You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
adding staging bucket stack, arm builds, some directions (#3205)
* separated the merge-build and pr-build buildspecs
* aim the codebuild stack at the right buildspec
* updated the buildspecs to release and sign arm variants as well
* updated the build infrastructure to build for arm as well as amd archs
* added a note about adding more artifacts to be signed and copied
* fixing a couple of other things found in review
* added a bucket stack with a bucket policy
* missed a letter in the arm build naming
* added a missed file in the build directory structure
* updated the descriptions for all of the codebuild projects
Copy file name to clipboardExpand all lines: build-infrastructure/README.md
+15-1
Original file line number
Diff line number
Diff line change
@@ -42,13 +42,27 @@ The directory structure that is expected is as follows,
42
42
43
43
```
44
44
buildspecs/
45
-
|- build.yml
45
+
|- merge-build.yml
46
+
|- pr-build.yml
46
47
|- signing.yml
47
48
|- copy.yml
48
49
```
49
50
50
51
Everything else is already set up for you.
51
52
53
+
## Adding a new artifact get signed and copied
54
+
55
+
There are a few changes that need to be made to add another artifact that needs to be signed and copied to the CodePipeline. They are as follows,
56
+
57
+
1. The CodeBuild project that feeds into the signer has to export a variable that carries the name of the artifact to sign. Check out the `exported-variables` key within `merge-build.yml` for an example of how to set this up. You create an environment variable and any defined environment variable can be exported from a codebuild project.
58
+
1. In `release-pipeline-stack.yml`, add the project that will feed into the signer, and add an IAM role to go with it. See the `AmdBuildCodeBuildProjectServiceRole` and `AmdBuildCodeBuildProject` keys in the file for examples. Follow established naming conventions.
59
+
1. In `release-pipeline-stack.yml`, add an action to the appropriate stage under the `BuildAndSignCodePipeline` key. Likely, you're going to want to define a new item in the `Actions` list under one of the `Stages`. Pay close attention to define both `OutputArtifacts` and `Namespace` for your new action. See `Action` with the `Name` called `MakeAmd` for an example.
60
+
1. In `release-pipeline-stack.yml`, add a new entry in the `InputArtifacts` list for the `Action` with `Name` called `GPG`. This name should correspond to the `OutputArtifacts` name that you defined above.
61
+
1. In `release-pipeline-stack.yml`, the `Action` with `Name` called `GPG` has a key called `EnvironmentVariables` with a JSON string as value. Be careful not to unstringify the JSON, CodePipeline through CloudFormation expects this key to have stringified JSON, and nothing else. Add an entry to this declaring the new artifact that you want to sign. Your exported variable from the CodeBuild buildspec and the `Namespace` that you declared comes into play here. You can find the name of the artifact in the value specified by `#{<namespace_name>.<exported_variable_name>}`. Create a new JSON object with the `name` key containing the environment variable name you'd like to be set, the `value` key containing something akin to `#{something.something}`, and the `type` key set to `PLAINTEXT`.
62
+
1. Within the signing CodeBuild environment, the primary source is the directory that the build starts out in. All the other input sources are what CodeBuild considers secondary sources and they get their own directories within the build environment. Those directories are stored in environment variables in the format `$CODEBUILD_SRC_DIR_<output_artifact_name>`. This allows you to locate the new artifact that needs to be signed and call the `sign_file` function with the new artifact.
63
+
1. The signing is going to generate a new file that ends in `.asc`. You have to export that out of the signing environment for it to be picked up by the Copy to S3 CodeBuild project.
64
+
1. The Copy to S3 CodeBuild project is already written to handle multiple files so no changes are required there.
65
+
52
66
## Secrets Manager access logs
53
67
54
68
There is a separate template called `audit-logs-stack.yml` that contains audit logging for the key stored in AWS Secrets Manager. You can use CloudTrail to find the `GetSecretValue` events using the Event Name filter or using `secretsmanager.amazonaws.com` as the Event Source. This applies for the last 90 days.
0 commit comments