Scope down IAM role permissions. #109

Merged
merged 3 commits into from
Mar 9, 2021
9 changes: 6 additions & 3 deletions tests/ci/cdk/app.py
Expand Up @@ -31,8 +31,11 @@
WindowsDockerImageBuildStack(app, "aws-lc-docker-image-build-windows", env=env)

# Define CodeBuild Batch job for testing code.
AwsLcGitHubCIStack(app, "aws-lc-ci-linux-x86", "./cdk/codebuild/github_ci_linux_x86_omnibus.yaml", env=env)
AwsLcGitHubCIStack(app, "aws-lc-ci-linux-arm", "./cdk/codebuild/github_ci_linux_arm_omnibus.yaml", env=env)
AwsLcGitHubCIStack(app, "aws-lc-ci-windows-x86", "./cdk/codebuild/github_ci_windows_x86_omnibus.yaml", env=env)
x86_build_spec_file = "./cdk/codebuild/github_ci_linux_x86_omnibus.yaml"
AwsLcGitHubCIStack(app, "aws-lc-ci-linux-x86", LINUX_X86_ECR_REPO, x86_build_spec_file, env=env)
arm_build_spec_file = "./cdk/codebuild/github_ci_linux_arm_omnibus.yaml"
AwsLcGitHubCIStack(app, "aws-lc-ci-linux-arm", LINUX_AARCH_ECR_REPO, arm_build_spec_file, env=env)
win_x86_build_spec_file = "./cdk/codebuild/github_ci_windows_x86_omnibus.yaml"
AwsLcGitHubCIStack(app, "aws-lc-ci-windows-x86", WINDOWS_X86_ECR_REPO, win_x86_build_spec_file, env=env)

app.synth()
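Review bot: The ECR repo constant and the build-spec path for each stack are paired only by position across three near-identical calls, so a swapped pair would synth cleanly and fail only when CodeBuild tries to pull the image. Keeping each pairing on one line, e.g. `for stack_id, repo, spec in (("aws-lc-ci-linux-x86", LINUX_X86_ECR_REPO, x86_build_spec_file), ...): AwsLcGitHubCIStack(app, stack_id, repo, spec, env=env)`, makes a mismatch visible at a glance. This hunk accounts for all 6 additions in app.py and adds no import, so `LINUX_X86_ECR_REPO`, `LINUX_AARCH_ECR_REPO` and `WINDOWS_X86_ECR_REPO` must already be in scope here; that import is outside the hunk and worth confirming.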
25 changes: 12 additions & 13 deletions tests/ci/cdk/cdk/aws_lc_github_ci_stack.py
Expand Up @@ -2,9 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

from aws_cdk import core, aws_codebuild as codebuild, aws_iam as iam
from util.iam_policies import codebuild_batch_policy_in_json
from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, LINUX_X86_ECR_REPO, \
LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO
from util.iam_policies import code_build_batch_policy_in_json, ecr_pull_only_policy_in_json
from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_REPO_OWNER, GITHUB_REPO_NAME
from util.yml_loader import YmlLoader


Expand All @@ -14,6 +13,7 @@ class AwsLcGitHubCIStack(core.Stack):
def __init__(self,
scope: core.Construct,
id: str,
ecr_repo_name: str,
spec_file_path: str,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
Expand All @@ -32,23 +32,22 @@ def __init__(self,
clone_depth=1)

# Define a IAM role for this stack.
codebuild_batch_policy = iam.PolicyDocument.from_json(
codebuild_batch_policy_in_json([id])
code_build_batch_policy = iam.PolicyDocument.from_json(
code_build_batch_policy_in_json([id])
)
inline_policies = {"codebuild_batch_policy": codebuild_batch_policy}
ecr_pull_only_policy = iam.PolicyDocument.from_json(
ecr_pull_only_policy_in_json(ecr_repo_name)
)
inline_policies = {"code_build_batch_policy": code_build_batch_policy,
"ecr_pull_only_policy": ecr_pull_only_policy}
role = iam.Role(scope=self,
id="{}-role".format(id),
assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
inline_policies=inline_policies,
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEC2ContainerRegistryReadOnly")
])
inline_policies=inline_policies)

# Create build spec.
placeholder_map = {"AWS_ACCOUNT_ID_PLACEHOLDER": AWS_ACCOUNT, "AWS_REGION_PLACEHOLDER": AWS_REGION,
"ECR_REPO_X86_PLACEHOLDER": LINUX_X86_ECR_REPO,
"ECR_REPO_AARCH_PLACEHOLDER": LINUX_AARCH_ECR_REPO,
"ECR_REPO_WINDOWS_PLACEHOLDER": WINDOWS_X86_ECR_REPO}
"ECR_REPO_PLACEHOLDER": ecr_repo_name}
build_spec_content = YmlLoader.load(spec_file_path, placeholder_map)

# Define CodeBuild.
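Review bot: The inline `ecr_pull_only_policy` replaces the AmazonEC2ContainerRegistryReadOnly managed policy with a repo-scoped document, but `ecr_pull_only_policy_in_json` itself is not in this diff, and a pull also needs `ecr:GetAuthorizationToken`, which ECR only honours on `Resource: "*"`; confirm the helper grants that in a separate statement alongside the repo-ARN-scoped `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchCheckLayerAvailability`, otherwise the registry login fails before the scoped statement is ever evaluated. The same check applies to `ecr_power_user_policy_in_json` at the call sites in linux_docker_image_batch_build_stack.py and windows_docker_image_build_stack.py. The helper takes a single name here while `ecr_power_user_policy_in_json` takes a list at those two call sites; accepting a list in both keeps the API uniform. The new `ecr_repo_name` parameter is undocumented; a one-line docstring on `__init__` such as `"""CI stack whose CodeBuild role may only pull images from ecr_repo_name."""` would state the intent of the scoping. `__init__` starts before this hunk and continues past it.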
8 changes: 4 additions & 4 deletions tests/ci/cdk/cdk/codebuild/github_ci_linux_arm_omnibus.yaml
Expand Up @@ -13,28 +13,28 @@ batch:
type: ARM_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_AARCH_PLACEHOLDER:ubuntu-19.10_clang-9x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.10_clang-9x_latest

- identifier: ubuntu2004_clang10x_aarch
buildspec: ./tests/ci/codebuild/linux-aarch/ubuntu-20.04_clang-10x.yml
env:
type: ARM_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_AARCH_PLACEHOLDER:ubuntu-20.04_clang-10x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-20.04_clang-10x_latest

- identifier: ubuntu1910_clang9x_aarch_sanitizer
buildspec: ./tests/ci/codebuild/linux-aarch/ubuntu-19.10_clang-9x_sanitizer.yml
env:
type: ARM_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_AARCH_PLACEHOLDER:ubuntu-19.10_clang-9x_sanitizer_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.10_clang-9x_sanitizer_latest

- identifier: amazonlinux2_gcc7x_aarch
buildspec: ./tests/ci/codebuild/linux-aarch/amazonlinux-2_gcc-7x.yml
env:
type: ARM_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_AARCH_PLACEHOLDER:amazonlinux-2_gcc-7x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:amazonlinux-2_gcc-7x_latest
38 changes: 19 additions & 19 deletions tests/ci/cdk/cdk/codebuild/github_ci_linux_x86_omnibus.yaml
Expand Up @@ -12,127 +12,127 @@ batch:
type: LINUX_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_SMALL
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-18.04_gcc-7x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-18.04_gcc-7x_latest

- identifier: ubuntu1604_gcc5x_x86
buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-16.04_gcc-5x_32-bits.yml
env:
type: LINUX_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-16.04_gcc-5x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-16.04_gcc-5x_latest

- identifier: ubuntu1804_clang6x_x86_64
buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-18.04_clang-6x.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-18.04_clang-6x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-18.04_clang-6x_latest

- identifier: ubuntu1804_gcc7x_x86_64
buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-18.04_gcc-7x.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-18.04_gcc-7x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-18.04_gcc-7x_latest

- identifier: ubuntu1910_clang9x_x86_64
buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-19.10_clang-9x.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-19.10_clang-9x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.10_clang-9x_latest

- identifier: ubuntu2004_clang10x_x86_64
buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-20.04_clang-10x.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-20.04_clang-10x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-20.04_clang-10x_latest

- identifier: ubuntu1904_gcc8x_x86_64
buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-19.04_gcc-8x.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-19.04_gcc-8x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.04_gcc-8x_latest

- identifier: ubuntu1904_clang8x_x86_64
buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-19.04_clang-8x.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-19.04_clang-8x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.04_clang-8x_latest

- identifier: centos7_gcc4x_x86
buildspec: ./tests/ci/codebuild/linux-x86/centos-7_gcc-4x-32-bits.yml
env:
type: LINUX_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:centos-7_gcc-4x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:centos-7_gcc-4x_latest

- identifier: centos7_gcc4x_x86_64
buildspec: ./tests/ci/codebuild/linux-x86/centos-7_gcc-4x.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:centos-7_gcc-4x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:centos-7_gcc-4x_latest

- identifier: amazonlinux2_gcc7x_x86_64
buildspec: ./tests/ci/codebuild/linux-x86/amazonlinux-2_gcc-7x.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:amazonlinux-2_gcc-7x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:amazonlinux-2_gcc-7x_latest

- identifier: amazonlinux2_gcc7x_intel_sde_x86_64
buildspec: ./tests/ci/codebuild/linux-x86/amazonlinux-2_gcc-7x_intel-sde.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:amazonlinux-2_gcc-7x_intel-sde_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:amazonlinux-2_gcc-7x_intel-sde_latest

- identifier: amazonlinux2_gcc7x_x86_64_valgrind
buildspec: ./tests/ci/codebuild/linux-x86/amazonlinux-2_gcc-7x_valgrind.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:amazonlinux-2_gcc-7x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:amazonlinux-2_gcc-7x_latest

- identifier: s2n_integration
buildspec: ./tests/ci/codebuild/linux-x86/s2n_integration.yml
env:
type: LINUX_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:s2n_integration_clang-9x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:s2n_integration_clang-9x_latest

- identifier: fedora31_clang9x_x86_64
buildspec: ./tests/ci/codebuild/linux-x86/fedora-31_clang-9x.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:fedora-31_clang-9x_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:fedora-31_clang-9x_latest

- identifier: ubuntu1910_clang9x_x86_64_sanitizer
buildspec: ./tests/ci/codebuild/linux-x86/ubuntu-19.10_clang-9x_sanitizer.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-19.10_clang-9x_sanitizer_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-19.10_clang-9x_sanitizer_latest

# When no SELECTCHECK env variable is undefined, formal verification is executed with a few parameters.
# SAW does not support thread level parallelism.
Expand All @@ -145,7 +145,7 @@ batch:
type: LINUX_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest

# When 'SHA512_384_SELECTCHECK' is defined, SHA512-384 formal verification is executed against more parameters.
- identifier: ubuntu2004_clang10x_formal_verification_sha_selectcheck
Expand All @@ -154,7 +154,7 @@ batch:
type: LINUX_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_2XLARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
variables:
SHA512_384_SELECTCHECK: 1

Expand All @@ -165,6 +165,6 @@ batch:
type: LINUX_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_2XLARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:ubuntu-20.04_clang-10x_formal-verification_latest
variables:
HMAC_SELECTCHECK: 1
Expand Up @@ -13,7 +13,7 @@ batch:
type: WINDOWS_SERVER_2019_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_WINDOWS_PLACEHOLDER:vs2015_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:vs2015_latest

- identifier: windows_msvc2017_x64
buildspec: ./tests/ci/codebuild/windows-x86/windows-msvc2017.yml
Expand All @@ -22,4 +22,4 @@ batch:
type: WINDOWS_SERVER_2019_CONTAINER
privileged-mode: false
compute-type: BUILD_GENERAL1_LARGE
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_WINDOWS_PLACEHOLDER:vs2017_latest
image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_PLACEHOLDER:vs2017_latest
9 changes: 5 additions & 4 deletions tests/ci/cdk/cdk/linux_docker_image_batch_build_stack.py
Expand Up @@ -4,7 +4,7 @@
from aws_cdk import core, aws_codebuild as codebuild, aws_iam as iam
from util.metadata import AWS_ACCOUNT, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, GITHUB_SOURCE_VERSION, LINUX_AARCH_ECR_REPO, \
LINUX_X86_ECR_REPO
from util.iam_policies import codebuild_batch_policy_in_json, ecr_power_user_policy_in_json
from util.iam_policies import code_build_batch_policy_in_json, ecr_power_user_policy_in_json
from util.yml_loader import YmlLoader


Expand All @@ -22,9 +22,10 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
clone_depth=1)

# Define a role.
codebuild_batch_policy = iam.PolicyDocument.from_json(codebuild_batch_policy_in_json([id]))
ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json())
inline_policies = {"codebuild_batch_policy": codebuild_batch_policy,
code_build_batch_policy = iam.PolicyDocument.from_json(code_build_batch_policy_in_json([id]))
ecr_repo_names = [LINUX_AARCH_ECR_REPO, LINUX_X86_ECR_REPO]
ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json(ecr_repo_names))
inline_policies = {"code_build_batch_policy": code_build_batch_policy,
"ecr_power_user_policy": ecr_power_user_policy}
role = iam.Role(scope=self,
id="{}-role".format(id),
2 changes: 1 addition & 1 deletion tests/ci/cdk/cdk/windows_docker_image_build_stack.py
Expand Up @@ -35,7 +35,7 @@ def __init__(self,
block_public_access=s3.BlockPublicAccess.BLOCK_ALL)

# Define a role for EC2.
ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json())
ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json([WINDOWS_X86_ECR_REPO]))
s3_read_write_policy = iam.PolicyDocument.from_json(s3_read_write_policy_in_json(S3_BUCKET_NAME))
inline_policies = {"ecr_power_user_policy": ecr_power_user_policy, "s3_read_write_policy": s3_read_write_policy}
role = iam.Role(scope=self, id="{}-role".format(id),
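Review bot: `WINDOWS_X86_ECR_REPO` is referenced on the new `ecr_power_user_policy` line, but this file's diffstat (1 addition, 1 deletion) shows no import change, so the constant must already be imported from util.metadata in this file; if it is not, `cdk synth` fails with a NameError at stack construction. This is worth confirming because the other two stacks in this PR did have their metadata imports adjusted. `__init__` starts before this hunk and continues past it.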