chore: Run CodeBuild CI from Github Actions (#1213)

Author: lucasmcdonald3

.github/workflows/ci.yml

@@ -0,0 +1,112 @@
+name: AWS CodeBuild CI
+on:
+  pull_request:
+  push:
+  schedule:
+    - cron: "0 0 * * *" # Daily at 00:00 UTC (4 PM PDT)
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  staticAnalysis:
+    name: Static Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 3600
+      - name: Run Static Analysis
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 60
+        with:
+          project-name: AWS-ESDK-Java-CI
+          buildspec-override: codebuild/ci/static-analysis.yml
+          compute-type-override: BUILD_GENERAL1_MEDIUM
+          image-override: aws/codebuild/amazonlinux2-x86_64-standard:3.0
+  vectorTests:
+    name: Vector Tests
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        platform:
+          - distribution: openjdk
+            image: "aws/codebuild/standard:3.0"
+          - distribution: corretto
+            image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+        version: [ 8, 11 ]
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 3600
+      - name: Vector Tests ${{ matrix.platform.distribution }}${{ matrix.version }}
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 60
+        with:
+          project-name: AWS-ESDK-Java-CI
+          buildspec-override: codebuild/ci/vectors-ci.yml
+          compute-type-override: BUILD_GENERAL1_LARGE
+          image-override: ${{ matrix.platform.image }}
+          env-vars-for-codebuild: JAVA_ENV_VERSION
+        env:
+          JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
+  releaseCI:
+    name: Release CI
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 3600
+      - name: Release CI
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 60
+        with:
+          project-name: AWS-ESDK-Java-CI
+          buildspec-override: codebuild/ci/release-ci.yml
+          compute-type-override: BUILD_GENERAL1_LARGE
+          image-override: aws/codebuild/standard:3.0
+  validateCI:
+    name: Validate CI
+    runs-on: ubuntu-latest
+    needs: releaseCI
+    strategy:
+      fail-fast: true
+      matrix:
+        platform:
+          - distribution: openjdk
+            image: "aws/codebuild/standard:3.0"
+          - distribution: corretto
+            image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+        version: [ 8, 11 ]
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 3600
+      - name: Validate CI ${{ matrix.platform.distribution }}${{ matrix.version }}
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 60
+        with:
+          project-name: AWS-ESDK-Java-CI
+          buildspec-override: codebuild/ci/validate-ci.yml
+          compute-type-override: BUILD_GENERAL1_MEDIUM
+          image-override: ${{ matrix.platform.image }}
+          env-vars-for-codebuild: |
+            JAVA_ENV_VERSION,
+            JAVA_NUMERIC_VERSION
+        env:
+          JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
+          JAVA_NUMERIC_VERSION: ${{ matrix.version }}

cfn/ci_cd.yml

@@ -44,16 +44,10 @@ Resources:
         BuildSpec: codebuild/ci/ci.yml
         GitCloneDepth: 1
         GitSubmodulesConfig:
-          FetchSubmodules: false
+          FetchSubmodules: true
         InsecureSsl: false
         ReportBuildStatus: false
         Type: GITHUB
-      Triggers:
-        BuildType: BUILD_BATCH
-        Webhook: true
-        FilterGroups:
-          - - Type: EVENT
-              Pattern: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED
       Artifacts:
         Type: NO_ARTIFACTS
       Cache:
@@ -93,7 +87,9 @@ Resources:
       Source:
         Location: !Ref SourceLocation
         BuildSpec: codebuild/release/release.yml
-        GitCloneDepth: 1
+        ## https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html#cfn-codebuild-project-source-gitclonedepth
+        ## If this value is 0, greater than 25, or not provided then the full history is downloaded with each build project.
+        GitCloneDepth: 0
         GitSubmodulesConfig:
           FetchSubmodules: false
         InsecureSsl: false
@@ -136,14 +132,15 @@ Resources:
       Path: /service-role/
       RoleName: !Sub "codebuild-${ProjectName}-service-role-ci"
       AssumeRolePolicyDocument: >-
-        {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+        {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"},"StringLike":{"token.actions.githubusercontent.com:sub":"repo:aws/aws-encryption-sdk-java:*"}}}]}
       MaxSessionDuration: 3600
       ManagedPolicyArns:
         - !Ref CryptoToolsKMS
         - !Ref CodeBuildBatchPolicy
         - !Ref CodeBuildBasePolicy
         - !Ref SecretsManagerPolicyCI
         - !Ref ParameterStorePolicy
+        - !Ref CodeBuildBasePolicyCI
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
 
@@ -158,6 +155,7 @@ Resources:
       ManagedPolicyArns:
         - !Ref CryptoToolsKMS
         - !Ref CodeBuildBatchPolicy
+        - !Ref CodeBuildBatchPolicyRelease
         - !Ref CodeBuildBasePolicy
         - !Ref SecretsManagerPolicyRelease
         - !Ref ParameterStorePolicy
@@ -184,12 +182,37 @@ Resources:
               "Action": [
                 "codebuild:StartBuild",
                 "codebuild:StopBuild",
-                "codebuild:RetryBuild"
+                "codebuild:RetryBuild",
+                "codebuild:BatchGetBuilds"
               ]
             }
           ]
         }
 
+  CodeBuildBatchPolicyRelease:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub >-
+        CodeBuildBuildBatchPolicy-${ProjectName}-Release-${AWS::Region}-codebuild-${ProjectName}-release-service-role
+      Path: /service-role/
+      PolicyDocument: !Sub |
+        {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Resource": [
+                        "arn:aws:codebuild:us-west-2:${AWS::AccountId}:project/AWS-ESDK-Java-Release"
+                    ],
+                    "Action": [
+                        "codebuild:StartBuild",
+                        "codebuild:StopBuild",
+                        "codebuild:RetryBuild"
+                    ]
+                }
+            ]
+          }
+
   CodeBuildBasePolicy:
     Type: "AWS::IAM::ManagedPolicy"
     Properties:
@@ -212,7 +235,8 @@ Resources:
               "Action": [
                 "logs:CreateLogGroup",
                 "logs:CreateLogStream",
-                "logs:PutLogEvents"
+                "logs:PutLogEvents",
+                "logs:GetLogEvents"
               ]
             },
             {
@@ -244,6 +268,56 @@ Resources:
           ]
         }
 
+  CodeBuildBasePolicyCI:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-CI-${AWS::Region}"
+      Path: /service-role/
+      PolicyDocument: !Sub |
+          {
+              "Version": "2012-10-17",
+              "Statement": [
+                  {
+                      "Effect": "Allow",
+                      "Resource": [
+                          "arn:aws:logs:us-west-2:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI",
+                          "arn:aws:logs:us-west-2:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI:*"
+                      ],
+                      "Action": [
+                          "logs:CreateLogGroup",
+                          "logs:CreateLogStream",
+                          "logs:PutLogEvents"
+                      ]
+                  },
+                  {
+                      "Effect": "Allow",
+                      "Resource": [
+                          "arn:aws:s3:::codepipeline-us-west-2-*"
+                      ],
+                      "Action": [
+                          "s3:PutObject",
+                          "s3:GetObject",
+                          "s3:GetObjectVersion",
+                          "s3:GetBucketAcl",
+                          "s3:GetBucketLocation"
+                      ]
+                  },
+                  {
+                      "Effect": "Allow",
+                      "Action": [
+                          "codebuild:CreateReportGroup",
+                          "codebuild:CreateReport",
+                          "codebuild:UpdateReport",
+                          "codebuild:BatchPutTestCases",
+                          "codebuild:BatchPutCodeCoverages"
+                      ],
+                      "Resource": [
+                          "arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/AWS-ESDK-Java-CI-*"
+                      ]
+                  }
+              ]
+          }
+
   AccountIdParameter:
     Type: "AWS::SSM::Parameter"
     Properties:
@@ -264,7 +338,8 @@ Resources:
             {
               "Effect": "Allow",
               "Resource": [
-                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A"
+                  "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-xjAvTM",
+                  "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-Credentials-eBrSNB"
               ],
               "Action": "secretsmanager:GetSecretValue"
             }
@@ -283,8 +358,10 @@ Resources:
             {
               "Effect": "Allow",
               "Resource": [
-                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
-                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm"
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
               ],
               "Action": "secretsmanager:GetSecretValue"
             }