Skip to content

Commit

Permalink
Merge branch 'master' into dependabot/pip/dev_requirements/setuptools…
Browse files Browse the repository at this point in the history 
…-70.0.0
  • Loading branch information
@rishav-karanjit
rishav-karanjit authored Nov 5, 2024
2 parents df3ebb2 + 2ae1881 commit daeddf7
Show file tree
Hide file tree
Showing 2 changed files with 365 additions and 1 deletion.
364 changes: 364 additions & 0 deletions cfn/CB.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,364 @@
AWSTemplateFormatVersion: "2010-09-09"
Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up."
Parameters:
ProjectName:
Type: String
Description: The name of the CodeBuild Project
ProjectDescription:
Type: String
Description: The description for the CodeBuild Project
SourceLocation:
Type: String
Description: The https GitHub URL for the project
NumberOfBuildsInBatch:
Type: Number
MaxValue: 100
MinValue: 1
Default: 4
Description: The number of builds you expect to run in a batch

Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: "Crypto Tools CodeBuild Project Template"
Parameters:
- ProjectName
- ProjectDescription
- SourceLocation

Resources:
CodeBuildProject:
Type: "AWS::CodeBuild::Project"
Properties:
Name: !Ref ProjectName
Description: !Ref ProjectDescription
Source:
Location: !Ref SourceLocation
GitCloneDepth: 1
GitSubmodulesConfig:
FetchSubmodules: false
InsecureSsl: false
ReportBuildStatus: false
Type: "GITHUB"
Triggers:
BuildType: BUILD_BATCH
Webhook: True
FilterGroups:
- - Type: EVENT
Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PUSH,PULL_REQUEST_REOPENED
Artifacts:
Type: "NO_ARTIFACTS"
Cache:
Type: "NO_CACHE"
Environment:
ComputeType: "BUILD_GENERAL1_SMALL"
Image: "aws/codebuild/standard:3.0"
ImagePullCredentialsType: "CODEBUILD"
PrivilegedMode: false
Type: "LINUX_CONTAINER"
ServiceRole: !GetAtt CodeBuildCIServiceRole.Arn
TimeoutInMinutes: 60
QueuedTimeoutInMinutes: 480
EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
BadgeEnabled: false
BuildBatchConfig:
ServiceRole: !GetAtt CodeBuildCIServiceRole.Arn
Restrictions:
MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
ComputeTypesAllowed:
- BUILD_GENERAL1_SMALL
- BUILD_GENERAL1_MEDIUM
TimeoutInMins: 480
LogsConfig:
CloudWatchLogs:
Status: "ENABLED"
S3Logs:
Status: "DISABLED"
EncryptionDisabled: false

CodeBuildProjectTestRelease:
Type: "AWS::CodeBuild::Project"
Properties:
Name: !Sub "${ProjectName}-test-release"
Description: !Sub "CodeBuild project for ${ProjectName} to release to test PyPi."
Source:
Location: !Ref SourceLocation
BuildSpec: "codebuild/release/test-release.yml"
GitCloneDepth: 1
GitSubmodulesConfig:
FetchSubmodules: false
InsecureSsl: false
ReportBuildStatus: false
Type: "GITHUB"
Artifacts:
Type: "NO_ARTIFACTS"
Cache:
Type: "NO_CACHE"
Environment:
ComputeType: "BUILD_GENERAL1_SMALL"
Image: "aws/codebuild/standard:3.0"
ImagePullCredentialsType: "CODEBUILD"
PrivilegedMode: false
Type: "LINUX_CONTAINER"
ServiceRole: !GetAtt CodeBuildServiceRole.Arn
TimeoutInMinutes: 60
QueuedTimeoutInMinutes: 480
EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
BadgeEnabled: false
BuildBatchConfig:
ServiceRole: !GetAtt CodeBuildServiceRole.Arn
Restrictions:
MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
ComputeTypesAllowed:
- BUILD_GENERAL1_SMALL
- BUILD_GENERAL1_MEDIUM
TimeoutInMins: 480
LogsConfig:
CloudWatchLogs:
Status: "ENABLED"
S3Logs:
Status: "DISABLED"
EncryptionDisabled: false

CodeBuildProjectProdRelease:
Type: "AWS::CodeBuild::Project"
Properties:
Name: !Sub "${ProjectName}-prod-release"
Description: !Sub "CodeBuild project for ${ProjectName} to release to prod PyPi."
Source:
Location: !Ref SourceLocation
BuildSpec: "codebuild/release/prod-release.yml"
GitCloneDepth: 1
GitSubmodulesConfig:
FetchSubmodules: false
InsecureSsl: false
ReportBuildStatus: false
Type: "GITHUB"
Artifacts:
Type: "NO_ARTIFACTS"
Cache:
Type: "NO_CACHE"
Environment:
ComputeType: "BUILD_GENERAL1_SMALL"
Image: "aws/codebuild/standard:3.0"
ImagePullCredentialsType: "CODEBUILD"
PrivilegedMode: false
Type: "LINUX_CONTAINER"
ServiceRole: !GetAtt CodeBuildServiceRole.Arn
TimeoutInMinutes: 60
QueuedTimeoutInMinutes: 480
EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
BadgeEnabled: false
BuildBatchConfig:
ServiceRole: !GetAtt CodeBuildServiceRole.Arn
Restrictions:
MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
ComputeTypesAllowed:
- BUILD_GENERAL1_SMALL
- BUILD_GENERAL1_MEDIUM
TimeoutInMins: 480
LogsConfig:
CloudWatchLogs:
Status: "ENABLED"
S3Logs:
Status: "DISABLED"
EncryptionDisabled: false

CodeBuildServiceRole:
Type: "AWS::IAM::Role"
Properties:
Path: "/service-role/"
RoleName: !Sub "codebuild-${ProjectName}-service-role"
AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
MaxSessionDuration: 3600
ManagedPolicyArns:
- !Ref CryptoToolsKMS
- !Ref CodeBuildBatchPolicy
- !Ref CodeBuildBasePolicy
- !Ref SecretsManagerPolicy
- !Ref DDBPolicy
- "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"

CodeBuildCIServiceRole:
Type: "AWS::IAM::Role"
Properties:
Path: "/service-role/"
RoleName: !Sub "codebuild-${ProjectName}-CI-service-role"
AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
MaxSessionDuration: 3600
ManagedPolicyArns:
- !Ref CryptoToolsKMS
- !Ref CodeBuildCIBatchPolicy
- !Ref CodeBuildBasePolicy
- !Ref DDBPolicy
- "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"

CodeBuildBatchPolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role"
Path: "/service-role/"
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}",
"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release",
"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release"
],
"Action": [
"codebuild:StartBuild",
"codebuild:StopBuild",
"codebuild:RetryBuild"
]
}
]
}
CodeBuildCIBatchPolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-CI-service-role"
Path: "/service-role/"
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
],
"Action": [
"codebuild:StartBuild",
"codebuild:StopBuild",
"codebuild:RetryBuild"
]
}
]
}
CodeBuildBasePolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
Path: "/service-role/"
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release",
"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*",
"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-${AWS::Region}-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketLocation"
]
},
{
"Effect": "Allow",
"Action": [
"codebuild:CreateReportGroup",
"codebuild:CreateReport",
"codebuild:UpdateReport",
"codebuild:BatchPutTestCases",
"codebuild:BatchPutCodeCoverages"
],
"Resource": [
"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
]
}
]
}
SecretsManagerPolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
Path: "/service-role/"
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiAPIToken-uERFjs",
"arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAPIToken-nu1Gu6"
],
"Action": "secretsmanager:GetSecretValue"
}
]
}
DDBPolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
ManagedPolicyName: !Sub "CryptoTools-DynamoDB-${ProjectName}-CI"
Path: "/service-role/"
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:us-east-1:587316601012:table/ddbec-mrk-testing",
"arn:aws:dynamodb:us-west-2:587316601012:table/ddbec-mrk-testing"
],
"Action": "*"
}
]
}
# There exist public AWS KMS CMKs that are used for testing
# Take care with these CMKs they are **ONLY** for testing!!!
CryptoToolsKMS:
Type: "AWS::IAM::ManagedPolicy"
Properties:
ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role"
Path: "/service-role/"
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:kms:*:658956600833:key/*",
"arn:aws:kms:*:658956600833:alias/*"
],
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
]
}
]
}
2 changes: 1 addition & 1 deletion test/upstream-requirements-py311.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,5 +34,5 @@ sortedcontainers==2.4.0
toml==0.10.2
types-toml==0.10.8.5
urllib3==1.26.18
Werkzeug==2.3.8
Werkzeug==3.0.3
xmltodict==0.13.0

0 comments on commit daeddf7

Please sign in to comment.