aws
diff --git a/‎tests/ci/cdk/README.md
Lines changed: 20 additions & 0 deletions b/‎tests/ci/cdk/README.md
Lines changed: 20 additions & 0 deletions
diff --git a/‎tests/ci/cdk/app.py
Lines changed: 42 additions & 37 deletions b/‎tests/ci/cdk/app.py
Lines changed: 42 additions & 37 deletions
diff --git a/‎tests/ci/cdk/cdk/aws_lc_analytics_stack.py
Lines changed: 20 additions & 8 deletions b/‎tests/ci/cdk/cdk/aws_lc_analytics_stack.py
Lines changed: 20 additions & 8 deletions
diff --git a/‎tests/ci/cdk/cdk/aws_lc_android_ci_stack.py
Lines changed: 19 additions & 9 deletions b/‎tests/ci/cdk/cdk/aws_lc_android_ci_stack.py
Lines changed: 19 additions & 9 deletions
diff --git a/‎tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py
Lines changed: 29 additions & 18 deletions b/‎tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py
Lines changed: 29 additions & 18 deletions
@@ -63,6 +63,26 @@ To setup or update the CI in your account you will need the following IAM permis
   * secretsmanager:DeleteSecret
   * secretsmanager:GetSecretValue
 
+### Pipeline Commands
+Bootstrap pipeline account
+```
+AWS_ACCOUNT_ID=183295444613
+PIPELINE_ACCOUNT_ID=774305600158
+cdk bootstrap aws://${PIPELINE_ACCOUNT_ID}/us-west-2
+```
+
+Give pipeline account administrator access to deployment account's CloudFormation
+```
+cdk bootstrap aws://${AWS_ACCOUNT_ID}/us-west-2 --trust ${PIPELINE_ACCOUNT_ID} --trust-for-lookup ${PIPELINE_ACCOUNT_ID} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
+```
+
+Deploy pipeline
+```
+GITHUB_REPO_OWNER=nhatnghiho
+GITHUB_SOURCE_VERSION=ci-pipeline
+./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --github-source-version ${GITHUB_SOURCE_VERSION} --aws-account ${AWS_ACCOUNT_ID} --action invoke --command "cdk deploy AwsLcCiPipeline --require-approval never"
+```
+
 ### Commands
 
 These commands are run from `aws-lc/tests/ci/cdk`. \
 
@@ -12,49 +12,54 @@
 from cdk.aws_lc_github_fuzz_ci_stack import  AwsLcGitHubFuzzCIStack
 from cdk.aws_lc_ec2_test_framework_ci_stack import AwsLcEC2TestingCIStack
 from cdk.linux_docker_image_batch_build_stack import LinuxDockerImageBatchBuildStack
+from pipeline.pipeline_stack import AwsLcCiPipeline
 from cdk.windows_docker_image_build_stack import WindowsDockerImageBuildStack
 from cdk.aws_lc_github_ci_x509_stack import AwsLcGitHubX509CIStack
 from cdk.ecr_stack import EcrStack
-from util.metadata import AWS_ACCOUNT, AWS_REGION, LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO
+from util.metadata import LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO, \
+    PIPELINE_ACCOUNT, PIPELINE_REGION, DEPLOY_ACCOUNT, DEPLOY_REGION
 
 # Initialize app.
 app = App()
 
-# Initialize env.
-env = Environment(account=AWS_ACCOUNT, region=AWS_REGION)
-
-# Define AWS ECR stacks.
-# ECR holds the docker images, which are pre-built to accelerate the code builds/tests of git pull requests.
-EcrStack(app, "aws-lc-ecr-linux-x86", LINUX_X86_ECR_REPO, env=env)
-EcrStack(app, "aws-lc-ecr-linux-aarch", LINUX_AARCH_ECR_REPO, env=env)
-EcrStack(app, "aws-lc-ecr-windows-x86", WINDOWS_X86_ECR_REPO, env=env)
-
-# Define CodeBuild Batch job for building Docker images.
-LinuxDockerImageBatchBuildStack(app, "aws-lc-docker-image-build-linux", env=env)
-
-# AWS CodeBuild cannot build Windows Docker images because DIND (Docker In Docker) is not supported on Windows.
-# Windows Docker images are created by running commands in Windows EC2 instance.
-WindowsDockerImageBuildStack(app, "aws-lc-docker-image-build-windows", env=env)
-
-# Define CodeBuild Batch job for testing code.
-x86_build_spec_file = "cdk/codebuild/github_ci_linux_x86_omnibus.yaml"
-AwsLcGitHubCIStack(app, "aws-lc-ci-linux-x86", x86_build_spec_file, env=env)
-arm_build_spec_file = "cdk/codebuild/github_ci_linux_arm_omnibus.yaml"
-AwsLcGitHubCIStack(app, "aws-lc-ci-linux-arm", arm_build_spec_file, env=env)
-integration_build_spec_file = "cdk/codebuild/github_ci_integration_omnibus.yaml"
-AwsLcGitHubCIStack(app, "aws-lc-ci-integration", integration_build_spec_file, env=env)
-win_x86_build_spec_file = "cdk/codebuild/github_ci_windows_x86_omnibus.yaml"
-AwsLcGitHubCIStack(app, "aws-lc-ci-windows-x86", win_x86_build_spec_file, env=env)
-fuzz_build_spec_file = "cdk/codebuild/github_ci_fuzzing_omnibus.yaml"
-AwsLcGitHubFuzzCIStack(app, "aws-lc-ci-fuzzing", fuzz_build_spec_file, env=env)
-analytics_build_spec_file = "cdk/codebuild/github_ci_analytics_omnibus.yaml"
-AwsLcGitHubAnalyticsStack(app, "aws-lc-ci-analytics", analytics_build_spec_file, env=env)
-# bm_framework_build_spec_file = "cdk/codebuild/bm_framework_omnibus.yaml"
-# BmFrameworkStack(app, "aws-lc-ci-bm-framework", bm_framework_build_spec_file, env=env)
-ec2_test_framework_build_spec_file = "cdk/codebuild/ec2_test_framework_omnibus.yaml"
-AwsLcEC2TestingCIStack(app, "aws-lc-ci-ec2-test-framework", ec2_test_framework_build_spec_file, env=env)
-android_build_spec_file = "cdk/codebuild/github_ci_android_omnibus.yaml"
-AwsLcAndroidCIStack(app, "aws-lc-ci-devicefarm-android", android_build_spec_file, env=env)
-AwsLcGitHubX509CIStack(app, "aws-lc-ci-x509")
+AwsLcCiPipeline(app, "AwsLcCiPipeline", env=Environment(account=PIPELINE_ACCOUNT, region=PIPELINE_REGION))
+
+if DEPLOY_ACCOUNT is not None and DEPLOY_REGION is not None:
+    # Initialize env.
+    env = Environment(account=DEPLOY_ACCOUNT, region=DEPLOY_REGION)
+
+    # Define AWS ECR stacks.
+    # ECR holds the docker images, which are pre-built to accelerate the code builds/tests of git pull requests.
+    EcrStack(app, "aws-lc-ecr-linux-x86", LINUX_X86_ECR_REPO, env=env)
+    EcrStack(app, "aws-lc-ecr-linux-aarch", LINUX_AARCH_ECR_REPO, env=env)
+    EcrStack(app, "aws-lc-ecr-windows-x86", WINDOWS_X86_ECR_REPO, env=env)
+
+    # Define CodeBuild Batch job for building Docker images.
+    LinuxDockerImageBatchBuildStack(app, "aws-lc-docker-image-build-linux", env=env)
+
+    # AWS CodeBuild cannot build Windows Docker images because DIND (Docker In Docker) is not supported on Windows.
+    # Windows Docker images are created by running commands in Windows EC2 instance.
+    WindowsDockerImageBuildStack(app, "aws-lc-docker-image-build-windows", env=env)
+
+    # Define CodeBuild Batch job for testing code.
+    x86_build_spec_file = "cdk/codebuild/github_ci_linux_x86_omnibus.yaml"
+    AwsLcGitHubCIStack(app, "aws-lc-ci-linux-x86", x86_build_spec_file, env=env)
+    arm_build_spec_file = "cdk/codebuild/github_ci_linux_arm_omnibus.yaml"
+    AwsLcGitHubCIStack(app, "aws-lc-ci-linux-arm", arm_build_spec_file, env=env)
+    integration_build_spec_file = "cdk/codebuild/github_ci_integration_omnibus.yaml"
+    AwsLcGitHubCIStack(app, "aws-lc-ci-integration", integration_build_spec_file, env=env)
+    win_x86_build_spec_file = "cdk/codebuild/github_ci_windows_x86_omnibus.yaml"
+    AwsLcGitHubCIStack(app, "aws-lc-ci-windows-x86", win_x86_build_spec_file, env=env)
+    fuzz_build_spec_file = "cdk/codebuild/github_ci_fuzzing_omnibus.yaml"
+    AwsLcGitHubFuzzCIStack(app, "aws-lc-ci-fuzzing", fuzz_build_spec_file, env=env)
+    analytics_build_spec_file = "cdk/codebuild/github_ci_analytics_omnibus.yaml"
+    AwsLcGitHubAnalyticsStack(app, "aws-lc-ci-analytics", analytics_build_spec_file, env=env)
+    # bm_framework_build_spec_file = "cdk/codebuild/bm_framework_omnibus.yaml"
+    # BmFrameworkStack(app, "aws-lc-ci-bm-framework", bm_framework_build_spec_file, env=env)
+    ec2_test_framework_build_spec_file = "cdk/codebuild/ec2_test_framework_omnibus.yaml"
+    AwsLcEC2TestingCIStack(app, "aws-lc-ci-ec2-test-framework", ec2_test_framework_build_spec_file, env=env)
+    android_build_spec_file = "cdk/codebuild/github_ci_android_omnibus.yaml"
+    AwsLcAndroidCIStack(app, "aws-lc-ci-devicefarm-android", android_build_spec_file, env=env)
+    AwsLcGitHubX509CIStack(app, "aws-lc-ci-x509", env=env)
 
 app.synth()
@@ -1,12 +1,15 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
+import typing
 
-from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2, aws_efs as efs
+from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2, aws_efs as efs, \
+    Environment
 from constructs import Construct
 
 from cdk.components import PruneStaleGitHubBuilds
 from util.iam_policies import code_build_publish_metrics_in_json
-from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME
+from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME, PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_OWNER, \
+    STAGING_GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
 
 
@@ -17,13 +20,22 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
+                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
                  **kwargs) -> None:
-        super().__init__(scope, id, **kwargs)
+        super().__init__(scope, id, env=env, **kwargs)
+
+        # Define CodeBuild resource.
+        github_repo_owner = GITHUB_REPO_OWNER
+        github_repo_name = GITHUB_REPO_NAME
+
+        if env.account == PRE_PROD_ACCOUNT:
+            github_repo_owner = STAGING_GITHUB_REPO_OWNER
+            github_repo_name = STAGING_GITHUB_REPO_NAME
 
         # Define CodeBuild resource.
         git_hub_source = codebuild.Source.git_hub(
-            owner=GITHUB_REPO_OWNER,
-            repo=GITHUB_REPO_NAME,
+            owner=github_repo_owner,
+            repo=github_repo_name,
             webhook=True,
             webhook_filters=[
                 codebuild.FilterGroup.in_event_of(codebuild.EventAction.PUSH)
@@ -34,7 +46,7 @@ def __init__(self,
             webhook_triggers_batch_build=True)
 
         # Define a IAM role for this stack.
-        metrics_policy = iam.PolicyDocument.from_json(code_build_publish_metrics_in_json())
+        metrics_policy = iam.PolicyDocument.from_json(code_build_publish_metrics_in_json(env))
         inline_policies = {"metric_policy": metrics_policy}
         role = iam.Role(scope=self,
                         id="{}-role".format(id),
@@ -52,7 +64,7 @@ def __init__(self,
             environment=codebuild.BuildEnvironment(compute_type=codebuild.ComputeType.LARGE,
                                                    privileged=True,
                                                    build_image=codebuild.LinuxBuildImage.STANDARD_4_0),
-            build_spec=BuildSpecLoader.load(spec_file_path))
+            build_spec=BuildSpecLoader.load(spec_file_path, env))
         analytics.enable_batch_builds()
 
-        PruneStaleGitHubBuilds(scope=self, id="PruneStaleGitHubBuilds", project=analytics, ec2_permissions=False)
+        PruneStaleGitHubBuilds(scope=self, id="PruneStaleGitHubBuilds", project=analytics, ec2_permissions=False, env=env)
@@ -1,12 +1,14 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
+import typing
 
-from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam
+from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, Environment
 from constructs import Construct
 
 from cdk.components import PruneStaleGitHubBuilds
 from util.iam_policies import code_build_batch_policy_in_json, device_farm_access_policy_in_json
-from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME, GITHUB_PUSH_CI_BRANCH_TARGETS
+from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME, GITHUB_PUSH_CI_BRANCH_TARGETS, PRE_PROD_ACCOUNT, \
+    STAGING_GITHUB_REPO_OWNER, STAGING_GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
 
 
@@ -20,13 +22,21 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
+                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
                  **kwargs) -> None:
-        super().__init__(scope, id, **kwargs)
+        super().__init__(scope, id, env=env, **kwargs)
+
+        github_repo_owner = GITHUB_REPO_OWNER
+        github_repo_name = GITHUB_REPO_NAME
+
+        if env.account == PRE_PROD_ACCOUNT:
+            github_repo_owner = STAGING_GITHUB_REPO_OWNER
+            github_repo_name = STAGING_GITHUB_REPO_NAME
 
         # Define CodeBuild resource.
         git_hub_source = codebuild.Source.git_hub(
-            owner=GITHUB_REPO_OWNER,
-            repo=GITHUB_REPO_NAME,
+            owner=github_repo_owner,
+            repo=github_repo_name,
             webhook=True,
             webhook_filters=[
                 codebuild.FilterGroup.in_event_of(
@@ -40,10 +50,10 @@ def __init__(self,
 
         # Define a IAM role for this stack.
         code_build_batch_policy = iam.PolicyDocument.from_json(
-            code_build_batch_policy_in_json([id])
+            code_build_batch_policy_in_json([id], env)
         )
         device_farm_policy = iam.PolicyDocument.from_json(
-            device_farm_access_policy_in_json()
+            device_farm_access_policy_in_json(env)
         )
         inline_policies = {"code_build_batch_policy": code_build_batch_policy, "device_farm_policy": device_farm_policy}
         role = iam.Role(scope=self,
@@ -62,7 +72,7 @@ def __init__(self,
             environment=codebuild.BuildEnvironment(compute_type=codebuild.ComputeType.SMALL,
                                                    privileged=False,
                                                    build_image=codebuild.LinuxBuildImage.STANDARD_4_0),
-            build_spec=BuildSpecLoader.load(spec_file_path))
+            build_spec=BuildSpecLoader.load(spec_file_path, env))
         project.enable_batch_builds()
 
-        PruneStaleGitHubBuilds(scope=self, id="PruneStaleGitHubBuilds", project=project, ec2_permissions=False)
+        PruneStaleGitHubBuilds(scope=self, id="PruneStaleGitHubBuilds", project=project, ec2_permissions=False, env=env)
@@ -2,15 +2,19 @@
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
 import subprocess
+import typing
+
 import boto3
 
 from botocore.exceptions import ClientError
-from aws_cdk import CfnTag, Duration, Stack, Tags, aws_ec2 as ec2, aws_codebuild as codebuild, aws_iam as iam, aws_s3 as s3, aws_logs as logs
+from aws_cdk import CfnTag, Duration, Stack, Tags, aws_ec2 as ec2, aws_codebuild as codebuild, aws_iam as iam, \
+    aws_s3 as s3, aws_logs as logs, Environment
 from constructs import Construct
 
 from cdk.components import PruneStaleGitHubBuilds
-from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, LINUX_AARCH_ECR_REPO, \
-    LINUX_X86_ECR_REPO
+from util.metadata import GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, \
+    LINUX_AARCH_ECR_REPO, \
+    LINUX_X86_ECR_REPO, PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_OWNER, STAGING_GITHUB_REPO_NAME
 from util.iam_policies import code_build_batch_policy_in_json, ec2_policies_in_json, ssm_policies_in_json, s3_read_write_policy_in_json, ecr_power_user_policy_in_json
 from util.build_spec_loader import BuildSpecLoader
 
@@ -23,13 +27,21 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
+                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
                  **kwargs) -> None:
-        super().__init__(scope, id, **kwargs)
+        super().__init__(scope, id, env=env, **kwargs)
+
+        github_repo_owner = GITHUB_REPO_OWNER
+        github_repo_name = GITHUB_REPO_NAME
+
+        if env.account == PRE_PROD_ACCOUNT:
+            github_repo_owner = STAGING_GITHUB_REPO_OWNER
+            github_repo_name = STAGING_GITHUB_REPO_NAME
 
         # Define CodeBuild resource.
         git_hub_source = codebuild.Source.git_hub(
-            owner=GITHUB_REPO_OWNER,
-            repo=GITHUB_REPO_NAME,
+            owner=github_repo_owner,
+            repo=github_repo_name,
             webhook=True,
             webhook_filters=[
                 codebuild.FilterGroup.in_event_of(
@@ -43,7 +55,7 @@ def __init__(self,
 
         # S3 bucket for testing internal fixes.
         s3_read_write_policy = iam.PolicyDocument.from_json(s3_read_write_policy_in_json("aws-lc-codebuild"))
-        ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json([LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO]))
+        ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json([LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO], env))
         ec2_inline_policies = {"s3_read_write_policy": s3_read_write_policy, "ecr_power_user_policy": ecr_power_user_policy}
         ec2_role = iam.Role(scope=self, id="{}-ec2-role".format(id),
                             role_name="{}-ec2-role".format(id),
@@ -62,16 +74,15 @@ def __init__(self,
         selected_subnets = vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)
 
         # create security group with default rules
-        security_group = ec2.SecurityGroup(self, id="{}-ec2-sg".format(id),
-                          allow_all_outbound=True,
-                          vpc=vpc,
-                          security_group_name='codebuild_ec2_sg')
-
+        # security_group = ec2.SecurityGroup(self, id="{}-ec2-sg".format(id),
+        #                   allow_all_outbound=True,
+        #                   vpc=vpc,
+        #                   security_group_name='codebuild_ec2_sg')
 
         # Define a IAM role for this stack.
-        code_build_batch_policy = iam.PolicyDocument.from_json(code_build_batch_policy_in_json([id]))
-        ec2_policy = iam.PolicyDocument.from_json(ec2_policies_in_json(ec2_role.role_name, security_group.security_group_id, selected_subnets.subnets[0].subnet_id, vpc.vpc_id))
-        ssm_policy = iam.PolicyDocument.from_json(ssm_policies_in_json())
+        code_build_batch_policy = iam.PolicyDocument.from_json(code_build_batch_policy_in_json([id], env))
+        ec2_policy = iam.PolicyDocument.from_json(ec2_policies_in_json(ec2_role.role_name, vpc.vpc_default_security_group, selected_subnets.subnets[0].subnet_id, vpc.vpc_id, env))
+        ssm_policy = iam.PolicyDocument.from_json(ssm_policies_in_json(env))
         codebuild_inline_policies = {"code_build_batch_policy": code_build_batch_policy,
                                      "ec2_policy": ec2_policy,
                                      "ssm_policy": ssm_policy}
@@ -94,10 +105,10 @@ def __init__(self,
             environment=codebuild.BuildEnvironment(compute_type=codebuild.ComputeType.SMALL,
                                                    privileged=False,
                                                    build_image=codebuild.LinuxBuildImage.STANDARD_4_0),
-            build_spec=BuildSpecLoader.load(spec_file_path),
+            build_spec=BuildSpecLoader.load(spec_file_path, env),
             environment_variables= {
                 "EC2_SECURITY_GROUP_ID": codebuild.BuildEnvironmentVariable(
-                    value=security_group.security_group_id
+                    value=vpc.vpc_default_security_group
                 ),
                 "EC2_SUBNET_ID": codebuild.BuildEnvironmentVariable(
                     value=selected_subnets.subnets[0].subnet_id
@@ -108,7 +119,7 @@ def __init__(self,
             })
         project.enable_batch_builds()
 
-        PruneStaleGitHubBuilds(scope=self, id="PruneStaleGitHubBuilds", project=project, ec2_permissions=True)
+        PruneStaleGitHubBuilds(scope=self, id="PruneStaleGitHubBuilds", project=project, ec2_permissions=True, env=env)
 
         # Define logs for SSM.
         log_group_name = "{}-cw-logs".format(id)