From 524842adfed70077224ce8da6c49ee793e5036f4 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Tue, 28 Sep 2021 11:51:59 -0700
Subject: [PATCH 1/7] chore: removing extra log p[olicy that is not needed for prod-release
---
 cfn/prod-release.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/cfn/prod-release.yml b/cfn/prod-release.yml
index ebdf0ac52..dbe5ff8df 100644
--- a/cfn/prod-release.yml
+++ b/cfn/prod-release.yml
@@ -107,8 +107,7 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
- "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release",
- "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release",
+ "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-release-prod",
 "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
 ],
 "Action": [
@@ -133,10 +132,8 @@ Resources:
 "Resource": [
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
- "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release",
- "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*",
- "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
- "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-release-prod",
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-release-prod:*"
 ],
 "Action": [
 "logs:CreateLogGroup",
From 746ee3e21ec138669290ef7856c841f767e176ec Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Tue, 28 Sep 2021 12:24:14 -0700
Subject: [PATCH 2/7] chore: adding aws account id subsitution
---
 cfn/prod-release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/cfn/prod-release.yml b/cfn/prod-release.yml
index dbe5ff8df..c409a618b 100644
--- a/cfn/prod-release.yml
+++ b/cfn/prod-release.yml
@@ -190,7 +190,7 @@ Resources:
 "Resource": [
 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
- "arn:aws:secretsmanager:us-west-2:587316601012:secret:Maven-GPG-Keys-Credentials-C0wCzI",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Credentials-C0wCzI",
 ],
 "Action": "secretsmanager:GetSecretValue"
 }
@@ -209,8 +209,8 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
- "arn:aws:kms:*:658956600833:key/*",
- "arn:aws:kms:*:658956600833:alias/*"
+ "arn:aws:kms:*:${AWS::AccountId}:key/*",
+ "arn:aws:kms:*:${AWS::AccountId}:alias/*"
 ],
 "Action": [
 "kms:Encrypt",
From 83fb8fd18d22d50cde7e7b9fe3bff1823910bc39 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Wed, 29 Sep 2021 13:19:54 -0700
Subject: [PATCH 3/7] chore: adding accountid back to managepolicy
---
 cfn/prod-release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/cfn/prod-release.yml b/cfn/prod-release.yml
index c409a618b..f7f1aae26 100644
--- a/cfn/prod-release.yml
+++ b/cfn/prod-release.yml
@@ -173,7 +173,7 @@ Resources:
 Type: "AWS::SSM::Parameter"
 Properties:
 Description: Parameter to store our account id so CodeBuild specs can access it
- Name: /CodeBuild/AccountId
+ Name: /CodeBuild/Account
 Type: String
 Value: !Sub "${AWS::AccountId}"
 SecretsManagerPolicy:
@@ -209,8 +209,8 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
- "arn:aws:kms:*:${AWS::AccountId}:key/*",
- "arn:aws:kms:*:${AWS::AccountId}:alias/*"
+ "arn:aws:kms:*:658956600833:key/*",
+ "arn:aws:kms:*:658956600833:alias/*"
 ],
 "Action": [
 "kms:Encrypt",
From fc2ae56ad51c062a9833edeea023e9846c801e8b Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Wed, 29 Sep 2021 14:06:19 -0700
Subject: [PATCH 4/7] chore: correctly formatting secrets policy
---
 cfn/prod-release.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/cfn/prod-release.yml b/cfn/prod-release.yml
index f7f1aae26..347a8c0fa 100644
--- a/cfn/prod-release.yml
+++ b/cfn/prod-release.yml
@@ -180,7 +180,7 @@ Resources:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
 ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
- Path: /service-role/
+ Path: "/service-role/"
 PolicyDocument: !Sub |
 {
 "Version": "2012-10-17",
@@ -189,8 +189,7 @@ Resources:
 "Effect": "Allow",
 "Resource": [
 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
- "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
- "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Credentials-C0wCzI",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm"
 ],
 "Action": "secretsmanager:GetSecretValue"
 }
From 87be1adb20cb034d0d4ed4734bff593aae709df4 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Thu, 30 Sep 2021 12:13:56 -0700
Subject: [PATCH 5/7] chore: rename file and adding cfn template for our CI project
---
 cfn/{prod-release.yml => ci_cd.yml} | 123 ++++++++++++++++++++++++----
 1 file changed, 105 insertions(+), 18 deletions(-)
 rename cfn/{prod-release.yml => ci_cd.yml} (65%)
diff --git a/cfn/prod-release.yml b/cfn/ci_cd.yml
similarity index 65%
rename from cfn/prod-release.yml
rename to cfn/ci_cd.yml
index 347a8c0fa..29d91378a 100644
--- a/cfn/prod-release.yml
+++ b/cfn/ci_cd.yml
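Review bot: The KMS statement re-hardcodes account 658956600833 and still grants every key and alias in that account in every region (`arn:aws:kms:*:658956600833:key/*`), which is far wider than a release build needs; the `Resource` list should name the specific key ARN(s) the build actually uses, e.g. `"arn:aws:kms:us-west-2:658956600833:key/<key-id>"`. Because patch 2 replaced this literal with `${AWS::AccountId}` and this patch puts it back, a comment is needed so the next reader does not "fix" it again, e.g. `# Key lives in a separate account (not ${AWS::AccountId}); see the key policy there for the matching grant` — the purpose of that account is not visible here, so adjust the wording. Note that an IAM grant alone is not sufficient cross-account: the key policy in 658956600833 must also allow this role, which is worth stating in the same comment. Exposing the account as a stack Parameter would also make the intent explicit instead of a bare literal. The `Action` list continues past the end of the hunk.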
@@ -9,11 +9,11 @@ Parameters:
 ProjectName:
 Type: String
 Description: The name of the CodeBuild Project
- Default: java-esdk-prod
+ Default: AWS-ESDK-Java
 ProjectDescription:
 Type: String
 Description: The description for the CodeBuild Project
- Default: CFN stack for managing CodeBuild Release project for the ESDK-Java
+ Default: CFN stack for managing CodeBuild projects for the AWS ESDK Java
 SourceLocation:
 Type: String
 Description: The https GitHub URL for the project
@@ -22,7 +22,7 @@ Parameters:
 Type: Number
 MaxValue: 100
 MinValue: 1
- Default: 10
+ Default: 16
 Description: The number of builds you expect to run in a batch
 Metadata:
 "AWS::CloudFormation::Interface":
@@ -34,14 +34,64 @@ Metadata:
 - ProjectDescription
 - SourceLocation
 Resources:
+ CodeBuildProjectCI:
+ Type: "AWS::CodeBuild::Project"
+ Properties:
+ Name: !Sub "${ProjectName}-CI"
+ Description: !Sub "CI for the Java ESDK"
+ Source:
+ Location: !Ref SourceLocation
+ BuildSpec: codebuild/ci/ci.yml
+ GitCloneDepth: 1
+ GitSubmodulesConfig:
+ FetchSubmodules: false
+ InsecureSsl: false
+ ReportBuildStatus: false
+ Type: GITHUB
+ Triggers:
+ BuildType: BUILD_BATCH
+ Webhook: true
+ FilterGroups:
+ - - Type: EVENT
+ Pattern: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED
+ Artifacts:
+ Type: NO_ARTIFACTS
+ Cache:
+ Type: NO_CACHE
+ Environment:
+ ComputeType: BUILD_GENERAL1_LARGE
+ Image: "aws/codebuild/standard:5.0"
+ ImagePullCredentialsType: CODEBUILD
+ PrivilegedMode: false
+ Type: LINUX_CONTAINER
+ ServiceRole: !GetAtt CodeBuildServiceRoleCI.Arn
+ TimeoutInMinutes: 60
+ QueuedTimeoutInMinutes: 480
+ EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+ BadgeEnabled: false
+ BuildBatchConfig:
+ ServiceRole: !GetAtt CodeBuildServiceRoleCI.Arn
+ Restrictions:
+ MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+ ComputeTypesAllowed:
+ - BUILD_GENERAL1_SMALL
+ - BUILD_GENERAL1_MEDIUM
+ - BUILD_GENERAL1_LARGE
+ TimeoutInMins: 480
+ LogsConfig:
+ CloudWatchLogs:
+ Status: ENABLED
+ S3Logs:
+ Status: DISABLED
+ EncryptionDisabled: false
 CodeBuildProjectRelease:
 Type: "AWS::CodeBuild::Project"
 Properties:
- Name: !Sub "${ProjectName}-release-prod"
+ Name: !Sub "${ProjectName}-Release"
 Description: !Sub "CodeBuild project for ${ProjectName} to release to Sonatype."
 Source:
 Location: !Ref SourceLocation
- BuildSpec: codebuild/release/prod-release.yml
+ BuildSpec: codebuild/release/release.yml
 GitCloneDepth: 1
 GitSubmodulesConfig:
 FetchSubmodules: false
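Review bot: The CI project's webhook fires on every `PULL_REQUEST_CREATED`/`PULL_REQUEST_UPDATED`/`PULL_REQUEST_REOPENED` with no `ACTOR_ACCOUNT_ID`, `HEAD_REF` or `BASE_REF` filter, and CodeBuild runs `codebuild/ci/ci.yml` from the PR's own head commit under `CodeBuildServiceRoleCI`, so if `SourceLocation` is a public repository (as the project name suggests) any outside contributor can open a PR and execute a buildspec of their choosing with that role's credentials. That role is attached to the GPG-keys secret, the KMS policy and CodeArtifact admin in the role hunk later in this patch, which turns an untrusted PR into a route to the release signing material. Add a second filter to the same group so only trusted actors trigger builds, e.g. `- Type: ACTOR_ACCOUNT_ID` / `Pattern: "^(<trusted-github-user-id>|<another-id>)$"` (or `Type: HEAD_REF` limited to branches of the upstream repo), and in any case keep the CI role's policies to what a test build needs. `InsecureSsl: false` and `PrivilegedMode: false` are the right defaults and should stay.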
@@ -54,17 +104,17 @@ Resources:
 Type: NO_CACHE
 Environment:
 ComputeType: BUILD_GENERAL1_LARGE
- Image: "aws/codebuild/standard:4.0"
+ Image: "aws/codebuild/standard:5.0"
 ImagePullCredentialsType: CODEBUILD
 PrivilegedMode: false
 Type: LINUX_CONTAINER
- ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+ ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn
 TimeoutInMinutes: 60
 QueuedTimeoutInMinutes: 480
 EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
 BadgeEnabled: false
 BuildBatchConfig:
- ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+ ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn
 Restrictions:
 MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
 ComputeTypesAllowed:
@@ -78,11 +128,27 @@ Resources:
 S3Logs:
 Status: DISABLED
 EncryptionDisabled: false
- CodeBuildServiceRole:
+ CodeBuildServiceRoleCI:
+ Type: "AWS::IAM::Role"
+ Properties:
+ Path: /service-role/
+ RoleName: !Sub "codebuild-${ProjectName}-service-role-ci"
+ AssumeRolePolicyDocument: >-
+ {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+ MaxSessionDuration: 3600
+ ManagedPolicyArns:
+ - !Ref CryptoToolsKMS
+ - !Ref CodeBuildBatchPolicy
+ - !Ref CodeBuildBasePolicy
+ - !Ref SecretsManagerPolicyCI
+ - !Ref ParameterStorePolicy
+ - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
+ - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+ CodeBuildServiceRoleRelease:
 Type: "AWS::IAM::Role"
 Properties:
 Path: /service-role/
- RoleName: !Sub "codebuild-${ProjectName}-service-role"
+ RoleName: !Sub "codebuild-${ProjectName}-service-role-release"
 AssumeRolePolicyDocument: >-
 {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
 MaxSessionDuration: 3600
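Review bot: `CodeBuildServiceRoleCI` (and, in the next hunk, the release role) attaches the AWS-managed `AWSCodeArtifactAdminAccess`, which is full `codeartifact:*` over every domain and repository in the account and makes the `AWSCodeArtifactReadOnlyAccess` entry beside it redundant; a CI build needs at most read access plus token issuance, and even a release build needs only publish rights on one repository. Replace the admin ARN with a scoped statement — `codeartifact:GetAuthorizationToken` and `sts:GetServiceBearerToken` for both roles, plus `codeartifact:PublishPackageVersion` on the specific domain/repository ARNs for the release role only. The CI role also inherits `CryptoToolsKMS` and `SecretsManagerPolicyCI`, so a pull-request-triggered build carries key and secret access that a compile-and-test run should not hold; a separate, narrower policy set for CI would be safer. Both trust policies accept any `codebuild.amazonaws.com` caller with no source condition; switching the scalar to `!Sub` and adding `"Condition":{"StringEquals":{"aws:SourceAccount":"${AWS::AccountId}"}}` closes the cross-service confused-deputy path.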
@@ -90,7 +156,7 @@ Resources:
 - !Ref CryptoToolsKMS
 - !Ref CodeBuildBatchPolicy
 - !Ref CodeBuildBasePolicy
- - !Ref SecretsManagerPolicy
+ - !Ref SecretsManagerPolicyRelease
 - !Ref ParameterStorePolicy
 - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
 - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
@@ -107,7 +173,8 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
- "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-release-prod",
+ "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release",
+ "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-CI",
 "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
 ],
 "Action": [
@@ -132,8 +199,10 @@ Resources:
 "Resource": [
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
- "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-release-prod",
- "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-release-prod:*"
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI",
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI:*"
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release",
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release:*"
 ],
 "Action": [
 "logs:CreateLogGroup",
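Review bot: The batch statement keeps `arn:aws:codebuild:...:project/${ProjectName}` and the logs statement keeps the matching `/aws/codebuild/${ProjectName}` log group, but after this patch the only projects the template defines are `${ProjectName}-CI` and `${ProjectName}-Release`, so those bare-name entries grant access to a resource nothing here creates. Unless a project with the bare name is managed outside this stack, drop the two bare-name resources (and the `:*` log-group companion) so the policy states exactly what is reachable; if they are kept on purpose, a comment such as `# bare ${ProjectName} project is managed outside this stack` would spare the next reader the search. Both statements' `Action` lists continue beyond the end of the hunk.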
@@ -173,13 +242,31 @@ Resources:
 Type: "AWS::SSM::Parameter"
 Properties:
 Description: Parameter to store our account id so CodeBuild specs can access it
- Name: /CodeBuild/Account
+ Name: /CodeBuild/AccountIdentity
 Type: String
 Value: !Sub "${AWS::AccountId}"
- SecretsManagerPolicy:
+ SecretsManagerPolicyCI:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-CI"
+ Path: "/service-role/"
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A"
+ ],
+ "Action": "secretsmanager:GetSecretValue"
+ }
+ ]
+ }
+ SecretsManagerPolicyRelease:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
- ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
+ ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-Release"
 Path: "/service-role/"
 PolicyDocument: !Sub |
 {
@@ -222,7 +309,7 @@ Resources:
 ParameterStorePolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
- ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}-release"
+ ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}"
 Path: /service-role/
 PolicyDocument: !Sub |
 {
From 35b1b7df79b35f9a0fec198ad8c5256200510c2a Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Thu, 30 Sep 2021 12:22:06 -0700
Subject: [PATCH 6/7] chore: format json
---
 cfn/ci_cd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index 29d91378a..4bf640360 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
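Review bot: `SecretsManagerPolicyCI` gives the CI role `secretsmanager:GetSecretValue` on `Maven-GPG-Keys-GC6h0A`, the same secret the release policy reads and, judging by its name, the artifact-signing key; a CI build that compiles and tests should not be able to read release signing material, least of all when the CI project is triggered by pull-request webhooks. If CI genuinely needs GPG material (for example to verify signatures), put a public key or a disposable test key in its own secret and reference that ARN here instead. The secret ARNs also pin `us-west-2` while every other ARN in the template uses `${AWS::Region}`; if that is deliberate because the secrets exist only in us-west-2, record it above the statement, e.g. `# Secrets are provisioned only in us-west-2; the region is intentionally fixed`, otherwise a stack deployed elsewhere gets AccessDenied on the secret with no hint why. The SSM parameter name changes for the third time in this series (`AccountId` -> `Account` -> `AccountIdentity`); whichever buildspec reads it is outside this view, so confirm it was updated in the same change.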
@@ -200,7 +200,7 @@ Resources:
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI",
- "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI:*"
+ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI:*",
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release",
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release:*"
 ],
From b49aad96932f505e0a81d620f9c59a5f931915ca Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Mon, 4 Oct 2021 09:39:11 -0700
Subject: [PATCH 7/7] style: add new line between resources
---
 cfn/ci_cd.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index 4bf640360..c49c2de33 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
@@ -84,6 +84,7 @@ Resources:
 S3Logs:
 Status: DISABLED
 EncryptionDisabled: false
+
 CodeBuildProjectRelease:
 Type: "AWS::CodeBuild::Project"
 Properties:
@@ -128,6 +129,7 @@ Resources:
 S3Logs:
 Status: DISABLED
 EncryptionDisabled: false
+
 CodeBuildServiceRoleCI:
 Type: "AWS::IAM::Role"
 Properties:
@@ -144,6 +146,7 @@ Resources:
 - !Ref ParameterStorePolicy
 - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
 - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+
 CodeBuildServiceRoleRelease:
 Type: "AWS::IAM::Role"
 Properties:
@@ -160,6 +163,7 @@ Resources:
 - !Ref ParameterStorePolicy
 - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
 - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+
 CodeBuildBatchPolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -185,6 +189,7 @@ Resources:
 }
 ]
 }
+
 CodeBuildBasePolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -238,6 +243,7 @@ Resources:
 }
 ]
 }
+
 AccountIdParameter:
 Type: "AWS::SSM::Parameter"
 Properties:
@@ -245,6 +251,7 @@ Resources:
 Name: /CodeBuild/AccountIdentity
 Type: String
 Value: !Sub "${AWS::AccountId}"
+
 SecretsManagerPolicyCI:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -263,6 +270,7 @@ Resources:
 }
 ]
 }
+
 SecretsManagerPolicyRelease:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -282,6 +290,7 @@ Resources:
 }
 ]
 }
+
 CryptoToolsKMS:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -306,6 +315,7 @@ Resources:
 }
 ]
 }
+
 ParameterStorePolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties: