Skip to content

Commit bd49852

Browse files
imabhichowimabhichow
authored
chore: update private esdk cfn template (#64)
1 parent b5fdede commit bd49852

File tree

1 file changed

+163
-0
lines changed

1 file changed

+163
-0
lines changed

cfn/CB-private-java-esdk.yaml

Lines changed: 163 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,163 @@
1+
AWSTemplateFormatVersion: "2010-09-09"
2+
Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up."
3+
4+
Resources:
5+
CodeBuildProject:
6+
Type: "AWS::CodeBuild::Project"
7+
Properties:
8+
Name: !Ref ProjectName
9+
Description: "CI for the Java ESDK private staging repo"
10+
Source:
11+
Location: "https://github.com/aws/private-aws-encryption-sdk-java-staging.git"
12+
GitCloneDepth: 1
13+
GitSubmodulesConfig:
14+
FetchSubmodules: true
15+
InsecureSsl: false
16+
ReportBuildStatus: false
17+
Type: "GITHUB"
18+
Artifacts:
19+
Type: "NO_ARTIFACTS"
20+
Cache:
21+
Type: "NO_CACHE"
22+
Environment:
23+
ComputeType: "BUILD_GENERAL1_SMALL"
24+
Image: "aws/codebuild/standard:5.0"
25+
ImagePullCredentialsType: "CODEBUILD"
26+
PrivilegedMode: false
27+
Type: "LINUX_CONTAINER"
28+
ServiceRole: !GetAtt CodeBuildServiceRole.Arn
29+
TimeoutInMinutes: 60
30+
QueuedTimeoutInMinutes: 480
31+
EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
32+
BadgeEnabled: false
33+
BuildBatchConfig:
34+
ServiceRole: !GetAtt CodeBuildServiceRole.Arn
35+
Restrictions:
36+
MaximumBuildsAllowed: 4
37+
ComputeTypesAllowed:
38+
- BUILD_GENERAL1_SMALL
39+
- BUILD_GENERAL1_MEDIUM
40+
TimeoutInMins: 480
41+
LogsConfig:
42+
CloudWatchLogs:
43+
Status: "ENABLED"
44+
S3Logs:
45+
Status: "DISABLED"
46+
EncryptionDisabled: false
47+
48+
CodeBuildServiceRole:
49+
Type: "AWS::IAM::Role"
50+
Properties:
51+
Path: "/service-role/"
52+
RoleName: !Sub "codebuild-private-java-esdk-service-role"
53+
AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"},{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com\"},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringEquals\":{\"token.actions.githubusercontent.com:aud\":\"sts.amazonaws.com\"},\"StringLike\":{\"token.actions.githubusercontent.com:sub\":\"repo:aws/private-aws-encryption-sdk-java-staging:*\"}}}]}"
54+
MaxSessionDuration: 3600
55+
ManagedPolicyArns:
56+
- !Ref CryptoToolsKMS
57+
- !Ref CodeBuildBatchPolicy
58+
- !Ref CodeBuildBasePolicy
59+
60+
CodeBuildBatchPolicy:
61+
Type: "AWS::IAM::ManagedPolicy"
62+
Properties:
63+
ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-private-java-esdk-${AWS::Region}-codebuild-private-java-esdk-service-role"
64+
Path: "/service-role/"
65+
PolicyDocument: !Sub |
66+
{
67+
"Version": "2012-10-17",
68+
"Statement": [
69+
{
70+
"Effect": "Allow",
71+
"Resource": [
72+
"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/private-java-esdk"
73+
],
74+
"Action": [
75+
"codebuild:StartBuild",
76+
"codebuild:StopBuild",
77+
"codebuild:RetryBuild",
78+
"codebuild:BatchGetBuilds"
79+
]
80+
}
81+
]
82+
}
83+
84+
CodeBuildBasePolicy:
85+
Type: "AWS::IAM::ManagedPolicy"
86+
Properties:
87+
ManagedPolicyName: !Sub "CodeBuildBasePolicy-private-java-esdk-${AWS::Region}"
88+
Path: "/service-role/"
89+
PolicyDocument: !Sub |
90+
{
91+
"Version": "2012-10-17",
92+
"Statement": [
93+
{
94+
"Effect": "Allow",
95+
"Resource": [
96+
"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/private-java-esdk",
97+
"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/private-java-esdk:*"
98+
],
99+
"Action": [
100+
"logs:CreateLogGroup",
101+
"logs:CreateLogStream",
102+
"logs:PutLogEvents",
103+
"logs:GetLogEvents"
104+
]
105+
},
106+
{
107+
"Effect": "Allow",
108+
"Resource": [
109+
"arn:aws:s3:::codepipeline-${AWS::Region}-*"
110+
],
111+
"Action": [
112+
"s3:PutObject",
113+
"s3:GetObject",
114+
"s3:GetObjectVersion",
115+
"s3:GetBucketAcl",
116+
"s3:GetBucketLocation"
117+
]
118+
},
119+
{
120+
"Effect": "Allow",
121+
"Action": [
122+
"codebuild:CreateReportGroup",
123+
"codebuild:CreateReport",
124+
"codebuild:UpdateReport",
125+
"codebuild:BatchPutTestCases",
126+
"codebuild:BatchPutCodeCoverages"
127+
],
128+
"Resource": [
129+
"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/private-java-esdk-*"
130+
]
131+
}
132+
]
133+
}
134+
135+
# There exist public AWS KMS CMKs that are used for testing
136+
# Take care with these CMKs they are **ONLY** for testing!!!
137+
CryptoToolsKMS:
138+
Type: "AWS::IAM::ManagedPolicy"
139+
Properties:
140+
ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-private-java-esdk-${AWS::Region}-codebuild-private-java-esdk-service-role"
141+
Path: "/service-role/"
142+
PolicyDocument: !Sub |
143+
{
144+
"Version": "2012-10-17",
145+
"Statement": [
146+
{
147+
"Effect": "Allow",
148+
"Resource": [
149+
"arn:aws:kms:*:658956600833:key/*",
150+
"arn:aws:kms:*:658956600833:alias/*",
151+
"arn:aws:kms:*:370957321024:key/*",
152+
"arn:aws:kms:*:370957321024:alias/*"
153+
],
154+
"Action": [
155+
"kms:Encrypt",
156+
"kms:Decrypt",
157+
"kms:GenerateDataKey",
158+
"kms:GenerateDataKeyWithoutPlaintext",
159+
"kms:ReEncrypt"
160+
]
161+
}
162+
]
163+
}

0 commit comments

Comments
 (0)