Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow ARN to be provided for pipeline signing KMS key #1424

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Allow ARN to be provided for pipeline signing KMS key #1424

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
ab3e6ae
allow KMS key ARN to be provided to support cross-account or cross-re…
MathewBoyles Dec 31, 2024
10f1f04
update comment
MathewBoyles Dec 31, 2024
cd5ddc2
use conditions for If
MathewBoyles Dec 31, 2024
48c50be
add rules for providing ARN and Key IDs
MathewBoyles Dec 31, 2024
f237319
make key description more clear
MathewBoyles Dec 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 97 additions & 20 deletions templates/aws-stack.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ Metadata:
default: Signed Pipelines Configuration
Parameters:
- PipelineSigningKMSKeyId
- PipelineSigningKMSKeyARN
- PipelineSigningKMSKeySpec
- PipelineSigningKMSAccess
- PipelineSigningVerificationFailureBehavior
Expand Down Expand Up @@ -578,7 +579,12 @@ Parameters:

PipelineSigningKMSKeyId:
Type: String
Description: Optional - Identifier of the KMS key used to sign and verify pipelines (Created if left blank and PipelineSigningKMSKeySpec is selected)
Description: Optional - Identifier of the KMS key to use for pipeline signatures & verification (if both PipelineSigningKMSKeyId and PipelineSigningKMSKeyARN are left blank, and PipelineSigningKMSKeySpec is selected, a fresh signing key will automatically be created)
Default: ""

PipelineSigningKMSKeyARN:
Type: String
Description: Optional - ARN of the KMS key to use for pipeline signatures & verification (if both PipelineSigningKMSKeyId and PipelineSigningKMSKeyArn are left blank, and PipelineSigningKMSKeySpec is selected, a fresh signing key will automatically be created)
Default: ""

PipelineSigningKMSKeySpec:
Expand Down Expand Up @@ -622,14 +628,49 @@ Rules:
HasPipelineSigningKMSKey:
Assertions:
- Assert:
!Or
- !Or
- !Not
- !Equals
- !Ref PipelineSigningKMSKeyId
- ""
- !Not
- !Equals
- !Ref PipelineSigningKMSKeyARN
- ""
- !Not
- !Equals
- !Ref PipelineSigningKMSKeySpec
- "none"
AssertDescription: "You must provide either provide a PipelineSigningKMSKeyId or select a PipelineSigningKMSKeySpec but not both"
AssertDescription: "You must provide one of: PipelineSigningKMSKeyId, PipelineSigningKMSKeyARN, or select a PipelineSigningKMSKeySpec"
- Assert:
- !Not
- !And
- !Not
- !Equals
- !Ref PipelineSigningKMSKeyId
- ""
- !Not
- !Equals
- !Ref PipelineSigningKMSKeyARN
- ""
AssertDescription: "You must not provide both a PipelineSigningKMSKeyId and PipelineSigningKMSKeyARN"
- Assert:
- !Not
- !And
- !Or
- !Not
- !Equals
- !Ref PipelineSigningKMSKeyId
- ""
- !Not
- !Equals
- !Ref PipelineSigningKMSKeyARN
- ""
- !Not
- !Equals
- !Ref PipelineSigningKMSKeySpec
- "none"
AssertDescription: "You must provide either a PipelineSigningKMSKeyId or PipelineSigningKMSKeyARN, or select a PipelineSigningKMSKeySpec, but not both"

Outputs:
VpcId:
Expand Down Expand Up @@ -759,11 +800,17 @@ Conditions:
!Equals [ !Ref EnableCostAllocationTags, "true" ]

UsePipelineSigningKMSKey:
!Not [ !Equals [ !Ref PipelineSigningKMSKeyId, "" ] ]
!Or
- !Not [ !Equals [ !Ref PipelineSigningKMSKeyId, "" ] ]
- !Not [ !Equals [ !Ref PipelineSigningKMSKeyARN, "" ] ]

HasPipelineSigningKMSKeyARN:
!Not [!Equals [!Ref PipelineSigningKMSKeyARN, ""]]

CreatePipelineSigningKMSKey:
!And
- !Equals [ !Ref PipelineSigningKMSKeyId, "" ]
- !Equals [ !Ref PipelineSigningKMSKeyARN, "" ]
- !Not [ !Equals [ !Ref PipelineSigningKMSKeySpec, "none" ] ]

HasPipelineSigningKMSKey:
Expand Down Expand Up @@ -1019,10 +1066,14 @@ Resources:
- kms:GetPublicKey
- - kms:Verify
- kms:GetPublicKey
Resource: !If
- CreatePipelineSigningKMSKey
- !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKey}
- !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKeyId}
Resource:
!If
- CreatePipelineSigningKMSKey
- !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKey}
- !If
- HasPipelineSigningKMSKeyARN
- !Ref PipelineSigningKMSKeyARN
- !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKeyId}
- !Ref 'AWS::NoValue'
- !If
- UseCustomerManagedKeyForParameterStore
Expand Down Expand Up @@ -1367,12 +1418,25 @@ Resources:
$Env:AWS_REGION="${AWS::Region}"
powershell -file C:\buildkite-agent\bin\bk-install-elastic-stack.ps1 >> C:\buildkite-agent\elastic-stack.log
</powershell>
- {
LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ],
LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ],
AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ],
PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ],
}
- LocalSecretsBucket: !If
- CreateSecretsBucket
- !Ref ManagedSecretsBucket
- !Ref SecretsBucket
LocalSecretsBucketRegion: !If
- CreateSecretsBucket
- !Ref "AWS::Region"
- !Ref SecretsBucketRegion
AgentTokenPath: !If
- UseCustomerManagedParameterPath
- !Ref BuildkiteAgentTokenParameterStorePath
- !Ref BuildkiteAgentTokenParameter
PipelineSigningKMSKey: !If
- CreatePipelineSigningKMSKey
- !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKey}
- !If
- HasPipelineSigningKMSKeyARN
- !Ref PipelineSigningKMSKeyARN
- !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKeyId}
- !Sub
- |
Content-Type: multipart/mixed; boundary="==BOUNDARY=="
Expand Down Expand Up @@ -1432,12 +1496,25 @@ Resources:
AWS_REGION="${AWS::Region}" \
/usr/local/bin/bk-install-elastic-stack.sh
--==BOUNDARY==--
- {
LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ],
LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ],
AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ],
PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ],
}
- LocalSecretsBucket: !If
- CreateSecretsBucket
- !Ref ManagedSecretsBucket
- !Ref SecretsBucket
LocalSecretsBucketRegion: !If
- CreateSecretsBucket
- !Ref "AWS::Region"
- !Ref SecretsBucketRegion
AgentTokenPath: !If
- UseCustomerManagedParameterPath
- !Ref BuildkiteAgentTokenParameterStorePath
- !Ref BuildkiteAgentTokenParameter
PipelineSigningKMSKey: !If
- CreatePipelineSigningKMSKey
- !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKey}
- !If
- HasPipelineSigningKMSKeyARN
- !Ref PipelineSigningKMSKeyARN
- !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKeyId}

AgentAutoScaleGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Expand Down