diff --git a/data/content/aws-stack.yml b/data/content/aws-stack.yml index 808994e003..c24e8887a6 100644 --- a/data/content/aws-stack.yml +++ b/data/content/aws-stack.yml @@ -1,6 +1,6 @@ --- AWSTemplateFormatVersion: "2010-09-09" -Description: "Buildkite stack v6.23.0" +Description: "Buildkite stack v6.27.0" # The Buildkite Elastic CI Stack for AWS gives you a private, # autoscaling Buildkite Agent cluster. Use it to parallelize @@ -27,15 +27,23 @@ Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: Buildkite Configuration + default: Base Configuration Parameters: + - BuildkiteAgentToken - BuildkiteAgentTokenParameterStorePath - BuildkiteAgentTokenParameterStoreKMSKey - - BuildkiteAgentToken - BuildkiteQueue - Label: - default: Advanced Buildkite Configuration + default: Signed Pipelines Configuration + Parameters: + - PipelineSigningKMSKeyId + - PipelineSigningKMSKeySpec + - PipelineSigningKMSAccess + - PipelineSigningVerificationFailureBehavior + + - Label: + default: Advanced Configuration Parameters: - BuildkiteAgentRelease - BuildkiteAgentTags @@ -386,7 +394,7 @@ Parameters: Default: 125 RootVolumeIops: - Description: If the `RootVolumeType` is io1 or io2, the number of IOPS to provision for the root volume + Description: If the `RootVolumeType` is gp3, io1, or io2, the number of IOPS to provision for the root volume Type: Number Default: 1000 
@@ -568,6 +576,35 @@ Parameters: Description: Optional - Customise the EC2 instance Name tag Default: "" + PipelineSigningKMSKeyId: + Type: String + Description: Optional - Identifier of the KMS key used to sign and verify pipelines (Created if left blank and PipelineSigningKMSKeySpec is selected) + Default: "" + + PipelineSigningKMSKeySpec: + Type: String + Description: The key spec for the KMS key used to sign and verify pipelines + AllowedValues: + - "ECC_NIST_P256" + - "none" + Default: "none" + + PipelineSigningKMSAccess: + Type: String + Description: The access level for the KMS key used to sign and verify pipelines + AllowedValues: + - "sign-and-verify" + - "verify" + Default: "sign-and-verify" + + PipelineSigningVerificationFailureBehavior: + Type: String + Description: The behavior when a job is received without a valid verifiable signature (without a signature, with an invalid signature, or with a signature that fails verification) + AllowedValues: + - "block" + - "warn" + Default: "block" + Rules: HasToken: Assertions: @@ -582,6 +619,17 @@ Rules: - !Ref BuildkiteAgentTokenParameterStorePath - "" AssertDescription: "You must provide BuildkiteAgentToken or BuildkiteAgentTokenParameterStorePath" + HasPipelineSigningKMSKey: + Assertions: + - Assert: + !Or + - !Equals + - !Ref PipelineSigningKMSKeyId + - "" + - !Equals + - !Ref PipelineSigningKMSKeySpec + - "none" + AssertDescription: "You must provide either provide a PipelineSigningKMSKeyId or select a PipelineSigningKMSKeySpec but not both" Outputs: VpcId: @@ -602,6 +650,12 @@ Outputs: Export: Name: !Sub '${AWS::StackName}-ManagedSecretsLoggingBucket' + PipelineSigningKMSKey: + Value: + !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, "none" ] + Export: + Name: !Sub '${AWS::StackName}-PipelineSigningKMSKey' + AutoScalingGroupName: Value: !Ref AgentAutoScaleGroup Export: 
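Review bot: The AssertDescription of the new HasPipelineSigningKMSKey rule is the message a user sees when a deploy is rejected, and it currently reads "You must provide either provide a …" with a doubled verb. Suggest `AssertDescription: "Provide either a PipelineSigningKMSKeyId or select a PipelineSigningKMSKeySpec, but not both"`. The assertion itself reads correctly: it only fails when a key id and a spec other than "none" are both given, and leaving both unset (no signing) still passes.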
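Review bot: The new PipelineSigningKMSKey output exports "none" whenever the stack did not create the key, including the case where a caller supplied PipelineSigningKMSKeyId, while the UserData substitution maps later in this commit fall back to `!Ref PipelineSigningKMSKeyId` in that case. If the export is meant to tell downstream stacks which key verifies this stack's pipelines, it should mirror that expression: `!If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ]`. If the intent is to export only a stack-owned key, a comment above the output stating that would stop the next reader from "fixing" it.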
@@ -685,6 +739,20 @@ Conditions: UseCostAllocationTags: !Equals [ !Ref EnableCostAllocationTags, "true" ] + + UsePipelineSigningKMSKey: + !Not [ !Equals [ !Ref PipelineSigningKMSKeyId, "" ] ] + + CreatePipelineSigningKMSKey: + !And + - !Equals [ !Ref PipelineSigningKMSKeyId, "" ] + - !Not [ !Equals [ !Ref PipelineSigningKMSKeySpec, "none" ] ] + + HasPipelineSigningKMSKey: + !Or [ !Condition CreatePipelineSigningKMSKey, !Condition UsePipelineSigningKMSKey ] + + HasSigningKMSAccessSignAndVerify: + !Equals [ !Ref PipelineSigningKMSAccess, "sign-and-verify" ] HasKeyName: !Not [ !Equals [ !Ref KeyName, "" ] ] 
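Review bot: HasPipelineSigningKMSKey is now defined twice in this template with different meanings: as a Rule (earlier in the commit, asserting that a key id and a key spec are not both set) and here as a Condition (true when either a key is created or a key id is supplied). CloudFormation keeps Rules and Conditions in separate namespaces so this is valid, but a reader grepping the name will find two definitions with opposite senses. Renaming the rule to something like `PipelineSigningKMSKeyIdOrSpec` would remove the ambiguity; alternatively a comment on the condition, `# true when pipeline signing is configured at all (created key or caller-supplied id)`, would make the distinction explicit.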
@@ -760,26 +828,26 @@ Mappings: # Generated from Makefile via build/mappings.yml AWSRegion2AMI: - us-east-1 : { linuxamd64: ami-09dce4453e68fc5cd, linuxarm64: ami-0100de0b1e920f43a, windows: ami-0461661ce536ba218 } - us-east-2 : { linuxamd64: ami-01cde7aaf362f4aae, linuxarm64: ami-0ab8f88ac8c2c8d30, windows: ami-0b7b91b74290a35e1 } - us-west-1 : { linuxamd64: ami-045c6cf6c0dd4a9e4, linuxarm64: ami-0d5aec634b234e2a2, windows: ami-034824341c9421171 } - us-west-2 : { linuxamd64: ami-09132553fcbda5aee, linuxarm64: ami-0fd1d63fc28576e60, windows: ami-0116268efe38d10ea } - af-south-1 : { linuxamd64: ami-09c9633cb3f5e6fc3, linuxarm64: ami-09ba6dd6ae16f3d50, windows: ami-0fb7a12b133324fe7 } - ap-east-1 : { linuxamd64: ami-02a5f01ef4759b1c8, linuxarm64: ami-0deee5536e9c6a921, windows: ami-0c0a16b6ab6ba6660 } - ap-south-1 : { linuxamd64: ami-0217aeaac4339e394, linuxarm64: ami-06f31d79b57c0dbbf, windows: ami-0d10933d7e9a73e9e } - ap-northeast-2 : { linuxamd64: ami-092d6af0904c034b4, linuxarm64: ami-04329b443681048cd, windows: ami-0d9e4a96c235911de } - ap-northeast-1 : { linuxamd64: ami-0593f6abedb12612b, linuxarm64: ami-019d0ac19de3be566, windows: ami-02e7907798fd7f610 } - ap-southeast-2 : { linuxamd64: ami-0cc25f9f626518d8f, linuxarm64: ami-0e45dfa046084a2d3, windows: ami-0170122288687202b } - ap-southeast-1 : { linuxamd64: ami-03de8f54bc57a1397, linuxarm64: ami-046f6c2468548ca1a, windows: ami-0320407754d0bc85c } - ca-central-1 : { linuxamd64: ami-066d74f4d940d276e, linuxarm64: ami-09ef4b6d5cdb0c2e9, windows: ami-0570c4a6bb33ba9d4 } - eu-central-1 : { linuxamd64: ami-09e9769fb4085b24f, linuxarm64: ami-00c97f86e923e1020, windows: ami-08f61f9105d9e8a58 } - eu-west-1 : { linuxamd64: ami-05e7c8d4ade2095f3, linuxarm64: ami-07dd06558ae7a536d, windows: ami-0c90c3038b518ac09 } - eu-west-2 : { linuxamd64: ami-03ec96deaf3c2f04b, linuxarm64: ami-093477938aa7559d8, windows: ami-0d26fa7d30160237a } - eu-south-1 : { linuxamd64: ami-05cb67bc084762468, linuxarm64: ami-0e815380647635c63, 
windows: ami-0cee7ea24afffe195 } - eu-west-3 : { linuxamd64: ami-01700752047bdb1b2, linuxarm64: ami-046d7376033a1af0e, windows: ami-0358e8f0b406f3442 } - eu-north-1 : { linuxamd64: ami-0d62d22eacdc93353, linuxarm64: ami-01adb2cc0dd49e999, windows: ami-050cbc763f520f830 } - me-south-1 : { linuxamd64: ami-012fbb242739a1f1a, linuxarm64: ami-08d934ccc6cddc763, windows: ami-009277c4bc01371da } - sa-east-1 : { linuxamd64: ami-05d829f95ceb5f292, linuxarm64: ami-00390af183eab4b74, windows: ami-08e8e717a53b6b2b5 } + us-east-1 : { linuxamd64: ami-0d870d6249c932e3f, linuxarm64: ami-0a3d7a30823a79bed, windows: ami-0cc1cf707c9bde297 } + us-east-2 : { linuxamd64: ami-0f3019cc4ae209e8d, linuxarm64: ami-06fbf388ceadee136, windows: ami-0cf377d071681be17 } + us-west-1 : { linuxamd64: ami-0bc45e1a1e3b81024, linuxarm64: ami-03ccc79e335ddfeb2, windows: ami-0bf3b5f6168efcd16 } + us-west-2 : { linuxamd64: ami-0fb582405657e5e7d, linuxarm64: ami-019482f9dad0e6c6c, windows: ami-01a7cfec21679fdc6 } + af-south-1 : { linuxamd64: ami-0472a3974f5fc2b3e, linuxarm64: ami-031d70266097ac913, windows: ami-0c9d2380139ca74ae } + ap-east-1 : { linuxamd64: ami-0d01d071f6cb4531f, linuxarm64: ami-076b30b50dd891795, windows: ami-0047ed2d7146a7bfd } + ap-south-1 : { linuxamd64: ami-03dcda51307fc8cb5, linuxarm64: ami-012d6489d7405cac9, windows: ami-075d2d36dfbf32867 } + ap-northeast-2 : { linuxamd64: ami-0f2d7daa735810eee, linuxarm64: ami-0a2cc2b93142ea24a, windows: ami-08cb758a9ddc43059 } + ap-northeast-1 : { linuxamd64: ami-04051311bdfde36f3, linuxarm64: ami-09e4f9370ec79c3ba, windows: ami-05b6ec0208eb2a58a } + ap-southeast-2 : { linuxamd64: ami-0dca9e865ae37c7ed, linuxarm64: ami-05d80d286a7bade59, windows: ami-0667ba4d9ff4dc9d7 } + ap-southeast-1 : { linuxamd64: ami-041a2f49842dfedd1, linuxarm64: ami-04b58654a0075cf44, windows: ami-012d7bd61f9b1d6b7 } + ca-central-1 : { linuxamd64: ami-00e53b8bc82f9c9db, linuxarm64: ami-0f16c32fb617d5a48, windows: ami-088bf9470ff92506c } + eu-central-1 : { linuxamd64: 
ami-05c5209917612c4ef, linuxarm64: ami-08bb74ee0e90d2670, windows: ami-06826a0d3b4c7e1ab } + eu-west-1 : { linuxamd64: ami-06274dc3861664987, linuxarm64: ami-07ccdfbf8eaa3c951, windows: ami-036f1d5605b9dbf1e } + eu-west-2 : { linuxamd64: ami-086942d9992b4e6d3, linuxarm64: ami-0008aaf782bc53012, windows: ami-0825cacfdb3a8dcd6 } + eu-south-1 : { linuxamd64: ami-0e482f53f6f51d3e3, linuxarm64: ami-08c23003032d5ca62, windows: ami-0cb004f172e2b7007 } + eu-west-3 : { linuxamd64: ami-087631959c2b65a0b, linuxarm64: ami-08216f2c9c2778a91, windows: ami-03f5013af4a1e133b } + eu-north-1 : { linuxamd64: ami-0d769ff12cca6d68d, linuxarm64: ami-06ad99587f4894bbd, windows: ami-0406a7b8f45352245 } + me-south-1 : { linuxamd64: ami-0b82f151c4fed9e4a, linuxarm64: ami-00b941cafd5b87c70, windows: ami-0bf6572cc349f9447 } + sa-east-1 : { linuxamd64: ami-09db409e3b9399d3b, linuxarm64: ami-002802cb7c79d6fd8, windows: ami-0d9f87a270ecf8c21 } Resources: Vpc: @@ -891,6 +959,18 @@ Resources: Name: !Sub "/${AWS::StackName}/buildkite/agent-token" Type: String Value: !Ref BuildkiteAgentToken + + PipelineSigningKMSKey: + Type: AWS::KMS::Key + Condition: CreatePipelineSigningKMSKey + DeletionPolicy: Retain + Properties: + Description: Key used to sign and verify pipelines + KeySpec: !Ref PipelineSigningKMSKeySpec + KeyUsage: SIGN_VERIFY + Tags: + - Key: Name + Value: !Sub '${AWS::StackName}-PipelineSigningKey' # Allow ec2 instances to assume a role and be granted the IAMPolicies IAMInstanceProfile: 
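Review bot: The new PipelineSigningKMSKey resource sets `DeletionPolicy: Retain` but no UpdateReplacePolicy, and its KeySpec comes from a parameter, so changing PipelineSigningKMSKeySpec on a stack update replaces the key and the old key is scheduled for deletion rather than retained. Since signatures on already-uploaded pipelines can only be verified with the key that produced them, add `UpdateReplacePolicy: Retain` next to the DeletionPolicy. The resource also declares no KeyPolicy, which means the CloudFormation default key policy (full access for the account root principal) applies; if that is intended, a one-line comment saying so above `Properties:` would save the next reviewer the check. Automatic rotation is not applicable to an asymmetric SIGN_VERIFY key, so its absence is not an issue here.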
@@ -923,6 +1003,26 @@ Resources: - !Ref 'AWS::NoValue' - !Ref 'AWS::NoValue' Policies: + - !If + - HasPipelineSigningKMSKey + - PolicyName: PipelineSigningKMSKeyAccess + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + !If + - HasSigningKMSAccessSignAndVerify + - - kms:Sign + - kms:Verify + - kms:GetPublicKey + - - kms:Verify + - kms:GetPublicKey + Resource: !If + - CreatePipelineSigningKMSKey + - !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKey} + - !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKeyId} + - !Ref 'AWS::NoValue' - !If - UseCustomerManagedKeyForParameterStore - PolicyName: DecryptAgentToken @@ -1237,7 +1337,7 @@ Resources: powershell -file C:\buildkite-agent\bin\bk-configure-docker.ps1 >> C:\buildkite-agent\elastic-stack.log $Env:BUILDKITE_STACK_NAME="${AWS::StackName}" - $Env:BUILDKITE_STACK_VERSION="v6.23.0" + $Env:BUILDKITE_STACK_VERSION="v6.27.0" $Env:BUILDKITE_SCALE_IN_IDLE_PERIOD="${ScaleInIdlePeriod}" $Env:BUILDKITE_SECRETS_BUCKET="${LocalSecretsBucket}" $Env:BUILDKITE_SECRETS_BUCKET_REGION="${LocalSecretsBucketRegion}" @@ -1251,6 +1351,8 @@ Resources: $Env:BUILDKITE_QUEUE="${BuildkiteQueue}" $Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}" $Env:BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT="${BootstrapScriptUrl}" + $Env:BUILDKITE_AGENT_SIGNING_KMS_KEY="${PipelineSigningKMSKey}" + $Env:BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR="${PipelineSigningVerificationFailureBehavior}" $Env:BUILDKITE_ENV_FILE_URL="${AgentEnvFileUrl}" $Env:BUILDKITE_AUTHORIZED_USERS_URL="${AuthorizedUsersUrl}" $Env:BUILDKITE_ECR_POLICY="${ECRAccessPolicy}" 
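Review bot: The Resource ARNs in the new PipelineSigningKMSKeyAccess policy hard-code the `arn:aws:` partition and assume PipelineSigningKMSKeyId is a bare key id in the same account and region, so the policy silently grants nothing in other partitions or when the caller passes a key ARN or alias, and signing or verification then fails at runtime rather than at deploy time. For the stack-created key the ARN is available directly, `- !GetAtt PipelineSigningKMSKey.Arn`, and the caller-supplied branch should at least use the partition pseudo-parameter, `- !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKeyId}`. The accepted format of PipelineSigningKMSKeyId (key id only, not alias or ARN) should also be stated in that parameter's Description, or enforced with an AllowedPattern, so the constraint is visible where the value is entered. The enclosing IAM role definition starts and ends outside this hunk.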
@@ -1268,6 +1370,7 @@ Resources: LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ], LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ], AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ], + PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ], } - !Sub - | @@ -1296,7 +1399,7 @@ Resources: Content-Type: text/x-shellscript; charset="us-ascii" #!/bin/bash -v BUILDKITE_STACK_NAME="${AWS::StackName}" \ - BUILDKITE_STACK_VERSION="v6.23.0" \ + BUILDKITE_STACK_VERSION="v6.27.0" \ BUILDKITE_SCALE_IN_IDLE_PERIOD="${ScaleInIdlePeriod}" \ BUILDKITE_SECRETS_BUCKET="${LocalSecretsBucket}" \ BUILDKITE_SECRETS_BUCKET_REGION="${LocalSecretsBucketRegion}" \ @@ -1308,6 +1411,8 @@ Resources: BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}" \ BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \ BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \ + BUILDKITE_AGENT_SIGNING_KMS_KEY="${PipelineSigningKMSKey}" \ + BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR="${PipelineSigningVerificationFailureBehavior}" \ BUILDKITE_QUEUE="${BuildkiteQueue}" \ BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}" \ BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT="${BootstrapScriptUrl}" \ @@ -1330,6 +1435,7 @@ Resources: LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ], LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ], AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ], + PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ], } AgentAutoScaleGroup: