# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# Declares one CodeBuild project (the "-Release" project that publishes to
# Sonatype) plus the IAM service role and the customer-managed policies it
# uses. GitHub source credentials for CodeBuild are assumed to already be
# configured in the target account/region; nothing here creates them.
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Template to build a CodeBuild Project, assumes that GitHub credentials are
  already set up.
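Parameters:
  ProjectName:
    Type: String
    Description: The name of the CodeBuild Project
    Default: AWS-DBESDK-DDB-Java
    # ProjectName is spliced by !Sub into JSON policy documents and into IAM
    # role / managed-policy / CodeBuild names. Restrict it to characters that
    # are legal in all of those; a quote or backslash would corrupt the JSON
    # policies, and "/" or whitespace would break the ARNs built from it.
    # Keep it short: the longest derived name (CodeBuildBatchPolicyRelease's
    # ManagedPolicyName) embeds it twice plus the region and must stay within
    # IAM's 128-character policy-name limit.
    AllowedPattern: '^[A-Za-z0-9][A-Za-z0-9_-]*$'
    ConstraintDescription: Letters, digits, "-" and "_" only, starting with a letter or digit
  ProjectDescription:
    Type: String
    Description: The description for the CodeBuild Project
    Default: CFN stack for managing CodeBuild projects for the AWS DBESDK DDB Java
    # NOTE(review): not referenced by any resource in this template; the
    # project's Description is built from ProjectName instead.
  SourceLocation:
    Type: String
    Description: The https GitHub URL for the project
    Default: "https://github.com/aws/aws-database-encryption-sdk-dynamodb-java.git"
    # The project source is Type GITHUB with InsecureSsl disabled. Reject
    # anything that is not an https github.com clone URL so the release build
    # cannot be pointed at another host or a plaintext origin at deploy time.
    AllowedPattern: '^https://github\.com/[^/\s]+/[^/\s]+(\.git)?$'
    ConstraintDescription: Must be an https://github.com/<owner>/<repo>[.git] URL
  NumberOfBuildsInBatch:
    Type: Number
    # Upper bound on the child builds CodeBuild may fan out for one batch;
    # bounded here so a buildspec cannot request unbounded parallel compute.
    MaxValue: 100
    MinValue: 1
    Default: 16
    Description: The number of builds you expect to run in a batch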
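Metadata:
  # Console-only: controls how the parameters are grouped on the stack
  # create/update form. Every parameter declared above is listed so none is
  # pushed into the console's unlabelled "Other parameters" section
  # (NumberOfBuildsInBatch was previously missing from the group).
  "AWS::CloudFormation::Interface":
    ParameterGroups:
      - Label:
          default: Crypto Tools CodeBuild Project Template
        Parameters:
          - ProjectName
          - ProjectDescription
          - SourceLocation
          - NumberOfBuildsInBatch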
Resources:
  CodeBuildProjectRelease:
    Type: "AWS::CodeBuild::Project"
    Properties:
      Name: !Sub "${ProjectName}-Release"
      Description: !Sub "CodeBuild project for ${ProjectName} to release to Sonatype."
      Source:
        Location: !Ref SourceLocation
        # The buildspec is read from the checked-out repository, so anyone who
        # can change this path in the source repo controls what runs under
        # CodeBuildServiceRoleRelease (secrets, STS chaining, CodeArtifact).
        BuildSpec: codebuild/release/release.yml
        ## https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html#cfn-codebuild-project-source-gitclonedepth
        ## If this value is 0, greater than 25, or not provided then the full history is downloaded with each build project.
        GitCloneDepth: 0
        GitSubmodulesConfig:
          FetchSubmodules: true
        # Keep false: TLS certificate validation stays on for the git clone.
        InsecureSsl: false
        ReportBuildStatus: false
        Type: GITHUB
      Artifacts:
        Type: NO_ARTIFACTS
      Cache:
        Type: NO_CACHE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        # Pinned image family/version; bump deliberately, since the buildspec
        # may depend on the tool versions shipped in it.
        Image: "aws/codebuild/standard:5.0"
        ImagePullCredentialsType: CODEBUILD
        # NOTE(review): privileged mode runs the build container with elevated
        # privileges; AWS documents it as needed only for building Docker
        # images. Nothing in this template shows the release needs it —
        # confirm against codebuild/release/release.yml and set it to false
        # if the buildspec does not run Docker.
        PrivilegedMode: true
        Type: LINUX_CONTAINER
      ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn
      TimeoutInMinutes: 60
      QueuedTimeoutInMinutes: 480
      # Key used for encrypting build output artifacts. This is the AWS-managed
      # S3 key, and Artifacts is NO_ARTIFACTS above, so it has little effect;
      # build logs go to CloudWatch (see LogsConfig), not S3.
      EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
      BadgeEnabled: false
      BuildBatchConfig:
        # Batch orchestration runs under the same role as the build itself;
        # the StartBuild/StopBuild/RetryBuild it needs come from
        # CodeBuildBatchPolicyRelease, which is scoped to this one project.
        ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn
        Restrictions:
          MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
          ComputeTypesAllowed:
            - BUILD_GENERAL1_SMALL
            - BUILD_GENERAL1_MEDIUM
            - BUILD_GENERAL1_LARGE
        # Batch wall-clock limit; individual builds are still capped by
        # TimeoutInMinutes above.
        TimeoutInMins: 480
      LogsConfig:
        CloudWatchLogs:
          Status: ENABLED
        S3Logs:
          Status: DISABLED
          EncryptionDisabled: false

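  CodeBuildServiceRoleRelease:
    Type: "AWS::IAM::Role"
    Properties:
      Path: /service-role/
      RoleName: !Sub "codebuild-${ProjectName}-service-role-release"
      # Trust policy. Only the CodeBuild service may assume this role, and only
      # when acting for the Release project in this account and region: the
      # aws:SourceAccount / aws:SourceArn conditions prevent a CodeBuild
      # project in another account, or a different project in this one, from
      # borrowing this role (cross-service confused deputy). The project ARN
      # is derived from the ProjectName parameter, so there is no dependency
      # cycle with CodeBuildProjectRelease.
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "codebuild.amazonaws.com" },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": { "aws:SourceAccount": "${AWS::AccountId}" },
                "ArnLike": {
                  "aws:SourceArn": "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release"
                }
              }
            }
          ]
        }
      # IAM minimum (1 hour).
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - !Ref CodeBuildBatchPolicyRelease
        - !Ref CodeBuildBasePolicy
        - !Ref SecretsManagerPolicyRelease
        - !Ref ParameterStorePolicy
        - !Ref CodeBuildCISTSAllow
        # NOTE(review): AWSCodeArtifactAdminAccess is the AWS-managed policy
        # granting codeartifact:* on every domain and repository in the
        # account, and it already includes everything in
        # AWSCodeArtifactReadOnlyAccess. Nothing in this template shows which
        # CodeArtifact resources the release needs; replace the admin policy
        # with a customer-managed one scoped to those once they are known.
        - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
        - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"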


  CodeBuildCISTSAllow:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      # `!Sub >-` folds the block scalar to one line before substitution, so
      # the resulting name is "CodeBuildCISTSAllow-<ProjectName>".
      ManagedPolicyName: !Sub >-
        CodeBuildCISTSAllow-${ProjectName}
      Path: /service-role/
      # Lets the release build chain into the three GitHub-CI roles listed
      # below, which live in account 370957321024 (hard-coded; not necessarily
      # the account this stack is deployed in). This is only half of the
      # grant: each target role's own trust policy must also allow this role
      # (or this account) or the AssumeRole will be denied. The role names
      # suggest region-scoped KMS access, but what they actually grant is not
      # visible here. The document contains no ${...} references, so !Sub is
      # a no-op on it.
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": [
                    "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2",
                    "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-only-us-east-1-KMS-keys",
                    "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-only-eu-west-1-KMS-keys"
                  ]
              }
          ]
        }

  CodeBuildBatchPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: !Sub >-
        CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role
      Path: /service-role/
      # NOTE(review): this policy is not attached to any role in this
      # template (CodeBuildServiceRoleRelease uses CodeBuildBatchPolicyRelease),
      # and it also names a "${ProjectName}" project that this template does
      # not create. Presumably carried over from a sibling CI template; if
      # nothing outside this stack references it, it can be removed. Unlike
      # the Release variant it correctly uses ${AWS::Region} for the project
      # ARNs and additionally allows BatchGetBuilds.
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Resource": [
                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release",
                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
              ],
              "Action": [
                "codebuild:StartBuild",
                "codebuild:StopBuild",
                "codebuild:RetryBuild",
                "codebuild:BatchGetBuilds"
              ]
            }
          ]
        }

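  CodeBuildBatchPolicyRelease:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: !Sub >-
        CodeBuildBuildBatchPolicy-${ProjectName}-Release-${AWS::Region}-codebuild-${ProjectName}-release-service-role
      Path: /service-role/
      # Attached to CodeBuildServiceRoleRelease, which CodeBuildProjectRelease
      # also uses as its BuildBatchConfig.ServiceRole: CodeBuild needs to
      # start, stop and retry the child builds of a batch. Scoped to the one
      # Release project. The project is created in the stack's region, so the
      # ARN must use ${AWS::Region} — it was previously hard-coded to
      # us-west-2, which would silently deny batch builds for a stack deployed
      # anywhere else and was inconsistent with CodeBuildBatchPolicy above.
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Resource": [
                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release"
              ],
              "Action": [
                "codebuild:StartBuild",
                "codebuild:StopBuild",
                "codebuild:RetryBuild"
              ]
            }
          ]
        }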

  CodeBuildBasePolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
      Path: /service-role/
      # Baseline permissions for the build: CloudWatch log delivery and test
      # report uploads, each scoped to resources named after this project.
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Resource": [
                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release",
                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release:*"
              ],
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:GetLogEvents"
              ]
            },
            {
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::codepipeline-${AWS::Region}-*"
              ],
              "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation"
              ]
            },
            {
              "Effect": "Allow",
              "Action": [
                "codebuild:CreateReportGroup",
                "codebuild:CreateReport",
                "codebuild:UpdateReport",
                "codebuild:BatchPutTestCases",
                "codebuild:BatchPutCodeCoverages"
              ],
              "Resource": [
                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
              ]
            }
          ]
        }
      # NOTE(review): the first statement also covers the non-Release
      # "${ProjectName}" log group, which this template does not create. The
      # S3 statement grants read/write on every "codepipeline-<region>-*"
      # bucket in the account; CodeBuildProjectRelease uses NO_ARTIFACTS and
      # no pipeline is defined here, so this looks like a console-generated
      # default rather than a requirement — confirm and drop it if unused.

  SecretsManagerPolicyRelease:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-Release"
      Path: "/service-role/"
      # Read-only access to the release credentials: Maven GPG signing keys
      # (and their passphrases/credentials), the Sonatype publishing account,
      # and the GitHub CI bot token. Each secret is named by its full ARN
      # including the random suffix, so no wildcard access is granted. The
      # region is hard-coded because these secrets live in us-west-2 regardless
      # of where the stack is deployed; a stack in another region still reads
      # them from there. Only GetSecretValue is allowed — the build cannot
      # list, create or rotate secrets. If any of these secrets is encrypted
      # with a customer-managed KMS key (not visible here), the role would
      # additionally need kms:Decrypt on that key.
      # NOTE(review): the "-CI-" GPG keys are granted alongside the "-Release-"
      # ones; confirm the release build needs both, since the release role
      # would otherwise not need the CI signing key at all.
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Resource": [
                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-xjAvTM",
                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-Credentials-eBrSNB",
                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS",
                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
              ],
              "Action": "secretsmanager:GetSecretValue"
            }
          ]
        }

  ParameterStorePolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: !Sub "CryptoTools-ParameterStore-${ProjectName}"
      Path: /service-role/
      # Read access to SSM parameters under /CodeBuild/ in the stack's region
      # (ssm:GetParameters is what CodeBuild uses to resolve PARAMETER_STORE
      # environment variables). The prefix wildcard means every parameter
      # under /CodeBuild/ is readable by this role, not just this project's;
      # narrow the path if other projects keep secrets-like values there.
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Resource": [
                "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CodeBuild/*"
              ],
              "Action": "ssm:GetParameters"
            }
          ]
        }