aws · skmcgrail · Nov 11, 2025 · Nov 5, 2025 · Nov 11, 2025
@@ -2,7 +2,6 @@
 
 from aws_cdk import (
     Duration,
-    Stack,
     aws_codebuild as codebuild,
     aws_s3 as s3,
     Environment,
@@ -11,15 +10,6 @@
 
 from cdk.aws_lc_base_ci_stack import AwsLcBaseCiStack
 from util.build_spec_loader import BuildSpecLoader
-from util.metadata import (
-    GITHUB_PUSH_CI_BRANCH_TARGETS,
-    GITHUB_REPO_NAME,
-    GITHUB_REPO_OWNER,
-    PRE_PROD_ACCOUNT,
-    STAGING_GITHUB_REPO_OWNER,
-    STAGING_GITHUB_REPO_NAME,
-)
-
 
 class AwsLcGitHubX509CIStack(AwsLcBaseCiStack):
     def __init__(

@@ -5,7 +5,6 @@
 from aws_cdk import (
     Duration,
     Size,
-    Stack,
     aws_codebuild as codebuild,
     aws_iam as iam,
     aws_ec2 as ec2,
@@ -20,14 +19,6 @@
     code_build_batch_policy_in_json,
     code_build_publish_metrics_in_json,
 )
-from util.metadata import (
-    GITHUB_PUSH_CI_BRANCH_TARGETS,
-    GITHUB_REPO_OWNER,
-    GITHUB_REPO_NAME,
-    PRE_PROD_ACCOUNT,
-    STAGING_GITHUB_REPO_OWNER,
-    STAGING_GITHUB_REPO_NAME,
-)
 from util.build_spec_loader import BuildSpecLoader
 
 

@@ -13,8 +13,9 @@ batch:
         type: LINUX_CONTAINER
         privileged-mode: true
         compute-type: BUILD_GENERAL1_LARGE
-        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:amazonlinux-2023_clang-15x_sanitizer_latest
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc/amazonlinux:2023
         variables:
+          AWS_LC_CI_COMPILER_ENV: clang-15
           AWS_LC_CI_TARGET: "tests/ci/run_fuzz_tests.sh"
 
     - identifier: al2023_clang14_arm_fuzz
@@ -23,8 +24,9 @@ batch:
         type: ARM_CONTAINER
         privileged-mode: true
         compute-type: BUILD_GENERAL1_LARGE
-        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-aarch:amazonlinux-2023_clang-15x_sanitizer_latest
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc/amazonlinux:2023
         variables:
+          AWS_LC_CI_COMPILER_ENV: clang-15
           AWS_LC_CI_TARGET: "tests/ci/run_fuzz_tests.sh"
 
     - identifier: al2023_clang15_x86_64_cryptofuzz
@@ -33,8 +35,9 @@ batch:
         type: LINUX_CONTAINER
         privileged-mode: true
         compute-type: BUILD_GENERAL1_LARGE
-        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:amazonlinux-2023_clang-15x_cryptofuzz_latest
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc/amazonlinux:2023
         variables:
+          AWS_LC_CI_COMPILER_ENV: clang-15
           AWS_LC_CI_TARGET: "tests/ci/run_cryptofuzz.sh"
 
     - identifier: al2023_clang15_arm_cryptofuzz
@@ -43,6 +46,7 @@ batch:
         type: ARM_CONTAINER
         privileged-mode: true
         compute-type: BUILD_GENERAL1_LARGE
-        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-aarch:amazonlinux-2023_clang-15x_cryptofuzz_latest
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc/amazonlinux:2023
         variables:
+          AWS_LC_CI_COMPILER_ENV: clang-15
           AWS_LC_CI_TARGET: "tests/ci/run_cryptofuzz.sh"
@@ -13,6 +13,7 @@ batch:
         type: LINUX_CONTAINER
         privileged-mode: true
         compute-type: BUILD_GENERAL1_LARGE
-        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:amazonlinux-2023_x509_latest
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc/amazonlinux:2023_x509
         variables:
+          AWS_LC_CI_COMPILER_ENV: gcc
           AWS_LC_CI_TARGET: "tests/ci/run_x509_limbo.sh"
@@ -41,6 +41,7 @@ class EcrRepoDataClass:
     cdk_id: str
     ecr_name: str
     allow_scrutinice_pull: bool = False
+    allow_codebuild_pull: bool = False
 
 
 class PrivateEcrStackV2(Stack):
@@ -89,20 +90,25 @@ def __init__(self,
         for x in [
             EcrRepoDataClass("aws-lc-ecr-ubuntu", UBUNTU_ECR_REPO),
             EcrRepoDataClass("aws-lc-ecr-amazonlinux",
-                             AMAZONLINUX_ECR_REPO, allow_scrutinice_pull=True),
+                             AMAZONLINUX_ECR_REPO,
+                             allow_scrutinice_pull=True,
+                             allow_codebuild_pull=True),
             EcrRepoDataClass("aws-lc-ecr-fedora", FEDORA_ECR_REPO),
             EcrRepoDataClass("aws-lc-ecr-centos", CENTOS_ECR_REPO),
             EcrRepoDataClass("aws-lc-ecr-windows", WINDOWS_ECR_REPO),
             EcrRepoDataClass("aws-lc-ecr-verification", VERIFICATION_ECR_REPO),
             EcrRepoDataClass("aws-lc-ecr-android", ANDROID_ECR_REPO),
         ]:
-            EcrPrivateRepo(self, x.cdk_id, repo_name=x.ecr_name, allow_scrutinice_pull=x.allow_scrutinice_pull)
+            EcrPrivateRepo(self, x.cdk_id, repo_name=x.ecr_name,
+                           allow_scrutinice_pull=x.allow_scrutinice_pull,
+                           allow_codebuild_pull=x.allow_codebuild_pull)
 
 
 class EcrPrivateRepo(Construct):
     """Define private ECR repository to store container images."""
 
-    def __init__(self, scope: Construct, id: str, repo_name: str, *, allow_scrutinice_pull: bool, **kwargs) -> None:
+    def __init__(self, scope: Construct, id: str, repo_name: str, *, allow_scrutinice_pull: bool,
+                 allow_codebuild_pull: bool, **kwargs) -> None:
         super().__init__(scope, id, **kwargs)
 
         self.repo = ecr.Repository(
@@ -114,3 +120,5 @@ def __init__(self, scope: Construct, id: str, repo_name: str, *, allow_scrutinic
         )
         if allow_scrutinice_pull:
             self.repo.grant_pull(iam.ArnPrincipal(SCRUTINICE_PRINCIPAL_ROLE_ARN))
+        if allow_codebuild_pull:
+            self.repo.grant_pull(iam.ServicePrincipal("codebuild.amazonaws.com"))
@@ -10,4 +10,5 @@ env:
 phases:
   build:
     commands:
+      - source /opt/compiler-env/setup-${AWS_LC_CI_COMPILER_ENV}.sh
       - ./${AWS_LC_CI_TARGET}
@@ -10,6 +10,7 @@ env:
 phases:
   build:
     commands:
+      - source /opt/compiler-env/setup-${AWS_LC_CI_COMPILER_ENV}.sh
       - "./${AWS_LC_CI_TARGET}"
 
 artifacts: