# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 AWSTemplateFormatVersion: 2010-09-09 Description: >- Template to build a CodeBuild Project, assumes that GitHub credentials are already set up. Parameters: ProjectName: Type: String Description: The name of the CodeBuild Project Default: AWS-MPL-Java ProjectDescription: Type: String Description: The description for the CodeBuild Project Default: CFN stack for managing CodeBuild projects for the AWS MPL Java SourceLocation: Type: String Description: The https GitHub URL for the project Default: "https://github.com/aws/aws-cryptographic-material-providers-library-java.git" NumberOfBuildsInBatch: Type: Number MaxValue: 100 MinValue: 1 Default: 16 Description: The number of builds you expect to run in a batch Metadata: "AWS::CloudFormation::Interface": ParameterGroups: - Label: default: Crypto Tools CodeBuild Project Template Parameters: - ProjectName - ProjectDescription - SourceLocation Resources: CodeBuildProjectRelease: Type: "AWS::CodeBuild::Project" Properties: Name: !Sub "${ProjectName}-Release" Description: !Sub "CodeBuild project for ${ProjectName} to release to Sonatype." Source: Location: !Ref SourceLocation BuildSpec: codebuild/release/release.yml ## https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html#cfn-codebuild-project-source-gitclonedepth ## If this value is 0, greater than 25, or not provided then the full history is downloaded with each build project. GitCloneDepth: 0 GitSubmodulesConfig: FetchSubmodules: true InsecureSsl: false ReportBuildStatus: false Type: GITHUB Artifacts: Type: NO_ARTIFACTS Cache: Type: NO_CACHE Environment: ComputeType: BUILD_GENERAL1_LARGE Image: "aws/codebuild/standard:5.0" ImagePullCredentialsType: CODEBUILD PrivilegedMode: false Type: LINUX_CONTAINER ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn TimeoutInMinutes: 60 QueuedTimeoutInMinutes: 480 EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" BadgeEnabled: false BuildBatchConfig: ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn Restrictions: MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch ComputeTypesAllowed: - BUILD_GENERAL1_SMALL - BUILD_GENERAL1_MEDIUM - BUILD_GENERAL1_LARGE TimeoutInMins: 480 LogsConfig: CloudWatchLogs: Status: ENABLED S3Logs: Status: DISABLED EncryptionDisabled: false CodeBuildServiceRoleRelease: Type: "AWS::IAM::Role" Properties: Path: /service-role/ RoleName: !Sub "codebuild-${ProjectName}-service-role-release" AssumeRolePolicyDocument: >- {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]} MaxSessionDuration: 3600 ManagedPolicyArns: - !Ref CodeBuildBatchPolicyRelease - !Ref CodeBuildBasePolicy - !Ref SecretsManagerPolicyRelease - !Ref ParameterStorePolicy - !Ref CodeBuildCISTSAllow - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess" - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess" CodeBuildCISTSAllow: Type: "AWS::IAM::ManagedPolicy" Properties: ManagedPolicyName: !Sub >- CodeBuildCISTSAllow-${ProjectName} Path: /service-role/ PolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2" } ] } CodeBuildBatchPolicy: Type: "AWS::IAM::ManagedPolicy" Properties: ManagedPolicyName: !Sub >- CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role Path: /service-role/ PolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": [ "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release", "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}" ], "Action": [ "codebuild:StartBuild", "codebuild:StopBuild", "codebuild:RetryBuild", "codebuild:BatchGetBuilds" ] } ] } CodeBuildBatchPolicyRelease: Type: "AWS::IAM::ManagedPolicy" Properties: ManagedPolicyName: !Sub >- CodeBuildBuildBatchPolicy-${ProjectName}-Release-${AWS::Region}-codebuild-${ProjectName}-release-service-role Path: /service-role/ PolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": [ "arn:aws:codebuild:us-west-2:${AWS::AccountId}:project/${ProjectName}-Release" ], "Action": [ "codebuild:StartBuild", "codebuild:StopBuild", "codebuild:RetryBuild" ] } ] } CodeBuildBasePolicy: Type: "AWS::IAM::ManagedPolicy" Properties: ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}" Path: /service-role/ PolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": [ "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}", "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*", "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release", "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release:*" ], "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:GetLogEvents" ] }, { "Effect": "Allow", "Resource": [ "arn:aws:s3:::codepipeline-${AWS::Region}-*" ], "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketAcl", "s3:GetBucketLocation" ] }, { "Effect": "Allow", "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages" ], "Resource": [ "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*" ] } ] } SecretsManagerPolicyRelease: Type: "AWS::IAM::ManagedPolicy" Properties: ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-Release" Path: "/service-role/" PolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": [ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-xjAvTM", "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-Credentials-eBrSNB", "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ", "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS", "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm", "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U" ], "Action": "secretsmanager:GetSecretValue" } ] } ParameterStorePolicy: Type: "AWS::IAM::ManagedPolicy" Properties: ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}" Path: /service-role/ PolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": [ "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CodeBuild/*" ], "Action": "ssm:GetParameters" } ] }