From c0d9eb85816e16d39a7fcfba45c9b8343455d770 Mon Sep 17 00:00:00 2001
From: Steph Roberts <114956067+Ephylouise@users.noreply.github.com>
Date: Wed, 3 Jul 2024 14:05:08 -0400
Subject: [PATCH] Add 4 new Amazon Linux CodeBuild jobs to CloudFormation stack template (#4228)

* Add 4 new Amazon Linux CodeBuild jobs to CloudFormation stack template

* Remove hardcoded Github account IDs
---
 .../codebuild-devbuild-stack.yml | 412 ++++++++++++++----
 1 file changed, 329 insertions(+), 83 deletions(-)

diff --git a/build-infrastructure/codebuild-devbuild-stack.yml b/build-infrastructure/codebuild-devbuild-stack.yml
index 772b18bede..ca9bc79cd7 100644
--- a/build-infrastructure/codebuild-devbuild-stack.yml
+++ b/build-infrastructure/codebuild-devbuild-stack.yml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: A Cloudformation template to build Agent artifacts on PR creation and modification. It spawns CodeBuild projects for different architectures which trigger agent artifact builds for PR creation and modification, and store the artifacts in an S3 bucket.
+Description: A Cloudformation template to build Agent artifacts on PR creation, modification, and merges. It spawns CodeBuild projects for different architectures which trigger agent artifact builds for PR creation, modification, and merges, and store the artifacts in an S3 bucket.
 
 Parameters:
 GithubFullRepoName:
@@ -31,7 +31,7 @@ Resources:
 Type: S3
 BadgeEnabled: false
 ConcurrentBuildLimit: 10
- Description: A CodeBuild project to build artifacts (AMD/x86_64). Builds are triggered by PR creation and updates, and artifacts are saved in S3
+ Description: A CodeBuild project to build artifacts (AMD/x86_64). Builds are triggered by PR creation, updates, and merges, and artifacts are saved in S3
 Environment:
 ComputeType: BUILD_GENERAL1_SMALL
 Image: 'public.ecr.aws/lts/ubuntu:20.04'
@@ -52,25 +52,6 @@ Resources:
 # This allow list can be modified using aws-cli or aws-sdk
 # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
 # so they have to be listed separately
- FilterGroups:
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '5080306' # prateekchaudhry
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '4751028' # fierlion
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '3102848' # YashdalfTheGray
 Webhook: true
 Visibility: PRIVATE
 UbuntuArmProject:
@@ -85,7 +66,7 @@ Resources:
 Type: S3
 BadgeEnabled: false
 ConcurrentBuildLimit: 10
- Description: A CodeBuild project to build artifacts (ARM). Builds are triggered by PR creation and updates, and artifacts are saved in S3
+ Description: A CodeBuild project to build artifacts (ARM). Builds are triggered by PR creation, updates, and merges, and artifacts are saved in S3
 Environment:
 ComputeType: BUILD_GENERAL1_SMALL
 Image: 'public.ecr.aws/lts/ubuntu:20.04'
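Review bot: With all three FilterGroups deleted, this project's `Webhook: true` is left with no EVENT, BASE_REF or ACTOR_ACCOUNT_ID filter, so as deployed by the template CodeBuild will start a build for any event the repository sends, pull requests from any fork included, while the sibling projects added later in this patch are declared with `PrivilegedMode: true` (this project's Environment block is outside the hunk). The surviving comment still says the allow list "can be modified using aws-cli or aws-sdk", but filters added out of band are not part of the stack and may be reset the next time CloudFormation updates `Triggers`; that deserves confirming before relying on it. Since ACTOR_ACCOUNT_ID patterns are regular expressions, the IDs can be kept out of the file without losing the control by taking them from a parameter and matching them with one alternation instead of one group per developer; the `Parameters` block that would hold `GithubAllowedActorIds` is outside the hunk. The comment should then be reworded to say where the IDs come from, e.g. `# Allowed actors come from the GithubAllowedActorIds parameter ('id1|id2|...'), matched as a regex`. The EVENT list presumably also wants `PULL_REQUEST_MERGED` now that the descriptions say builds run on merges; confirm against the buildspec.
```yaml
        FilterGroups:
          - - Type: EVENT
              Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED,PULL_REQUEST_MERGED'
            - Type: BASE_REF
              Pattern: !Sub '^${GithubBranchName}$'
            - Type: ACTOR_ACCOUNT_ID
              Pattern: !Sub '^(${GithubAllowedActorIds})$'
        # … unchanged: Webhook, Visibility …
```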
@@ -106,25 +87,6 @@ Resources:
 # This allow list can be modified using aws-cli or aws-sdk
 # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
 # so they have to be listed separately
- FilterGroups:
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '5080306' # prateekchaudhry
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '4751028' # fierlion
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '3102848' # YashdalfTheGray
 Webhook: true
 Visibility: PRIVATE
 ArmProject:
@@ -139,7 +101,7 @@ Resources:
 Type: S3
 BadgeEnabled: false
 ConcurrentBuildLimit: 10
- Description: A CodeBuild project to build artifacts (ARM). Builds are triggered by PR creation and updates, and artifacts are saved in S3
+ Description: A CodeBuild project to build artifacts (ARM). Builds are triggered by PR creation, updates, and merges, and artifacts are saved in S3
 Environment:
 ComputeType: BUILD_GENERAL1_SMALL
 Image: 'aws/codebuild/amazonlinux2-aarch64-standard:3.0'
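Review bot: This project, too, ends up with `Webhook: true` and no FilterGroups at all, so the actor allow list that used to gate builds is gone from the stack and any pull-request or push event from the repository, fork PRs from arbitrary GitHub accounts included, can start a build. If the IDs must leave the file, an ACTOR_ACCOUNT_ID filter can still be kept here with its pattern taken from a parameter; ACTOR_ACCOUNT_ID patterns are regular expressions, so `Pattern: !Sub '^(${GithubAllowedActorIds})$'` in a single group covers every listed developer, alongside the EVENT and BASE_REF entries that were removed with it. The four comment lines kept above `Webhook` now describe a list that no longer exists in this block and should be rewritten to say where the allow list is maintained, e.g. `# Actor allow list is supplied via the GithubAllowedActorIds parameter; keep it non-empty or the webhook is open to every PR`.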
@@ -160,25 +122,6 @@ Resources:
 # This allow list can be modified using aws-cli or aws-sdk
 # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
 # so they have to be listed separately
- FilterGroups:
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '5080306' # prateekchaudhry
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '4751028' # fierlion
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '3102848' # YashdalfTheGray
 Webhook: true
 Visibility: PRIVATE
 AmdProject:
@@ -193,7 +136,7 @@ Resources:
 Type: S3
 BadgeEnabled: false
 ConcurrentBuildLimit: 10
- Description: A CodeBuild project to build artifacts (AMD/x86_64). Builds are triggered by PR creation and updates, and artifacts are saved in S3
+ Description: A CodeBuild project to build artifacts (AMD/x86_64). Builds are triggered by PR creation, updates, and merges, and artifacts are saved in S3
 Environment:
 ComputeType: BUILD_GENERAL1_SMALL
 Image: 'aws/codebuild/amazonlinux2-x86_64-standard:5.0'
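Review bot: Removing the FilterGroups block while keeping `Webhook: true` leaves this project's webhook unfiltered in the template, so a fresh deploy of the stack triggers builds for every repository event, from any GitHub account, until someone re-applies filters by hand. If the filters are meant to be applied with the CLI afterwards, note that CloudFormation owns the `Triggers` property of this resource and a later stack update may put the webhook back into the unfiltered state declared here, which is worth verifying against CodeBuild's update behaviour before adopting that workflow. Keeping at least the EVENT and BASE_REF group in the template, `- - Type: EVENT` / `Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'` / `- Type: BASE_REF` / `Pattern: !Sub '^${GithubBranchName}$'`, avoids that, and the actor IDs can come from a stack parameter as one regex alternation rather than being hardcoded per developer.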
@@ -214,27 +157,158 @@ Resources:
 # This allow list can be modified using aws-cli or aws-sdk
 # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
 # so they have to be listed separately
- FilterGroups:
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '5080306' # prateekchaudhry
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '4751028' # fierlion
- - - Type: EVENT
- Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
- - Type: BASE_REF
- Pattern: !Sub '^${GithubBranchName}$'
- - Type: ACTOR_ACCOUNT_ID
- Pattern: '3102848' # YashdalfTheGray
 Webhook: true
 Visibility: PRIVATE
+
+ # Creates a CodeBuild project for Amazon Linux 2 ARM
+ Amzn2ArmProject:
+ Type: 'AWS::CodeBuild::Project'
+ Properties:
+ Artifacts:
+ Location: !Ref BuildBucketName
+ NamespaceType: NONE
+ OverrideArtifactName: true
+ Packaging: NONE
+ Path: development
+ Type: S3
+ BadgeEnabled: false
+ ConcurrentBuildLimit: 10
+ Description: A CodeBuild project to build artifacts (ARM) on Amazon Linux 2. Builds are triggered by PR creation, updates, and merges, and artifacts are saved in S3.
+ Environment:
+ ComputeType: BUILD_GENERAL1_SMALL
+ Image: 'aws/codebuild/amazonlinux2-aarch64-standard:2.0'
+ ImagePullCredentialsType: CODEBUILD
+ PrivilegedMode: true
+ Type: ARM_CONTAINER
+ Name: !Sub '${BuildProjectName}-amzn2-arm'
+ QueuedTimeoutInMinutes: 60
+ ServiceRole: !Ref ServiceRoleAmzn2Arm
+ Source:
+ BuildSpec: buildspecs/pr-build-amzn.yml
+ Location: !Ref GithubFullRepoName
+ Type: GITHUB
+ TimeoutInMinutes: 60
+ Triggers:
+ BuildType: BUILD
+ # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
+ # This allow list can be modified using aws-cli or aws-sdk
+ # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
+ # so they have to be listed separately
+ Webhook: true
+ Visibility: PRIVATE
+
+ # Creates a CodeBuild project for Amazon Linux 2 AMD
+ Amzn2AmdProject:
+ Type: 'AWS::CodeBuild::Project'
+ Properties:
+ Artifacts:
+ Location: !Ref BuildBucketName
+ NamespaceType: NONE
+ OverrideArtifactName: true
+ Packaging: NONE
+ Path: development
+ Type: S3
+ BadgeEnabled: false
+ ConcurrentBuildLimit: 10
+ Description: A CodeBuild project to build artifacts (AMD/x86_64) on Amazon Linux 2. Builds are triggered by PR creation, updates, and merges, and artifacts are saved in S3.
+ Environment:
+ ComputeType: BUILD_GENERAL1_SMALL
+ Image: 'aws/codebuild/amazonlinux2-x86_64-standard:4.0'
+ ImagePullCredentialsType: CODEBUILD
+ PrivilegedMode: true
+ Type: LINUX_CONTAINER
+ Name: !Sub '${BuildProjectName}-amzn2-amd'
+ QueuedTimeoutInMinutes: 60
+ ServiceRole: !Ref ServiceRoleAmzn2Amd
+ Source:
+ BuildSpec: buildspecs/pr-build-amzn.yml
+ Location: !Ref GithubFullRepoName
+ Type: GITHUB
+ TimeoutInMinutes: 60
+ Triggers:
+ BuildType: BUILD
+ # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
+ # This allow list can be modified using aws-cli or aws-sdk
+ # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
+ # so they have to be listed separately
+ Webhook: true
+ Visibility: PRIVATE
+
+ # Creates a CodeBuild project for Amazon Linux 2023 ARM
+ Amzn2023ArmProject:
+ Type: 'AWS::CodeBuild::Project'
+ Properties:
+ Artifacts:
+ Location: !Ref BuildBucketName
+ NamespaceType: NONE
+ OverrideArtifactName: true
+ Packaging: NONE
+ Path: development
+ Type: S3
+ BadgeEnabled: false
+ ConcurrentBuildLimit: 10
+ Description: A CodeBuild project to build artifacts (ARM) on Amazon-Linux 2023. Builds are triggered by PR creation, updates, and merges, and artifacts are saved in S3.
+ Environment:
+ ComputeType: BUILD_GENERAL1_SMALL
+ Image: 'aws/codebuild/amazonlinux2-aarch64-standard:3.0'
+ ImagePullCredentialsType: CODEBUILD
+ PrivilegedMode: true
+ Type: ARM_CONTAINER
+ Name: !Sub '${BuildProjectName}-amzn2023-arm'
+ QueuedTimeoutInMinutes: 60
+ ServiceRole: !Ref ServiceRoleAmzn2023Arm
+ Source:
+ BuildSpec: buildspecs/pr-build-amzn.yml
+ Location: !Ref GithubFullRepoName
+ Type: GITHUB
+ TimeoutInMinutes: 60
+ Triggers:
+ BuildType: BUILD
+ # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
+ # This allow list can be modified using aws-cli or aws-sdk
+ # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
+ # so they have to be listed separately
+ Webhook: true
+ Visibility: PRIVATE
+
+ # Creates a CodeBuild project for Amazon Linux 2023 AMD
+ Amzn2023AmdProject:
+ Type: 'AWS::CodeBuild::Project'
+ Properties:
+ Artifacts:
+ Location: !Ref BuildBucketName
+ NamespaceType: NONE
+ OverrideArtifactName: true
+ Packaging: NONE
+ Path: development
+ Type: S3
+ BadgeEnabled: false
+ ConcurrentBuildLimit: 10
+ Description: A CodeBuild project to build artifacts (AMD/x86_64) on Amazon-Linux 2023. Builds are triggered by PR creation, updates, and merges, and artifacts are saved in S3.
+ Environment:
+ ComputeType: BUILD_GENERAL1_SMALL
+ Image: 'aws/codebuild/amazonlinux2-x86_64-standard:5.0'
+ ImagePullCredentialsType: CODEBUILD
+ PrivilegedMode: true
+ Type: LINUX_CONTAINER
+ Name: !Sub '${BuildProjectName}-amzn2023-amd'
+ QueuedTimeoutInMinutes: 60
+ ServiceRole: !Ref ServiceRoleAmzn2023Amd
+ Source:
+ BuildSpec: buildspecs/pr-build-amzn.yml
+ Location: !Ref GithubFullRepoName
+ Type: GITHUB
+ TimeoutInMinutes: 60
+ Triggers:
+ BuildType: BUILD
+ # Config list of developers allowlisted to create builds when creating PRs to GithubBranchName
+ # This allow list can be modified using aws-cli or aws-sdk
+ # CodeBuild also supports pattern matches using regex, but this is not useful for listing different Github IDs
+ # so they have to be listed separately
+ Webhook: true
+ Visibility: PRIVATE
+
+ # Defines the service roles for the CodeBuild projects
 ServiceRoleAmd:
 Type: 'AWS::IAM::Role'
 Properties:
@@ -277,7 +351,7 @@ Resources:
 - 's3:GetBucketAcl'
 - 's3:GetBucketLocation'
 PolicyName: !Sub '${AWS::StackName}-ServicePolicyAmd'
- RoleName: !Sub '${AWS::StackName}-ServiceRoleAmd'
+ RoleName: !Sub '${AWS::StackName}-ServiceRoleAmd'
 ServiceRoleUbuntuAmd:
 Type: 'AWS::IAM::Role'
 Properties:
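Review bot: Each of the four new projects is declared with `PrivilegedMode: true` and `Webhook: true` but no FilterGroups, so the template as written lets any pull-request or push event from the repository, fork PRs from any GitHub account included, start a privileged (Docker-capable) build of `buildspecs/pr-build-amzn.yml` under a role that, per the role definitions later in this patch, can write to the artifact bucket. The comment block copied into each `Triggers` still talks about a developer allow list that "can be modified using aws-cli or aws-sdk", but nothing in these blocks implements one; if the list is managed out of band the comment should say so explicitly, and if not, an EVENT + BASE_REF + ACTOR_ACCOUNT_ID group belongs in each project, with the actor IDs supplied as a regex alternation from a parameter so the file stays free of hardcoded IDs. The four project bodies are otherwise identical apart from image, container type, name and role, so whatever filter group is chosen should be applied to all of them in the same commit. Minor: the descriptions alternate between "Amazon Linux 2" and "Amazon-Linux 2023".
```yaml
        Triggers:
          BuildType: BUILD
          FilterGroups:
            - - Type: EVENT
                Pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PULL_REQUEST_REOPENED'
              - Type: BASE_REF
                Pattern: !Sub '^${GithubBranchName}$'
              - Type: ACTOR_ACCOUNT_ID
                Pattern: !Sub '^(${GithubAllowedActorIds})$'  # 'id1|id2|...' supplied as a stack parameter
          Webhook: true
        # … unchanged: Visibility; repeat for the other three new projects …
```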
@@ -406,4 +480,176 @@ Resources:
 - 's3:GetBucketAcl'
 - 's3:GetBucketLocation'
 PolicyName: !Sub '${AWS::StackName}-ServicePolicyUbuntuArm'
- RoleName: !Sub '${AWS::StackName}-ServiceRoleUbuntuArm'
+ RoleName: !Sub '${AWS::StackName}-ServiceRoleUbuntuArm'
+ ServiceRoleAmzn2Arm:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: codebuild.amazonaws.com
+ Action: 'sts:AssumeRole'
+ Description: Service role, allow access to CW and S3
+ Path: /
+ Policies:
+ - PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Resource:
+ - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${BuildProjectName}-amzn2-arm"
+ - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${BuildProjectName}-amzn2-arm:*"
+ Action:
+ - 'logs:CreateLogGroup'
+ - 'logs:CreateLogStream'
+ - 'logs:PutLogEvents'
+ - Effect: Allow
+ Resource:
+ - 'arn:aws:s3:::codepipeline-us-west-2-*'
+ Action:
+ - 's3:PutObject'
+ - 's3:GetObject'
+ - 's3:GetObjectVersion'
+ - 's3:GetBucketAcl'
+ - 's3:GetBucketLocation'
+ - Effect: Allow
+ Resource:
+ - !Sub '${BuildBucketArn}/*'
+ Action:
+ - 's3:GetObject'
+ - 's3:PutObject'
+ - 's3:GetBucketAcl'
+ - 's3:GetBucketLocation'
+ PolicyName: !Sub '${AWS::StackName}-ServicePolicyAmzn2Arm'
+ RoleName: !Sub '${AWS::StackName}-ServiceRoleAmzn2Arm'
+ ServiceRoleAmzn2Amd:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: codebuild.amazonaws.com
+ Action: 'sts:AssumeRole'
+ Description: Service role, allow access to CW and S3
+ Path: /
+ Policies:
+ - PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Resource:
+ - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${BuildProjectName}-amzn2-amd"
+ - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${BuildProjectName}-amzn2-amd:*"
+ Action:
+ - 'logs:CreateLogGroup'
+ - 'logs:CreateLogStream'
+ - 'logs:PutLogEvents'
+ - Effect: Allow
+ Resource:
+ - 'arn:aws:s3:::codepipeline-us-west-2-*'
+ Action:
+ - 's3:PutObject'
+ - 's3:GetObject'
+ - 's3:GetObjectVersion'
+ - 's3:GetBucketAcl'
+ - 's3:GetBucketLocation'
+ - Effect: Allow
+ Resource:
+ - !Sub '${BuildBucketArn}/*'
+ Action:
+ - 's3:GetObject'
+ - 's3:PutObject'
+ - 's3:GetBucketAcl'
+ - 's3:GetBucketLocation'
+ PolicyName: !Sub '${AWS::StackName}-ServicePolicyAmzn2Amd'
+ RoleName: !Sub '${AWS::StackName}-ServiceRoleAmzn2Amd'
+ ServiceRoleAmzn2023Arm:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: codebuild.amazonaws.com
+ Action: 'sts:AssumeRole'
+ Description: Service role, allow access to CW and S3
+ Path: /
+ Policies:
+ - PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Resource:
+ - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${BuildProjectName}-amzn2023-arm"
+ - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${BuildProjectName}-amzn2023-arm:*"
+ Action:
+ - 'logs:CreateLogGroup'
+ - 'logs:CreateLogStream'
+ - 'logs:PutLogEvents'
+ - Effect: Allow
+ Resource:
+ - 'arn:aws:s3:::codepipeline-us-west-2-*'
+ Action:
+ - 's3:PutObject'
+ - 's3:GetObject'
+ - 's3:GetObjectVersion'
+ - 's3:GetBucketAcl'
+ - 's3:GetBucketLocation'
+ - Effect: Allow
+ Resource:
+ - !Sub '${BuildBucketArn}/*'
+ Action:
+ - 's3:GetObject'
+ - 's3:PutObject'
+ - 's3:GetBucketAcl'
+ - 's3:GetBucketLocation'
+ PolicyName: !Sub '${AWS::StackName}-ServicePolicyAmzn2023Arm'
+ RoleName: !Sub '${AWS::StackName}-ServiceRoleAmzn2023Arm'
+ ServiceRoleAmzn2023Amd:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: codebuild.amazonaws.com
+ Action: 'sts:AssumeRole'
+ Description: Service role, allow access to CW and S3
+ Path: /
+ Policies:
+ - PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Resource:
+ - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${BuildProjectName}-amzn2023-amd"
+ - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${BuildProjectName}-amzn2023-amd:*"
+ Action:
+ - 'logs:CreateLogGroup'
+ - 'logs:CreateLogStream'
+ - 'logs:PutLogEvents'
+ - Effect: Allow
+ Resource:
+ - 'arn:aws:s3:::codepipeline-us-west-2-*'
+ Action:
+ - 's3:PutObject'
+ - 's3:GetObject'
+ - 's3:GetObjectVersion'
+ - 's3:GetBucketAcl'
+ - 's3:GetBucketLocation'
+ - Effect: Allow
+ Resource:
+ - !Sub '${BuildBucketArn}/*'
+ Action:
+ - 's3:GetObject'
+ - 's3:PutObject'
+ - 's3:GetBucketAcl'
+ - 's3:GetBucketLocation'
+ PolicyName: !Sub '${AWS::StackName}-ServicePolicyAmzn2023Amd'
+ RoleName: !Sub '${AWS::StackName}-ServiceRoleAmzn2023Amd'
\ No newline at end of file
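Review bot: In every new role the third statement lists `s3:GetBucketAcl` and `s3:GetBucketLocation` against `!Sub '${BuildBucketArn}/*'`, but those are bucket-level actions that only match the bucket ARN itself, so the statement silently grants nothing for them; the same pattern is visible in the existing roles' context lines and has simply been copied into the four new ones. Less obviously, `s3:PutObject` on `${BuildBucketArn}/*` lets any build the webhook starts overwrite any object in the bucket, while the projects only write under `Path: development`; scoping the object resource to `${BuildBucketArn}/development/*` and moving the two bucket-level actions to a statement on `!Ref BuildBucketArn` (assuming BuildBucketArn is a parameter, as its use in `!Sub` suggests) keeps each role at what its build needs. The second statement grants Put/Get on every bucket named `codepipeline-us-west-2-*` with a hardcoded region, and nothing in this template references CodePipeline, so it looks vestigial; confirm and drop it, or at least use `${AWS::Region}` and a concrete bucket name. The file also ends without a trailing newline.
```yaml
              - Effect: Allow
                Resource:
                  - !Sub '${BuildBucketArn}/development/*'
                Action:
                  - 's3:GetObject'
                  - 's3:PutObject'
              - Effect: Allow
                Resource:
                  - !Ref BuildBucketArn
                Action:
                  - 's3:GetBucketAcl'
                  - 's3:GetBucketLocation'
            # … unchanged: PolicyName, RoleName; repeat for the other three new roles …
```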