Skip to content

chore(CFN): Changes for TestVectors #653

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 19 commits into from
Mar 20, 2024
Merged

chore(CFN): Changes for TestVectors #653

Changes from 16 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
f15335f
chore: Allow CodeBuild access to GH CI bot
lucasmcdonald3 Mar 14, 2024
3ac7dae
update perms
lucasmcdonald3 Mar 15, 2024
3e8d68e
merge
lucasmcdonald3 Mar 18, 2024
3ab4d2b
add artifact s3 bucket
lucasmcdonald3 Mar 18, 2024
77e0735
update
lucasmcdonald3 Mar 18, 2024
2d208e3
update
lucasmcdonald3 Mar 18, 2024
7ec013c
update
lucasmcdonald3 Mar 18, 2024
2ba0060
update
lucasmcdonald3 Mar 18, 2024
e32eca5
add build id
lucasmcdonald3 Mar 19, 2024
7bcf637
fix depend-on
lucasmcdonald3 Mar 19, 2024
4d49f76
fix depend-on
lucasmcdonald3 Mar 19, 2024
38c71e4
me
lucasmcdonald3 Mar 19, 2024
8008f72
me
lucasmcdonald3 Mar 19, 2024
7beb98e
me
lucasmcdonald3 Mar 19, 2024
b658c4f
try add perissions to cb
lucasmcdonald3 Mar 19, 2024
8e3e4ec
try add perissions to cb
lucasmcdonald3 Mar 19, 2024
d82d4ac
no artifacts
lucasmcdonald3 Mar 19, 2024
fa1c7a2
no artifacts
lucasmcdonald3 Mar 19, 2024
4855cf3
Merge branch 'master' into secrets-permissions
lucasmcdonald3 Mar 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 61 additions & 4 deletions cfn/ESDK-Python.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,9 @@ Resources:
ReportBuildStatus: false
Type: "GITHUB"
Artifacts:
Type: "NO_ARTIFACTS"
Type: "S3"
Location: !Ref GeneratedVectorsArtifactsS3Bucket
Name: "/"
Cache:
Type: "NO_CACHE"
Environment:
Expand Down Expand Up @@ -170,6 +172,10 @@ Resources:
AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
MaxSessionDuration: 3600
ManagedPolicyArns:
# Ideally we would add GeneratedVectorsArtifactsS3BucketPolicy to run test vectors.
# However, this role would then have 11 managed policies.
# IAM has a limit of 10 managed policies per role.
# If we need to add more policies here, we should increase this limit.
- !Ref CryptoToolsKMS
- !Ref CodeBuildBatchPolicy
- !Ref CodeBuildBasePolicy
Expand All @@ -187,7 +193,9 @@ Resources:
- !Ref CryptoToolsKMS
- !Ref CodeBuildCIBatchPolicy
- !Ref CodeBuildBasePolicy
- !Ref SecretsManagerCIPolicy
- !Ref CodeBuildCISTSAllow
- !Ref GeneratedVectorsArtifactsS3BucketPolicy

CodeBuildBatchPolicy:
Type: "AWS::IAM::ManagedPolicy"
Expand Down Expand Up @@ -231,7 +239,8 @@ Resources:
"Action": [
"codebuild:StartBuild",
"codebuild:StopBuild",
"codebuild:RetryBuild"
"codebuild:RetryBuild",
"codebuild:BatchGetBuilds"
]
}
]
Expand All @@ -242,6 +251,7 @@ Resources:
Properties:
ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
Path: "/service-role/"
# TODO: The "arn:aws:s3:::generated-vectors-artifacts-bucket/*" is debug and should be removed
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
Expand All @@ -259,13 +269,15 @@ Resources:
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
"logs:PutLogEvents",
"logs:GetLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-${AWS::Region}-*"
"arn:aws:s3:::codepipeline-${AWS::Region}-*",
"arn:aws:s3:::generated-vectors-artifacts-bucket/*"
],
"Action": [
"s3:PutObject",
Expand Down Expand Up @@ -310,6 +322,26 @@ Resources:
}
]
}

SecretsManagerCIPolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
ManagedPolicyName: !Sub "CryptoTools-SecretsManagerCI-${ProjectName}-release"
Path: "/service-role/"
# Policy: Allow access to a Github fine-grained PAT that can read ESDK-Dafny "Daily CI" artifacts
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:secretsmanager:us-west-2:587316601012:secret:Github/lucasmcdonald3-fgpat-1aAsdO"
],
"Action": "secretsmanager:GetSecretValue"
}
]
}

# There exist public AWS KMS CMKs that are used for testing
# Take care with these CMKs they are **ONLY** for testing!!!
Expand Down Expand Up @@ -358,3 +390,28 @@ Resources:
}
]
}

GeneratedVectorsArtifactsS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: generated-vectors-artifacts-bucket
LifecycleConfiguration:
Rules:
- Id: Expire artifacts in 14 days
Status: Enabled
ExpirationInDays: 14

GeneratedVectorsArtifactsS3BucketPolicy:
Type: 'AWS::IAM::ManagedPolicy'
Properties:
ManagedPolicyName: Generated-Vectors-Artifacts-S3-Bucket-Policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 's3:PutObject'
- 's3:GetObject'
- 's3:DeleteObject'
Resource:
- !Join [ "", [ !GetAtt GeneratedVectorsArtifactsS3Bucket.Arn, '/*'] ]
Loading