Add verification failure behaviour param

packer/linux/conf/bin/bk-install-elastic-stack.sh

@@ -314,6 +314,10 @@ if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_ID" ]]; then
   echo "signing-jwks-key-id=$BUILDKITE_AGENT_SIGNING_KEY_ID" >>/etc/buildkite-agent/buildkite-agent.cfg
 fi
 
+if [[ -n "$BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR" ]]; then
+  echo "verification-failure-behavior=$BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
 if [[ -n "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" ]]; then
   echo "Fetching signing key from ssm: $BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
 

packer/windows/conf/bin/bk-install-elastic-stack.ps1

@@ -168,6 +168,10 @@ if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_SIGNING_KEY_ID)) {
   Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-key-id=$Env:BUILDKITE_AGENT_SIGNING_KEY_ID"
 }
 
+if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR)) {
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "verification-failure-behavior=$Env:BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR"
+}
+
 if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH)) {
   Write-Output "Fetching verification key from ssm: $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
 

templates/aws-stack.yml

@@ -52,6 +52,7 @@ Metadata:
         - BuildkiteAgentSigningKeySSMParameter
         - BuildkiteAgentSigningKeyID
         - BuildkiteAgentVerificationKeySSMParameter
+        - BuildkiteAgentVerificationFailureBehavior
 
       - Label:
           default: Network Configuration
@@ -217,6 +218,15 @@ Parameters:
     AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
     ConstraintDescription: "Expects a leading forward slash"
 
+  BuildkiteAgentVerificationFailureBehavior:
+    Description: "How the agent should respond when a job signature fails verification"
+    Type: String
+    AllowedValues:
+      - "block"
+      - "warn"
+      - ""
+    Default: ""
+
   BuildkiteAgentCancelGracePeriod:
     Description: The number of seconds a canceled or timed out job is given to gracefully terminate and upload its artifacts.
     Type: Number
@@ -1204,6 +1214,7 @@ Resources:
                   $Env:BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}"
                   $Env:BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}"
                   $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}"
+                  $Env:BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR="${BuildkiteAgentVerificationFailureBehavior}"
                   $Env:BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}"
                   $Env:BUILDKITE_QUEUE="${BuildkiteQueue}"
                   $Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}"
@@ -1264,6 +1275,7 @@ Resources:
                   BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}" \
                   BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}" \
                   BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}" \
+                  BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR="${BuildkiteAgentVerificationFailureBehavior}" \
                   BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \
                   BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \
                   BUILDKITE_QUEUE="${BuildkiteQueue}" \