Add CodeBuild Infra containers supporting resources #634
Conversation
SigningRepo: | ||
Type: AWS::ECR::Repository | ||
Metadata: | ||
Source: tools/infra/container/Dockerfile.signing |
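Review bot: The `Metadata.Source` value on the `SigningRepo` resource points at `tools/infra/container/Dockerfile.signing`, which is not part of this change (the thread below confirms it does not exist yet), so the metadata references a path nobody can resolve from this PR. Either add the Dockerfile in the same change or leave a comment on the resource stating that the source is a forward reference, so a reader checking the repository against its build context is not sent to a missing file.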
Couple questions:
- Unless I missed it, I haven't seen this dockerfile yet
- Why do we need a separate repo for signing?
Unless I missed it, I haven't seen this dockerfile yet
Right, it doesn't exist at this point in time.
Why do we need a separate repo for signing?
We don't necessarily have to, though my thinking is that we would want to keep the environments separate and build in the tools that are appropriately scoped to certain "boundaries" (coinciding on security and authorization boundaries). I think we could punt on this (I say "punt" because I really would like to see "principle of least privilege" at play down to the images in the form of a reduced, bespoke environment) and build/run using the same container image if it's clear that's agreed upon.
Projects producing images will utilize this tool to push images to ECR repositories as part of their build.
This uses the SSM pointers defined and provisioned in another stack that provides a pre-established parameter with the Container Image and its Tag to use.
Force-pushed d0199f7 to 8ecb5fb
Force pushed with further updates to the other stacks present (and updated the base refs to use the merged |
Related to: #630
❄️
Issue #, if available:
#592
Related PR: #616
Description of changes:
This stands up ECR repositories for use as a CodeBuild Environment Image. The required policies are applied directly to the Repository in addition to a provided Managed Policy which can be imported into other Stacks as needed to extend access to these ECR repositories.
I've wired up one of the build projects here and expect to get the others updated before this is merged (into the feature branch).
The SDK repository is added here to enable the builder to "cache" its own copy of the SDK image that can provide preloaded docker layers for buildsys to reuse if possible (it's not wired up at this time, and can certainly be dropped if that is less confusing for the time being!).
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
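The shape described in the PR description and the commit message above (an ECR repository with its policy attached directly, a managed policy other stacks can import, and an SSM parameter pointing at the image and tag) can be sketched as a single CloudFormation template. The template below is an added illustration written for this page, not the project's own stack; the repository name, the SSM parameter path and the `ImageTag` parameter are assumptions. It scopes the repository policy to CodeBuild in the owning account and grants the managed policy only the pull/push actions a build project needs on that one repository.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the project's template): ECR repository for a CodeBuild
  environment image, a pull policy for the CodeBuild service, an importable
  managed policy for build projects, and an SSM pointer to the image:tag.

Parameters:
  ImageTag:
    Type: String
    Default: latest   # assumption: the tag the builder publishes

Resources:
  BuilderRepo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: infra-builder   # hypothetical name
      ImageTagMutability: IMMUTABLE   # a tag cannot be silently re-pointed
      ImageScanningConfiguration:
        ScanOnPush: true
      # Policy applied directly to the repository: lets the CodeBuild
      # service pull the environment image, but only on behalf of this account.
      RepositoryPolicyText:
        Version: '2012-10-17'
        Statement:
          - Sid: CodeBuildPull
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId

  # Managed policy that other stacks import to extend access to this repository
  # (attach it to a build project's service role, not to people).
  BuilderRepoAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Pull and push access limited to the builder repository
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: Login
            Effect: Allow
            Action: ecr:GetAuthorizationToken
            Resource: '*'   # this API does not support resource-level scoping
          - Sid: PullAndPush
            Effect: Allow
            Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
              - ecr:InitiateLayerUpload
              - ecr:UploadLayerPart
              - ecr:CompleteLayerUpload
              - ecr:PutImage
            Resource: !GetAtt BuilderRepo.Arn

  # SSM "pointer" consumed by build projects: a pre-established parameter
  # holding the container image URI and tag to use.
  BuilderImageParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /infra/container/builder/image   # hypothetical path
      Type: String
      Value: !Sub '${BuilderRepo.RepositoryUri}:${ImageTag}'

Outputs:
  BuilderRepoAccessPolicyArn:
    Description: Import this ARN in other stacks to grant repository access
    Value: !Ref BuilderRepoAccessPolicy
    Export:
      Name: !Sub '${AWS::StackName}-BuilderRepoAccessPolicyArn'
  BuilderImageParameterName:
    Value: !Ref BuilderImageParameter
```

A consuming stack would `Fn::ImportValue` the exported policy ARN into its CodeBuild service role's `ManagedPolicyArns` and read the SSM parameter name for its environment image; keeping push rights in the managed policy rather than in the repository policy means the repository itself never grants write access to a service principal, only pull.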