From b8a9a532c4615feb3c8417e2f4104e4ad87ac187 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 24 Jun 2025 15:10:27 -0700 Subject: [PATCH 1/4] chore(CFN): Commit CFN template --- cfn/DDB-EC-Java.yml | 422 ++++++++++++++++++++++++++++++++++++++++++++ cfn/live.yml | 422 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 844 insertions(+) create mode 100644 cfn/DDB-EC-Java.yml create mode 100644 cfn/live.yml diff --git a/cfn/DDB-EC-Java.yml b/cfn/DDB-EC-Java.yml new file mode 100644 index 00000000..ce60883d --- /dev/null +++ b/cfn/DDB-EC-Java.yml 
@@ -0,0 +1,422 @@ +AWSTemplateFormatVersion: "2010-09-09" +Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up." +Parameters: + ProjectName: + Type: String + Description: The name of the CodeBuild Project + ProjectDescription: + Type: String + Description: The description for the CodeBuild Project + SourceLocation: + Type: String + Description: The https GitHub URL for the project + NumberOfBuildsInBatch: + Type: Number + MaxValue: 100 + MinValue: 1 + Default: 4 + Description: The number of builds you expect to run in a batch + CodeArtifactRegion: + Type: String + Description: Region for CodeArtifact + Default: "us-east-1" + CodeArtifactAccount: + Type: String + Description: AWS Account with CodeArtifact Resources + Default: 587316601012 + CodeArtifactDomain: + Type: String + Description: Domain for CodeArtifact GetAuthToken + Default: "crypto-tools-internal" + CodeArtifactStagingRepo: + Type: String + Description: Staging Repo for CodeArtifact + Default: "java-ddbec-staging" + + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "Crypto Tools CodeBuild Project Template" + Parameters: + - ProjectName + - ProjectDescription + - SourceLocation + - + Label: + default: "Crypto Tools CodeArtifact Parameters" + Parameters: + - CodeArtifactRegion + - CodeArtifactAccount + - CodeArtifactDomain + - CodeArtifactStagingRepo + +Resources: + CodeBuildProject: + Type: "AWS::CodeBuild::Project" + Properties: + Name: !Ref ProjectName + Description: !Ref ProjectDescription + Source: + Location: !Ref SourceLocation + GitCloneDepth: 1 + GitSubmodulesConfig: + FetchSubmodules: true + InsecureSsl: false + ReportBuildStatus: false + Type: "GITHUB" + Artifacts: + Type: "NO_ARTIFACTS" + Cache: + Type: "NO_CACHE" + Environment: + ComputeType: "BUILD_GENERAL1_LARGE" + Image: "aws/codebuild/standard:3.0" + ImagePullCredentialsType: "CODEBUILD" + PrivilegedMode: false + Type: "LINUX_CONTAINER" + 
ServiceRole: !GetAtt CodeBuildServiceRole.Arn + TimeoutInMinutes: 60 + QueuedTimeoutInMinutes: 480 + EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" + BadgeEnabled: false + BuildBatchConfig: + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + Restrictions: + MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch + ComputeTypesAllowed: + - BUILD_GENERAL1_SMALL + - BUILD_GENERAL1_MEDIUM + - BUILD_GENERAL1_LARGE + TimeoutInMins: 480 + LogsConfig: + CloudWatchLogs: + Status: "ENABLED" + S3Logs: + Status: "DISABLED" + EncryptionDisabled: false + + CodeBuildProjectTestRelease: + Type: "AWS::CodeBuild::Project" + Properties: + Name: !Sub "${ProjectName}-test-release" + Description: !Sub "CodeBuild project for ${ProjectName} to release to test repository." + Source: + Location: !Ref SourceLocation + BuildSpec: "codebuild/release/release-staging.yml" + GitCloneDepth: 1 + GitSubmodulesConfig: + FetchSubmodules: false + InsecureSsl: false + ReportBuildStatus: false + Type: "GITHUB" + Artifacts: + Type: "NO_ARTIFACTS" + Cache: + Type: "NO_CACHE" + Environment: + ComputeType: "BUILD_GENERAL1_LARGE" + Image: "aws/codebuild/standard:3.0" + ImagePullCredentialsType: "CODEBUILD" + PrivilegedMode: false + Type: "LINUX_CONTAINER" + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + TimeoutInMinutes: 60 + QueuedTimeoutInMinutes: 480 + EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" + BadgeEnabled: false + BuildBatchConfig: + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + Restrictions: + MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch + ComputeTypesAllowed: + - BUILD_GENERAL1_SMALL + - BUILD_GENERAL1_MEDIUM + - BUILD_GENERAL1_LARGE + TimeoutInMins: 480 + LogsConfig: + CloudWatchLogs: + Status: "ENABLED" + S3Logs: + Status: "DISABLED" + EncryptionDisabled: false + + CodeBuildProjectProdRelease: + Type: "AWS::CodeBuild::Project" + Properties: + Name: !Sub "${ProjectName}-prod-release" + Description: !Sub "CodeBuild project for 
${ProjectName} to release to prod repository." + Source: + Location: !Ref SourceLocation + BuildSpec: "codebuild/release/release-prod.yml" + GitCloneDepth: 1 + GitSubmodulesConfig: + FetchSubmodules: false + InsecureSsl: false + ReportBuildStatus: false + Type: "GITHUB" + Artifacts: + Type: "NO_ARTIFACTS" + Cache: + Type: "NO_CACHE" + Environment: + ComputeType: "BUILD_GENERAL1_LARGE" + Image: "aws/codebuild/standard:3.0" + ImagePullCredentialsType: "CODEBUILD" + PrivilegedMode: false + Type: "LINUX_CONTAINER" + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + TimeoutInMinutes: 60 + QueuedTimeoutInMinutes: 480 + EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" + BadgeEnabled: false + BuildBatchConfig: + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + Restrictions: + MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch + ComputeTypesAllowed: + - BUILD_GENERAL1_SMALL + - BUILD_GENERAL1_MEDIUM + - BUILD_GENERAL1_LARGE + TimeoutInMins: 480 + LogsConfig: + CloudWatchLogs: + Status: "ENABLED" + S3Logs: + Status: "DISABLED" + EncryptionDisabled: false + + CodeBuildServiceRole: + Type: "AWS::IAM::Role" + Properties: + Path: "/service-role/" + RoleName: !Sub "codebuild-${ProjectName}-service-role" + AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"},{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com\"},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringEquals\":{\"token.actions.githubusercontent.com:aud\":\"sts.amazonaws.com\"},\"StringLike\":{\"token.actions.githubusercontent.com:sub\":\"repo:aws/aws-dynamodb-encryption-java:*\"}}}]}" + MaxSessionDuration: 3600 + ManagedPolicyArns: + - !Ref CryptoToolsKMS + - !Ref CodeBuildBatchPolicy + - !Ref CodeBuildBasePolicy + - !Ref SecretsManagerPolicy + - !Ref ParameterStorePolicy + - 
!Ref DDBPolicy + - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess" + - !Ref CodeArtifactRepoLimitedReadWriteAuthToken + + CodeArtifactRepoLimitedReadWriteAuthToken: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CodeArtifactRepoLimitedReadWriteAuthToken-${ProjectName}-${CodeArtifactStagingRepo}" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "codeartifact:UntagResource", + "codeartifact:GetPackageVersionReadme", + "codeartifact:PutRepositoryPermissionsPolicy", + "codeartifact:ListTagsForResource", + "codeartifact:DescribeRepository", + "codeartifact:ListPackageVersionAssets", + "codeartifact:DeletePackageVersions", + "codeartifact:UpdateRepository", + "codeartifact:CopyPackageVersions", + "codeartifact:PutPackageMetadata", + "codeartifact:DisposePackageVersions", + "codeartifact:ListPackageVersionDependencies", + "codeartifact:TagResource", + "codeartifact:UpdatePackageVersionsStatus", + "codeartifact:ListPackages", + "codeartifact:ReadFromRepository", + "codeartifact:GetRepositoryEndpoint", + "codeartifact:PublishPackageVersion", + "codeartifact:GetPackageVersionAsset", + "codeartifact:GetRepositoryPermissionsPolicy", + "codeartifact:ListPackageVersions", + "codeartifact:GetAuthorizationToken" + ], + "Resource": [ + "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:domain/${CodeArtifactDomain}", + "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}", + "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}/*", + "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}/*/*", + "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}/*/*/*" + ] + } + ] + } + + + 
CodeBuildBatchPolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release", + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release", + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}" + ], + "Action": [ + "codebuild:StartBuild", + "codebuild:StopBuild", + "codebuild:RetryBuild", + "codebuild:BatchGetBuilds" + ] + } + ] + } + + CodeBuildBasePolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*" + ], + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:GetLogEvents" + ] + }, + { + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::codepipeline-${AWS::Region}-*" + ], + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:GetObjectVersion", + "s3:GetBucketAcl", + "s3:GetBucketLocation" + ] + }, + { + "Effect": "Allow", 
+ "Action": [ + "codebuild:CreateReportGroup", + "codebuild:CreateReport", + "codebuild:UpdateReport", + "codebuild:BatchPutTestCases", + "codebuild:BatchPutCodeCoverages" + ], + "Resource": [ + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*" + ] + } + ] + } + + + SecretsManagerPolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A", + "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm", + "arn:aws:secretsmanager:us-west-2:587316601012:secret:Maven-GPG-Keys-Credentials-C0wCzI" + ], + "Action": "secretsmanager:GetSecretValue" + } + ] + } + + DDBPolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CryptoTools-DynamoDB-${ProjectName}-CI" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:dynamodb:us-east-1:587316601012:table/ddbec-mrk-testing", + "arn:aws:dynamodb:us-west-2:587316601012:table/ddbec-mrk-testing" + ], + "Action": "*" + } + ] + } + + # There exist public AWS KMS CMKs that are used for testing + # Take care with these CMKs they are **ONLY** for testing!!! 
+ CryptoToolsKMS: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:kms:*:658956600833:key/*", + "arn:aws:kms:*:658956600833:alias/*" + ], + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey" + ] + } + ] + } + + # As of 2021/07/06, there is only 1 parameter stored, CodeBuild/AccountId, and it's created by ESDK-Java + ParameterStorePolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}-release" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CodeBuild/*" + ], + "Action": "ssm:GetParameters" + } + ] + } diff --git a/cfn/live.yml b/cfn/live.yml new file mode 100644 index 00000000..e47e40d6 --- /dev/null +++ b/cfn/live.yml 
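Review bot: The `AssumeRolePolicyDocument` of `CodeBuildServiceRole` trusts GitHub OIDC tokens whose `sub` matches `repo:aws/aws-dynamodb-encryption-java:*`, so a workflow on any branch, tag or pull request of the repository can assume a role that holds `codebuild:StartBuild` on the `-prod-release` project plus `secretsmanager:GetSecretValue` on the Sonatype and Maven GPG secrets; pin the claim to the ref or environment that is allowed to release (`ref:refs/heads/<RELEASE_BRANCH>` or `environment:<RELEASE_ENVIRONMENT>`) under `StringEquals`. That trust policy is also the only policy document in the file written as one escaped JSON string with the account hard-coded, whereas every managed policy uses a `!Sub |` block; the rewrite below uses the same block form and `${AWS::AccountId}`, which should resolve to the existing value when the stack is deployed to that account (an IAM OIDC provider is referenced from the role's own account). Smaller items in the same hunk: the CodeArtifact repository ARNs hard-code `crypto-tools-internal` where `${CodeArtifactDomain}` is already a parameter, so overriding that parameter silently leaves the repository grants pointing at the default domain; `Default: 587316601012` on `CodeArtifactAccount` is the one unquoted default and should be `Default: "587316601012"` to match its `String` type; and `DDBPolicy` grants `"Action": "*"` on the test tables where an explicit `dynamodb:` action list would document what CI actually needs. The cfn/live.yml hunk that follows is byte-identical to this file (and is deleted again later in the series), so the same points apply there.
```yaml
  CodeBuildServiceRole:
    Type: "AWS::IAM::Role"
    Properties:
      # … unchanged: Path, RoleName …
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "codebuild.amazonaws.com" },
              "Action": "sts:AssumeRole"
            },
            {
              "Effect": "Allow",
              "Principal": {
                "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com"
              },
              "Action": "sts:AssumeRoleWithWebIdentity",
              "Condition": {
                "StringEquals": {
                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                  "token.actions.githubusercontent.com:sub": "repo:aws/aws-dynamodb-encryption-java:ref:refs/heads/<RELEASE_BRANCH>"
                }
              }
            }
          ]
        }
      # … unchanged: MaxSessionDuration, ManagedPolicyArns …
```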
@@ -0,0 +1,422 @@ +AWSTemplateFormatVersion: "2010-09-09" +Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up." +Parameters: + ProjectName: + Type: String + Description: The name of the CodeBuild Project + ProjectDescription: + Type: String + Description: The description for the CodeBuild Project + SourceLocation: + Type: String + Description: The https GitHub URL for the project + NumberOfBuildsInBatch: + Type: Number + MaxValue: 100 + MinValue: 1 + Default: 4 + Description: The number of builds you expect to run in a batch + CodeArtifactRegion: + Type: String + Description: Region for CodeArtifact + Default: "us-east-1" + CodeArtifactAccount: + Type: String + Description: AWS Account with CodeArtifact Resources + Default: 587316601012 + CodeArtifactDomain: + Type: String + Description: Domain for CodeArtifact GetAuthToken + Default: "crypto-tools-internal" + CodeArtifactStagingRepo: + Type: String + Description: Staging Repo for CodeArtifact + Default: "java-ddbec-staging" + + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "Crypto Tools CodeBuild Project Template" + Parameters: + - ProjectName + - ProjectDescription + - SourceLocation + - + Label: + default: "Crypto Tools CodeArtifact Parameters" + Parameters: + - CodeArtifactRegion + - CodeArtifactAccount + - CodeArtifactDomain + - CodeArtifactStagingRepo + +Resources: + CodeBuildProject: + Type: "AWS::CodeBuild::Project" + Properties: + Name: !Ref ProjectName + Description: !Ref ProjectDescription + Source: + Location: !Ref SourceLocation + GitCloneDepth: 1 + GitSubmodulesConfig: + FetchSubmodules: true + InsecureSsl: false + ReportBuildStatus: false + Type: "GITHUB" + Artifacts: + Type: "NO_ARTIFACTS" + Cache: + Type: "NO_CACHE" + Environment: + ComputeType: "BUILD_GENERAL1_LARGE" + Image: "aws/codebuild/standard:3.0" + ImagePullCredentialsType: "CODEBUILD" + PrivilegedMode: false + Type: "LINUX_CONTAINER" + 
ServiceRole: !GetAtt CodeBuildServiceRole.Arn + TimeoutInMinutes: 60 + QueuedTimeoutInMinutes: 480 + EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" + BadgeEnabled: false + BuildBatchConfig: + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + Restrictions: + MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch + ComputeTypesAllowed: + - BUILD_GENERAL1_SMALL + - BUILD_GENERAL1_MEDIUM + - BUILD_GENERAL1_LARGE + TimeoutInMins: 480 + LogsConfig: + CloudWatchLogs: + Status: "ENABLED" + S3Logs: + Status: "DISABLED" + EncryptionDisabled: false + + CodeBuildProjectTestRelease: + Type: "AWS::CodeBuild::Project" + Properties: + Name: !Sub "${ProjectName}-test-release" + Description: !Sub "CodeBuild project for ${ProjectName} to release to test repository." + Source: + Location: !Ref SourceLocation + BuildSpec: "codebuild/release/release-staging.yml" + GitCloneDepth: 1 + GitSubmodulesConfig: + FetchSubmodules: false + InsecureSsl: false + ReportBuildStatus: false + Type: "GITHUB" + Artifacts: + Type: "NO_ARTIFACTS" + Cache: + Type: "NO_CACHE" + Environment: + ComputeType: "BUILD_GENERAL1_LARGE" + Image: "aws/codebuild/standard:3.0" + ImagePullCredentialsType: "CODEBUILD" + PrivilegedMode: false + Type: "LINUX_CONTAINER" + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + TimeoutInMinutes: 60 + QueuedTimeoutInMinutes: 480 + EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" + BadgeEnabled: false + BuildBatchConfig: + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + Restrictions: + MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch + ComputeTypesAllowed: + - BUILD_GENERAL1_SMALL + - BUILD_GENERAL1_MEDIUM + - BUILD_GENERAL1_LARGE + TimeoutInMins: 480 + LogsConfig: + CloudWatchLogs: + Status: "ENABLED" + S3Logs: + Status: "DISABLED" + EncryptionDisabled: false + + CodeBuildProjectProdRelease: + Type: "AWS::CodeBuild::Project" + Properties: + Name: !Sub "${ProjectName}-prod-release" + Description: !Sub "CodeBuild project for 
${ProjectName} to release to prod repository." + Source: + Location: !Ref SourceLocation + BuildSpec: "codebuild/release/release-prod.yml" + GitCloneDepth: 1 + GitSubmodulesConfig: + FetchSubmodules: false + InsecureSsl: false + ReportBuildStatus: false + Type: "GITHUB" + Artifacts: + Type: "NO_ARTIFACTS" + Cache: + Type: "NO_CACHE" + Environment: + ComputeType: "BUILD_GENERAL1_LARGE" + Image: "aws/codebuild/standard:3.0" + ImagePullCredentialsType: "CODEBUILD" + PrivilegedMode: false + Type: "LINUX_CONTAINER" + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + TimeoutInMinutes: 60 + QueuedTimeoutInMinutes: 480 + EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" + BadgeEnabled: false + BuildBatchConfig: + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + Restrictions: + MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch + ComputeTypesAllowed: + - BUILD_GENERAL1_SMALL + - BUILD_GENERAL1_MEDIUM + - BUILD_GENERAL1_LARGE + TimeoutInMins: 480 + LogsConfig: + CloudWatchLogs: + Status: "ENABLED" + S3Logs: + Status: "DISABLED" + EncryptionDisabled: false + + CodeBuildServiceRole: + Type: "AWS::IAM::Role" + Properties: + Path: "/service-role/" + RoleName: !Sub "codebuild-${ProjectName}-service-role" + AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"},{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com\"},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringEquals\":{\"token.actions.githubusercontent.com:aud\":\"sts.amazonaws.com\"},\"StringLike\":{\"token.actions.githubusercontent.com:sub\":\"repo:aws/aws-dynamodb-encryption-java:*\"}}}]}" + MaxSessionDuration: 3600 + ManagedPolicyArns: + - !Ref CryptoToolsKMS + - !Ref CodeBuildBatchPolicy + - !Ref CodeBuildBasePolicy + - !Ref SecretsManagerPolicy + - !Ref ParameterStorePolicy + - 
!Ref DDBPolicy + - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess" + - !Ref CodeArtifactRepoLimitedReadWriteAuthToken + + CodeArtifactRepoLimitedReadWriteAuthToken: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CodeArtifactRepoLimitedReadWriteAuthToken-${ProjectName}-${CodeArtifactStagingRepo}" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "codeartifact:UntagResource", + "codeartifact:GetPackageVersionReadme", + "codeartifact:PutRepositoryPermissionsPolicy", + "codeartifact:ListTagsForResource", + "codeartifact:DescribeRepository", + "codeartifact:ListPackageVersionAssets", + "codeartifact:DeletePackageVersions", + "codeartifact:UpdateRepository", + "codeartifact:CopyPackageVersions", + "codeartifact:PutPackageMetadata", + "codeartifact:DisposePackageVersions", + "codeartifact:ListPackageVersionDependencies", + "codeartifact:TagResource", + "codeartifact:UpdatePackageVersionsStatus", + "codeartifact:ListPackages", + "codeartifact:ReadFromRepository", + "codeartifact:GetRepositoryEndpoint", + "codeartifact:PublishPackageVersion", + "codeartifact:GetPackageVersionAsset", + "codeartifact:GetRepositoryPermissionsPolicy", + "codeartifact:ListPackageVersions", + "codeartifact:GetAuthorizationToken" + ], + "Resource": [ + "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:domain/${CodeArtifactDomain}", + "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}", + "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}/*", + "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}/*/*", + "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}/*/*/*" + ] + } + ] + } + + + 
CodeBuildBatchPolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release", + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release", + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}" + ], + "Action": [ + "codebuild:StartBuild", + "codebuild:StopBuild", + "codebuild:RetryBuild", + "codebuild:BatchGetBuilds" + ] + } + ] + } + + CodeBuildBasePolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*" + ], + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:GetLogEvents" + ] + }, + { + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::codepipeline-${AWS::Region}-*" + ], + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:GetObjectVersion", + "s3:GetBucketAcl", + "s3:GetBucketLocation" + ] + }, + { + "Effect": "Allow", 
+ "Action": [ + "codebuild:CreateReportGroup", + "codebuild:CreateReport", + "codebuild:UpdateReport", + "codebuild:BatchPutTestCases", + "codebuild:BatchPutCodeCoverages" + ], + "Resource": [ + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*" + ] + } + ] + } + + + SecretsManagerPolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A", + "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm", + "arn:aws:secretsmanager:us-west-2:587316601012:secret:Maven-GPG-Keys-Credentials-C0wCzI" + ], + "Action": "secretsmanager:GetSecretValue" + } + ] + } + + DDBPolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CryptoTools-DynamoDB-${ProjectName}-CI" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:dynamodb:us-east-1:587316601012:table/ddbec-mrk-testing", + "arn:aws:dynamodb:us-west-2:587316601012:table/ddbec-mrk-testing" + ], + "Action": "*" + } + ] + } + + # There exist public AWS KMS CMKs that are used for testing + # Take care with these CMKs they are **ONLY** for testing!!! 
+ CryptoToolsKMS: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:kms:*:658956600833:key/*", + "arn:aws:kms:*:658956600833:alias/*" + ], + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey" + ] + } + ] + } + + # As of 2021/07/06, there is only 1 parameter stored, CodeBuild/AccountId, and it's created by ESDK-Java + ParameterStorePolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}-release" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CodeBuild/*" + ], + "Action": "ssm:GetParameters" + } + ] + } \ No newline at end of file From 84c9656dfeefd001db336147752a82ffacf2f145 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 24 Jun 2025 15:38:46 -0700 Subject: [PATCH 2/4] Update DDB-EC-Java.yml --- cfn/DDB-EC-Java.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfn/DDB-EC-Java.yml b/cfn/DDB-EC-Java.yml index ce60883d..a7dd8d6c 100644 --- a/cfn/DDB-EC-Java.yml +++ b/cfn/DDB-EC-Java.yml @@ -1,4 +1,4 @@ -AWSTemplateFormatVersion: "2010-09-09" +AWSTemplateFormatVersion: "2010-09-09" Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up." Parameters: ProjectName: From 1bca2baa19ee936d08428ac3fd6d8936e18e6fd9 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 24 Jun 2025 15:40:01 -0700 Subject: [PATCH 3/4] m --- cfn/DDB-EC-Java.yml | 2 +- cfn/live.yml | 422 -------------------------------------------- 2 files changed, 1 insertion(+), 423 deletions(-) delete mode 100644 cfn/live.yml 
diff --git a/cfn/DDB-EC-Java.yml b/cfn/DDB-EC-Java.yml index a7dd8d6c..ce60883d 100644 --- a/cfn/DDB-EC-Java.yml +++ b/cfn/DDB-EC-Java.yml @@ -1,4 +1,4 @@ -AWSTemplateFormatVersion: "2010-09-09" +AWSTemplateFormatVersion: "2010-09-09" Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up." Parameters: ProjectName: diff --git a/cfn/live.yml b/cfn/live.yml deleted file mode 100644 index e47e40d6..00000000 --- a/cfn/live.yml +++ /dev/null 
@@ -1,422 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up." -Parameters: - ProjectName: - Type: String - Description: The name of the CodeBuild Project - ProjectDescription: - Type: String - Description: The description for the CodeBuild Project - SourceLocation: - Type: String - Description: The https GitHub URL for the project - NumberOfBuildsInBatch: - Type: Number - MaxValue: 100 - MinValue: 1 - Default: 4 - Description: The number of builds you expect to run in a batch - CodeArtifactRegion: - Type: String - Description: Region for CodeArtifact - Default: "us-east-1" - CodeArtifactAccount: - Type: String - Description: AWS Account with CodeArtifact Resources - Default: 587316601012 - CodeArtifactDomain: - Type: String - Description: Domain for CodeArtifact GetAuthToken - Default: "crypto-tools-internal" - CodeArtifactStagingRepo: - Type: String - Description: Staging Repo for CodeArtifact - Default: "java-ddbec-staging" - - -Metadata: - AWS::CloudFormation::Interface: - ParameterGroups: - - - Label: - default: "Crypto Tools CodeBuild Project Template" - Parameters: - - ProjectName - - ProjectDescription - - SourceLocation - - - Label: - default: "Crypto Tools CodeArtifact Parameters" - Parameters: - - CodeArtifactRegion - - CodeArtifactAccount - - CodeArtifactDomain - - CodeArtifactStagingRepo - -Resources: - CodeBuildProject: - Type: "AWS::CodeBuild::Project" - Properties: - Name: !Ref ProjectName - Description: !Ref ProjectDescription - Source: - Location: !Ref SourceLocation - GitCloneDepth: 1 - GitSubmodulesConfig: - FetchSubmodules: true - InsecureSsl: false - ReportBuildStatus: false - Type: "GITHUB" - Artifacts: - Type: "NO_ARTIFACTS" - Cache: - Type: "NO_CACHE" - Environment: - ComputeType: "BUILD_GENERAL1_LARGE" - Image: "aws/codebuild/standard:3.0" - ImagePullCredentialsType: "CODEBUILD" - PrivilegedMode: false - Type: "LINUX_CONTAINER" - 
ServiceRole: !GetAtt CodeBuildServiceRole.Arn - TimeoutInMinutes: 60 - QueuedTimeoutInMinutes: 480 - EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" - BadgeEnabled: false - BuildBatchConfig: - ServiceRole: !GetAtt CodeBuildServiceRole.Arn - Restrictions: - MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch - ComputeTypesAllowed: - - BUILD_GENERAL1_SMALL - - BUILD_GENERAL1_MEDIUM - - BUILD_GENERAL1_LARGE - TimeoutInMins: 480 - LogsConfig: - CloudWatchLogs: - Status: "ENABLED" - S3Logs: - Status: "DISABLED" - EncryptionDisabled: false - - CodeBuildProjectTestRelease: - Type: "AWS::CodeBuild::Project" - Properties: - Name: !Sub "${ProjectName}-test-release" - Description: !Sub "CodeBuild project for ${ProjectName} to release to test repository." - Source: - Location: !Ref SourceLocation - BuildSpec: "codebuild/release/release-staging.yml" - GitCloneDepth: 1 - GitSubmodulesConfig: - FetchSubmodules: false - InsecureSsl: false - ReportBuildStatus: false - Type: "GITHUB" - Artifacts: - Type: "NO_ARTIFACTS" - Cache: - Type: "NO_CACHE" - Environment: - ComputeType: "BUILD_GENERAL1_LARGE" - Image: "aws/codebuild/standard:3.0" - ImagePullCredentialsType: "CODEBUILD" - PrivilegedMode: false - Type: "LINUX_CONTAINER" - ServiceRole: !GetAtt CodeBuildServiceRole.Arn - TimeoutInMinutes: 60 - QueuedTimeoutInMinutes: 480 - EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" - BadgeEnabled: false - BuildBatchConfig: - ServiceRole: !GetAtt CodeBuildServiceRole.Arn - Restrictions: - MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch - ComputeTypesAllowed: - - BUILD_GENERAL1_SMALL - - BUILD_GENERAL1_MEDIUM - - BUILD_GENERAL1_LARGE - TimeoutInMins: 480 - LogsConfig: - CloudWatchLogs: - Status: "ENABLED" - S3Logs: - Status: "DISABLED" - EncryptionDisabled: false - - CodeBuildProjectProdRelease: - Type: "AWS::CodeBuild::Project" - Properties: - Name: !Sub "${ProjectName}-prod-release" - Description: !Sub "CodeBuild project for 
${ProjectName} to release to prod repository." - Source: - Location: !Ref SourceLocation - BuildSpec: "codebuild/release/release-prod.yml" - GitCloneDepth: 1 - GitSubmodulesConfig: - FetchSubmodules: false - InsecureSsl: false - ReportBuildStatus: false - Type: "GITHUB" - Artifacts: - Type: "NO_ARTIFACTS" - Cache: - Type: "NO_CACHE" - Environment: - ComputeType: "BUILD_GENERAL1_LARGE" - Image: "aws/codebuild/standard:3.0" - ImagePullCredentialsType: "CODEBUILD" - PrivilegedMode: false - Type: "LINUX_CONTAINER" - ServiceRole: !GetAtt CodeBuildServiceRole.Arn - TimeoutInMinutes: 60 - QueuedTimeoutInMinutes: 480 - EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" - BadgeEnabled: false - BuildBatchConfig: - ServiceRole: !GetAtt CodeBuildServiceRole.Arn - Restrictions: - MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch - ComputeTypesAllowed: - - BUILD_GENERAL1_SMALL - - BUILD_GENERAL1_MEDIUM - - BUILD_GENERAL1_LARGE - TimeoutInMins: 480 - LogsConfig: - CloudWatchLogs: - Status: "ENABLED" - S3Logs: - Status: "DISABLED" - EncryptionDisabled: false - - CodeBuildServiceRole: - Type: "AWS::IAM::Role" - Properties: - Path: "/service-role/" - RoleName: !Sub "codebuild-${ProjectName}-service-role" - AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"},{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com\"},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringEquals\":{\"token.actions.githubusercontent.com:aud\":\"sts.amazonaws.com\"},\"StringLike\":{\"token.actions.githubusercontent.com:sub\":\"repo:aws/aws-dynamodb-encryption-java:*\"}}}]}" - MaxSessionDuration: 3600 - ManagedPolicyArns: - - !Ref CryptoToolsKMS - - !Ref CodeBuildBatchPolicy - - !Ref CodeBuildBasePolicy - - !Ref SecretsManagerPolicy - - !Ref ParameterStorePolicy - - 
!Ref DDBPolicy - - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess" - - !Ref CodeArtifactRepoLimitedReadWriteAuthToken - - CodeArtifactRepoLimitedReadWriteAuthToken: - Type: "AWS::IAM::ManagedPolicy" - Properties: - ManagedPolicyName: !Sub "CodeArtifactRepoLimitedReadWriteAuthToken-${ProjectName}-${CodeArtifactStagingRepo}" - Path: "/service-role/" - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "codeartifact:UntagResource", - "codeartifact:GetPackageVersionReadme", - "codeartifact:PutRepositoryPermissionsPolicy", - "codeartifact:ListTagsForResource", - "codeartifact:DescribeRepository", - "codeartifact:ListPackageVersionAssets", - "codeartifact:DeletePackageVersions", - "codeartifact:UpdateRepository", - "codeartifact:CopyPackageVersions", - "codeartifact:PutPackageMetadata", - "codeartifact:DisposePackageVersions", - "codeartifact:ListPackageVersionDependencies", - "codeartifact:TagResource", - "codeartifact:UpdatePackageVersionsStatus", - "codeartifact:ListPackages", - "codeartifact:ReadFromRepository", - "codeartifact:GetRepositoryEndpoint", - "codeartifact:PublishPackageVersion", - "codeartifact:GetPackageVersionAsset", - "codeartifact:GetRepositoryPermissionsPolicy", - "codeartifact:ListPackageVersions", - "codeartifact:GetAuthorizationToken" - ], - "Resource": [ - "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:domain/${CodeArtifactDomain}", - "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}", - "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}/*", - "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}/*/*", - "arn:aws:codeartifact:${CodeArtifactRegion}:${CodeArtifactAccount}:*/crypto-tools-internal/${CodeArtifactStagingRepo}/*/*/*" - ] - } - ] - } - - - 
CodeBuildBatchPolicy: - Type: "AWS::IAM::ManagedPolicy" - Properties: - ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role" - Path: "/service-role/" - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Resource": [ - "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release", - "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release", - "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}" - ], - "Action": [ - "codebuild:StartBuild", - "codebuild:StopBuild", - "codebuild:RetryBuild", - "codebuild:BatchGetBuilds" - ] - } - ] - } - - CodeBuildBasePolicy: - Type: "AWS::IAM::ManagedPolicy" - Properties: - ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}" - Path: "/service-role/" - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Resource": [ - "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}", - "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*", - "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release", - "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*", - "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release", - "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*" - ], - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:GetLogEvents" - ] - }, - { - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::codepipeline-${AWS::Region}-*" - ], - "Action": [ - "s3:PutObject", - "s3:GetObject", - "s3:GetObjectVersion", - "s3:GetBucketAcl", - "s3:GetBucketLocation" - ] - }, - { - "Effect": "Allow", 
- "Action": [ - "codebuild:CreateReportGroup", - "codebuild:CreateReport", - "codebuild:UpdateReport", - "codebuild:BatchPutTestCases", - "codebuild:BatchPutCodeCoverages" - ], - "Resource": [ - "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*" - ] - } - ] - } - - - SecretsManagerPolicy: - Type: "AWS::IAM::ManagedPolicy" - Properties: - ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release" - Path: "/service-role/" - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Resource": [ - "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A", - "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm", - "arn:aws:secretsmanager:us-west-2:587316601012:secret:Maven-GPG-Keys-Credentials-C0wCzI" - ], - "Action": "secretsmanager:GetSecretValue" - } - ] - } - - DDBPolicy: - Type: "AWS::IAM::ManagedPolicy" - Properties: - ManagedPolicyName: !Sub "CryptoTools-DynamoDB-${ProjectName}-CI" - Path: "/service-role/" - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Resource": [ - "arn:aws:dynamodb:us-east-1:587316601012:table/ddbec-mrk-testing", - "arn:aws:dynamodb:us-west-2:587316601012:table/ddbec-mrk-testing" - ], - "Action": "*" - } - ] - } - - # There exist public AWS KMS CMKs that are used for testing - # Take care with these CMKs they are **ONLY** for testing!!! 
- CryptoToolsKMS: - Type: "AWS::IAM::ManagedPolicy" - Properties: - ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role" - Path: "/service-role/" - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Resource": [ - "arn:aws:kms:*:658956600833:key/*", - "arn:aws:kms:*:658956600833:alias/*" - ], - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKey" - ] - } - ] - } - - # As of 2021/07/06, there is only 1 parameter stored, CodeBuild/AccountId, and it's created by ESDK-Java - ParameterStorePolicy: - Type: "AWS::IAM::ManagedPolicy" - Properties: - ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}-release" - Path: "/service-role/" - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Resource": [ - "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CodeBuild/*" - ], - "Action": "ssm:GetParameters" - } - ] - } \ No newline at end of file From 3ff850ba89f3b322c4effcdb01c8c5869117fc2c Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 24 Jun 2025 16:00:24 -0700 Subject: [PATCH 4/4] chore(release): Migrate release to Central Portal (#1157) * chore(release): Migrate release to Nexus Central --------- Co-authored-by: Lucas McDonald --- cfn/DDB-EC-Java.yml | 1 + codebuild/release/release-prod.yml | 4 ++-- codebuild/release/settings.xml | 2 +- sdk1/pom.xml | 14 +++++++------- 4 files changed, 11 insertions(+), 10 deletions(-) diff --git a/cfn/DDB-EC-Java.yml b/cfn/DDB-EC-Java.yml index ce60883d..2879488a 100644 --- a/cfn/DDB-EC-Java.yml +++ b/cfn/DDB-EC-Java.yml 
@@ -348,6 +348,7 @@ Resources:
 "Resource": [
 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Central-Portal-XrYUs2",
 "arn:aws:secretsmanager:us-west-2:587316601012:secret:Maven-GPG-Keys-Credentials-C0wCzI"
 ],
 "Action": "secretsmanager:GetSecretValue"
diff --git a/codebuild/release/release-prod.yml b/codebuild/release/release-prod.yml
index bc25225b..2fedc5fe 100644
--- a/codebuild/release/release-prod.yml
+++ b/codebuild/release/release-prod.yml
@@ -10,8 +10,8 @@ env:
 secrets-manager:
 GPG_KEY: Maven-GPG-Keys-Credentials:Keyname
 GPG_PASS: Maven-GPG-Keys-Credentials:Passphrase
- SONA_USERNAME: Sonatype-Team-Account:Username
- SONA_PASSWORD: Sonatype-Team-Account:Password
+ SONA_USERNAME: Sonatype-Central-Portal:Username
+ SONA_PASSWORD: Sonatype-Central-Portal:Password
 phases:
 install:
diff --git a/codebuild/release/settings.xml b/codebuild/release/settings.xml
index 19587de0..42b64ebe 100644
--- a/codebuild/release/settings.xml
+++ b/codebuild/release/settings.xml
@@ -9,7 +9,7 @@ ${codeartifact.token} - sonatype-nexus-staging + central ${sonatype.username} ${sonatype.password}
diff --git a/sdk1/pom.xml b/sdk1/pom.xml
index f0d4d6ea..2a1ab266 100644
--- a/sdk1/pom.xml
+++ b/sdk1/pom.xml
@@ -63,8 +63,8 @@ - sonatype-nexus-staging - https://aws.oss.sonatype.org/content/repositories/snapshots + central + https://ossrh-staging-api.central.sonatype.com/content/repositories/snapshots
@@ -92,13 +92,13 @@ - org.sonatype.plugins - nexus-staging-maven-plugin - 1.6.13 + org.sonatype.central + central-publishing-maven-plugin + 0.7.0 true - sonatype-nexus-staging - https://aws.oss.sonatype.org + central + true
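Review bot: The grant on `Sonatype-Team-Account-0tWvZm`, the context line directly above the added ARN, appears to be orphaned by this same patch: `codebuild/release/release-prod.yml` now reads SONA_USERNAME and SONA_PASSWORD from `Sonatype-Central-Portal`, so nothing in the visible patch still needs that secret. Unless another buildspec (the staging release, which this patch does not touch) still reads it, dropping that Resource entry keeps `secretsmanager:GetSecretValue` at least privilege and avoids carrying a retired credential in the service role; if it must stay, a comment such as `# Sonatype-Team-Account: still needed by [buildspec name] — remove once migrated` above the list would record why. The enclosing `SecretsManagerPolicy` resource and its `PolicyDocument` start and end outside the hunk.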
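Review bot: `Sonatype-Central-Portal:Username` and `Sonatype-Central-Portal:Password` reference the secret by name, which CodeBuild resolves in the build's own region as far as I recall, while the matching IAM grant added in `cfn/DDB-EC-Java.yml` names only the `us-west-2` ARN (`...:secret:Sonatype-Central-Portal-XrYUs2`); a build started in another region would fail the lookup, so the coupling deserves a comment, e.g. `# secrets live in us-west-2; the read grant is SecretsManagerPolicy in cfn/DDB-EC-Java.yml`. It is also worth confirming that the secret's Username/Password keys hold a Central Portal user token rather than the account login, since the publishing endpoint in `sdk1/pom.xml` changes to central.sonatype.com in the same patch. The `env` block continues outside the hunk.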