diff --git a/tests/ci/cdk/cdk/aws_lc_github_actions_stack.py b/tests/ci/cdk/cdk/aws_lc_github_actions_stack.py
index 10ed481a90..77821bd1ab 100644
--- a/tests/ci/cdk/cdk/aws_lc_github_actions_stack.py
+++ b/tests/ci/cdk/cdk/aws_lc_github_actions_stack.py
@@ -17,7 +17,7 @@ from util.iam_policies import (
 code_build_publish_metrics_in_json,
 )
-from util.metadata import AMAZONLINUX_ECR_REPO, ANDROID_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO, LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, UBUNTU_ECR_REPO, VERIFICATION_ECR_REPO, WINDOWS_ECR_REPO, WINDOWS_X86_ECR_REPO
+from util.metadata import ECR_REPOS, IMAGE_STAGING_REPO, LINUX_AARCH_ECR_REPO, LINUX_X86_ECR_REPO, WINDOWS_X86_ECR_REPO
 class AwsLcGitHubActionsStack(AwsLcBaseCiStack):
 """Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners."""
@@ -32,19 +32,19 @@ def __init__(
 super().__init__(scope, id, env=env, timeout=180, **kwargs)
 # TODO: First 3 indices ordering is important for now as they are referenced directly for now.
- repo_names = [LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO, UBUNTU_ECR_REPO,
- AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO, WINDOWS_ECR_REPO, VERIFICATION_ECR_REPO,
- ANDROID_ECR_REPO]
+ repo_names = [LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO]
+ repo_names.extend(ECR_REPOS)
 ecr_repos = [ecr.Repository.from_repository_name(self, x.replace('/', '-'), repository_name=x) for x in repo_names]
+
+ self.staging_repo = ecr.Repository(self, IMAGE_STAGING_REPO.replace('/', '-'),
+ repository_name=IMAGE_STAGING_REPO,
+ image_tag_mutability=ecr.TagMutability.IMMUTABLE,
+ lifecycle_rules=[ecr.LifecycleRule(
+ max_image_age=Duration.days(1),
+ )])
- staging_repo = ecr.Repository(self, "aws-lc-ecr-staging",
- image_tag_mutability=ecr.TagMutability.IMMUTABLE,
- lifecycle_rules=[ecr.LifecycleRule(
- max_image_age=Duration.days(1),
- )])
-
- ecr_repos.append(staging_repo)
+ ecr_repos.append(self.staging_repo)
 pull_through_caches = [ecr.Repository.from_repository_name(self, "quay-io", "quay.io/*")]
@@ -145,7 +145,7 @@ def __init__(
 value=ecr_repos[2].repository_uri
 ),
 "ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(value=ecr_repos[0].registry_uri),
- "ECR_STAGING_REPO": codebuild.BuildEnvironmentVariable(value=staging_repo.repository_uri),
+ "ECR_STAGING_REPO": codebuild.BuildEnvironmentVariable(value=self.staging_repo.repository_uri),
 },
 ),
 )
diff --git a/tests/ci/cdk/cdk/aws_lc_github_oidc_stack.py b/tests/ci/cdk/cdk/aws_lc_github_oidc_stack.py
index 629618f9d7..d1504038b5 100644
--- a/tests/ci/cdk/cdk/aws_lc_github_oidc_stack.py
+++ b/tests/ci/cdk/cdk/aws_lc_github_oidc_stack.py
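Review bot: The construct id changes from `"aws-lc-ecr-staging"` to `IMAGE_STAGING_REPO.replace('/', '-')`, which changes the CloudFormation logical id, so the next deploy creates a new staging repository instead of updating the existing one; with CDK's default removal policy for `ecr.Repository` (RETAIN, if I recall correctly) the old auto-named repo is left behind rather than deleted. If replacement is not the goal, keep the old id — `self.staging_repo = ecr.Repository(self, "aws-lc-ecr-staging", repository_name=IMAGE_STAGING_REPO, ...)` — otherwise a comment should say the orphaned repo is expected. Pinning `repository_name` also turns an already-existing `aws-lc/staging` repository in the account into a deploy failure, which is worth noting since the OIDC stack now depends on that exact name. Given this repo receives images pushed by the GitHub OIDC role, `image_scan_on_push=True` would be cheap here unless registry-level scanning is already enabled. `__init__` continues outside the hunk.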
@@ -12,7 +12,7 @@ from constructs import Construct
 from util.metadata import (
- ECR_REPOS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, AWS_LC_METRIC_NS)
+ ECR_REPOS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, AWS_LC_METRIC_NS, IMAGE_STAGING_REPO)
 from util.iam_policies import (
 device_farm_access_policy_in_json
 )
@@ -93,6 +93,9 @@ def create_docker_image_build_role(scope: Construct, id: str,
 pull_through_caches = [ecr.Repository.from_repository_name(
 scope, "quay-io", "quay.io/*")]
+
+ staging_repo = ecr.Repository.from_repository_name(
+ scope, IMAGE_STAGING_REPO.replace('/', '-'), IMAGE_STAGING_REPO)
 role = iam.Role(scope, id, role_name=id,
 assumed_by=iam.SessionTagsPrincipal(principal),
@@ -132,7 +135,7 @@ def create_docker_image_build_role(scope: Construct, id: str,
 ],
 resources=[x for x in itertools.chain([
 x.repository_arn for x in repos
- ], [x.repository_arn for x in pull_through_caches])],
+ ], [x.repository_arn for x in pull_through_caches], [staging_repo.repository_arn])],
 ),
 iam.PolicyStatement(
 effect=iam.Effect.ALLOW,
@@ -142,8 +145,8 @@ def create_docker_image_build_role(scope: Construct, id: str,
 "ecr:PutImage",
 "ecr:UploadLayerPart",
 ],
- resources=[
- x.repository_arn for x in repos],
+ resources=[x for x in itertools.chain([
+ x.repository_arn for x in repos], [staging_repo.repository_arn])],
 ),
 iam.PolicyStatement(
 effect=iam.Effect.ALLOW,
diff --git a/tests/ci/cdk/pipeline/github_actions_stage.py b/tests/ci/cdk/pipeline/github_actions_stage.py
index 58450ea6aa..cd9208cd88 100644
--- a/tests/ci/cdk/pipeline/github_actions_stage.py
+++ b/tests/ci/cdk/pipeline/github_actions_stage.py
@@ -36,7 +36,7 @@ def __init__(
 self.odic_stack = AwsLcGitHubOidcStack(
 self, "aws-lc-github-oidc", env=deploy_environment, **kwargs)
-
+
 self.actions_stack = AwsLcGitHubActionsStack(
 self, "aws-lc-ci-github-actions",
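Review bot: The `staging_repo` lookup added here is a by-name reference to a repository this stack does not create, and nothing in the hunk says where it comes from, so a reader granting push rights to it a few lines later cannot tell whether it is a pre-existing repo or one managed by CDK. A one-line comment above the lookup would settle it: `# Created by AwsLcGitHubActionsStack (self.staging_repo); referenced here by name only so the role can be granted pull/push on it.` The id expression `IMAGE_STAGING_REPO.replace('/', '-')` is duplicated from the actions stack's construct id; if the two are meant to stay in step, a single definition next to `IMAGE_STAGING_REPO` in util.metadata would stop them drifting. `create_docker_image_build_role` continues outside the hunk.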
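Review bot: `[x for x in itertools.chain(a, b, c)]` in the new `resources=` is a copy comprehension over a chain and reads harder than the list concatenation it stands for; `resources=[x.repository_arn for x in repos] + [x.repository_arn for x in pull_through_caches] + [staging_repo.repository_arn],` says the same thing, and the same shape applies to the push statement below. If the chain form is preferred, `list(itertools.chain(...))` is the idiomatic spelling. Only the resources list is visible here; the statement's action list starts outside the hunk.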
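Review bot: This statement now lets the GitHub OIDC role push into the staging repository as well as the long-lived `repos`, and its action list begins outside the hunk, so it is worth confirming it holds only the upload/`PutImage` actions visible here and no delete or repository-configuration actions (`ecr:BatchDeleteImage`, `ecr:PutImageTagMutability`, `ecr:PutLifecyclePolicy`): the tag immutability and one-day expiry set on `aws-lc/staging` in the actions stack only bound what a compromised workflow can do if the role cannot delete an image and re-push under the same tag or change those settings. A comment on the statement would keep that invariant visible to the next editor: `# Push only; repo settings (immutability, lifecycle) and image deletion stay out of this role's reach.` Since pushes to `repos` and to staging are granted in one statement, consider splitting them so the staging grant can later be scoped independently; whether that matters depends on the trust policy, which is not in the hunk.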
@@ -44,7 +44,7 @@ def __init__(
 ignore_failure=False,
 stack_name="aws-lc-ci-github-actions",
 )
-
+
 @property
 def stacks(self):
 return [child for child in self.node.children if isinstance(child, Stack)]
diff --git a/tests/ci/cdk/util/metadata.py b/tests/ci/cdk/util/metadata.py
index e3b3aabd62..5a6c682281 100644
--- a/tests/ci/cdk/util/metadata.py
+++ b/tests/ci/cdk/util/metadata.py
@@ -40,9 +40,11 @@
 WINDOWS_ECR_REPO = "aws-lc/windows"
 VERIFICATION_ECR_REPO = "aws-lc/verification"
 ANDROID_ECR_REPO = "aws-lc/android"
+IMAGE_STAGING_REPO = "aws-lc/staging"
 ECR_REPOS = [UBUNTU_ECR_REPO, AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO,
- FEDORA_ECR_REPO, WINDOWS_ECR_REPO, VERIFICATION_ECR_REPO, ANDROID_ECR_REPO]
+ FEDORA_ECR_REPO, WINDOWS_ECR_REPO, VERIFICATION_ECR_REPO,
+ ANDROID_ECR_REPO]
 AWS_LC_METRIC_NS = "AWS-LC"
 AWS_LC_FUZZ_METRIC_NS = "AWS-LC-Fuzz"
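Review bot: `IMAGE_STAGING_REPO` is added directly after `ANDROID_ECR_REPO` but deliberately kept out of `ECR_REPOS`, and nothing here says so; a later cleanup that folds it in would make the actions stack both look the repo up with `from_repository_name` and create it, and would grant it twice in the OIDC stack. A comment on the constant would prevent that: `# Short-lived, tag-immutable repo created by AwsLcGitHubActionsStack; intentionally NOT in ECR_REPOS (those are looked up by name, not created).` The `ECR_REPOS` reflow itself is whitespace only.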