From 7c916601f8f49ecc9a8e59989de4a1e6f0e351d8 Mon Sep 17 00:00:00 2001 From: Darin Webb Date: Fri, 27 Oct 2023 11:15:11 -0500 Subject: [PATCH 1/6] remove unused ECR repository --- cicd/2-cicd/cicd.template.yml | 31 ------------------------------- 1 file changed, 31 deletions(-) diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml index c0a8ac66..4ba83f55 100644 --- a/cicd/2-cicd/cicd.template.yml +++ b/cicd/2-cicd/cicd.template.yml @@ -40,31 +40,6 @@ Conditions: Resources: - # The Elastic Container Registry Repository will store our built docker - # images, for example, the load-test docker image. - EcrRepository: - Type: AWS::ECR::Repository - Properties: - RepositoryName: !Sub javabuilder-${GitHubBranch} - RepositoryPolicyText: - Version: "2012-10-17" - Statement: - - - Sid: AllowDeveloperPushPull - Effect: Allow - Principal: - AWS: - - !ImportValue JavabuilderCodeBuildRoleArn - - !Sub "arn:aws:iam::${AWS::AccountId}:role/admin/Developer" - Action: - - "ecr:GetDownloadUrlForLayer" - - "ecr:BatchGetImage" - - "ecr:BatchCheckLayerAvailability" - - "ecr:PutImage" - - "ecr:InitiateLayerUpload" - - "ecr:UploadLayerPart" - - "ecr:CompleteLayerUpload" - EncryptionKey: Type: 'AWS::KMS::Key' Properties: @@ -126,8 +101,6 @@ Resources: EnvironmentVariables: - Name: ARTIFACT_STORE Value: !ImportValue JavabuilderCodeBuildArtifactBucket - - Name: ECR_REPOSITORY - Value: !GetAtt EcrRepository.RepositoryUri Cache: Type: LOCAL Modes: @@ -165,8 +138,6 @@ Resources: EnvironmentVariables: - Name: ARTIFACT_STORE Value: !ImportValue JavabuilderCodeBuildArtifactBucket - - Name: ECR_REPOSITORY - Value: !GetAtt EcrRepository.RepositoryUri Source: Type: CODEPIPELINE BuildSpec: cicd/3-app/load-test/load-test.buildspec.yml 
@@ -188,8 +159,6 @@ Resources: EnvironmentVariables: - Name: ARTIFACT_STORE Value: !ImportValue JavabuilderCodeBuildArtifactBucket - - Name: ECR_REPOSITORY - Value: !GetAtt EcrRepository.RepositoryUri Source: Type: CODEPIPELINE BuildSpec: cicd/3-app/javabuilder/buildspec.yml From 5c48398827cc188650e16e2a115d4d4ef2cc25c8 Mon Sep 17 00:00:00 2001 From: Darin Webb Date: Fri, 27 Oct 2023 11:15:56 -0500 Subject: [PATCH 2/6] tune pull request filter --- cicd/2-cicd/cicd.template.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml index 4ba83f55..0f5afee7 100644 --- a/cicd/2-cicd/cicd.template.yml +++ b/cicd/2-cicd/cicd.template.yml 
@@ -118,10 +118,21 @@ Resources: Triggers: Webhook: true FilterGroups: - - - Pattern: !Sub ^refs/heads/${GitHubBranch}$ - Type: BASE_REF - - Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED - Type: EVENT + # Pull requests into `main` from a trusted user + - - Type: BASE_REF + Pattern: !Sub ^refs/heads/${GitHubBranch}$ + - Type: EVENT + Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED + - Type: ACTOR_ACCOUNT_ID + Pattern: ^(31292421|113540108|10283727|105933103|16494556|11708250|11284819|8747128|25372625|46464143|2205926|131809324|7014619|7144482|5107622|68714964|8001765|1372238|5184438|2933346|137330041|208083|26844240|12300669|4108328|107423305|1859238|244100|37230822|82185575|8324574|38662275|137838584|95503833|117784268|9256643|24883357|22244040|25193259|8573958|29001621|113938636|66776217|43474485|33666587|5454101|98911841|8847422|5552007|65205145|108825710|1382374|126921802|85528507|769225|223277|2157034|14046120|1466175|137829631|142271809|56283563|146779710|124813947|31674)$ + # Pull requests into `main` for non-cicd files, from any user + - - Type: BASE_REF + Pattern: !Sub ^refs/heads/${GitHubBranch}$ + - Type: EVENT + Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED + - Type: FILE_PATH + ExcludeMatchedPattern: true + Pattern: ^cicd/.*$ # The CodeBuild Project is used in the CodePipeline pipeline to prepare for a release. # It will perform any steps defined in the referenced buildspec.yml file. From 197625df43e6a7a85739cdedd2618211afafb4d2 Mon Sep 17 00:00:00 2001 From: Darin Webb Date: Tue, 31 Oct 2023 10:51:19 -0500 Subject: [PATCH 3/6] create public codebuild role --- cicd/1-setup/cicd-dependencies.template.yml | 49 +++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/cicd/1-setup/cicd-dependencies.template.yml b/cicd/1-setup/cicd-dependencies.template.yml index ec15d0eb..220bf0a1 100644 --- a/cicd/1-setup/cicd-dependencies.template.yml 
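Review bot: The second filter group lets a pull request from any GitHub account start a build of this project, and a PR build executes the scripts and tests the PR itself contains, so the `FILE_PATH` exclusion of `^cicd/.*$` limits which files a PR may change but not what the build runs under the project's service role; at this point in the series that role is still `JavabuilderCodeBuildRoleArn`, so the role's permissions are the effective bound and the comment should say so. The comment on the first group names `main` while the pattern is `^refs/heads/${GitHubBranch}$`; suggest `# Pull requests into the GitHubBranch parameter's branch, from an allow-listed GitHub account id`. The `ACTOR_ACCOUNT_ID` allow-list is one unannotated regex of numeric ids, which is hard to audit in review; a comment recording where the list comes from and how it is maintained, plus a reminder that the `^(...)$` anchors must survive edits, would help. The FilterGroups mapping and the enclosing project continue outside the hunk.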
+++ b/cicd/1-setup/cicd-dependencies.template.yml @@ -73,6 +73,47 @@ Resources: Resource: - !Sub arn:aws:codestar-connections:us-east-1:${AWS::AccountId}:connection/* + # This role will be used by CodeBuild to verify pull requests. As such it has + # very limited permissions, as any GitHub user can create a Pull Requests. + PublicCodeBuildRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: ['sts:AssumeRole'] + Effect: Allow + Principal: + Service: + - codebuild.amazonaws.com + Version: '2012-10-17' + Path: /service-role/ + PermissionsBoundary: !ImportValue IAM-DevPermissions + Policies: + # - PolicyName: CloudformationPackage + # PolicyDocument: + # Statement: + # - Effect: Allow + # Action: + # - TBD + # Resource: TBD + - PolicyName: CodeBuildResourcesAccess + PolicyDocument: + Statement: + - Effect: Allow + Action: + - s3:GetBucketAcl + - s3:GetBucketLocation + Resource: + - !Sub arn:aws:s3:::${ArtifactStore} + - Effect: Allow + Action: + - s3:PutObject + - s3:PutObjectAcl + - s3:GetObject + - s3:GetObjectVersion + Resource: + - !Sub arn:aws:s3:::${ArtifactStore}/* + Outputs: JavabuilderCodeBuildArtifactBucket: Description: Javabuilder CodeBuild Artifact Bucket Name @@ -86,3 +127,11 @@ Outputs: Description: Javabuilder CodeBuild Role Name Value: !Ref JavabuilderCodeBuildRole Export: {Name: JavabuilderCodeBuildRoleName} + JavabuilderPublicCodeBuildRoleArn: + Description: Javabuilder Public CodeBuild Role ARN + Value: !GetAtt PublicCodeBuildRole.Arn + Export: {Name: JavabuilderPublicCodeBuildRoleArn} + JavabuilderPublicCodeBuildRoleName: + Description: Javabuilder Public CodeBuild Role Name + Value: !Ref PublicCodeBuildRole + Export: {Name: JavabuilderPublicCodeBuildRoleName} From e77541bfb4e5ded0ae1df2c27dcff303008eb361 Mon Sep 17 00:00:00 2001 
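Review bot: The new `PublicCodeBuildRole` commits a commented-out `CloudformationPackage` policy whose `Action` and `Resource` are `TBD`; placeholder config in the role that is meant to be the minimal-privilege identity for builds started by untrusted pull requests should be removed, or reduced to a one-line `# TODO(<owner>): decide whether this role needs any CloudFormation access` so reviewers do not mistake it for a deliberate grant. The `CodeBuildResourcesAccess` PolicyDocument has no `Version` key while the AssumeRolePolicyDocument above it carries `Version: '2012-10-17'`; adding the same line keeps the two consistent and avoids the older default policy language. `s3:PutObjectAcl` on the artifact objects is broader than writing build artifacts needs unless the buildspec sets object ACLs; if it does not, drop it. No CloudWatch Logs actions appear in this role, so unless the build project or permissions boundary supplies them elsewhere, builds running as this role will not be able to write their logs — worth confirming before it is wired into a project. The header comment has a slip: `any GitHub user can create a Pull Requests` should read `any GitHub user can open a pull request`.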
From: Darin Webb Date: Tue, 31 Oct 2023 10:52:48 -0500 Subject: [PATCH 4/6] use public codebuild role --- cicd/2-cicd/cicd.template.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml index 0f5afee7..bcfcaf68 100644 --- a/cicd/2-cicd/cicd.template.yml +++ b/cicd/2-cicd/cicd.template.yml @@ -91,7 +91,7 @@ Resources: Type: AWS::CodeBuild::Project Properties: Name: !Sub ${AWS::StackName}-${GitHubBranch}-pr-build - ServiceRole: !ImportValue JavabuilderCodeBuildRoleArn + ServiceRole: !ImportValue JavabuilderPublicCodeBuildRoleArn BadgeEnabled: !Ref GitHubBadgeEnabled Environment: Type: LINUX_CONTAINER From 3d2aad1a3c7fd5ffe6b05249fe84798a32a00c7e Mon Sep 17 00:00:00 2001 From: Darin Webb Date: Tue, 31 Oct 2023 15:51:42 -0500 Subject: [PATCH 5/6] remove 2nd filter --- cicd/2-cicd/cicd.template.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml index bcfcaf68..55c927c4 100644 --- a/cicd/2-cicd/cicd.template.yml +++ b/cicd/2-cicd/cicd.template.yml 
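Review bot: The `ServiceRole` swap is the one line that distinguishes this project from the other CodeBuild projects in the template, and nothing on it says why; suggest a comment above it, `# PR builds execute code from any GitHub user's pull request; run them under the restricted public role`. `JavabuilderPublicCodeBuildRoleArn` is exported by `cicd/1-setup/cicd-dependencies.template.yml`, so that stack must be updated before this one or the import fails at deploy time — if the deploy order is not already documented, the same comment is the place to state it. The project's Properties mapping continues outside the hunk.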
@@ -125,14 +125,6 @@ Resources: Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED - Type: ACTOR_ACCOUNT_ID Pattern: ^(31292421|113540108|10283727|105933103|16494556|11708250|11284819|8747128|25372625|46464143|2205926|131809324|7014619|7144482|5107622|68714964|8001765|1372238|5184438|2933346|137330041|208083|26844240|12300669|4108328|107423305|1859238|244100|37230822|82185575|8324574|38662275|137838584|95503833|117784268|9256643|24883357|22244040|25193259|8573958|29001621|113938636|66776217|43474485|33666587|5454101|98911841|8847422|5552007|65205145|108825710|1382374|126921802|85528507|769225|223277|2157034|14046120|1466175|137829631|142271809|56283563|146779710|124813947|31674)$ - # Pull requests into `main` for non-cicd files, from any user - - - Type: BASE_REF - Pattern: !Sub ^refs/heads/${GitHubBranch}$ - - Type: EVENT - Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED - - Type: FILE_PATH - ExcludeMatchedPattern: true - Pattern: ^cicd/.*$ # The CodeBuild Project is used in the CodePipeline pipeline to prepare for a release. # It will perform any steps defined in the referenced buildspec.yml file. From 03c3f842805a49f08d0b23f4282b6456a1807b71 Mon Sep 17 00:00:00 2001 From: Darin Webb Date: Tue, 2 Jan 2024 11:36:49 -0600 Subject: [PATCH 6/6] WIP adding policy don't remember the context for this... --- cicd/2-cicd/cicd.template.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml index 55c927c4..80d3b34d 100644 --- a/cicd/2-cicd/cicd.template.yml +++ b/cicd/2-cicd/cicd.template.yml 
@@ -212,6 +212,34 @@ Resources: Roles: - !ImportValue JavabuilderCodeBuildRoleName + # Grant the Javabuilder CodeBuild Role additional permissions for resources in + # this template. This allows us to avoid granting permission to * resources. + JavabuilderRolePolicy: + Type: 'AWS::IAM::Policy' + Properties: + PolicyName: !Sub "${AWS::StackName}-codebuild-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - codebuild:* + Resource: + - !GetAtt LoadTestBuildProject.Arn + - !GetAtt AppBuildProject.Arn + - !GetAtt IntegrationTestBuildProject.Arn + - Effect: Allow + Action: + - codebuild:CreateReportGroup + - codebuild:CreateReport + - codebuild:UpdateReport + - codebuild:BatchPutTestCases + - codebuild:BatchPutCodeCoverage + Resource: + - !Sub arn:aws:codebuild:us-east-1:165336972514:report-group/${AWS::StackName}-${GitHubBranch}-pr-build + Roles: + - !ImportValue JavabuilderCodeBuildRoleName + Pipeline: Type: AWS::CodePipeline::Pipeline Properties:
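Review bot: `codebuild:*` on the three project ARNs includes `codebuild:UpdateProject` and `codebuild:DeleteProject`, which let a holder of this role change a project's service role, buildspec or environment, so the statement should list the actions the pipeline actually calls (for example `codebuild:StartBuild`, `codebuild:BatchGetBuilds`, `codebuild:StopBuild`) — confirm the exact set against the pipeline's usage. The report-group `Resource` hard-codes the account id in `arn:aws:codebuild:us-east-1:165336972514:report-group/...` while the rest of the template uses `${AWS::AccountId}`; `!Sub arn:aws:codebuild:us-east-1:${AWS::AccountId}:report-group/${AWS::StackName}-${GitHubBranch}-pr-build` keeps the template portable across accounts. That report group is named after the `-pr-build` project, which earlier in this series was switched to `JavabuilderPublicCodeBuildRoleArn`, yet this policy attaches to `JavabuilderCodeBuildRoleName`; if the PR build is what writes those reports, the grant appears to be on the wrong role — confirm. The commit message records this policy as WIP with forgotten context; a comment on `JavabuilderRolePolicy` naming which pipeline action needs each statement would capture that before it is lost.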