chore: source controlling cfn templates that will be used for our rel…
…ease process (#345)

* chore: Adding cfn template for the release code build project

* chore: Adding parameter map and code artifact cfn template

* chore: removing cloud designer metadata
josecorella authored Sep 23, 2021
1 parent 291be0a commit 456dda0
Showing 3 changed files with 293 additions and 0 deletions.
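--- a/cfn/code_artifact.yml
+++ b/cfn/code_artifact.yml
@@ -0,0 +1,44 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+AWSTemplateFormatVersion: 2010-09-09
+Description: "Template for CodeArtifact repositories. Creates Domain if CreateDomainFlag is True"
+Parameters:
+DomainName:
+Type: String
+Description: The name of the CodeArtifact Domain
+Default: crypto-tools-internal
+RepositoryName:
+Type: String
+Description: Base Name for the Repositories
+Default: esdk-java
+CreateDomainFlag:
+Type: String
+Description: Attempt to create Domain or not
+Default: False
+AllowedValues:
+- True
+- False
+
+Conditions:
+CreateDomain: !Equals
+- !Ref CreateDomainFlag
+- True
+
+Resources:
+Domain:
+Type: AWS::CodeArtifact::Domain
+Condition: CreateDomain
+Properties:
+DomainName: !Ref DomainName
+
+CIRepo:
+Type: AWS::CodeArtifact::Repository
+Properties:
+DomainName: !Ref DomainName
+RepositoryName: !Sub "${RepositoryName}-ci"
+
+StagingRepo:
+Type: AWS::CodeArtifact::Repository
+Properties:
+DomainName: !Ref DomainName
+RepositoryName: !Sub "${RepositoryName}-staging"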
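Review bot: `CreateDomainFlag` is a `Type: String` parameter whose `Default`, `AllowedValues` and the `!Equals` operand in `CreateDomain` are all written as bare `True`/`False`, which YAML parsers generally read as booleans rather than strings; depending on how CloudFormation coerces them the condition may never match, so quote them as `Default: "false"`, `AllowedValues: ["true", "false"]` and compare against `"true"`. Neither the domain nor the two repositories set a `PermissionsPolicyDocument`, and the domain has no `EncryptionKey`, so access is governed only by IAM identity policies and content is protected by the AWS-managed key; if that is intended it deserves a comment such as `# access is controlled purely via IAM on the build roles; no resource policy`. The repositories also define no `Upstreams` or `ExternalConnections`, which (presumably deliberate) is a useful supply-chain boundary and is worth stating explicitly with `# no upstreams: packages are only ever published here by the release pipeline`.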
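--- a/cfn/code_build_parameter_map.json
+++ b/cfn/code_build_parameter_map.json
@@ -0,0 +1,6 @@
+{
+"NumberOfBuildsInBatch": 50,
+"ProjectDescription": "CD for Java ESDK",
+"ProjectName": "java-esdk",
+"SourceLocation": "https://github.com/aws/aws-encryption-sdk-java.git"
+}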
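--- a/cfn/prod-release.yml
+++ b/cfn/prod-release.yml
@@ -0,0 +1,243 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+AWSTemplateFormatVersion: 2010-09-09
+Description: >-
+Template to build a CodeBuild Project, assumes that GitHub credentials are
+already set up.
+Parameters:
+ProjectName:
+Type: String
+Description: The name of the CodeBuild Project
+Default: java-esdk-prod
+ProjectDescription:
+Type: String
+Description: The description for the CodeBuild Project
+Default: CFN stack for managing CodeBuild Release project for the ESDK-Java
+SourceLocation:
+Type: String
+Description: The https GitHub URL for the project
+Default: "https://github.com/aws/aws-encryption-sdk-java.git"
+NumberOfBuildsInBatch:
+Type: Number
+MaxValue: 100
+MinValue: 1
+Default: 10
+Description: The number of builds you expect to run in a batch
+Metadata:
+"AWS::CloudFormation::Interface":
+ParameterGroups:
+- Label:
+default: Crypto Tools CodeBuild Project Template
+Parameters:
+- ProjectName
+- ProjectDescription
+- SourceLocation
+Resources:
+CodeBuildProjectRelease:
+Type: "AWS::CodeBuild::Project"
+Properties:
+Name: !Sub "${ProjectName}-release-prod"
+Description: !Sub "CodeBuild project for ${ProjectName} to release to Sonatype."
+Source:
+Location: !Ref SourceLocation
+BuildSpec: codebuild/release/prod-release.yml
+GitCloneDepth: 1
+GitSubmodulesConfig:
+FetchSubmodules: false
+InsecureSsl: false
+ReportBuildStatus: false
+Type: GITHUB
+Artifacts:
+Type: NO_ARTIFACTS
+Cache:
+Type: NO_CACHE
+Environment:
+ComputeType: BUILD_GENERAL1_LARGE
+Image: "aws/codebuild/standard:4.0"
+ImagePullCredentialsType: CODEBUILD
+PrivilegedMode: false
+Type: LINUX_CONTAINER
+ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+TimeoutInMinutes: 60
+QueuedTimeoutInMinutes: 480
+EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+BadgeEnabled: false
+BuildBatchConfig:
+ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+Restrictions:
+MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+ComputeTypesAllowed:
+- BUILD_GENERAL1_SMALL
+- BUILD_GENERAL1_MEDIUM
+- BUILD_GENERAL1_LARGE
+TimeoutInMins: 480
+LogsConfig:
+CloudWatchLogs:
+Status: ENABLED
+S3Logs:
+Status: DISABLED
+EncryptionDisabled: false
+CodeBuildServiceRole:
+Type: "AWS::IAM::Role"
+Properties:
+Path: /service-role/
+RoleName: !Sub "codebuild-${ProjectName}-service-role"
+AssumeRolePolicyDocument: >-
+{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+MaxSessionDuration: 3600
+ManagedPolicyArns:
+- !Ref CryptoToolsKMS
+- !Ref CodeBuildBatchPolicy
+- !Ref CodeBuildBasePolicy
+- !Ref SecretsManagerPolicy
+- !Ref ParameterStorePolicy
+- "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
+- "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+CodeBuildBatchPolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub >-
+CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release",
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release",
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
+],
+"Action": [
+"codebuild:StartBuild",
+"codebuild:StopBuild",
+"codebuild:RetryBuild"
+]
+}
+]
+}
+CodeBuildBasePolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
+],
+"Action": [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents"
+]
+},
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:s3:::codepipeline-${AWS::Region}-*"
+],
+"Action": [
+"s3:PutObject",
+"s3:GetObject",
+"s3:GetObjectVersion",
+"s3:GetBucketAcl",
+"s3:GetBucketLocation"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"codebuild:CreateReportGroup",
+"codebuild:CreateReport",
+"codebuild:UpdateReport",
+"codebuild:BatchPutTestCases",
+"codebuild:BatchPutCodeCoverages"
+],
+"Resource": [
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
+]
+}
+]
+}
+AccountIdParameter:
+Type: "AWS::SSM::Parameter"
+Properties:
+Description: Parameter to store our account id so CodeBuild specs can access it
+Name: /CodeBuild/AccountId
+Type: String
+Value: !Sub "${AWS::AccountId}"
+SecretsManagerPolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+"arn:aws:secretsmanager:us-west-2:587316601012:secret:Maven-GPG-Keys-Credentials-C0wCzI",
+],
+"Action": "secretsmanager:GetSecretValue"
+}
+]
+}
+CryptoToolsKMS:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub >-
+CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:kms:*:658956600833:key/*",
+"arn:aws:kms:*:658956600833:alias/*"
+],
+"Action": [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:GenerateDataKey"
+]
+}
+]
+}
+ParameterStorePolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}-release"
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CodeBuild/*"
+],
+"Action": "ssm:GetParameters"
+}
+]
+}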
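Review bot: The `SecretsManagerPolicy` document has a trailing comma after the third `Resource` entry (the `...Maven-GPG-Keys-Credentials-C0wCzI",` line immediately before `]`), which is not valid JSON and is likely to make IAM reject the policy as malformed when the stack is created; drop the comma. The project itself is created as `${ProjectName}-release-prod`, but `CodeBuildBatchPolicy` and the CloudWatch Logs statement in `CodeBuildBasePolicy` are scoped to `${ProjectName}-prod-release` and `${ProjectName}-test-release`, so unless these names are aligned the service role cannot start batch builds of this project or write to its `/aws/codebuild/${ProjectName}-release-prod` log group. On least privilege, `AWSCodeArtifactAdminAccess` (which also makes the `AWSCodeArtifactReadOnlyAccess` entry redundant) grants every CodeArtifact action on every domain and repository in the account to a role that presumably only needs to read from and publish to the `-ci`/`-staging` repositories defined in `cfn/code_artifact.yml`; an inline statement scoped to those repository ARNs and to the publish/read actions the buildspec actually uses would be safer. Similarly, `CryptoToolsKMS` allows `kms:Encrypt`/`Decrypt`/`GenerateDataKey` on `key/*` across all regions of account 658956600833, and the secret ARNs hard-code `us-west-2` while every other resource uses `${AWS::Region}` — pin both to the specific key and secret ARNs and add a comment such as `# cross-account key/secret owned by the Crypto Tools release account; requires a matching key/resource policy there`.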
