chore: Update Release CFN (#343)

seebees · web-flow · commit 81606b67d722 · 2024-08-19T15:16:34.000-07:00
#382 Added resources for tests. Add these resources to the release process.
diff --git a/cfn/release.yml b/cfn/release.yml
@@ -167,7 +167,7 @@ Resources:
                 "codebuild:BatchPutCodeCoverages"
               ],
               "Resource": [
-                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-Release"
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-Release-*"
               ]
             }
           ]
@@ -214,6 +214,7 @@ Resources:
                 "arn:aws:kms:*:658956600833:alias/*"
               ],
               "Action": [
+                "kms:Encrypt", 
                 "kms:Decrypt",
                 "kms:GenerateDataKey"
               ]
@@ -254,6 +255,20 @@ Resources:
             Action: 'kms:*'
             Resource: '*'
 
+  S3ECReleaseKMSKeyIDAlternate:
+    Type: 'AWS::KMS::Key'
+    Properties:
+      Description: Alternate KMS Key for Release Testing
+      Enabled: true
+      KeyPolicy:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+            Action: 'kms:*'
+            Resource: '*'
+
   S3ECReleaseKMSKeyAlias:
     Type: 'AWS::KMS::Alias'
     Properties:
@@ -263,7 +278,7 @@ Resources:
   S3ECReleaseTestS3Bucket:
     Type: 'AWS::S3::Bucket'
     Properties:
-      BucketName: s3ec-release-test-bucket
+      BucketName: !Sub "s3ec-release-test-bucket"
       LifecycleConfiguration:
         Rules:
           - Id: Expire in 14 days
@@ -291,6 +306,29 @@ Resources:
               - !Join [ "", [ !GetAtt S3ECReleaseTestS3Bucket.Arn, '/*' ] ]
 
   S3ECReleaseTestKMSKeyPolicy:
+    Type: 'AWS::IAM::ManagedPolicy'
+    Properties:
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Resource:
+              - Sub! "arn:aws:kms:*:${AWS::AccountId}:key/${S3ECReleaseTestingKMSKeyID}"
+              - Sub! "arn:aws:kms:*:${AWS::AccountId}:${S3ECReleaseKMSKeyAlias}"
+            Action:
+              - "kms:Encrypt"
+              - "kms:Decrypt"
+              - "kms:GenerateDataKey"
+              - "kms:GenerateDataKeyPair"
+          - Effect: Allow
+            Action: sts:AssumeRole
+            Resource:
+              Fn::GetAtt: [ S3ECReleaseTestRoleAlternate, Arn ]
+
+
+      ManagedPolicyName: S3EC-Release-Test-KMS-Key-Policy
+
+  S3ECReleaseKMSKeyPolicyAlternate:
     Type: 'AWS::IAM::ManagedPolicy'
     Properties:
       PolicyDocument: !Sub |
@@ -300,16 +338,34 @@ Resources:
             {
               "Effect": "Allow",
               "Resource": [
-                "arn:aws:kms:*:${AWS::AccountId}:key/${S3ECReleaseTestingKMSKeyID}",
-                "arn:aws:kms:*:${AWS::AccountId}:${S3ECReleaseKMSKeyAlias}"
+                "arn:aws:kms:*:${AWS::AccountId}:key/${S3ECReleaseKMSKeyIDAlternate}"
               ],
               "Action": [
-                "kms:Encrypt",
                 "kms:Decrypt",
                 "kms:GenerateDataKey",
                 "kms:GenerateDataKeyPair"
               ]
             }
           ]
         }
-      ManagedPolicyName: S3EC-Release-Test-KMS-Key-Policy
+      ManagedPolicyName: S3EC-Release-KMS-Key-Policy-Alternate
+
+  S3ECReleaseTestRoleAlternate:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      Path: /service-role/
+      RoleName: S3EC-Release-test-role-alternate
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              Service: codebuild.amazonaws.com
+            Action:
+              - "sts:AssumeRole"
+      Description: >-
+        Grant S3 put and get and KMS (alt key) encrypt, decrypt, and generate access
+        for testing
+      ManagedPolicyArns:
+        - !Ref S3ECReleaseKMSKeyPolicyAlternate
+        - !Ref S3ECReleaseS3BucketPolicy
diff --git a/codebuild/release/release-prod.yml b/codebuild/release/release-prod.yml
@@ -20,8 +20,8 @@ phases:
   pre_build:
     commands:
       # Test execution environment variables
-      - export AWS_S3EC_TEST_ALT_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/ee97fd02-6bb3-4b60-88c1-4ccb18ee978b
-      - export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-GitHub-test-role-alternate
+      - export AWS_S3EC_TEST_ALT_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/94f7843c-ec71-4abd-957c-2fb67c991a37
+      - export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-Release-test-role-alternate
       - export AWS_S3EC_TEST_BUCKET=s3ec-release-test-bucket
       - export AWS_S3EC_TEST_KMS_KEY_ID=arn:aws:kms:us-west-2:${ACCOUNT}:key/af4ce40a-05ab-4f7c-b3fa-97bd0c9b7fb1
       - export AWS_S3EC_TEST_KMS_KEY_ALIAS=arn:aws:kms:us-west-2:${ACCOUNT}:alias/S3EC-Release-Testing-KMS-Key
diff --git a/codebuild/release/release-staging.yml b/codebuild/release/release-staging.yml
@@ -26,8 +26,8 @@ phases:
       - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys-CI --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz
       - tar -xvf ~/mvn_gpg.tgz -C ~
       # Test execution environment variables
-      - export AWS_S3EC_TEST_ALT_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/ee97fd02-6bb3-4b60-88c1-4ccb18ee978b
-      - export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-GitHub-test-role-alternate
+      - export AWS_S3EC_TEST_ALT_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/94f7843c-ec71-4abd-957c-2fb67c991a37
+      - export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-Release-test-role-alternate
       - export AWS_S3EC_TEST_BUCKET=s3ec-release-test-bucket
       - export AWS_S3EC_TEST_KMS_KEY_ID=arn:aws:kms:us-west-2:${ACCOUNT}:key/af4ce40a-05ab-4f7c-b3fa-97bd0c9b7fb1
       - export AWS_S3EC_TEST_KMS_KEY_ALIAS=arn:aws:kms:us-west-2:${ACCOUNT}:alias/S3EC-Release-Testing-KMS-Key
diff --git a/codebuild/release/validate-staging.yml b/codebuild/release/validate-staging.yml
@@ -23,8 +23,8 @@ phases:
       - export CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token --domain $DOMAIN --domain-owner $ACCOUNT --query authorizationToken --output text --region ${REGION})
       - export CODEARTIFACT_REPO_URL=https://${DOMAIN}-${ACCOUNT}.d.codeartifact.${REGION}.amazonaws.com/maven/${REPOSITORY}
       # Test execution environment variables
-      - export AWS_S3EC_TEST_ALT_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/ee97fd02-6bb3-4b60-88c1-4ccb18ee978b
-      - export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-GitHub-test-role-alternate
+      - export AWS_S3EC_TEST_ALT_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/94f7843c-ec71-4abd-957c-2fb67c991a37
+      - export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-Release-test-role-alternate
       - export AWS_S3EC_TEST_BUCKET=s3ec-release-test-bucket
       - export AWS_S3EC_TEST_KMS_KEY_ID=arn:aws:kms:us-west-2:${ACCOUNT}:key/af4ce40a-05ab-4f7c-b3fa-97bd0c9b7fb1
       - export AWS_S3EC_TEST_KMS_KEY_ALIAS=arn:aws:kms:us-west-2:${ACCOUNT}:alias/S3EC-Release-Testing-KMS-Key
