From 82b5c67c84dd638df02b71a8c08f1938a737e6b7 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Thu, 12 Oct 2023 11:47:11 -0700
Subject: [PATCH 1/3] chore(CI): Add CFN Template for public repo with resources
---
 cfn/CI.yaml | 186 ++--------------------------------------------------
 1 file changed, 6 insertions(+), 180 deletions(-)
diff --git a/cfn/CI.yaml b/cfn/CI.yaml
index 0ed71e46d..69ad89e95 100644
--- a/cfn/CI.yaml
+++ b/cfn/CI.yaml
@@ -13,197 +13,23 @@ Parameters: ProjectName: Type: String Description: A prefix that will be applied to any names - Default: ESDK-Dafny + Default: Public-ESDK-Dafny GitHubRepo: Type: String Description: GitHub Repo that invokes CI - Default: aws/private-aws-encryption-sdk-dafny-staging + Default: aws/aws-encryption-sdk-dafny Resources: - KeyStoreTestTable: - Type: AWS::DynamoDB::Table - Properties: - AttributeDefinitions: - - AttributeName: "branch-key-id" - AttributeType: "S" - - AttributeName: "type" - AttributeType: "S" - - AttributeName: "status" - AttributeType: "S" - KeySchema: - - AttributeName: "branch-key-id" - KeyType: "HASH" - - AttributeName: "type" - KeyType: "RANGE" - ProvisionedThroughput: - ReadCapacityUnits: "5" - WriteCapacityUnits: "5" - TableName: !Ref KeyStoreTable - GlobalSecondaryIndexes: - - IndexName: !Sub "Active-Keys" - KeySchema: - - AttributeName: "branch-key-id" - KeyType: "HASH" - - AttributeName: "status" - KeyType: "RANGE" - Projection: - ProjectionType: "ALL" - ProvisionedThroughput: - ReadCapacityUnits: "5" - WriteCapacityUnits: "5" - - HierarchicalKeyringTestTable: - Type: AWS::DynamoDB::Table - Properties: - AttributeDefinitions: - - AttributeName: "branch-key-id" - AttributeType: "S" - - AttributeName: "version" - AttributeType: "S" - - AttributeName: "status" - AttributeType: "S" - KeySchema: - - AttributeName: "branch-key-id" - KeyType: "HASH" - - AttributeName: "version" - KeyType: "RANGE" - ProvisionedThroughput: - ReadCapacityUnits: "5" - WriteCapacityUnits: "5" - TableName: !Ref TableName - GlobalSecondaryIndexes: - - IndexName: "Active-Keys" - KeySchema: - - AttributeName: "status" - KeyType: "HASH" - - AttributeName: "branch-key-id" - KeyType: "RANGE" - Projection: - ProjectionType: "ALL" - ProvisionedThroughput: - ReadCapacityUnits: "5" - WriteCapacityUnits: "5" - - # This policy SHOULD be given to: - # - aws/private-aws-encryption-sdk-dafny-staging - # - ToolsDevelopment - HierarchicalKeyringTestTableUsage: - Type: 
"AWS::IAM::ManagedPolicy" - Properties: - Description: "Allow Read, Write, and Delete of Items in HierarchicalKeyringTestTable" - ManagedPolicyName: !Sub "${ProjectName}-DDB-ReadWriteDelete-${AWS::Region}" - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - dynamodb:PutItem - - dynamodb:DeleteItem - - dynamodb:GetItem - - dynamodb:Query - Resource: - - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}" - - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}/index/*" - - Effect: Allow - Action: - - dynamodb:DescribeTable - - dynamodb:CreateTable - - dynamodb:PutItem - - dynamodb:DeleteItem - - dynamodb:GetItem - - dynamodb:Query - - dynamodb:ConditionCheckItem - - dynamodb:UpdateItem - Resource: - - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${KeyStoreTable}" - - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${KeyStoreTable}/index/*" - - - HierarchicalGitHubKMSKeyID: - Type: 'AWS::KMS::Key' - Properties: - Description: KMS Key for GitHub Action Workflow - Enabled: true - KeyPolicy: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' - Action: 'kms:*' - Resource: '*' - - KMSUsage: - Type: 'AWS::IAM::ManagedPolicy' - Properties: - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKeyWithoutPlaintext", - "kms:ReEncrypt*" - ], - "Resource": "arn:aws:kms:*:${AWS::AccountId}:key/${HierarchicalGitHubKMSKeyID}" - } - ] - } - ManagedPolicyName: Hierarchical-GitHub-KMS-Key-Policy - - RSAGitHubKMSKeyID: - Type: 'AWS::KMS::Key' - Properties: - Description: KMS RSA Key for GitHub Action Workflow - Enabled: true - KeyPolicy: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' - Action: 'kms:*' - Resource: '*' - KeySpec: "RSA_2048" - KeyUsage: 
"ENCRYPT_DECRYPT" - MultiRegion: true - - RSAKMSUsage: - Type: 'AWS::IAM::ManagedPolicy' - Properties: - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:Generate*", - "kms:GetPublicKey", - "kms:DescribeKey" - ], - "Resource": "arn:aws:kms:*:${AWS::AccountId}:key/${RSAGitHubKMSKeyID}" - } - ] - } - ManagedPolicyName: RSA-GitHub-KMS-Key-Policy - GitHubCIRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}" Description: "Access DDB, KMS, Resources for CI from GitHub" ManagedPolicyArns: - - "arn:aws:iam::370957321024:policy/PolymorphTestModels-KMS-us-west-2" - - !Ref KMSUsage - - !Ref RSAKMSUsage - - "arn:aws:iam::370957321024:policy/PolymorphTestModels-DDB-ReadWriteDelete-us-west-2" - - !Ref HierarchicalKeyringTestTableUsage + - "arn:aws:iam::370957321024:policy/ESDK-Dafny-DDB-ReadWriteDelete-us-west-2" + - "arn:aws:iam::370957321024:policy/Hierarchical-GitHub-KMS-Key-Policy" + - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access" + - "arn:aws:iam::370957321024:policy/RSA-GitHub-KMS-Key-Policy" AssumeRolePolicyDocument: !Sub | { "Version": "2012-10-17", From dd55d4c292e1a519935ff573850020b6c553ba6b Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 12 Oct 2023 11:50:13 -0700 Subject: [PATCH 2/3] chore(CI): Update GHA --- .github/workflows/library_dafny_verification.yml | 8 -------- .github/workflows/library_net_tests.yml | 10 +--------- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/.github/workflows/library_dafny_verification.yml b/.github/workflows/library_dafny_verification.yml index f6ba68fe8..33b734f23 100644 --- a/.github/workflows/library_dafny_verification.yml +++ b/.github/workflows/library_dafny_verification.yml 
@@ -41,15 +41,7 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Init Submodules
- env:
- # This secret is in the configured environment
- # Token created on # 09/26/2023
- # expires in ~30 days 10/26/2023
- MPL_PAT: ${{ secrets.MPL_DAFNY }}
run: |
- AUTH="$(echo -n "pat:${MPL_PAT}" | base64 | tr -d '\n')"
- git config --global http.https://github.com/.extraheader "AUTHORIZATION: basic $AUTH"
- git config --global --add url.https://github.com/.insteadOf git@github.com:
git submodule update --init libraries
git submodule update --init --recursive mpl
diff --git a/.github/workflows/library_net_tests.yml b/.github/workflows/library_net_tests.yml
index ef530a863..2f335f924 100644
--- a/.github/workflows/library_net_tests.yml
+++ b/.github/workflows/library_net_tests.yml
@@ -54,15 +54,7 @@ jobs:
- uses: actions/checkout@v2
- name: Init Submodules
shell: bash
- env:
- # This secret is in the configured environment
- # Token created on # 09/26/2023
- # expires in ~30 days 10/26/2023
- MPL_PAT: ${{ secrets.MPL_DAFNY }}
run: |
- AUTH="$(echo -n "pat:${MPL_PAT}" | base64 | tr -d '\n')"
- git config --global http.https://github.com/.extraheader "AUTHORIZATION: basic $AUTH"
- git config --global --add url.https://github.com/.insteadOf git@github.com:
git submodule update --init libraries
git submodule update --init --recursive mpl
@@ -70,7 +62,7 @@ jobs:
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: us-west-2
- role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-ESDK-Dafny-Role-us-west-2
+ role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Dafny-Role-us-west-2
role-session-name: NetTests
- name: Setup .NET Core SDK ${{ matrix.dotnet-version }}
From 90f15f3d0b77955441c70306b72d9ee73c85bdf5 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Thu, 12 Oct 2023 13:47:44 -0700
Subject: [PATCH 3/3] update duvet
---
 .github/workflows/duvet.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
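Review bot: The `Init Submodules` step now runs `git submodule update` with no credentials and without the removed `url.https://github.com/.insteadOf git@github.com:` rewrite, so it only succeeds if every URL in `.gitmodules` for `libraries` and `mpl` (and mpl's nested submodules) is an anonymously readable `https://` URL; the same change is made in the `@@ -54,15 +54,7 @@` hunk of `library_net_tests.yml`. The presence of that rewrite in the old code suggests at least one submodule URL may be in `git@github.com:` form, which would now fail on a runner with no SSH key, so `.gitmodules` is worth checking before merging. A comment above `run:` recording the assumption would help the next reader, e.g. `# libraries and mpl are public; fetched anonymously over https, no token needed`.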
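Review bot: `role-to-assume` hard-codes the name that `cfn/CI.yaml` derives as `!Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"`, so the workflow and the template drift silently if `ProjectName` or the deployment region is ever overridden. A comment above the line would make that coupling visible, e.g. `# Must match GitHubCIRole in cfn/CI.yaml: GitHub-CI-${ProjectName}-Role-${AWS::Region}`. The step's `- name:` line is above the hunk.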
diff --git a/.github/workflows/duvet.yaml b/.github/workflows/duvet.yaml
index 090cba03d..bf278775b 100644
--- a/.github/workflows/duvet.yaml
+++ b/.github/workflows/duvet.yaml
@@ -20,13 +20,13 @@ jobs:
DOTNET_CLI_TELEMETRY_OPTOUT: 1
DOTNET_NOLOGO: 1
steps:
+ - name: Support longpaths on Git checkout
+ run: |
+ git config --global core.longpaths true
+ - uses: actions/checkout@v3 with:
- # This secret is in the configured environment
- # Token created on # 12/14/2022
- # expires in ~30 days 01/13/2023
- token: ${{ secrets.PAT_SPEC }}
- submodules: true
+ submodules: true
- name: Install duvet
shell: bash
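Review bot: The new `Support longpaths on Git checkout` step writes `core.longpaths`, a Git-for-Windows setting, into the global config, but the job's `runs-on` is above the hunk, so it is not visible here whether this job runs on Windows; on Linux the setting is a no-op, and on a self-hosted runner a `--global` write outlives the job. A comment above the step naming the reason would keep it from being dropped as dead weight later, e.g. `# Windows runners: enable long paths before the submodule checkout below`. The step also omits `shell: bash` while `Install duvet` in the same job sets it, and a one-command block scalar can simply be `run: git config --global core.longpaths true`. With `token` gone, `submodules: true` fetches the submodule (presumably the spec, given the removed `PAT_SPEC`) with the workflow's default `GITHUB_TOKEN`, which only works if that submodule is public.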