update the aws elastic ci stack to v6.27.0

buildkite · Sep 13, 2024 · 6f43162 · 6f43162
1 parent c20e899
commit 6f43162
Showing 1 changed file with 133 additions and 27 deletions.
diff --git a/data/content/aws-stack.yml b/data/content/aws-stack.yml
@@ -1,6 +1,6 @@
 ---
 AWSTemplateFormatVersion: "2010-09-09"
-Description: "Buildkite stack v6.23.0"
+Description: "Buildkite stack v6.27.0"
 
 # The Buildkite Elastic CI Stack for AWS gives you a private,
 # autoscaling Buildkite Agent cluster. Use it to parallelize
@@ -27,15 +27,23 @@ Metadata:
  AWS::CloudFormation::Interface:
  ParameterGroups:
  - Label:
- default: Buildkite Configuration
+ default: Base Configuration
  Parameters:
+ - BuildkiteAgentToken
  - BuildkiteAgentTokenParameterStorePath
  - BuildkiteAgentTokenParameterStoreKMSKey
- - BuildkiteAgentToken
  - BuildkiteQueue
 
  - Label:
- default: Advanced Buildkite Configuration
+ default: Signed Pipelines Configuration
+ Parameters:
+ - PipelineSigningKMSKeyId
+ - PipelineSigningKMSKeySpec
+ - PipelineSigningKMSAccess
+ - PipelineSigningVerificationFailureBehavior
+
+ - Label:
+ default: Advanced Configuration
  Parameters:
  - BuildkiteAgentRelease
  - BuildkiteAgentTags
@@ -386,7 +394,7 @@ Parameters:
  Default: 125
 
  RootVolumeIops:
- Description: If the `RootVolumeType` is io1 or io2, the number of IOPS to provision for the root volume
+ Description: If the `RootVolumeType` is gp3, io1, or io2, the number of IOPS to provision for the root volume
  Type: Number
  Default: 1000
 
@@ -568,6 +576,35 @@ Parameters:
  Description: Optional - Customise the EC2 instance Name tag
  Default: ""
 
+ PipelineSigningKMSKeyId:
+ Type: String
+ Description: Optional - Identifier of the KMS key used to sign and verify pipelines (Created if left blank and PipelineSigningKMSKeySpec is selected)
+ Default: ""
+
+ PipelineSigningKMSKeySpec:
+ Type: String
+ Description: The key spec for the KMS key used to sign and verify pipelines
+ AllowedValues:
+ - "ECC_NIST_P256"
+ - "none"
+ Default: "none"
+
+ PipelineSigningKMSAccess:
+ Type: String
+ Description: The access level for the KMS key used to sign and verify pipelines
+ AllowedValues:
+ - "sign-and-verify"
+ - "verify"
+ Default: "sign-and-verify"
+
+ PipelineSigningVerificationFailureBehavior:
+ Type: String
+ Description: The behavior when a job is received without a valid verifiable signature (without a signature, with an invalid signature, or with a signature that fails verification)
+ AllowedValues:
+ - "block"
+ - "warn"
+ Default: "block"
+
 Rules:
  HasToken:
  Assertions:
@@ -582,6 +619,17 @@ Rules:
  - !Ref BuildkiteAgentTokenParameterStorePath
  - ""
  AssertDescription: "You must provide BuildkiteAgentToken or BuildkiteAgentTokenParameterStorePath"
+ HasPipelineSigningKMSKey:
+ Assertions:
+ - Assert:
+ !Or
+ - !Equals
+ - !Ref PipelineSigningKMSKeyId
+ - "" 
+ - !Equals
+ - !Ref PipelineSigningKMSKeySpec
+ - "none"
+ AssertDescription: "You must provide either provide a PipelineSigningKMSKeyId or select a PipelineSigningKMSKeySpec but not both"
 
 Outputs:
  VpcId:
@@ -602,6 +650,12 @@ Outputs:
  Export:
  Name: !Sub '${AWS::StackName}-ManagedSecretsLoggingBucket'
 
+ PipelineSigningKMSKey:
+ Value:
+ !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, "none" ]
+ Export:
+ Name: !Sub '${AWS::StackName}-PipelineSigningKMSKey'
+
  AutoScalingGroupName:
  Value: !Ref AgentAutoScaleGroup
  Export:
@@ -685,6 +739,20 @@ Conditions:
 
  UseCostAllocationTags:
  !Equals [ !Ref EnableCostAllocationTags, "true" ]
+
+ UsePipelineSigningKMSKey:
+ !Not [ !Equals [ !Ref PipelineSigningKMSKeyId, "" ] ]
+
+ CreatePipelineSigningKMSKey:
+ !And
+ - !Equals [ !Ref PipelineSigningKMSKeyId, "" ]
+ - !Not [ !Equals [ !Ref PipelineSigningKMSKeySpec, "none" ] ]
+
+ HasPipelineSigningKMSKey:
+ !Or [ !Condition CreatePipelineSigningKMSKey, !Condition UsePipelineSigningKMSKey ]
+
+ HasSigningKMSAccessSignAndVerify:
+ !Equals [ !Ref PipelineSigningKMSAccess, "sign-and-verify" ]
 
  HasKeyName:
  !Not [ !Equals [ !Ref KeyName, "" ] ]
@@ -760,26 +828,26 @@ Mappings:
 
  # Generated from Makefile via build/mappings.yml
  AWSRegion2AMI:
- us-east-1 : { linuxamd64: ami-09dce4453e68fc5cd, linuxarm64: ami-0100de0b1e920f43a, windows: ami-0461661ce536ba218 }
- us-east-2 : { linuxamd64: ami-01cde7aaf362f4aae, linuxarm64: ami-0ab8f88ac8c2c8d30, windows: ami-0b7b91b74290a35e1 }
- us-west-1 : { linuxamd64: ami-045c6cf6c0dd4a9e4, linuxarm64: ami-0d5aec634b234e2a2, windows: ami-034824341c9421171 }
- us-west-2 : { linuxamd64: ami-09132553fcbda5aee, linuxarm64: ami-0fd1d63fc28576e60, windows: ami-0116268efe38d10ea }
- af-south-1 : { linuxamd64: ami-09c9633cb3f5e6fc3, linuxarm64: ami-09ba6dd6ae16f3d50, windows: ami-0fb7a12b133324fe7 }
- ap-east-1 : { linuxamd64: ami-02a5f01ef4759b1c8, linuxarm64: ami-0deee5536e9c6a921, windows: ami-0c0a16b6ab6ba6660 }
- ap-south-1 : { linuxamd64: ami-0217aeaac4339e394, linuxarm64: ami-06f31d79b57c0dbbf, windows: ami-0d10933d7e9a73e9e }
- ap-northeast-2 : { linuxamd64: ami-092d6af0904c034b4, linuxarm64: ami-04329b443681048cd, windows: ami-0d9e4a96c235911de }
- ap-northeast-1 : { linuxamd64: ami-0593f6abedb12612b, linuxarm64: ami-019d0ac19de3be566, windows: ami-02e7907798fd7f610 }
- ap-southeast-2 : { linuxamd64: ami-0cc25f9f626518d8f, linuxarm64: ami-0e45dfa046084a2d3, windows: ami-0170122288687202b }
- ap-southeast-1 : { linuxamd64: ami-03de8f54bc57a1397, linuxarm64: ami-046f6c2468548ca1a, windows: ami-0320407754d0bc85c }
- ca-central-1 : { linuxamd64: ami-066d74f4d940d276e, linuxarm64: ami-09ef4b6d5cdb0c2e9, windows: ami-0570c4a6bb33ba9d4 }
- eu-central-1 : { linuxamd64: ami-09e9769fb4085b24f, linuxarm64: ami-00c97f86e923e1020, windows: ami-08f61f9105d9e8a58 }
- eu-west-1 : { linuxamd64: ami-05e7c8d4ade2095f3, linuxarm64: ami-07dd06558ae7a536d, windows: ami-0c90c3038b518ac09 }
- eu-west-2 : { linuxamd64: ami-03ec96deaf3c2f04b, linuxarm64: ami-093477938aa7559d8, windows: ami-0d26fa7d30160237a }
- eu-south-1 : { linuxamd64: ami-05cb67bc084762468, linuxarm64: ami-0e815380647635c63, windows: ami-0cee7ea24afffe195 }
- eu-west-3 : { linuxamd64: ami-01700752047bdb1b2, linuxarm64: ami-046d7376033a1af0e, windows: ami-0358e8f0b406f3442 }
- eu-north-1 : { linuxamd64: ami-0d62d22eacdc93353, linuxarm64: ami-01adb2cc0dd49e999, windows: ami-050cbc763f520f830 }
- me-south-1 : { linuxamd64: ami-012fbb242739a1f1a, linuxarm64: ami-08d934ccc6cddc763, windows: ami-009277c4bc01371da }
- sa-east-1 : { linuxamd64: ami-05d829f95ceb5f292, linuxarm64: ami-00390af183eab4b74, windows: ami-08e8e717a53b6b2b5 }
+ us-east-1 : { linuxamd64: ami-0d870d6249c932e3f, linuxarm64: ami-0a3d7a30823a79bed, windows: ami-0cc1cf707c9bde297 }
+ us-east-2 : { linuxamd64: ami-0f3019cc4ae209e8d, linuxarm64: ami-06fbf388ceadee136, windows: ami-0cf377d071681be17 }
+ us-west-1 : { linuxamd64: ami-0bc45e1a1e3b81024, linuxarm64: ami-03ccc79e335ddfeb2, windows: ami-0bf3b5f6168efcd16 }
+ us-west-2 : { linuxamd64: ami-0fb582405657e5e7d, linuxarm64: ami-019482f9dad0e6c6c, windows: ami-01a7cfec21679fdc6 }
+ af-south-1 : { linuxamd64: ami-0472a3974f5fc2b3e, linuxarm64: ami-031d70266097ac913, windows: ami-0c9d2380139ca74ae }
+ ap-east-1 : { linuxamd64: ami-0d01d071f6cb4531f, linuxarm64: ami-076b30b50dd891795, windows: ami-0047ed2d7146a7bfd }
+ ap-south-1 : { linuxamd64: ami-03dcda51307fc8cb5, linuxarm64: ami-012d6489d7405cac9, windows: ami-075d2d36dfbf32867 }
+ ap-northeast-2 : { linuxamd64: ami-0f2d7daa735810eee, linuxarm64: ami-0a2cc2b93142ea24a, windows: ami-08cb758a9ddc43059 }
+ ap-northeast-1 : { linuxamd64: ami-04051311bdfde36f3, linuxarm64: ami-09e4f9370ec79c3ba, windows: ami-05b6ec0208eb2a58a }
+ ap-southeast-2 : { linuxamd64: ami-0dca9e865ae37c7ed, linuxarm64: ami-05d80d286a7bade59, windows: ami-0667ba4d9ff4dc9d7 }
+ ap-southeast-1 : { linuxamd64: ami-041a2f49842dfedd1, linuxarm64: ami-04b58654a0075cf44, windows: ami-012d7bd61f9b1d6b7 }
+ ca-central-1 : { linuxamd64: ami-00e53b8bc82f9c9db, linuxarm64: ami-0f16c32fb617d5a48, windows: ami-088bf9470ff92506c }
+ eu-central-1 : { linuxamd64: ami-05c5209917612c4ef, linuxarm64: ami-08bb74ee0e90d2670, windows: ami-06826a0d3b4c7e1ab }
+ eu-west-1 : { linuxamd64: ami-06274dc3861664987, linuxarm64: ami-07ccdfbf8eaa3c951, windows: ami-036f1d5605b9dbf1e }
+ eu-west-2 : { linuxamd64: ami-086942d9992b4e6d3, linuxarm64: ami-0008aaf782bc53012, windows: ami-0825cacfdb3a8dcd6 }
+ eu-south-1 : { linuxamd64: ami-0e482f53f6f51d3e3, linuxarm64: ami-08c23003032d5ca62, windows: ami-0cb004f172e2b7007 }
+ eu-west-3 : { linuxamd64: ami-087631959c2b65a0b, linuxarm64: ami-08216f2c9c2778a91, windows: ami-03f5013af4a1e133b }
+ eu-north-1 : { linuxamd64: ami-0d769ff12cca6d68d, linuxarm64: ami-06ad99587f4894bbd, windows: ami-0406a7b8f45352245 }
+ me-south-1 : { linuxamd64: ami-0b82f151c4fed9e4a, linuxarm64: ami-00b941cafd5b87c70, windows: ami-0bf6572cc349f9447 }
+ sa-east-1 : { linuxamd64: ami-09db409e3b9399d3b, linuxarm64: ami-002802cb7c79d6fd8, windows: ami-0d9f87a270ecf8c21 }
 
 Resources:
  Vpc:
@@ -891,6 +959,18 @@ Resources:
  Name: !Sub "/${AWS::StackName}/buildkite/agent-token"
  Type: String
  Value: !Ref BuildkiteAgentToken
+
+ PipelineSigningKMSKey:
+ Type: AWS::KMS::Key
+ Condition: CreatePipelineSigningKMSKey
+ DeletionPolicy: Retain
+ Properties:
+ Description: Key used to sign and verify pipelines
+ KeySpec: !Ref PipelineSigningKMSKeySpec
+ KeyUsage: SIGN_VERIFY
+ Tags:
+ - Key: Name
+ Value: !Sub '${AWS::StackName}-PipelineSigningKey'
 
  # Allow ec2 instances to assume a role and be granted the IAMPolicies
  IAMInstanceProfile:
@@ -923,6 +1003,26 @@ Resources:
  - !Ref 'AWS::NoValue'
  - !Ref 'AWS::NoValue'
  Policies:
+ - !If
+ - HasPipelineSigningKMSKey
+ - PolicyName: PipelineSigningKMSKeyAccess
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ !If
+ - HasSigningKMSAccessSignAndVerify
+ - - kms:Sign
+ - kms:Verify
+ - kms:GetPublicKey
+ - - kms:Verify
+ - kms:GetPublicKey
+ Resource: !If
+ - CreatePipelineSigningKMSKey
+ - !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKey}
+ - !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKeyId}
+ - !Ref 'AWS::NoValue'
  - !If
  - UseCustomerManagedKeyForParameterStore
  - PolicyName: DecryptAgentToken
@@ -1237,7 +1337,7 @@ Resources:
  powershell -file C:\buildkite-agent\bin\bk-configure-docker.ps1 >> C:\buildkite-agent\elastic-stack.log
 
  $Env:BUILDKITE_STACK_NAME="${AWS::StackName}"
- $Env:BUILDKITE_STACK_VERSION="v6.23.0"
+ $Env:BUILDKITE_STACK_VERSION="v6.27.0"
  $Env:BUILDKITE_SCALE_IN_IDLE_PERIOD="${ScaleInIdlePeriod}"
  $Env:BUILDKITE_SECRETS_BUCKET="${LocalSecretsBucket}"
  $Env:BUILDKITE_SECRETS_BUCKET_REGION="${LocalSecretsBucketRegion}"
@@ -1251,6 +1351,8 @@ Resources:
  $Env:BUILDKITE_QUEUE="${BuildkiteQueue}"
  $Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}"
  $Env:BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT="${BootstrapScriptUrl}"
+ $Env:BUILDKITE_AGENT_SIGNING_KMS_KEY="${PipelineSigningKMSKey}"
+ $Env:BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR="${PipelineSigningVerificationFailureBehavior}"
  $Env:BUILDKITE_ENV_FILE_URL="${AgentEnvFileUrl}"
  $Env:BUILDKITE_AUTHORIZED_USERS_URL="${AuthorizedUsersUrl}"
  $Env:BUILDKITE_ECR_POLICY="${ECRAccessPolicy}"
@@ -1268,6 +1370,7 @@ Resources:
  LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ],
  LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ],
  AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ],
+ PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ],
  }
  - !Sub
  - |
@@ -1296,7 +1399,7 @@ Resources:
  Content-Type: text/x-shellscript; charset="us-ascii"
  #!/bin/bash -v
  BUILDKITE_STACK_NAME="${AWS::StackName}" \
- BUILDKITE_STACK_VERSION="v6.23.0" \
+ BUILDKITE_STACK_VERSION="v6.27.0" \
  BUILDKITE_SCALE_IN_IDLE_PERIOD="${ScaleInIdlePeriod}" \
  BUILDKITE_SECRETS_BUCKET="${LocalSecretsBucket}" \
  BUILDKITE_SECRETS_BUCKET_REGION="${LocalSecretsBucketRegion}" \
@@ -1308,6 +1411,8 @@ Resources:
  BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}" \
  BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \
  BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \
+ BUILDKITE_AGENT_SIGNING_KMS_KEY="${PipelineSigningKMSKey}" \
+ BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR="${PipelineSigningVerificationFailureBehavior}" \
  BUILDKITE_QUEUE="${BuildkiteQueue}" \
  BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}" \
  BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT="${BootstrapScriptUrl}" \
@@ -1330,6 +1435,7 @@ Resources:
  LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ],
  LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ],
  AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ],
+ PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ],
  }
 
  AgentAutoScaleGroup: