version: 0.2 # About this buildspec # It derives the region from AWS_REGION which the AWS CLI is automatically programmed # to do so we don't set a region specifically. # $PASSPHRASE gets pulled from secretsmanager because codebuild can pull secrets from secretsmanager # as an integration point. This does require the codebuild role to have proper permissions. # $PRIVATE_KEY_ARN is pulled from the environment as well. This is something that will probably # be specified by the CloudFormation template that this becomes a part of. # $ECS_AGENT_AMD_TAR and $ECS_AGENT_ARM_TAR get fed into this codebuild by codepipeline env: exported-variables: - CODEBUILD_BUILD_ID phases: pre_build: on-failure: ABORT commands: # create functions for signing files and deleting the whole keyring # NOTE: you have to source /tmp/functions.sh before every command that requires the # functions defined here because each command is run in isolation so it doesn't # carry over the command environment from command to command - | cat <<- 'EOF' > /tmp/functions.sh function sign_file() { local file_to_sign="$1" echo "Signing $file_to_sign" gpg --detach-sign --batch --passphrase $PASSPHRASE --armor --output "$file_to_sign.asc" $file_to_sign echo "Signed $file_to_sign" } function delete_all_secret_keys() { for i in $(gpg --with-colons --fingerprint | grep "^fpr" | cut -d: -f10); do gpg --batch --delete-secret-keys "$i" done } EOF build: on-failure: ABORT commands: # Generate file names for signing from agent version and git short sha - ECS_AGENT_AMD_TAR="ecs-agent-v${AGENT_VERSION}.tar" - ECS_AGENT_AMD_LATEST_TAR="ecs-agent-latest.tar" - ECS_AGENT_AMD_GITSHORTSHA_TAR="ecs-agent-${GIT_COMMIT_SHORT_SHA}.tar" - ECS_AGENT_AMD_RPM="amazon-ecs-init-${INIT_VERSION}.x86_64.rpm" - ECS_AGENT_UBUNTU_AMD_DEB="amazon-ecs-init-${INIT_VERSION}.amd64.deb" - ECS_AGENT_ARM_TAR="ecs-agent-arm64-v${AGENT_VERSION}.tar" - ECS_AGENT_ARM_LATEST_TAR="ecs-agent-arm64-latest.tar" - ECS_AGENT_ARM_GITSHORTSHA_TAR="ecs-agent-arm64-${GIT_COMMIT_SHORT_SHA}.tar" - ECS_AGENT_ARM_RPM="amazon-ecs-init-${INIT_VERSION}.aarch64.rpm" - ECS_AGENT_UBUNTU_ARM_DEB="amazon-ecs-init-${INIT_VERSION}.arm64.deb" - ECS_ANYWHERE_SCRIPT="ecs-anywhere-install-${INIT_VERSION}.sh" - ECS_ANYWHERE_LATEST_SCRIPT="ecs-anywhere-install-latest.sh" # Get the private key from secrets manager, jq parse it, turn it into raw output, pipe to file - aws secretsmanager get-secret-value --secret-id $PRIVATE_KEY_ARN | jq -r '.SecretString' > private.gpg # import the key into the keychain, the private key comes with the public key built in - gpg --allow-secret-key-import --import private.gpg # remove the private key file because we don't want it to be packaged with the artifacts - rm private.gpg # Sign the amd tar and rpm (this is a secondary source so we have to do some copying) - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_TAR" $ECS_AGENT_AMD_TAR - source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_TAR - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_LATEST_TAR" $ECS_AGENT_AMD_LATEST_TAR - source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_LATEST_TAR - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_GITSHORTSHA_TAR" $ECS_AGENT_AMD_GITSHORTSHA_TAR - source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_GITSHORTSHA_TAR - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/$ECS_AGENT_AMD_RPM" $ECS_AGENT_AMD_RPM - source /tmp/functions.sh && sign_file $ECS_AGENT_AMD_RPM # Sign ECS Anywhere Script - cp "$CODEBUILD_SRC_DIR_AmdBuildArtifact/scripts/ecs-anywhere-install.sh" $ECS_ANYWHERE_SCRIPT - source /tmp/functions.sh && sign_file $ECS_ANYWHERE_SCRIPT - cp $ECS_ANYWHERE_SCRIPT $ECS_ANYWHERE_LATEST_SCRIPT - source /tmp/functions.sh && sign_file $ECS_ANYWHERE_LATEST_SCRIPT # Sign the arm tar and rpm (this is a secondary source so we have to do some copying) - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_TAR" $ECS_AGENT_ARM_TAR - source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_TAR - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_LATEST_TAR" $ECS_AGENT_ARM_LATEST_TAR - source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_LATEST_TAR - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_GITSHORTSHA_TAR" $ECS_AGENT_ARM_GITSHORTSHA_TAR - source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_GITSHORTSHA_TAR - cp "$CODEBUILD_SRC_DIR_ArmBuildArtifact/$ECS_AGENT_ARM_RPM" $ECS_AGENT_ARM_RPM - source /tmp/functions.sh && sign_file $ECS_AGENT_ARM_RPM # Sign the amd deb (this is a secondary source so we have to do some copying) - cp "$CODEBUILD_SRC_DIR_UbuntuAmdBuildArtifact/$ECS_AGENT_UBUNTU_AMD_DEB" $ECS_AGENT_UBUNTU_AMD_DEB - source /tmp/functions.sh && sign_file $ECS_AGENT_UBUNTU_AMD_DEB # Sign the arm deb (this is a secondary source so we have to do some copying) - cp "$CODEBUILD_SRC_DIR_UbuntuArmBuildArtifact/$ECS_AGENT_UBUNTU_ARM_DEB" $ECS_AGENT_UBUNTU_ARM_DEB - source /tmp/functions.sh && sign_file $ECS_AGENT_UBUNTU_ARM_DEB # Clean up the key just in case - source /tmp/functions.sh && delete_all_secret_keys # validate that the keychain is empty - gpg --list-secret-keys --verbose artifacts: files: - $ECS_AGENT_AMD_TAR - '$ECS_AGENT_AMD_TAR.asc' - $ECS_AGENT_AMD_LATEST_TAR - '$ECS_AGENT_AMD_LATEST_TAR.asc' - $ECS_AGENT_AMD_GITSHORTSHA_TAR - '$ECS_AGENT_AMD_GITSHORTSHA_TAR.asc' - $ECS_AGENT_AMD_RPM - '$ECS_AGENT_AMD_RPM.asc' - $ECS_AGENT_ARM_TAR - '$ECS_AGENT_ARM_TAR.asc' - $ECS_AGENT_ARM_LATEST_TAR - '$ECS_AGENT_ARM_LATEST_TAR.asc' - $ECS_AGENT_ARM_GITSHORTSHA_TAR - '$ECS_AGENT_ARM_GITSHORTSHA_TAR.asc' - $ECS_AGENT_ARM_RPM - '$ECS_AGENT_ARM_RPM.asc' - $ECS_AGENT_UBUNTU_AMD_DEB - '$ECS_AGENT_UBUNTU_AMD_DEB.asc' - $ECS_AGENT_UBUNTU_ARM_DEB - '$ECS_AGENT_UBUNTU_ARM_DEB.asc' - $ECS_ANYWHERE_SCRIPT - '$ECS_ANYWHERE_SCRIPT.asc' - $ECS_ANYWHERE_LATEST_SCRIPT - '$ECS_ANYWHERE_LATEST_SCRIPT.asc'