Scope down IAM role permissions. (#109)
* Scope down IAM role permissions.

* Remove 'AmazonEC2ContainerRegistryReadOnly'.
bryce-shang authored Mar 9, 2021
1 parent 66e3510 commit c6af55b
Showing 8 changed files with 91 additions and 58 deletions.
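--- a/tests/ci/cdk/app.py
+++ b/tests/ci/cdk/app.py
@@ -31,8 +31,11 @@
 WindowsDockerImageBuildStack(app, "aws-lc-docker-image-build-windows", env=env)
 
 # Define CodeBuild Batch job for testing code.
-AwsLcGitHubCIStack(app, "aws-lc-ci-linux-x86", "./cdk/codebuild/github_ci_linux_x86_omnibus.yaml", env=env)
-AwsLcGitHubCIStack(app, "aws-lc-ci-linux-arm", "./cdk/codebuild/github_ci_linux_arm_omnibus.yaml", env=env)
-AwsLcGitHubCIStack(app, "aws-lc-ci-windows-x86", "./cdk/codebuild/github_ci_windows_x86_omnibus.yaml", env=env)
+x86_build_spec_file = "./cdk/codebuild/github_ci_linux_x86_omnibus.yaml"
+AwsLcGitHubCIStack(app, "aws-lc-ci-linux-x86", LINUX_X86_ECR_REPO, x86_build_spec_file, env=env)
+arm_build_spec_file = "./cdk/codebuild/github_ci_linux_arm_omnibus.yaml"
+AwsLcGitHubCIStack(app, "aws-lc-ci-linux-arm", LINUX_AARCH_ECR_REPO, arm_build_spec_file, env=env)
+win_x86_build_spec_file = "./cdk/codebuild/github_ci_windows_x86_omnibus.yaml"
+AwsLcGitHubCIStack(app, "aws-lc-ci-windows-x86", WINDOWS_X86_ECR_REPO, win_x86_build_spec_file, env=env)
 
 app.synth()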
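Review bot: The new stack calls reference LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO and WINDOWS_X86_ECR_REPO, yet this hunk alone accounts for all 6 additions and 3 deletions reported for app.py, so no import was added for them in this commit. Unless the file head (outside the hunk) already imports those names from util.metadata, the script raises NameError before reaching app.synth(); if not, add `from util.metadata import LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO` at the top of the file. The three `*_build_spec_file` locals are a readability improvement over the inline strings and need no further change.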
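--- a/tests/ci/cdk/cdk/aws_lc_github_ci_stack.py
+++ b/tests/ci/cdk/cdk/aws_lc_github_ci_stack.py
@@ -2,9 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 from aws_cdk import core, aws_codebuild as codebuild, aws_iam as iam
-from util.iam_policies import codebuild_batch_policy_in_json
-from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, LINUX_X86_ECR_REPO, \
-LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO
+from util.iam_policies import code_build_batch_policy_in_json, ecr_pull_only_policy_in_json
+from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_REPO_OWNER, GITHUB_REPO_NAME
 from util.yml_loader import YmlLoader
 
 
@@ -14,6 +13,7 @@ class AwsLcGitHubCIStack(core.Stack):
 def __init__(self,
 scope: core.Construct,
 id: str,
+ecr_repo_name: str,
 spec_file_path: str,
 **kwargs) -> None:
 super().__init__(scope, id, **kwargs)
@@ -32,23 +32,22 @@ def __init__(self,
 clone_depth=1)
 
 # Define a IAM role for this stack.
-codebuild_batch_policy = iam.PolicyDocument.from_json(
-codebuild_batch_policy_in_json([id])
+code_build_batch_policy = iam.PolicyDocument.from_json(
+code_build_batch_policy_in_json([id])
 )
-inline_policies = {"codebuild_batch_policy": codebuild_batch_policy}
+ecr_pull_only_policy = iam.PolicyDocument.from_json(
+ecr_pull_only_policy_in_json(ecr_repo_name)
+)
+inline_policies = {"code_build_batch_policy": code_build_batch_policy,
+"ecr_pull_only_policy": ecr_pull_only_policy}
 role = iam.Role(scope=self,
 id="{}-role".format(id),
 assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
-inline_policies=inline_policies,
-managed_policies=[
-iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEC2ContainerRegistryReadOnly")
-])
+inline_policies=inline_policies)
 
 # Create build spec.
 placeholder_map = {"AWS_ACCOUNT_ID_PLACEHOLDER": AWS_ACCOUNT, "AWS_REGION_PLACEHOLDER": AWS_REGION,
-"ECR_REPO_X86_PLACEHOLDER": LINUX_X86_ECR_REPO,
-"ECR_REPO_AARCH_PLACEHOLDER": LINUX_AARCH_ECR_REPO,
-"ECR_REPO_WINDOWS_PLACEHOLDER": WINDOWS_X86_ECR_REPO}
+"ECR_REPO_PLACEHOLDER": ecr_repo_name}
 build_spec_content = YmlLoader.load(spec_file_path, placeholder_map)
 
 # Define CodeBuild.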
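Review bot: The inline policy built from `ecr_pull_only_policy_in_json(ecr_repo_name)` now stands in for the removed AmazonEC2ContainerRegistryReadOnly managed policy, and `ecr:GetAuthorizationToken` — which CodeBuild needs before it can pull the `image:` named in the build spec — cannot be restricted to a repository ARN and has to be granted on `Resource: "*"` next to the repo-scoped `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchCheckLayerAvailability`. The helper lives in util/iam_policies.py, which this page does not render, so that split should be confirmed there before the managed policy is considered fully replaced. Separately, this helper takes a single repository name while `ecr_power_user_policy_in_json` takes a list (see the linux_docker_image_batch_build_stack.py and windows_docker_image_build_stack.py hunks); accepting a list in both keeps the two helpers uniform for callers. The new `ecr_repo_name` parameter is undocumented; a docstring line such as `ecr_repo_name: ECR repository holding the CI build images; the role's ECR pull permissions are scoped to it.` would make the scoping intent explicit. `__init__` continues past the end of the hunk.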
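--- a/tests/ci/cdk/cdk/codebuild/github_ci_linux_arm_omnibus.yaml
+++ b/tests/ci/cdk/cdk/codebuild/github_ci_linux_arm_omnibus.yaml
@@ -13,28 +13,28 @@ batch:
 type: ARM_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_AARCH_PLACEHOLDER:ubuntu-19.10_clang-9x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.10_clang-9x_latest
 
 - identifier: ubuntu2004_clang10x_aarch
 buildspec: ./tests/ci/codebuild/linux-aarch/ubuntu-20.04_clang-10x.yml
 env:
 type: ARM_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_AARCH_PLACEHOLDER:ubuntu-20.04_clang-10x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-20.04_clang-10x_latest
 
 - identifier: ubuntu1910_clang9x_aarch_sanitizer
 buildspec: ./tests/ci/codebuild/linux-aarch/ubuntu-19.10_clang-9x_sanitizer.yml
 env:
 type: ARM_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_AARCH_PLACEHOLDER:ubuntu-19.10_clang-9x_sanitizer_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.10_clang-9x_sanitizer_latest
 
 - identifier: amazonlinux2_gcc7x_aarch
 buildspec: ./tests/ci/codebuild/linux-aarch/amazonlinux-2_gcc-7x.yml
 env:
 type: ARM_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_AARCH_PLACEHOLDER:amazonlinux-2_gcc-7x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:amazonlinux-2_gcc-7x_latest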
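--- a/tests/ci/cdk/cdk/codebuild/github_ci_linux_x86_omnibus.yaml
+++ b/tests/ci/cdk/cdk/codebuild/github_ci_linux_x86_omnibus.yaml
@@ -12,127 +12,127 @@ batch:
 type: LINUX_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_SMALL
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-18.04_gcc-7x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-18.04_gcc-7x_latest
 
 - identifier: ubuntu1604_gcc5x_x86
 buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-16.04_gcc-5x_32-bits.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-16.04_gcc-5x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-16.04_gcc-5x_latest
 
 - identifier: ubuntu1804_clang6x_x86_64
 buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-18.04_clang-6x.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-18.04_clang-6x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-18.04_clang-6x_latest
 
 - identifier: ubuntu1804_gcc7x_x86_64
 buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-18.04_gcc-7x.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-18.04_gcc-7x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-18.04_gcc-7x_latest
 
 - identifier: ubuntu1910_clang9x_x86_64
 buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-19.10_clang-9x.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-19.10_clang-9x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.10_clang-9x_latest
 
 - identifier: ubuntu2004_clang10x_x86_64
 buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-20.04_clang-10x.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-20.04_clang-10x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-20.04_clang-10x_latest
 
 - identifier: ubuntu1904_gcc8x_x86_64
 buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-19.04_gcc-8x.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-19.04_gcc-8x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.04_gcc-8x_latest
 
 - identifier: ubuntu1904_clang8x_x86_64
 buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-19.04_clang-8x.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-19.04_clang-8x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.04_clang-8x_latest
 
 - identifier: centos7_gcc4x_x86
 buildspec: ./tests/ci/codebuild/linux-x86/centos-7_gcc-4x-32-bits.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:centos-7_gcc-4x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:centos-7_gcc-4x_latest
 
 - identifier: centos7_gcc4x_x86_64
 buildspec: ./tests/ci/codebuild/linux-x86/centos-7_gcc-4x.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:centos-7_gcc-4x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:centos-7_gcc-4x_latest
 
 - identifier: amazonlinux2_gcc7x_x86_64
 buildspec: ./tests/ci/codebuild/linux-x86/amazonlinux-2_gcc-7x.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:amazonlinux-2_gcc-7x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:amazonlinux-2_gcc-7x_latest
 
 - identifier: amazonlinux2_gcc7x_intel_sde_x86_64
 buildspec: ./tests/ci/codebuild/linux-x86/amazonlinux-2_gcc-7x_intel-sde.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:amazonlinux-2_gcc-7x_intel-sde_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:amazonlinux-2_gcc-7x_intel-sde_latest
 
 - identifier: amazonlinux2_gcc7x_x86_64_valgrind
 buildspec: ./tests/ci/codebuild/linux-x86/amazonlinux-2_gcc-7x_valgrind.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:amazonlinux-2_gcc-7x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:amazonlinux-2_gcc-7x_latest
 
 - identifier: s2n_integration
 buildspec: ./tests/ci/codebuild/linux-x86/s2n_integration.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:s2n_integration_clang-9x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:s2n_integration_clang-9x_latest
 
 - identifier: fedora31_clang9x_x86_64
 buildspec: ./tests/ci/codebuild/linux-x86/fedora-31_clang-9x.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:fedora-31_clang-9x_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:fedora-31_clang-9x_latest
 
 - identifier: ubuntu1910_clang9x_x86_64_sanitizer
 buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-19.10_clang-9x_sanitizer.yml
 env:
 type: LINUX_CONTAINER
 privileged-mode: true
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-19.10_clang-9x_sanitizer_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.10_clang-9x_sanitizer_latest
 
 # When no SELECTCHECK env variable is undefined, formal verification is executed with a few parameters.
 # SAW does not support thread level parallelism.
@@ -145,7 +145,7 @@ batch:
 type: LINUX_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
 
 # When 'SHA512_384_SELECTCHECK' is defined, SHA512-384 formal verification is executed against more parameters.
 - identifier: ubuntu2004_clang10x_formal_verification_sha_selectcheck
@@ -154,7 +154,7 @@ batch:
 type: LINUX_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_2XLARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
 variables:
 SHA512_384_SELECTCHECK: 1
 
@@ -165,6 +165,6 @@ batch:
 type: LINUX_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_2XLARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
 variables:
 HMAC_SELECTCHECK: 1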
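--- a/tests/ci/cdk/cdk/codebuild/github_ci_windows_x86_omnibus.yaml
+++ b/tests/ci/cdk/cdk/codebuild/github_ci_windows_x86_omnibus.yaml
@@ -13,7 +13,7 @@ batch:
 type: WINDOWS_SERVER_2019_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_WINDOWS_PLACEHOLDER:vs2015_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:vs2015_latest
 
 - identifier: windows_msvc2017_x64
 buildspec: ./tests/ci/codebuild/windows-x86/windows-msvc2017.yml
@@ -22,4 +22,4 @@ batch:
 type: WINDOWS_SERVER_2019_CONTAINER
 privileged-mode: false
 compute-type: BUILD_GENERAL1_LARGE
-image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_WINDOWS_PLACEHOLDER:vs2017_latest
+image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:vs2017_latest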
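--- a/tests/ci/cdk/cdk/linux_docker_image_batch_build_stack.py
+++ b/tests/ci/cdk/cdk/linux_docker_image_batch_build_stack.py
@@ -4,7 +4,7 @@
 from aws_cdk import core, aws_codebuild as codebuild, aws_iam as iam
 from util.metadata import AWS_ACCOUNT, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, GITHUB_SOURCE_VERSION, LINUX_AARCH_ECR_REPO, \
 LINUX_X86_ECR_REPO
-from util.iam_policies import codebuild_batch_policy_in_json, ecr_power_user_policy_in_json
+from util.iam_policies import code_build_batch_policy_in_json, ecr_power_user_policy_in_json
 from util.yml_loader import YmlLoader
 
 
@@ -22,9 +22,10 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
 clone_depth=1)
 
 # Define a role.
-codebuild_batch_policy = iam.PolicyDocument.from_json(codebuild_batch_policy_in_json([id]))
-ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json())
-inline_policies = {"codebuild_batch_policy": codebuild_batch_policy,
+code_build_batch_policy = iam.PolicyDocument.from_json(code_build_batch_policy_in_json([id]))
+ecr_repo_names = [LINUX_AARCH_ECR_REPO, LINUX_X86_ECR_REPO]
+ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json(ecr_repo_names))
+inline_policies = {"code_build_batch_policy": code_build_batch_policy,
 "ecr_power_user_policy": ecr_power_user_policy}
 role = iam.Role(scope=self,
 id="{}-role".format(id),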
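Review bot: `ecr_repo_names = [LINUX_AARCH_ECR_REPO, LINUX_X86_ECR_REPO]` narrows the power-user policy to two repositories but does not record why both are required, which is exactly what the next person tightening this role will need to know. The stack name suggests it builds and pushes both Linux images, though the push step is outside this hunk; once confirmed, a comment such as `# This batch build pushes both the x86 and aarch Linux images, so the push policy must cover both repos.` above the list would capture that. `__init__` starts and ends outside the hunk.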
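--- a/tests/ci/cdk/cdk/windows_docker_image_build_stack.py
+++ b/tests/ci/cdk/cdk/windows_docker_image_build_stack.py
@@ -35,7 +35,7 @@ def __init__(self,
 block_public_access=s3.BlockPublicAccess.BLOCK_ALL)
 
 # Define a role for EC2.
-ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json())
+ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json([WINDOWS_X86_ECR_REPO]))
 s3_read_write_policy = iam.PolicyDocument.from_json(s3_read_write_policy_in_json(S3_BUCKET_NAME))
 inline_policies = {"ecr_power_user_policy": ecr_power_user_policy, "s3_read_write_policy": s3_read_write_policy}
 role = iam.Role(scope=self, id="{}-role".format(id),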