Merge pull request brefphp#1 from deleugpn/runtime-pr-test

Prepare automatic layer build
brefphp-bot · Nov 16, 2021 · f559f79 · f559f79
2 parents 3e6a3d9 + 5667169
commit f559f79
Show file tree

Hide file tree

Showing 4 changed files with 134 additions and 0 deletions.
diff --git a/runtime/aws/access.yml b/runtime/aws/access.yml
@@ -0,0 +1,31 @@
+Description: AWS IAM Role for publishing layers
+
+Parameters:
+  BuilderAccount:
+    Type: String
+
+Resources:
+  LayerPublisherRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: bref-layer-publisher
+      AssumeRolePolicyDocument:
+        Statement:
+          Effect: Allow
+          Principal:
+            AWS: !Sub "arn:aws:iam::${BuilderAccount}:role/bref-php-binary-builder"
+          Action: sts:AssumeRole
+      Policies:
+        - PolicyName: LayerPublisherRole
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:
+                  - lambda:PublishLayerVersion
+                  - lambda:AddLayerVersionPermission
+                  - lambda:GetLayerVersion
+                  - lambda:GetLayerVersionPolicy
+                  - lambda:ListLayers
+                  - lambda:ListLayerVersions
+                Resource:
+                  - '*'
diff --git a/runtime/aws/config b/runtime/aws/config
@@ -0,0 +1,3 @@
+[layer]
+role_arn = arn:aws:iam::209497400698:role/bref-layer-publisher
+credential_source = EcsContainer
diff --git a/runtime/aws/release.buildspec.yml b/runtime/aws/release.buildspec.yml
@@ -0,0 +1,32 @@
+version: 0.2
+
+# AWS suggests this file not be stored within the project itself for AWS Public CodeBuild
+# (https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html).
+# However, what protects us here is the fact that this build WILL ONLY be executed if a PULL_REQUEST_MERGED event
+# is triggered. Therefore, only AFTER a Bref Maintainer has approved and merged the changes this file will
+# be executed. Changes made here that are not merged does not run the public build.
+# Even if a "contributor" makes changes to the release.yml template itself to include more triggers, it requires
+# manually applying those changes to AWS CloudFormation before they take effect.
+
+phases:
+  install:
+    runtime-versions:
+      docker: 19
+
+  pre_build:
+    commands:
+      # We need to resolve these variables on-the-fly because public AWS CodeBuild projects show them as plain-text
+      - export GITHUB_TOKEN=$(aws ssm get-parameter --name /bref-layers-builder/github/token --output text --query Parameter.Value)
+      - export DOCKER_HUB_USERNAME=$(aws ssm get-parameter --name /bref-layers-builder/docker/hub/username --output text --query Parameter.Value)
+      # WARNING: Be very careful when merging pull requests that change this line. If a "contributor" changes this line to echo ${DOCKER_HUB_PASSWORD}, it will show up on the public logs.
+      - export DOCKER_HUB_PASSWORD=$(aws ssm get-parameter --name /bref-layers-builder/docker/hub/username --output text --query Parameter.Value)
+      - export DOCKER_BUILDKIT=1
+      - export AWS_STS_REGIONAL_ENDPOINTS=regional
+
+      # WARNING: Be very careful when merging pull requests that change this file. If a "contributor" changes this line to echo ${DOCKER_HUB_PASSWORD}, it will show up on the public logs.
+      - echo $DOCKER_HUB_PASSWORD | docker login --username $DOCKER_HUB_USERNAME --password-stdin
+
+      - $(aws ecr get-login --region $AWS_REGION --no-include-email)
+
+  build:
+    commands:
diff --git a/runtime/aws/release.yml b/runtime/aws/release.yml
@@ -0,0 +1,68 @@
+Resources:
+  BrefLayersBuilder:
+    Type: AWS::CodeBuild::Project
+    Properties:
+      ServiceRole: !Ref BrefLayersBuilderRole
+      Artifacts:
+        Type: NO_ARTIFACTS
+      Environment:
+          # We cannot use credentials as environment variable anymore because `public` CodeBuild displays
+          # these variables to anyone on the internet.
+        Type: LINUX_CONTAINER
+        ComputeType: BUILD_GENERAL1_LARGE
+        Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
+      Source:
+        Location: https://github.com/deleugpn/bref.git
+        Type: GITHUB
+        BuildSpec: runtime/aws/release.buildspec.yaml
+      Visibility: PUBLIC_READ
+      Triggers:
+        Webhook: true
+        FilterGroups:
+          - - Type: EVENT
+              Pattern: PULL_REQUEST_MERGED
+            - Type: BASE_REF
+              Pattern: ^refs/heads/runtime$
+            - Type: FILE_PATH
+              Pattern: runtime/*
+
+  BrefLayersBuilderRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: bref-layer-builder
+      AssumeRolePolicyDocument:
+        Statement:
+          Effect: Allow
+          Principal:
+            Service: codebuild.amazonaws.com
+          Action: sts:AssumeRole
+      Policies:
+        - PolicyName: CodeBuildServicePermissions
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:
+                  - sts:AssumeRole
+                Resource:
+                  - 'arn:aws:iam::978790411843:role/bref-layer-publisher'
+
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogGroup
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                Resource:
+                  - 'arn:aws:logs:*:*:*'
+
+              - Effect: Allow
+                Action:
+                  - ssm:GetParameter
+                Resource:
+                  - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/bref-layers-builder/"
+
+              - Effect: Allow
+                Action:
+                  - lambda:PublishLayerVersion
+                  - lambda:AddLayerVersionPermission
+                Resource:
+                  - '*'