAM has a limit of 10 managed policies per role. + # If we need to add more policies here, we should increase this limit. - !Ref CryptoToolsKMS - !Ref CodeBuildBatchPolicy - !Ref CodeBuildBasePolicy - !Ref SecretsManagerPolicy - !Ref CodeBuildCISTSAllow - - !Ref GeneratedVectorsArtifactsS3BucketPolicy CodeBuildCIServiceRole: Type: "AWS::IAM::Role" From 7ec013c6390f422ab78bee26024c18d166b238bc Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 18 Mar 2024 11:27:17 -0700 Subject: [PATCH 06/17] update --- cfn/ESDK-Python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 4c34f956a..db6a092ab 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -44,7 +44,7 @@ Resources: Type: "GITHUB" Artifacts: Type: "S3" - Location: !GetAtt GeneratedVectorsArtifactsS3Bucket.BucketName + Location: !Ref GeneratedVectorsArtifactsS3Bucket.BucketName Name: "/" Cache: Type: "NO_CACHE" From 2ba0060663f8330b46585ea03da9a98661942645 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 18 Mar 2024 11:29:48 -0700 Subject: [PATCH 07/17] update --- cfn/ESDK-Python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index db6a092ab..e477b27c1 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -44,7 +44,7 @@ Resources: Type: "GITHUB" Artifacts: Type: "S3" - Location: !Ref GeneratedVectorsArtifactsS3Bucket.BucketName + Location: !Ref GeneratedVectorsArtifactsS3Bucket Name: "/" Cache: Type: "NO_CACHE" 
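Review bot: The new comment on CodeBuildServiceRole tells the next maintainer to "increase this limit" when an eleventh policy is needed, but the managed-policies-per-role quota is only adjustable up to a fixed ceiling (20, as far as I recall — verify in Service Quotas), so the comment should name the options that need no quota change: fold the S3 statement into CodeBuildBasePolicy, or attach it as an inline `Policies:` entry on the role. Suggested wording: `# IAM caps managed policies per role at 10 (a quota, raisable only to a fixed maximum); prefer merging statements into an existing policy or an inline Policies: entry over adding an 11th.` Separately, this hunk drops GeneratedVectorsArtifactsS3BucketPolicy from CodeBuildServiceRole right after the previous patch pointed the project's Artifacts at that bucket; if the project runs under this role rather than CodeBuildCIServiceRole (which role the project uses is not visible in the hunk), artifact upload will fail with AccessDenied.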
From e32eca5439c47b9dbd580daa4c1806b5c4153d04 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 19 Mar 2024 08:56:32 -0700 Subject: [PATCH 08/17] add build id --- cfn/ESDK-Python.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index e477b27c1..6b2e5ca7f 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -46,6 +46,8 @@ Resources: Type: "S3" Location: !Ref GeneratedVectorsArtifactsS3Bucket Name: "/" + NamespaceType: "BUILD_ID" + Path: "GeneratedVectors" Cache: Type: "NO_CACHE" Environment: From 7bcf637f1931f1ed2140a1679baafb3064733131 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 19 Mar 2024 10:35:28 -0700 Subject: [PATCH 09/17] fix depend-on --- cfn/ESDK-Python.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 6b2e5ca7f..82285dfe6 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -46,8 +46,6 @@ Resources: Type: "S3" Location: !Ref GeneratedVectorsArtifactsS3Bucket Name: "/" - NamespaceType: "BUILD_ID" - Path: "GeneratedVectors" Cache: Type: "NO_CACHE" Environment: @@ -218,7 +216,8 @@ Resources: "Action": [ "codebuild:StartBuild", "codebuild:StopBuild", - "codebuild:RetryBuild" + "codebuild:RetryBuild", + "codebuild:BatchGetBuilds" ] } ] @@ -241,7 +240,8 @@ Resources: "Action": [ "codebuild:StartBuild", "codebuild:StopBuild", - "codebuild:RetryBuild" + "codebuild:RetryBuild", + "codebuild:BatchGetBuilds" ] } ] @@ -269,7 +269,8 @@ Resources: "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", - "logs:PutLogEvents" + "logs:PutLogEvents", + "logs:GetLogEvents" ] }, { From 4d49f7687102c0a091a2eb18ea3597bc78939e0d Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 19 Mar 2024 10:37:19 -0700 Subject: [PATCH 10/17] fix depend-on --- cfn/ESDK-Python.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 82285dfe6..c1f6db075 100644 
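Review bot: The last hunk adds `logs:GetLogEvents` to CodeBuildBasePolicy, which lets the build role read its own log streams, but the statement's `Resource` is outside the hunk, so it is worth confirming it is scoped to this project's log group (`arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}*` or similar) rather than a wildcard — build logs are a common place for echoed credentials, and a role that can read every log group in the account is a useful pivot. The second and third hunks add `codebuild:BatchGetBuilds` to both batch policies; their `Resource` lists are likewise outside the hunk. A one-line comment above the affected statement naming the CI step that needs read access (the "Daily CI" artifact fetch, if that is the consumer — not visible here) would explain why a build role needs more than write access to logs.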
--- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -216,8 +216,7 @@ Resources: "Action": [ "codebuild:StartBuild", "codebuild:StopBuild", - "codebuild:RetryBuild", - "codebuild:BatchGetBuilds" + "codebuild:RetryBuild" ] } ] From 38c71e428cf707ca8a84dbc9b65a0f69047e16f6 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 19 Mar 2024 14:07:29 -0700 Subject: [PATCH 11/17] me --- cfn/ESDK-Python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index c1f6db075..19969c0b6 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -315,7 +315,7 @@ Resources: "Resource": [ "arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiCryptoTools-SxeLBh", "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAdmin-ZWyd1T", - "arn:aws:secretsmanager:us-west-2:587316601012:secret:Github/aws-crypto-tools-ci-bot-AGUB3U" + "arn:aws:secretsmanager:us-west-2:587316601012:secret:Github/lucasmcdonald3-fgpat-1aAsdO" ], "Action": "secretsmanager:GetSecretValue" } From 8008f72501d3fd631600de554e38f7b25970c62f Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 19 Mar 2024 14:08:15 -0700 Subject: [PATCH 12/17] me --- cfn/ESDK-Python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 19969c0b6..39fa25b15 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -334,7 +334,7 @@ Resources: { "Effect": "Allow", "Resource": [ - "arn:aws:secretsmanager:us-west-2:587316601012:secret:Github/aws-crypto-tools-ci-bot-AGUB3U" + "arn:aws:secretsmanager:us-west-2:587316601012:secret:Github/lucasmcdonald3-fgpat-1aAsdO" ], "Action": "secretsmanager:GetSecretValue" } From 7beb98e96a54af8c53aadd4322642d4ad48c32a1 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 19 Mar 2024 14:09:28 -0700 Subject: [PATCH 13/17] me --- cfn/ESDK-Python.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
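Review bot: The second and third hunks replace the shared `Github/aws-crypto-tools-ci-bot` secret with `Github/lucasmcdonald3-fgpat`, which by its name is a fine-grained personal access token belonging to one developer's GitHub account, so CI now authenticates as that individual. The token carries whatever repository access that person has, is issued with an expiration and has to be re-minted by hand, and stops working if the account is offboarded or the token is rotated — the usual reasons to keep CI on the bot identity or a GitHub App installation token. If this is a stopgap while the bot token gains the needed scope, a comment above the ARN in SecretsManagerCIPolicy saying so and naming who rotates it would stop the next reader from treating it as the intended configuration: `# TEMPORARY: personal fine-grained PAT; move back to the aws-crypto-tools-ci-bot secret once it has the required scope`. The first hunk only removes `codebuild:BatchGetBuilds` again from CodeBuildBatchPolicy.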
diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 39fa25b15..67738a64a 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -314,8 +314,7 @@ Resources: "Effect": "Allow", "Resource": [ "arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiCryptoTools-SxeLBh", - "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAdmin-ZWyd1T", - "arn:aws:secretsmanager:us-west-2:587316601012:secret:Github/lucasmcdonald3-fgpat-1aAsdO" + "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAdmin-ZWyd1T" ], "Action": "secretsmanager:GetSecretValue" } @@ -327,6 +326,7 @@ Resources: Properties: ManagedPolicyName: !Sub "CryptoTools-SecretsManagerCI-${ProjectName}-release" Path: "/service-role/" + # Policy: Allow access to a Github fine-grained PAT that can read ESDK-Dafny "Daily CI" artifacts PolicyDocument: !Sub | { "Version": "2012-10-17", From b658c4f9b3f5e8fd940549f56d51e96d12a33d7a Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 19 Mar 2024 14:37:24 -0700 Subject: [PATCH 14/17] try add perissions to cb --- cfn/ESDK-Python.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 67738a64a..0638344ea 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -275,7 +275,8 @@ Resources: { "Effect": "Allow", "Resource": [ - "arn:aws:s3:::codepipeline-${AWS::Region}-*" + "arn:aws:s3:::codepipeline-${AWS::Region}-*", + "arn:aws:s3:::generated-vectors-artifacts-bucket/*" ], "Action": [ "s3:PutObject", From 8e3e4ec059e817c2f50f58a37c5d03028c0865e4 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 19 Mar 2024 14:39:30 -0700 Subject: [PATCH 15/17] try add perissions to cb --- cfn/ESDK-Python.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 0638344ea..3dcc0aa15 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml 
@@ -251,6 +251,7 @@ Resources: Properties: ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}" Path: "/service-role/" + # TODO: The "arn:aws:s3:::generated-vectors-artifacts-bucket/*" is debug and should be removed PolicyDocument: !Sub | { "Version": "2012-10-17", From d82d4ac559521752a90747abcbd1ff6ed21823fd Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 19 Mar 2024 15:51:44 -0700 Subject: [PATCH 16/17] no artifacts --- cfn/ESDK-Python.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 3dcc0aa15..27925ce5a 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -43,9 +43,7 @@ Resources: ReportBuildStatus: false Type: "GITHUB" Artifacts: - Type: "S3" - Location: !Ref GeneratedVectorsArtifactsS3Bucket - Name: "/" + Type: "NO_ARTIFACTS" Cache: Type: "NO_CACHE" Environment: @@ -251,7 +249,6 @@ Resources: Properties: ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}" Path: "/service-role/" - # TODO: The "arn:aws:s3:::generated-vectors-artifacts-bucket/*" is debug and should be removed PolicyDocument: !Sub | { "Version": "2012-10-17", @@ -277,7 +274,6 @@ Resources: "Effect": "Allow", "Resource": [ "arn:aws:s3:::codepipeline-${AWS::Region}-*", - "arn:aws:s3:::generated-vectors-artifacts-bucket/*" ], "Action": [ "s3:PutObject", From fa1c7a23a4bd5dbad38db18b3c1e1713a397dfa7 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 19 Mar 2024 15:52:50 -0700 Subject: [PATCH 17/17] no artifacts --- cfn/ESDK-Python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml index 27925ce5a..df085ac68 100644 --- a/cfn/ESDK-Python.yml +++ b/cfn/ESDK-Python.yml @@ -273,7 +273,7 @@ Resources: { "Effect": "Allow", "Resource": [ - "arn:aws:s3:::codepipeline-${AWS::Region}-*", + "arn:aws:s3:::codepipeline-${AWS::Region}-*" ], "Action": [ "s3:PutObject",
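Review bot: The first hunk switches the project back to `NO_ARTIFACTS` and the third removes the debug S3 grant, but GeneratedVectorsArtifactsS3Bucket and GeneratedVectorsArtifactsS3BucketPolicy (added in patch 03, where the policy was also attached to CodeBuildCIServiceRole) are left in the template, so the stack keeps an unused bucket and the CI role keeps `s3:PutObject`/`GetObject`/`DeleteObject` on it with no consumer. Unless something outside this series still uses the bucket, both resources and the `- !Ref GeneratedVectorsArtifactsS3BucketPolicy` entry on CodeBuildCIServiceRole should be dropped in the same commit, or a comment on the bucket should say what still writes to it. The enclosing CodeBuildBasePolicy PolicyDocument continues beyond the third hunk.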