chore: fix release cfn and codebuild (#380)
kessplas authored Oct 4, 2024
1 parent dd61547 commit 2844498
Showing 4 changed files with 20 additions and 45 deletions.
59 changes: 14 additions & 45 deletions cfn/release.yml
Expand Up @@ -95,9 +95,7 @@ Resources:
- !Ref SecretsManagerPolicyRelease
- !Ref ParameterStorePolicy
- !Ref S3ECReleaseTestKMSKeyPolicy
- !Ref S3ECReleaseTestKMSKeyPolicyTestVectors
- !Ref S3ECReleaseS3BucketPolicy
- !Ref S3ECReleaseS3BucketPolicyTestVectors
- "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
- "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"

Expand Down Expand Up @@ -297,29 +295,6 @@ Resources:
AliasName: alias/S3EC-Release-Testing-KMS-Key
TargetKeyId: !Ref S3ECReleaseTestingKMSKeyID

S3ECReleaseKMSKeyPolicyTestVectors:
Type: 'AWS::IAM::ManagedPolicy'
Properties:
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:kms:*:${AWS::AccountId}:key/${S3ECReleaseKMSKeyIDTestVectors}",
"arn:aws:kms:*:${AWS::AccountId}:${S3ECReleaseKMSKeyAliasTestVectors}"
],
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyPair"
]
}
]
}
ManagedPolicyName: S3EC-Release-KMS-Key-Policy-TestVectors

S3ECReleaseTestS3BucketTestVectors:
Type: 'AWS::S3::Bucket'
Properties:
Expand All @@ -330,26 +305,6 @@ Resources:
IgnorePublicAcls: false
RestrictPublicBuckets: false

S3ECReleaseS3BucketPolicyTestVectors:
Type: 'AWS::IAM::ManagedPolicy'
Properties:
ManagedPolicyName: S3EC-Release-S3-Bucket-Policy-testvectors
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 's3:ListBucket'
Resource:
- !GetAtt S3ECReleaseTestS3BucketTestVectors.Arn
- Effect: Allow
Action:
- 's3:PutObject'
- 's3:GetObject'
- 's3:DeleteObject'
Resource:
- !Join [ "", [ !GetAtt S3ECReleaseTestS3BucketTestVectors.Arn, '/*'] ]

S3ECReleaseTestS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
Expand Down Expand Up @@ -379,6 +334,12 @@ Resources:
- 's3:DeleteObject'
Resource:
- !Join [ "", [ !GetAtt S3ECReleaseTestS3Bucket.Arn, '/*' ] ]
- !Join [ "", [ !GetAtt S3ECReleaseTestS3BucketTestVectors.Arn, '/*'] ]
- Effect: Allow
Action:
- 's3:ListBucket'
Resource:
- !GetAtt S3ECReleaseTestS3BucketTestVectors.Arn

S3ECReleaseTestS3BucketAlternate:
Type: 'AWS::S3::Bucket'
Expand Down Expand Up @@ -433,6 +394,14 @@ Resources:
- Effect: Allow
Action: sts:AssumeRole
Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/service-role/S3EC-Release-test-role-alternate"
- Effect: Allow
Action:
- "kms:Decrypt"
- "kms:GenerateDataKey"
- "kms:GenerateDataKeyPair"
Resource:
- !Sub "arn:aws:kms:*:${AWS::AccountId}:key/${S3ECReleaseKMSKeyIDTestVectors}"
- !Sub "arn:aws:kms:*:${AWS::AccountId}:${S3ECReleaseKMSKeyAliasTestVectors}"

S3ECReleaseKMSKeyPolicyAlternate:
Type: 'AWS::IAM::ManagedPolicy'
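Review bot: The second `Resource` entry of the new KMS statement in hunk `@@ -433,6 +394,14 @@`, `arn:aws:kms:*:${AWS::AccountId}:${S3ECReleaseKMSKeyAliasTestVectors}`, is an alias ARN; KMS authorizes cryptographic actions such as kms:Decrypt and kms:GenerateDataKey against the key ARN, so this line most likely grants nothing and can be dropped, or, if alias-based scoping is the intent, expressed as a `kms:RequestAlias` condition on the key-ARN entry (confirm against the KMS alias-authorization docs). The pattern was carried over from the deleted `S3ECReleaseKMSKeyPolicyTestVectors` policy, so trimming it here keeps the new statement to the one resource it actually authorizes; the enclosing policy document starts outside the hunk. Separately, the context at the top of hunk `@@ -330,26 +305,6 @@` shows the TestVectors bucket with `IgnorePublicAcls: false` and `RestrictPublicBuckets: false`; unless anonymous access to the test vectors is required, both should be `true`, and the other two settings of that PublicAccessBlockConfiguration lie outside the hunk and should be checked as well.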
2 changes: 2 additions & 0 deletions codebuild/release/release-prod.yml
Expand Up @@ -24,8 +24,10 @@ phases:
- export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-Release-test-role-alternate
- export AWS_S3EC_TEST_BUCKET=s3ec-release-test-bucket
- export AWS_S3EC_TEST_ALT_BUCKET=s3ec-release-test-bucket-alternate
- export AWS_S3EC_TEST_TESTVECTORS_BUCKET=s3ec-release-test-bucket-testvectors
- export AWS_S3EC_TEST_KMS_KEY_ID=arn:aws:kms:us-west-2:${ACCOUNT}:key/af4ce40a-05ab-4f7c-b3fa-97bd0c9b7fb1
- export AWS_S3EC_TEST_KMS_KEY_ALIAS=arn:aws:kms:us-west-2:${ACCOUNT}:alias/S3EC-Release-Testing-KMS-Key
- export AWS_S3EC_TEST_TESTVECTORS_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/38d132d7-c8ad-4699-a653-87caa9a4c13a
- export AWS_REGION=us-west-2
- git checkout $BRANCH
- export SETTINGS_FILE=$(pwd)/codebuild/release/settings.xml
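Review bot: The new `AWS_S3EC_TEST_TESTVECTORS_KMS_KEY_ARN` export pins a raw key id that the buildspec cannot derive from the stack, so if cfn/release.yml ever recreates `S3ECReleaseKMSKeyIDTestVectors` these builds silently keep using the old key; the template already carries an alias for this key (`S3ECReleaseKMSKeyAliasTestVectors`), so exporting the alias ARN the way the existing `AWS_S3EC_TEST_KMS_KEY_ALIAS` line does for the primary key, or reading the id from a stack output at build time, would survive that. The variable name also breaks the pattern of its neighbour `AWS_S3EC_TEST_KMS_KEY_ID`, which holds an ARN as well; pick one suffix for both. The same two lines are duplicated verbatim in codebuild/release/release-staging.yml and codebuild/release/validate-staging.yml, so any correction must be applied in all three files. The enclosing `phases` block starts outside the hunk.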
2 changes: 2 additions & 0 deletions codebuild/release/release-staging.yml
Expand Up @@ -30,8 +30,10 @@ phases:
- export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-Release-test-role-alternate
- export AWS_S3EC_TEST_BUCKET=s3ec-release-test-bucket
- export AWS_S3EC_TEST_ALT_BUCKET=s3ec-release-test-bucket-alternate
- export AWS_S3EC_TEST_TESTVECTORS_BUCKET=s3ec-release-test-bucket-testvectors
- export AWS_S3EC_TEST_KMS_KEY_ID=arn:aws:kms:us-west-2:${ACCOUNT}:key/af4ce40a-05ab-4f7c-b3fa-97bd0c9b7fb1
- export AWS_S3EC_TEST_KMS_KEY_ALIAS=arn:aws:kms:us-west-2:${ACCOUNT}:alias/S3EC-Release-Testing-KMS-Key
- export AWS_S3EC_TEST_TESTVECTORS_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/38d132d7-c8ad-4699-a653-87caa9a4c13a
- export AWS_REGION=us-west-2
build:
commands:
2 changes: 2 additions & 0 deletions codebuild/release/validate-staging.yml
Expand Up @@ -27,8 +27,10 @@ phases:
- export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-Release-test-role-alternate
- export AWS_S3EC_TEST_BUCKET=s3ec-release-test-bucket
- export AWS_S3EC_TEST_ALT_BUCKET=s3ec-release-test-bucket-alternate
- export AWS_S3EC_TEST_TESTVECTORS_BUCKET=s3ec-release-test-bucket-testvectors
- export AWS_S3EC_TEST_KMS_KEY_ID=arn:aws:kms:us-west-2:${ACCOUNT}:key/af4ce40a-05ab-4f7c-b3fa-97bd0c9b7fb1
- export AWS_S3EC_TEST_KMS_KEY_ALIAS=arn:aws:kms:us-west-2:${ACCOUNT}:alias/S3EC-Release-Testing-KMS-Key
- export AWS_S3EC_TEST_TESTVECTORS_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/38d132d7-c8ad-4699-a653-87caa9a4c13a
- export AWS_REGION=us-west-2
build:
commands:

0 comments on commit 2844498
