Python: Commit current CFN state (#781)

aws · Oct 1, 2024 · 4c84a4a · 4c84a4a
1 parent 6fcbd89
commit 4c84a4a
Showing 1 changed file with 160 additions and 162 deletions.
diff --git a/cfn/python/MPL-Python.yml b/cfn/python/MPL-Python.yml
@@ -1,6 +1,5 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0AWSTemplateFormatVersion: "2010-09-09"
-Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up."
 AWSTemplateFormatVersion: 2010-09-09
 Description: >-
   Template to build a CodeBuild Project, assumes that GitHub credentials are
@@ -57,7 +56,7 @@ Resources:
         Type: NO_CACHE
       Environment:
         ComputeType: BUILD_GENERAL1_LARGE
-        Image: "aws/codebuild/standard:5.0"
+        Image: "aws/codebuild/standard:7.0"
         ImagePullCredentialsType: CODEBUILD
         PrivilegedMode: false
         Type: LINUX_CONTAINER
@@ -82,52 +81,52 @@ Resources:
           Status: DISABLED
           EncryptionDisabled: false
 
-  CodeBuildProjectProdRelease:
-    Type: "AWS::CodeBuild::Project"
-    Properties:
-      Name: !Sub "${ProjectName}-prod-release"
-      Description: !Sub "CodeBuild project for ${ProjectName} to release to prod PyPi."
-      Source:
-        Location: !Ref SourceLocation
-        BuildSpec: codebuild/release-python/prod-release.yml
-        ## https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html#cfn-codebuild-project-source-gitclonedepth
-        ## If this value is 0, greater than 25, or not provided then the full history is downloaded with each build project.
-        GitCloneDepth: 0
-        GitSubmodulesConfig:
-          FetchSubmodules: true
-        InsecureSsl: false
-        ReportBuildStatus: false
-        Type: GITHUB
-      Artifacts:
-        Type: NO_ARTIFACTS
-      Cache:
-        Type: NO_CACHE
-      Environment:
-        ComputeType: BUILD_GENERAL1_LARGE
-        Image: "aws/codebuild/standard:5.0"
-        ImagePullCredentialsType: CODEBUILD
-        PrivilegedMode: false
-        Type: LINUX_CONTAINER
-      ServiceRole: !GetAtt CodeBuildProdReleaseServiceRole.Arn
-      TimeoutInMinutes: 60
-      QueuedTimeoutInMinutes: 480
-      EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
-      BadgeEnabled: false
-      BuildBatchConfig:
-        ServiceRole: !GetAtt CodeBuildProdReleaseServiceRole.Arn
-        Restrictions:
-          MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
-          ComputeTypesAllowed:
-            - BUILD_GENERAL1_SMALL
-            - BUILD_GENERAL1_MEDIUM
-            - BUILD_GENERAL1_LARGE
-        TimeoutInMins: 480
-      LogsConfig:
-        CloudWatchLogs:
-          Status: ENABLED
-        S3Logs:
-          Status: DISABLED
-          EncryptionDisabled: false
+  # CodeBuildProjectProdRelease:
+  #   Type: "AWS::CodeBuild::Project"
+  #   Properties:
+  #     Name: !Sub "${ProjectName}-prod-release"
+  #     Description: !Sub "CodeBuild project for ${ProjectName} to release to prod PyPi."
+  #     Source:
+  #       Location: !Ref SourceLocation
+  #       BuildSpec: codebuild/release-python/prod-release.yml
+  #       ## https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html#cfn-codebuild-project-source-gitclonedepth
+  #       ## If this value is 0, greater than 25, or not provided then the full history is downloaded with each build project.
+  #       GitCloneDepth: 0
+  #       GitSubmodulesConfig:
+  #         FetchSubmodules: true
+  #       InsecureSsl: false
+  #       ReportBuildStatus: false
+  #       Type: GITHUB
+  #     Artifacts:
+  #       Type: NO_ARTIFACTS
+  #     Cache:
+  #       Type: NO_CACHE
+  #     Environment:
+  #       ComputeType: BUILD_GENERAL1_LARGE
+  #       Image: "aws/codebuild/standard:7.0"
+  #       ImagePullCredentialsType: CODEBUILD
+  #       PrivilegedMode: false
+  #       Type: LINUX_CONTAINER
+  #     ServiceRole: !GetAtt CodeBuildProdReleaseServiceRole.Arn
+  #     TimeoutInMinutes: 60
+  #     QueuedTimeoutInMinutes: 480
+  #     EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+  #     BadgeEnabled: false
+  #     BuildBatchConfig:
+  #       ServiceRole: !GetAtt CodeBuildProdReleaseServiceRole.Arn
+  #       Restrictions:
+  #         MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+  #         ComputeTypesAllowed:
+  #           - BUILD_GENERAL1_SMALL
+  #           - BUILD_GENERAL1_MEDIUM
+  #           - BUILD_GENERAL1_LARGE
+  #       TimeoutInMins: 480
+  #     LogsConfig:
+  #       CloudWatchLogs:
+  #         Status: ENABLED
+  #       S3Logs:
+  #         Status: DISABLED
+  #         EncryptionDisabled: false
 
   CodeBuildTestReleaseServiceRole:
     Type: "AWS::IAM::Role"
@@ -143,25 +142,23 @@ Resources:
         - !Ref CodeBuildTestReleaseBasePolicy
         - !Ref SecretsManagerTestReleasePolicy
         - !Ref CodeBuildCISTSAllow
-        # - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
-        # - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
-
-    CodeBuildProdReleaseServiceRole:
-    Type: "AWS::IAM::Role"
-    Properties:
-      Path: /service-role/
-      RoleName: !Sub "codebuild-${ProjectName}-prod-service-role"
-      AssumeRolePolicyDocument: >-
-        {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
-      MaxSessionDuration: 3600
-      ManagedPolicyArns:
-        - !Ref CryptoToolsKMS
-        - !Ref CodeBuildProdReleaseBatchPolicy
-        - !Ref CodeBuildProdReleaseBasePolicy
-        - !Ref SecretsManagerProdReleasePolicy
-        - !Ref CodeBuildCISTSAllow
-        # - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
-        # - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+
+  # CodeBuildProdReleaseServiceRole:
+  #   Type: "AWS::IAM::Role"
+  #   Properties:
+  #     Path: /service-role/
+  #     RoleName: !Sub "codebuild-${ProjectName}-prod-service-role"
+  #     AssumeRolePolicyDocument: >-
+  #       {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+  #     MaxSessionDuration: 3600
+  #     ManagedPolicyArns:
+  #       - !Ref CryptoToolsKMS
+  #       - !Ref CodeBuildProdReleaseBatchPolicy
+  #       - !Ref CodeBuildProdReleaseBasePolicy
+  #       - !Ref SecretsManagerProdReleasePolicy
+  #       - !Ref CodeBuildCISTSAllow
+  #       # - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
+  #       # - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
 
   CodeBuildTestReleaseBatchPolicy:
     Type: "AWS::IAM::ManagedPolicy"
@@ -188,30 +185,30 @@ Resources:
           ]
         }
 
-  CodeBuildProdReleaseBatchPolicy:
-    Type: "AWS::IAM::ManagedPolicy"
-    Properties:
-      ManagedPolicyName: !Sub >-
-        CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-prod-service-role
-      Path: /service-role/
-      PolicyDocument: !Sub |
-        {
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Resource": [
-                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}",
-                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release"
-              ],
-              "Action": [
-                "codebuild:StartBuild",
-                "codebuild:StopBuild",
-                "codebuild:RetryBuild"
-              ]
-            }
-          ]
-        }
+  # CodeBuildProdReleaseBatchPolicy:
+  #   Type: "AWS::IAM::ManagedPolicy"
+  #   Properties:
+  #     ManagedPolicyName: !Sub >-
+  #       CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-prod-service-role
+  #     Path: /service-role/
+  #     PolicyDocument: !Sub |
+  #       {
+  #         "Version": "2012-10-17",
+  #         "Statement": [
+  #           {
+  #             "Effect": "Allow",
+  #             "Resource": [
+  #               "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}",
+  #               "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release"
+  #             ],
+  #             "Action": [
+  #               "codebuild:StartBuild",
+  #               "codebuild:StopBuild",
+  #               "codebuild:RetryBuild"
+  #             ]
+  #           }
+  #         ]
+  #       }
 
   CodeBuildTestReleaseBasePolicy:
     Type: "AWS::IAM::ManagedPolicy"
@@ -266,58 +263,58 @@ Resources:
           ]
         }
 
-  CodeBuildProdReleaseBasePolicy:
-    Type: "AWS::IAM::ManagedPolicy"
-    Properties:
-      ManagedPolicyName: !Sub "CodeBuildProdBasePolicy-${ProjectName}-${AWS::Region}"
-      Path: /service-role/
-      PolicyDocument: !Sub |
-        {
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Resource": [
-                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
-                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
-                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
-                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
-              ],
-              "Action": [
-                "logs:CreateLogGroup",
-                "logs:CreateLogStream",
-                "logs:PutLogEvents",
-                "logs:GetLogEvents"
-              ]
-            },
-            {
-              "Effect": "Allow",
-              "Resource": [
-                "arn:aws:s3:::codepipeline-${AWS::Region}-*"
-              ],
-              "Action": [
-                "s3:PutObject",
-                "s3:GetObject",
-                "s3:GetObjectVersion",
-                "s3:GetBucketAcl",
-                "s3:GetBucketLocation"
-              ]
-            },
-            {
-              "Effect": "Allow",
-              "Action": [
-                "codebuild:CreateReportGroup",
-                "codebuild:CreateReport",
-                "codebuild:UpdateReport",
-                "codebuild:BatchPutTestCases",
-                "codebuild:BatchPutCodeCoverages"
-              ],
-              "Resource": [
-                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
-              ]
-            }
-          ]
-        }
+  # CodeBuildProdReleaseBasePolicy:
+  #   Type: "AWS::IAM::ManagedPolicy"
+  #   Properties:
+  #     ManagedPolicyName: !Sub "CodeBuildProdBasePolicy-${ProjectName}-${AWS::Region}"
+  #     Path: /service-role/
+  #     PolicyDocument: !Sub |
+  #       {
+  #         "Version": "2012-10-17",
+  #         "Statement": [
+  #           {
+  #             "Effect": "Allow",
+  #             "Resource": [
+  #               "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
+  #               "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
+  #               "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
+  #               "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
+  #             ],
+  #             "Action": [
+  #               "logs:CreateLogGroup",
+  #               "logs:CreateLogStream",
+  #               "logs:PutLogEvents",
+  #               "logs:GetLogEvents"
+  #             ]
+  #           },
+  #           {
+  #             "Effect": "Allow",
+  #             "Resource": [
+  #               "arn:aws:s3:::codepipeline-${AWS::Region}-*"
+  #             ],
+  #             "Action": [
+  #               "s3:PutObject",
+  #               "s3:GetObject",
+  #               "s3:GetObjectVersion",
+  #               "s3:GetBucketAcl",
+  #               "s3:GetBucketLocation"
+  #             ]
+  #           },
+  #           {
+  #             "Effect": "Allow",
+  #             "Action": [
+  #               "codebuild:CreateReportGroup",
+  #               "codebuild:CreateReport",
+  #               "codebuild:UpdateReport",
+  #               "codebuild:BatchPutTestCases",
+  #               "codebuild:BatchPutCodeCoverages"
+  #             ],
+  #             "Resource": [
+  #               "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
+  #             ]
+  #           }
+  #         ]
+  #       }
 
   SecretsManagerTestReleasePolicy:
     Type: "AWS::IAM::ManagedPolicy"
@@ -331,31 +328,32 @@ Resources:
             {
               "Effect": "Allow",
               "Resource": [
-                "arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiCryptoTools-SxeLBh"
+                "arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiCryptoTools-SxeLBh",
+                "arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiAPIToken-uERFjs"
               ],
               "Action": "secretsmanager:GetSecretValue"
             }
           ]
         }
 
-    SecretsManagerProdReleasePolicy:
-    Type: "AWS::IAM::ManagedPolicy"
-    Properties:
-      ManagedPolicyName: !Sub "CryptoTools-SecretsManagerProd-${ProjectName}-release"
-      Path: /service-role/
-      PolicyDocument: !Sub |
-        {
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Resource": [
-                "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAdmin-ZWyd1T"
-              ],
-              "Action": "secretsmanager:GetSecretValue"
-            }
-          ]
-        }
+  # SecretsManagerProdReleasePolicy:
+  #   Type: "AWS::IAM::ManagedPolicy"
+  #   Properties:
+  #     ManagedPolicyName: !Sub "CryptoTools-SecretsManagerProd-${ProjectName}-release"
+  #     Path: /service-role/
+  #     PolicyDocument: !Sub |
+  #       {
+  #         "Version": "2012-10-17",
+  #         "Statement": [
+  #           {
+  #             "Effect": "Allow",
+  #             "Resource": [
+  #               "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAdmin-ZWyd1T"
+  #             ],
+  #             "Action": "secretsmanager:GetSecretValue"
+  #           }
+  #         ]
+  #       }
 
   # There exist public AWS KMS CMKs that are used for testing
   # Take care with these CMKs they are **ONLY** for testing!!!