From ec21928ca1b25b8cf4924bb64f1f6c13e06c3ac0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Horn=C3=A1k?= Date: Fri, 1 Dec 2023 14:09:38 +0100 Subject: [PATCH 1/9] fix: add ArtifactKeyARN param to backend services --- internal/pkg/cli/deploy/backend.go | 1 + internal/pkg/deploy/cloudformation/stack/backend_svc.go | 2 ++ internal/pkg/deploy/cloudformation/stack/workload.go | 6 ++++++ .../templates/workloads/partials/cf/executionrole.yml | 2 +- .../template/templates/workloads/services/backend/cf.yml | 3 +++ 5 files changed, 13 insertions(+), 1 deletion(-) diff --git a/internal/pkg/cli/deploy/backend.go b/internal/pkg/cli/deploy/backend.go index 8df9d749504..459363c03a7 100644 --- a/internal/pkg/cli/deploy/backend.go +++ b/internal/pkg/cli/deploy/backend.go @@ -106,6 +106,7 @@ func (d *backendSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) ( Manifest: d.backendMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, Addons: d.addons, }) diff --git a/internal/pkg/deploy/cloudformation/stack/backend_svc.go b/internal/pkg/deploy/cloudformation/stack/backend_svc.go index 61e37c55efc..175350e37d3 100644 --- a/internal/pkg/deploy/cloudformation/stack/backend_svc.go +++ b/internal/pkg/deploy/cloudformation/stack/backend_svc.go @@ -34,6 +34,7 @@ type BackendServiceConfig struct { EnvManifest *manifest.Environment Manifest *manifest.BackendService ArtifactBucketName string + ArtifactKey string RawManifest string RuntimeConfig RuntimeConfig Addons NestedStackConfigurer @@ -55,6 +56,7 @@ func NewBackendService(conf BackendServiceConfig) (*BackendService, error) { app: conf.App.Name, permBound: conf.App.PermissionsBoundary, artifactBucketName: conf.ArtifactBucketName, + artifactKey: conf.ArtifactKey, rc: conf.RuntimeConfig, image: conf.Manifest.ImageConfig.Image, rawManifest: conf.RawManifest, 
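Review bot: `ArtifactKey` in `BackendServiceConfig` receives `d.resources.KMSKeyARN` and is forwarded as the `ArtifactKeyARN` template parameter, so the field holds an ARN while its name says "key", and it diverges from the sibling `ArtifactBucketName`, which names exactly what it stores. Renaming it `ArtifactKeyARN string` and documenting it — `// ArtifactKeyARN is the ARN of the app's KMS key that encrypts the artifact bucket; it becomes the ExecutionRole's kms:Decrypt Resource, so it must be a full key ARN, never a key ID or alias.` — makes the contract visible to the three other workload types that copy this field later in the series. Nothing in `stackConfiguration` rejects an empty value, and an IAM statement with an empty Resource fails stack creation, so if `KMSKeyARN` can be unset for some apps (not visible from here) the deployer should return an error at this line rather than let CloudFormation roll back. `NewBackendService` begins and ends outside the hunk.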
diff --git a/internal/pkg/deploy/cloudformation/stack/workload.go b/internal/pkg/deploy/cloudformation/stack/workload.go
index d639fc98c4c..d49c9c221e0 100644
--- a/internal/pkg/deploy/cloudformation/stack/workload.go
+++ b/internal/pkg/deploy/cloudformation/stack/workload.go
@@ -37,6 +37,7 @@ const (
 	WorkloadTaskCountParamKey = "TaskCount"
 	WorkloadLogRetentionParamKey = "LogRetention"
 	WorkloadEnvFileARNParamKey = "EnvFileARN"
+	WorkloadArtifactKeyARNParamKey = "ArtifactKeyARN"
 	WorkloadLoggingEnvFileARNParamKey = "LoggingEnvFileARN"
 	FmtSidecarEnvFileARNParamKey = "EnvFileARNFor%s"
 
@@ -152,6 +153,7 @@ type wkld struct {
 	app string
 	permBound string
 	artifactBucketName string
+	artifactKey string
 	rc RuntimeConfig
 	image location
 	rawManifest string
@@ -374,6 +376,10 @@ func (w *ecsWkld) envFileParams() []*cloudformation.Parameter {
 			ParameterKey: aws.String(WorkloadEnvFileARNParamKey),
 			ParameterValue: aws.String(w.rc.EnvFileARNs[w.name]),
 		},
+		{
+			ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey),
+			ParameterValue: aws.String(w.wkld.artifactKey),
+		},
 	}
 	// Decide whether to inject a Log container env file. If there is log configuration
 	// in the manifest, we should inject either an empty string or the configured env file arn,
diff --git a/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml b/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml
index 88b7ef5b3c9..e0f25772c1a 100644
--- a/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml
+++ b/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml
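Review bot: The new `ArtifactKeyARN` parameter is emitted from `envFileParams()`, whose name and the comment right below ("Decide whether to inject a Log container env file") say it is about env-file injection, so the KMS wiring is hidden where nobody will look for it; a separate `artifactKeyParam()` keeps the concerns apart and gives the value a place to be documented. The value is also forwarded unchecked — `w.wkld.artifactKey` can be `""` (the unit tests in this series pin exactly that) and it becomes the `Resource` of the execution role's `kms:Decrypt` statement, which IAM rejects when empty — so the deployer should fail fast with a clear error instead of surfacing a CloudFormation rollback. `envFileParams` begins before this hunk; the excerpt below shows the extracted helper and how the hunk's list entry would call it.
```go
// artifactKeyParam exposes the app-level KMS key ARN to the template. The
// ExecutionRole uses it as the Resource of its kms:Decrypt grant, so callers
// must pass a full key ARN; an empty value renders an invalid IAM policy.
func (w *ecsWkld) artifactKeyParam() *cloudformation.Parameter {
	return &cloudformation.Parameter{
		ParameterKey:   aws.String(WorkloadArtifactKeyARNParamKey),
		ParameterValue: aws.String(w.wkld.artifactKey),
	}
}

// … unchanged: envFileParams up to the EnvFileARN entry …
		w.artifactKeyParam(),
	}
```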
@@ -40,7 +40,7 @@ ExecutionRole:
                 Action:
                   - 'kms:Decrypt'
                 Resource:
-                  - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*'
+                  - !Ref ArtifactKeyARN
       # Optional IAM permission required by ECS task def env file
       # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam
       # Example EnvFileARN: arn:aws:s3:::stackset-demo-infrastruc-pipelinebuiltartifactbuc-11dj7ctf52wyf/manual/1638391936/env
diff --git a/internal/pkg/template/templates/workloads/services/backend/cf.yml b/internal/pkg/template/templates/workloads/services/backend/cf.yml
index 5ec9c6ededf..c64f5bb3734 100644
--- a/internal/pkg/template/templates/workloads/services/backend/cf.yml
+++ b/internal/pkg/template/templates/workloads/services/backend/cf.yml
@@ -45,6 +45,9 @@ Parameters:
     Description: 'URL of the environment file for the {{$sidecar.Name}} sidecar.'
     Default: ""
   {{- end }}
+  ArtifactKeyARN:
+    Type: String
+    Description: 'KMS Key used for encrypting artifacts'
   LogRetention:
     Type: Number
     Default: 30
From cd3bb1820bfae5627c1054f45323734ba6118435 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Horn=C3=A1k?=
Date: Fri, 1 Dec 2023 14:15:18 +0100
Subject: [PATCH 2/9] fix: add ArtifactKeyARN param to Scheduled Jobs
---
 internal/pkg/cli/deploy/job.go | 1 +
 internal/pkg/deploy/cloudformation/stack/scheduled_job.go | 2 ++
 .../pkg/template/templates/workloads/jobs/scheduled-job/cf.yml | 3 +++
 3 files changed, 6 insertions(+)
diff --git a/internal/pkg/cli/deploy/job.go b/internal/pkg/cli/deploy/job.go
index 671ffdecf09..b27e64819a0 100644
--- a/internal/pkg/cli/deploy/job.go
+++ b/internal/pkg/cli/deploy/job.go
@@ -109,6 +109,7 @@ func (d *jobDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*jobSta
 		Manifest: d.jobMft,
 		RawManifest: d.rawMft,
 		ArtifactBucketName: d.resources.S3Bucket,
+		ArtifactKey: d.resources.KMSKeyARN,
 		RuntimeConfig: *rc,
 		Addons: d.addons,
 	})
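Review bot: Narrowing `kms:Decrypt` from `key/*` to `!Ref ArtifactKeyARN` is the right least-privilege move for the artifact bucket and env files, but this is the ECS task execution role, which is also the identity ECS uses to fetch any `secrets` bound to the task definition; if those Secrets Manager or SSM SecureString values are encrypted with a customer-managed key other than the app key — a path this hunk does not show, so please confirm against the rest of the policy — task launches would start failing with a KMS AccessDenied after this change. That would be a silent break for existing users, so the release notes should call it out and, if such keys are supported, the template needs a way to grant them (an extra parameter or an addon-supplied policy). Separately, `!Ref ArtifactKeyARN` turns an empty parameter into `Resource: ['']`, which IAM rejects, so the statement is only valid when callers always pass a real ARN; wrapping it in a `HasArtifactKey` condition (or validating strictly upstream) would make that failure mode explicit. The ExecutionRole resource begins and ends outside this hunk.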
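Review bot: `ArtifactKeyARN` is declared as a bare `String` with a description that never says the value is used as an IAM `Resource`, so a key ID or alias ARN — which IAM will not match for `kms:Decrypt` — passes template validation and only fails at task launch. Tighten it with something like `AllowedPattern: '^arn:[^:]+:kms:[^:]*:[0-9]{12}:key/.+$'` and `Description: 'ARN of the KMS key that encrypts the artifact bucket; granted kms:Decrypt to the task execution role.'`, which would also reject the empty string the repository's test fixtures currently pass. The identical parameter block is repeated in the scheduled-job, lb-web and worker templates later in this series; a shared partial would keep the four copies from drifting.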
diff --git a/internal/pkg/deploy/cloudformation/stack/scheduled_job.go b/internal/pkg/deploy/cloudformation/stack/scheduled_job.go index 26ebd9b335c..f68ac97b1ef 100644 --- a/internal/pkg/deploy/cloudformation/stack/scheduled_job.go +++ b/internal/pkg/deploy/cloudformation/stack/scheduled_job.go @@ -92,6 +92,7 @@ type ScheduledJobConfig struct { Env string Manifest *manifest.ScheduledJob ArtifactBucketName string + ArtifactKey string RawManifest string RuntimeConfig RuntimeConfig Addons NestedStackConfigurer @@ -113,6 +114,7 @@ func NewScheduledJob(cfg ScheduledJobConfig) (*ScheduledJob, error) { app: cfg.App.Name, permBound: cfg.App.PermissionsBoundary, artifactBucketName: cfg.ArtifactBucketName, + artifactKey: cfg.ArtifactKey, rc: cfg.RuntimeConfig, image: cfg.Manifest.ImageConfig.Image, rawManifest: cfg.RawManifest, diff --git a/internal/pkg/template/templates/workloads/jobs/scheduled-job/cf.yml b/internal/pkg/template/templates/workloads/jobs/scheduled-job/cf.yml index 00837e73904..d5626edb72a 100644 --- a/internal/pkg/template/templates/workloads/jobs/scheduled-job/cf.yml +++ b/internal/pkg/template/templates/workloads/jobs/scheduled-job/cf.yml @@ -47,6 +47,9 @@ Parameters: Description: 'URL of the environment file for the {{$sidecar.Name}} sidecar.' Default: "" {{- end }} + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: HasAddons: # If a bucket URL is specified, that means the template exists. !Not [!Equals [!Ref AddonsTemplateURL, ""]] From 07b0dc95761bbbe3946f99c6d5a9df8608e24e42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Horn=C3=A1k?= Date: Fri, 1 Dec 2023 14:17:45 +0100 Subject: [PATCH 3/9] fix: add ArtifactKeyARN param to LB web services --- internal/pkg/cli/deploy/lbws.go | 2 ++ internal/pkg/deploy/cloudformation/stack/lb_web_svc.go | 5 ++++- .../pkg/template/templates/workloads/services/lb-web/cf.yml | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) 
diff --git a/internal/pkg/cli/deploy/lbws.go b/internal/pkg/cli/deploy/lbws.go index 226ff4bc03a..565667801c3 100644 --- a/internal/pkg/cli/deploy/lbws.go +++ b/internal/pkg/cli/deploy/lbws.go @@ -5,6 +5,7 @@ package deploy import ( "fmt" + "github.com/aws/copilot-cli/internal/pkg/aws/elbv2" "github.com/aws/aws-sdk-go/aws" @@ -195,6 +196,7 @@ func (d *lbWebSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*s Manifest: d.lbMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, RootUserARN: in.RootUserARN, Addons: d.addons, diff --git a/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go b/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go index fe42a01fee3..1804c90470e 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go @@ -5,10 +5,11 @@ package stack import ( "fmt" - "github.com/aws/copilot-cli/internal/pkg/aws/elbv2" "strconv" "strings" + "github.com/aws/copilot-cli/internal/pkg/aws/elbv2" + "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/cloudformation" "github.com/aws/copilot-cli/internal/pkg/config" @@ -67,6 +68,7 @@ type LoadBalancedWebServiceConfig struct { RuntimeConfig RuntimeConfig RootUserARN string ArtifactBucketName string + ArtifactKey string Addons NestedStackConfigurer AppHostedZoneID string } @@ -109,6 +111,7 @@ func NewLoadBalancedWebService(conf LoadBalancedWebServiceConfig, app: conf.App.Name, permBound: conf.App.PermissionsBoundary, artifactBucketName: conf.ArtifactBucketName, + artifactKey: conf.ArtifactKey, rc: conf.RuntimeConfig, image: conf.Manifest.ImageConfig.Image, rawManifest: conf.RawManifest, diff --git a/internal/pkg/template/templates/workloads/services/lb-web/cf.yml b/internal/pkg/template/templates/workloads/services/lb-web/cf.yml index b42fc9801cd..62341cb0aed 100644 --- a/internal/pkg/template/templates/workloads/services/lb-web/cf.yml 
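Review bot: The import-block edits in `lbws.go` and `lb_web_svc.go` (a line inserted after `fmt`, presumably a group separator, and `elbv2` moved out of the stdlib group) are unrelated to the KMS fix and pad a security-relevant commit with formatting noise; they belong in their own `chore:` commit or should be dropped. The result is also not a consistent grouping: in `lb_web_svc.go` `elbv2` now sits alone in a group ahead of `aws-sdk-go`, while the other `copilot-cli` import (`internal/pkg/config`) stays grouped with the SDK packages, so running `goimports -local github.com/aws/copilot-cli` before pushing would settle both files the same way.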
+++ b/internal/pkg/template/templates/workloads/services/lb-web/cf.yml @@ -50,6 +50,9 @@ Parameters: Description: 'URL of the environment file for the {{$sidecar.Name}} sidecar.' Default: "" {{- end }} + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' TargetContainer: Type: String TargetPort: From 6cd0b135dc85504451d6c14cb9bfdb64dd0f32de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Horn=C3=A1k?= Date: Fri, 1 Dec 2023 14:19:14 +0100 Subject: [PATCH 4/9] fix: add ArtifactKeyARN param to Worker services --- internal/pkg/cli/deploy/worker.go | 1 + internal/pkg/deploy/cloudformation/stack/worker_svc.go | 2 ++ .../pkg/template/templates/workloads/services/worker/cf.yml | 3 +++ 3 files changed, 6 insertions(+) diff --git a/internal/pkg/cli/deploy/worker.go b/internal/pkg/cli/deploy/worker.go index faeef576a55..72a1721e666 100644 --- a/internal/pkg/cli/deploy/worker.go +++ b/internal/pkg/cli/deploy/worker.go @@ -186,6 +186,7 @@ func (d *workerSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (* Manifest: d.wsMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, Addons: d.addons, }) diff --git a/internal/pkg/deploy/cloudformation/stack/worker_svc.go b/internal/pkg/deploy/cloudformation/stack/worker_svc.go index 52cc24c8fa5..2e05280fe62 100644 --- a/internal/pkg/deploy/cloudformation/stack/worker_svc.go +++ b/internal/pkg/deploy/cloudformation/stack/worker_svc.go @@ -32,6 +32,7 @@ type WorkerServiceConfig struct { Env string Manifest *manifest.WorkerService ArtifactBucketName string + ArtifactKey string RawManifest string RuntimeConfig RuntimeConfig Addons NestedStackConfigurer 
@@ -53,6 +54,7 @@ func NewWorkerService(cfg WorkerServiceConfig) (*WorkerService, error) { app: cfg.App.Name, permBound: cfg.App.PermissionsBoundary, artifactBucketName: cfg.ArtifactBucketName, + artifactKey: cfg.ArtifactKey, rc: cfg.RuntimeConfig, image: cfg.Manifest.ImageConfig.Image, rawManifest: cfg.RawManifest, diff --git a/internal/pkg/template/templates/workloads/services/worker/cf.yml b/internal/pkg/template/templates/workloads/services/worker/cf.yml index d09915ef55c..a9898300e5d 100644 --- a/internal/pkg/template/templates/workloads/services/worker/cf.yml +++ b/internal/pkg/template/templates/workloads/services/worker/cf.yml @@ -43,6 +43,9 @@ Parameters: Description: 'URL of the environment file for the {{$sidecar.Name}} sidecar.' Default: "" {{- end }} + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 From f9dcaa1d0fdcec7565fb440efc8d4a675e85dc77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Horn=C3=A1k?= Date: Fri, 1 Dec 2023 14:33:36 +0100 Subject: [PATCH 5/9] fix: fix broken unit tests --- internal/pkg/deploy/cloudformation/stack/backend_svc_test.go | 4 ++++ internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go | 5 +++++ .../pkg/deploy/cloudformation/stack/scheduled_job_test.go | 5 +++++ internal/pkg/deploy/cloudformation/stack/worker_svc_test.go | 4 ++++ 4 files changed, 18 insertions(+) diff --git a/internal/pkg/deploy/cloudformation/stack/backend_svc_test.go b/internal/pkg/deploy/cloudformation/stack/backend_svc_test.go index d1e77c199b1..27a5ab25927 100644 --- a/internal/pkg/deploy/cloudformation/stack/backend_svc_test.go +++ b/internal/pkg/deploy/cloudformation/stack/backend_svc_test.go 
@@ -680,6 +680,10 @@ func TestBackendService_Parameters(t *testing.T) { ParameterKey: aws.String(WorkloadEnvFileARNParamKey), ParameterValue: aws.String(""), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String(""), + }, { ParameterKey: aws.String(WorkloadTargetContainerParamKey), ParameterValue: aws.String("frontend"), diff --git a/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go b/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go index 7f7da14378e..3679ecb1e95 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go @@ -552,6 +552,10 @@ func TestLoadBalancedWebService_Parameters(t *testing.T) { ParameterKey: aws.String(WorkloadEnvFileARNParamKey), ParameterValue: aws.String(""), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String(""), + }, } testCases := map[string]struct { httpsEnabled bool @@ -966,6 +970,7 @@ func TestLoadBalancedWebService_SerializedParameters(t *testing.T) { "Parameters": { "AddonsTemplateURL": "", "AppName": "phonetool", + "ArtifactKeyARN": "", "ContainerImage": "111111111111.dkr.ecr.us-west-2.amazonaws.com/phonetool/frontend:manual-bf3678c", "ContainerPort": "80", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/scheduled_job_test.go b/internal/pkg/deploy/cloudformation/stack/scheduled_job_test.go index be36a178b8d..fc0bae78ffd 100644 --- a/internal/pkg/deploy/cloudformation/stack/scheduled_job_test.go +++ b/internal/pkg/deploy/cloudformation/stack/scheduled_job_test.go 
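Review bot: Every new expectation pins `ArtifactKeyARN` to `""`, so the tests exercise exactly the value that renders an invalid IAM `Resource` in the execution role and never check that a real ARN flows from the `artifactKey` field to the parameter. At least one case in `TestBackendService_Parameters` and `TestLoadBalancedWebService_Parameters` should set `artifactKey` on the fixture to a literal such as `arn:aws:kms:us-west-2:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab` and assert it appears under `WorkloadArtifactKeyARNParamKey`; if an empty value is meant to be rejected, the test for that error belongs here too. The test functions begin before these hunks.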
@@ -496,6 +496,10 @@ func TestScheduledJob_Parameters(t *testing.T) { ParameterKey: aws.String(WorkloadEnvFileARNParamKey), ParameterValue: aws.String(""), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String(""), + }, { ParameterKey: aws.String(ScheduledJobScheduleParamKey), ParameterValue: aws.String("cron(0 0 * * ? *)"), @@ -590,6 +594,7 @@ func TestScheduledJob_SerializedParameters(t *testing.T) { "Parameters": { "AddonsTemplateURL": "", "AppName": "phonetool", + "ArtifactKeyARN": "", "ContainerImage": "111111111111.dkr.ecr.us-west-2.amazonaws.com/phonetool/frontend:manual-bf3678c", "EnvFileARN": "", "EnvName": "test", diff --git a/internal/pkg/deploy/cloudformation/stack/worker_svc_test.go b/internal/pkg/deploy/cloudformation/stack/worker_svc_test.go index d59863b3191..507900bfef1 100644 --- a/internal/pkg/deploy/cloudformation/stack/worker_svc_test.go +++ b/internal/pkg/deploy/cloudformation/stack/worker_svc_test.go @@ -325,5 +325,9 @@ func TestWorkerService_Parameters(t *testing.T) { ParameterKey: aws.String(WorkloadEnvFileARNParamKey), ParameterValue: aws.String(""), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String(""), + }, }, params) } From 203193edfe3d0bbe7094dfd3fc4dbb979c2c4944 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bence=20Horn=C3=A1k?= Date: Sat, 2 Dec 2023 08:51:12 +0100 Subject: [PATCH 6/9] test: adjust test cases --- .../cloudformation/stack/testdata/stacklocal/cf.params.json | 1 + .../testdata/workloads/backend/http-autoscaling-params.json | 1 + .../testdata/workloads/backend/http-autoscaling-template.yml | 5 ++++- .../testdata/workloads/backend/http-full-config-params.json | 1 + .../testdata/workloads/backend/http-full-config-template.yml | 5 ++++- .../testdata/workloads/backend/http-only-path-params.json | 1 + .../testdata/workloads/backend/http-only-path-template.yml | 5 ++++- .../testdata/workloads/backend/https-path-alias-params.json | 1 + .../testdata/workloads/backend/https-path-alias-template.yml | 5 ++++- .../workloads/backend/simple-params-without-port-config.json | 1 + .../stack/testdata/workloads/backend/simple-params.json | 1 + .../backend/simple-template-without-port-config.yml | 5 ++++- .../stack/testdata/workloads/backend/simple-template.yml | 5 ++++- .../stack/testdata/workloads/job-test.params.json | 1 + .../stack/testdata/workloads/job-test.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-grpc-test.params.json | 1 + .../stack/testdata/workloads/svc-grpc-test.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-nlb-dev.params.json | 1 + .../stack/testdata/workloads/svc-nlb-dev.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-nlb-prod.params.json | 1 + .../stack/testdata/workloads/svc-nlb-prod.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-nlb-test.params.json | 1 + .../stack/testdata/workloads/svc-nlb-test.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-prod.params.json | 1 + .../stack/testdata/workloads/svc-prod.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-staging.params.json | 1 + .../stack/testdata/workloads/svc-staging.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-test.params.json | 1 + .../stack/testdata/workloads/svc-test.stack.yml | 5 ++++- .../stack/testdata/workloads/windows-svc-test.params.json 
| 1 + .../stack/testdata/workloads/windows-svc-test.stack.yml | 5 ++++- .../stack/testdata/workloads/worker-test.params.json | 1 + .../stack/testdata/workloads/worker-test.stack.yml | 5 ++++- 33 files changed, 81 insertions(+), 16 deletions(-) diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/cf.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/cf.params.json index d092a66f1ba..5daccff785b 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/cf.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/cf.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "mockImageURL:latest", "ContainerPort": "5000", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json index 8bf31af09cb..cac4dc7fdcf 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json @@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", + "ArtifactKeyARN": "", "TargetContainer": "http-autoscaling", "TargetPort": "8080", "RulePath": "http-autoscaling-path", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml index 3462caf5799..7fd26eba2bd 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml 
@@ -29,6 +29,9 @@ Parameters: Description: "URL of the environment file." Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -153,7 +156,7 @@ Resources: Action: - "kms:Decrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*" + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json index d8d06a99bc9..5c8b14f203b 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json @@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", + "ArtifactKeyARN": "", "EnvFileARNForfluentbit": "", "TargetContainer": "http-full-config", "TargetPort": "8081", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml index 17a2b2c2bf0..5aad68427ca 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml @@ -33,6 +33,9 @@ Parameters: Description: "URL of the environment file." Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 
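Review bot: The golden templates now render `Resource: - !Ref ArtifactKeyARN` while their paired `*-params.json` fixtures supply `"ArtifactKeyARN": ""`, so the expected output these tests lock in is a stack whose execution-role policy IAM would reject (an empty Resource); the fixtures should carry a realistic key ARN so the goldens describe a deployable stack. Since every params fixture in this commit was touched anyway, using one shared literal across them would make reviewing these 33 files trivial.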
@@ -188,7 +191,7 @@ Resources: Action: - "kms:Decrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*" + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json index 56ec85eff0a..4753dd68554 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json @@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", + "ArtifactKeyARN": "", "TargetContainer": "http-only-path", "TargetPort": "8080", "RulePath": "http-only-path-path", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml index 4a8419b5a1d..212cd72614d 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml @@ -29,6 +29,9 @@ Parameters: Description: "URL of the environment file." Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -153,7 +156,7 @@ Resources: Action: - "kms:Decrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*" + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam 
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json index a4dd3947157..def3457f8f0 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json @@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "80", "EnvFileARN": "", + "ArtifactKeyARN": "", "TargetContainer": "https-path-alias", "TargetPort": "80", "RulePath": "https-path-alias-path", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml index 226f8d55589..768bc6b95f4 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml @@ -29,6 +29,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -137,7 +140,7 @@ Resources: Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json index 7ae5bceaab2..4f622357822 100644 
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json @@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "-1", "EnvFileARN": "", + "ArtifactKeyARN": "", "TargetContainer": "simple-backend", "TargetPort": "-1" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json index b323326f94d..18d412f267f 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json @@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", + "ArtifactKeyARN": "", "TargetContainer": "simple-backend", "TargetPort": "8080" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml index 058aa9b0c62..050ed625703 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml @@ -29,6 +29,9 @@ Parameters: Description: "URL of the environment file." Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 
@@ -143,7 +146,7 @@ Resources: Action: - "kms:Decrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*" + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml index 3a5e0a544d5..4725ef12beb 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml @@ -29,6 +29,9 @@ Parameters: Description: "URL of the environment file." Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -146,7 +149,7 @@ Resources: Action: - "kms:Decrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*" + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json index 873a9d82462..81d86c5e96a 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "alpine", "EnvFileARN": "", "EnvFileARNFornginx": "", 
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml index 7fbea528fe3..1f8c72375ad 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml @@ -31,6 +31,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' EnvFileARNFornginx: Description: 'URL of the environment file for the nginx sidecar.' Type: String @@ -283,7 +286,7 @@ Resources: Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If - HasEnvFile - PolicyName: !Join ['', [!Ref AppName, '-', !Ref EnvName, '-', !Ref WorkloadName, GetEnvFilePolicy]] diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json index d2416d9429e..aa503a518bf 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "", "ContainerPort": "50051", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml index 7bd4f2aec59..d72629ee460 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml 
@@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' TargetContainer: Type: String TargetPort: @@ -151,7 +154,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json index 3e6cc384e65..04fa788e6f1 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "true", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml index aa5de012278..6c9f42d152e 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' NLBAliases: Type: String Default: "" 
@@ -150,7 +153,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json index 09bfe66c09e..c3db5a3aad6 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "true", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml index 28ba3105731..11bf6e9634d 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' EnvFileARNFornginx: Description: 'URL of the environment file for the nginx sidecar.' Type: String 
@@ -208,7 +211,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json index 59c43adb725..0fb0d2ecb29 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "true", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml index 0548fb3cf0e..23bfd98c1f2 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' NLBAliases: Type: String Default: "" @@ -145,7 +148,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam 
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json index 44a0e1d56e9..83f9c696e03 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "", "ContainerPort": "4000", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml index ee8b5829916..287e183479a 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LoggingEnvFileARN: Description: 'URL of the environment file for the logging sidecar.' Type: String @@ -309,7 +312,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If - HasEnvFile - PolicyName: !Join ['', [!Ref AppName, '-', !Ref EnvName, '-', !Ref WorkloadName, GetEnvFilePolicy]] diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json index 74ede637a1c..e83a62bdd16 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json 
@@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "123456789000.dkr.ecr.us-east-1.amazonaws.com/vault/e2e:cicdtest", "ContainerPort": "4000", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml index a5547f648f7..5bb7172eb61 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' TargetContainer: Type: String TargetPort: @@ -153,7 +156,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json index 1ad135acb1d..b361a5f7b64 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "", "ContainerPort": "4000", "DNSDelegated": "false", 
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml index 7ee2f7c9a41..0e646a28113 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' TargetContainer: Type: String TargetPort: @@ -151,7 +154,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json index 7222f6607db..c5db4193c67 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml index 40b7a16c9ab..93dea51c69e 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml 
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' TargetContainer: Type: String TargetPort: @@ -142,7 +145,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json index 752c4dd48eb..29d8499e050 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "amazon/ecs-example", "EnvFileARN": "", "EnvName": "test", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml index 5c449beb4a1..93b4a61f9f9 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml @@ -130,6 +130,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 
@@ -251,7 +254,7 @@ Resources: Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If - HasEnvFile - PolicyName: !Join ['', [!Ref AppName, '-', !Ref EnvName, '-', !Ref WorkloadName, GetEnvFilePolicy]] From 6308cf60278e84a25666565c213591a27489ac04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Horn=C3=A1k?= Date: Sat, 2 Dec 2023 09:06:31 +0100 Subject: [PATCH 7/9] fix: add ArtifactKeyARN param to RD web services --- internal/pkg/cli/deploy/rdws.go | 1 + internal/pkg/deploy/cloudformation/stack/rd_web_svc.go | 2 ++ .../stack/testdata/workloads/rdws-prod.stack.yml | 3 +++ .../stack/testdata/workloads/rdws-test.stack.yml | 5 ++++- .../templates/workloads/partials/cf/instancerole.yml | 2 +- .../pkg/template/templates/workloads/services/rd-web/cf.yml | 3 +++ 6 files changed, 14 insertions(+), 2 deletions(-) diff --git a/internal/pkg/cli/deploy/rdws.go b/internal/pkg/cli/deploy/rdws.go index c13ef5581e3..afbdc9c11a8 100644 --- a/internal/pkg/cli/deploy/rdws.go +++ b/internal/pkg/cli/deploy/rdws.go @@ -153,6 +153,7 @@ func (d *rdwsDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*rdwsS Manifest: d.rdwsMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, Addons: d.addons, }) diff --git a/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go b/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go index a6f3f55a9b7..53d9f3a2a20 100644 --- a/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go +++ b/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go @@ -55,6 +55,7 @@ type RequestDrivenWebServiceConfig struct { Manifest *manifest.RequestDrivenWebService RawManifest string ArtifactBucketName string + ArtifactKey string RuntimeConfig RuntimeConfig Addons NestedStackConfigurer } 
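Review bot: The new exported field `ArtifactKey string` in RequestDrivenWebServiceConfig has no doc comment, and its name says "key" while the value wired in from rdws.go is `d.resources.KMSKeyARN` and the template parameter it feeds is `ArtifactKeyARN`, so a caller cannot tell from the struct whether a key ID, an alias or a full ARN is expected. Because the value ends up as an IAM `Resource` element (`!Ref ArtifactKeyARN` in instancerole.yml), and IAM accepts only ARNs or `*` there, the distinction matters at deploy time. Add `// ArtifactKey is the ARN of the KMS key that encrypts the artifact bucket; the instance role is granted kms:Decrypt on this key only. Key IDs and aliases are not accepted.` above the field, matching the comment style of the neighbouring fields if they have one. Renaming the field to ArtifactKeyARN would be clearer still but changes the exported interface. The struct definition starts before this hunk.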
@@ -75,6 +76,7 @@ func NewRequestDrivenWebService(cfg RequestDrivenWebServiceConfig) (*RequestDriv app: cfg.App.Name, permBound: cfg.App.PermissionsBoundary, artifactBucketName: cfg.ArtifactBucketName, + artifactKey: cfg.ArtifactKey, rc: cfg.RuntimeConfig, image: cfg.Manifest.ImageConfig.Image, rawManifest: cfg.RawManifest, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-prod.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-prod.stack.yml index 5e1a6ed2aa7..2b84e637823 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-prod.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-prod.stack.yml @@ -40,6 +40,9 @@ Parameters: Description: 'URL of the addons nested stack template within the S3 bucket.' Type: String Default: '' + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: # App Runner will not accept an AccessRole for ImageRepositoryTypes other than ECR. diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml index adfc49dcbd7..afc31e355ca 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml @@ -40,6 +40,9 @@ Parameters: Description: 'URL of the addons nested stack template within the S3 bucket.' Type: String Default: '' + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: # App Runner will not accept an AccessRole for ImageRepositoryTypes other than ECR. @@ -125,7 +128,7 @@ Resources: Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - PolicyName: 'Publish2SNS' PolicyDocument: Version: '2012-10-17' 
diff --git a/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml b/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml index 31f0f991f9d..8d6342822b5 100644 --- a/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml +++ b/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml @@ -57,7 +57,7 @@ InstanceRole: Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN {{- end }} {{- if .Publish }} {{- if .Publish.Topics }} diff --git a/internal/pkg/template/templates/workloads/services/rd-web/cf.yml b/internal/pkg/template/templates/workloads/services/rd-web/cf.yml index 6602f010ee8..ff8bbe3d2ff 100644 --- a/internal/pkg/template/templates/workloads/services/rd-web/cf.yml +++ b/internal/pkg/template/templates/workloads/services/rd-web/cf.yml @@ -44,6 +44,9 @@ Parameters: Description: 'URL of the addons nested stack template within the S3 bucket.' Type: String Default: '' + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: # App Runner will not accept an AccessRole for ImageRepositoryTypes other than ECR. From 29105f03f9bed57688117f7b1c3ab2962c4fb8e7 Mon Sep 17 00:00:00 2001 
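Review bot: The parameter behind the new `Resource: - !Ref ArtifactKeyARN` line is unvalidated, so the least-privilege narrowing from `key/*` to the single artifact key now makes role creation fail on any value that is not a full key ARN — an empty string, a bare key ID or an alias is rejected by IAM, and the ArtifactKeyARN parameter as declared in rd-web/cf.yml carries neither a Default nor an AllowedPattern. Adding `AllowedPattern: '^arn:[^:]+:kms:[^:]+:[0-9]{12}:key/.+$'` to the parameter (or validating the ARN in the deployer before CreateStack) turns a failed role creation into an immediate parameter error. The `{{- end }}` directly after the Resource shows this statement is only emitted under a template condition, while the parameter is declared unconditionally; the rdws-prod fixture in this patch gaining only the parameter lines suggests some rendered stacks will declare ArtifactKeyARN without referencing it, which cfn-lint reports as W2001 — giving the parameter a Default or guarding its declaration with the same condition avoids that. The InstanceRole resource begins before this hunk.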
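Review bot: The Description on the new ArtifactKeyARN parameter, 'KMS Key used for encrypting artifacts', does not say what form the value must take or what this stack does with it, and since the value is consumed as an IAM Resource it has to be the key's ARN rather than a key ID or alias. Suggest `Description: 'ARN of the KMS key that encrypts the artifact bucket. The instance role is granted kms:Decrypt on this key only.'`. The same wording appears verbatim in every other workload template and fixture in this series, so it should be changed consistently wherever the parameter is declared.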
From: =?UTF-8?q?Bence=20Horn=C3=A1k?= Date: Mon, 4 Dec 2023 09:37:24 +0100 Subject: [PATCH 8/9] test: add dummy ArtifactKey params --- .../deploy/cloudformation/stack/backend_svc_integration_test.go | 1 + .../stack/lb_grpc_web_service_integration_test.go | 1 + .../stack/lb_network_web_service_integration_test.go | 1 + .../cloudformation/stack/lb_web_service_integration_test.go | 1 + .../cloudformation/stack/scheduled_job_integration_test.go | 1 + .../testdata/workloads/backend/http-autoscaling-params.json | 2 +- .../testdata/workloads/backend/http-full-config-params.json | 2 +- .../stack/testdata/workloads/backend/http-only-path-params.json | 2 +- .../testdata/workloads/backend/https-path-alias-params.json | 2 +- .../workloads/backend/simple-params-without-port-config.json | 2 +- .../stack/testdata/workloads/backend/simple-params.json | 2 +- .../stack/testdata/workloads/job-test.params.json | 2 +- .../stack/testdata/workloads/svc-grpc-test.params.json | 2 +- .../stack/testdata/workloads/svc-nlb-dev.params.json | 2 +- .../stack/testdata/workloads/svc-nlb-prod.params.json | 2 +- .../stack/testdata/workloads/svc-nlb-test.params.json | 2 +- .../stack/testdata/workloads/svc-prod.params.json | 2 +- .../stack/testdata/workloads/svc-staging.params.json | 2 +- .../stack/testdata/workloads/svc-test.params.json | 2 +- .../stack/testdata/workloads/windows-svc-test.params.json | 2 +- .../stack/testdata/workloads/worker-test.params.json | 2 +- .../stack/windows_lb_web_service_integration_test.go | 1 + .../cloudformation/stack/worker_service_integration_test.go | 1 + 23 files changed, 23 insertions(+), 16 deletions(-) diff --git a/internal/pkg/deploy/cloudformation/stack/backend_svc_integration_test.go b/internal/pkg/deploy/cloudformation/stack/backend_svc_integration_test.go index 86055313494..7967e09e455 100644 --- a/internal/pkg/deploy/cloudformation/stack/backend_svc_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/backend_svc_integration_test.go 
@@ -98,6 +98,7 @@ func TestBackendService_TemplateAndParamsGeneration(t *testing.T) { }, EnvManifest: envConfig, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", Manifest: mft.(*manifest.BackendService), RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: fmt.Sprintf("%s.%s.local", envName, appName), diff --git a/internal/pkg/deploy/cloudformation/stack/lb_grpc_web_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/lb_grpc_web_service_integration_test.go index d57166869da..bd14b078577 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_grpc_web_service_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_grpc_web_service_integration_test.go @@ -86,6 +86,7 @@ func TestGrpcLoadBalancedWebService_Template(t *testing.T) { EnvManifest: envConfig, Manifest: v, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: svcDiscoveryEndpointName, AccountID: "123456789123", diff --git a/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go index d61176f6d51..4d3a61b3f88 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go @@ -106,6 +106,7 @@ func TestNetworkLoadBalancedWebService_Template(t *testing.T) { EnvManifest: envConfig, Manifest: v, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: svcDiscoveryEndpointName, AccountID: "123456789123", 
diff --git a/internal/pkg/deploy/cloudformation/stack/lb_web_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/lb_web_service_integration_test.go index 98dfe46aeeb..5853afcbcc9 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_web_service_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_web_service_integration_test.go @@ -132,6 +132,7 @@ func TestLoadBalancedWebService_TemplateInteg(t *testing.T) { EnvManifest: envConfig, Manifest: v, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: svcDiscoveryEndpointName, AccountID: "123456789123", diff --git a/internal/pkg/deploy/cloudformation/stack/scheduled_job_integration_test.go b/internal/pkg/deploy/cloudformation/stack/scheduled_job_integration_test.go index ecccb46de19..ee61dd7ba3c 100644 --- a/internal/pkg/deploy/cloudformation/stack/scheduled_job_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/scheduled_job_integration_test.go @@ -69,6 +69,7 @@ func TestScheduledJob_Template(t *testing.T) { Env: envName, Manifest: v, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: "test.my-app.local", AccountID: "123456789123", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json index cac4dc7fdcf..d924c14223f 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json 
@@ -11,7 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "TargetContainer": "http-autoscaling", "TargetPort": "8080", "RulePath": "http-autoscaling-path", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json index 5c8b14f203b..5d5d88d972b 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json @@ -11,7 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "EnvFileARNForfluentbit": "", "TargetContainer": "http-full-config", "TargetPort": "8081", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json index 4753dd68554..5f3f64b6075 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json @@ -11,7 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "TargetContainer": "http-only-path", "TargetPort": "8080", "RulePath": "http-only-path-path", 
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json index def3457f8f0..a5da4ce5482 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json @@ -11,7 +11,7 @@ "LogRetention": "30", "ContainerPort": "80", "EnvFileARN": "", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "TargetContainer": "https-path-alias", "TargetPort": "80", "RulePath": "https-path-alias-path", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json index 4f622357822..193e4ab8564 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json @@ -11,7 +11,7 @@ "LogRetention": "30", "ContainerPort": "-1", "EnvFileARN": "", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "TargetContainer": "simple-backend", "TargetPort": "-1" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json index 18d412f267f..4aff9fd94cb 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json 
@@ -11,7 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "TargetContainer": "simple-backend", "TargetPort": "8080" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json index 81d86c5e96a..bfa8723f9c3 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json @@ -2,7 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "alpine", "EnvFileARN": "", "EnvFileARNFornginx": "", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json index aa503a518bf..fdcfd38d1c3 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json @@ -2,7 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "50051", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json index 04fa788e6f1..1c8a1c4616d 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json 
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json @@ -2,7 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "true", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json index c3db5a3aad6..aea1666ad7e 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json @@ -2,7 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "true", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json index 0fb0d2ecb29..d6ab0166b8c 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json @@ -2,7 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "true", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json index 83f9c696e03..32ccf5eb4c2 100644 
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json @@ -2,7 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "4000", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json index e83a62bdd16..0f528e74f3f 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json @@ -2,7 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "123456789000.dkr.ecr.us-east-1.amazonaws.com/vault/e2e:cicdtest", "ContainerPort": "4000", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json index b361a5f7b64..5cdcaaaf330 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json @@ -2,7 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "4000", "DNSDelegated": "false", 
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json index c5db4193c67..c63c12b5c11 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json @@ -2,7 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json index 29d8499e050..238d4bded46 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json @@ -2,7 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", - "ArtifactKeyARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "amazon/ecs-example", "EnvFileARN": "", "EnvName": "test", diff --git a/internal/pkg/deploy/cloudformation/stack/windows_lb_web_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/windows_lb_web_service_integration_test.go index 4b18af30301..20fa8ed3160 100644 --- a/internal/pkg/deploy/cloudformation/stack/windows_lb_web_service_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/windows_lb_web_service_integration_test.go 
@@ -71,6 +71,7 @@ func TestWindowsLoadBalancedWebService_Template(t *testing.T) {
},
},
ArtifactBucketName: "bucket",
+ ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
Manifest: v,
RuntimeConfig: stack.RuntimeConfig{
AccountID: "123456789123",
diff --git a/internal/pkg/deploy/cloudformation/stack/worker_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/worker_service_integration_test.go
index 84c42fa623f..671f3d00f1e 100644
--- a/internal/pkg/deploy/cloudformation/stack/worker_service_integration_test.go
+++ b/internal/pkg/deploy/cloudformation/stack/worker_service_integration_test.go
@@ -69,6 +69,7 @@ func TestWorkerService_Template(t *testing.T) {
Env: envName,
Manifest: v,
ArtifactBucketName: "bucket",
+ ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
RawManifest: string(manifestBytes),
RuntimeConfig: stack.RuntimeConfig{
ServiceDiscoveryEndpoint: "test.my-app.local",
From 2b82bb3a7f43ce7e6560b5728ebfcc267aa0a51c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Horn=C3=A1k?=
Date: Mon, 4 Dec 2023 10:00:50 +0100
Subject: [PATCH 9/9] refactor: add ArtifactKeyARN parameter to Static Site
---
internal/pkg/cli/deploy/static_site.go | 1 +
internal/pkg/deploy/cloudformation/stack/static_site.go | 6 ++++++
.../cloudformation/stack/static_site_integration_test.go | 1 +
.../pkg/deploy/cloudformation/stack/static_site_test.go | 9 ++++++++-
.../testdata/workloads/static-site-test.params.json | 1 +
.../stack/testdata/workloads/static-site-test.stack.yml | 7 ++++---
.../stack/testdata/workloads/static-site.params.json | 1 +
.../stack/testdata/workloads/static-site.stack.yml | 7 ++++---
.../templates/workloads/services/static-site/cf.yml | 7 ++++---
9 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/internal/pkg/cli/deploy/static_site.go b/internal/pkg/cli/deploy/static_site.go
index 92426cabbab..794825e23e3 100644
--- a/internal/pkg/cli/deploy/static_site.go +++ b/internal/pkg/cli/deploy/static_site.go @@ -177,6 +177,7 @@ func (d *staticSiteDeployer) stackConfiguration(in *StackRuntimeConfiguration) ( Manifest: d.staticSiteMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, RootUserARN: in.RootUserARN, Addons: d.addons, diff --git a/internal/pkg/deploy/cloudformation/stack/static_site.go b/internal/pkg/deploy/cloudformation/stack/static_site.go index 6c2280bb224..40cd2511a27 100644 --- a/internal/pkg/deploy/cloudformation/stack/static_site.go +++ b/internal/pkg/deploy/cloudformation/stack/static_site.go @@ -37,6 +37,7 @@ type StaticSiteConfig struct { RuntimeConfig RuntimeConfig RootUserARN string ArtifactBucketName string + ArtifactKey string Addons NestedStackConfigurer AssetMappingURL string AppHostedZoneID string @@ -69,6 +70,7 @@ func NewStaticSite(cfg *StaticSiteConfig) (*StaticSite, error) { app: cfg.App.Name, permBound: cfg.App.PermissionsBoundary, artifactBucketName: cfg.ArtifactBucketName, + artifactKey: cfg.ArtifactKey, rc: cfg.RuntimeConfig, rawManifest: cfg.RawManifest, parser: fs, @@ -167,6 +169,10 @@ func (s *StaticSite) Parameters() ([]*cloudformation.Parameter, error) { ParameterKey: aws.String(WorkloadAddonsTemplateURLParamKey), ParameterValue: aws.String(s.rc.AddonsTemplateURL), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String(s.wkld.artifactKey), + }, }, nil } diff --git a/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go b/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go index cd2706f339c..cb965e3861e 100644 --- a/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go 
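Review bot: `Parameters()` now emits `WorkloadArtifactKeyARNParamKey` from `s.wkld.artifactKey` unconditionally, and the `NewStaticSite` hunk stores `cfg.ArtifactKey` without any check, while the static-site template declares `ArtifactKeyARN` with no `Default` and the only consumer of it is the `kms:Decrypt` statement's `Resource`. If `d.resources.KMSKeyARN` can ever be empty for an existing app, the deployment would fail only at CloudFormation time with a policy-document error instead of at the CLI, and the cause would be hard to trace back. Consider failing fast in the constructor before the struct literal, e.g. `if cfg.ArtifactKey == "" { return nil, errors.New("artifact KMS key ARN is required for a static site stack") }` (or whatever error style the file already uses). Both `NewStaticSite` and `Parameters()` start outside their hunks, so check whether such validation already exists earlier in those bodies.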
@@ -103,6 +103,7 @@ func TestStaticSiteService_TemplateAndParamsGeneration(t *testing.T) { Region: "us-west-2", }, ArtifactBucketName: "stackset-bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", AssetMappingURL: "s3://stackset-bucket/mappingfile", RootUserARN: "arn:aws:iam::123456789123:root", AppHostedZoneID: "Z00DEF", diff --git a/internal/pkg/deploy/cloudformation/stack/static_site_test.go b/internal/pkg/deploy/cloudformation/stack/static_site_test.go index b67e8f8bd2d..8fa6265d85f 100644 --- a/internal/pkg/deploy/cloudformation/stack/static_site_test.go +++ b/internal/pkg/deploy/cloudformation/stack/static_site_test.go @@ -269,6 +269,10 @@ func TestStaticSite_Parameters(t *testing.T) { ParameterKey: aws.String(WorkloadAddonsTemplateURLParamKey), ParameterValue: aws.String("mockURL"), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"), + }, }, }, } @@ -291,7 +295,8 @@ func TestStaticSite_Parameters(t *testing.T) { Name: aws.String(testEnvName), }, }, - Manifest: testManifest, + Manifest: testManifest, + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", }) require.NoError(t, err) @@ -328,6 +333,7 @@ func TestStaticSite_SerializedParameters(t *testing.T) { "owner": "copilot", }, }, + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", }) params, err := c.SerializedParameters() require.NoError(t, err) @@ -335,6 +341,7 @@ func TestStaticSite_SerializedParameters(t *testing.T) { "Parameters": { "AddonsTemplateURL": "", "AppName": "phonetool", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "EnvName": "test", "WorkloadName": "frontend" }, 
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.params.json index 9f107ee1f44..f5a7e13d05a 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "EnvName": "test", "WorkloadName": "static" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.stack.yml index 3445c5205d6..3a822c9a3c6 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.stack.yml @@ -15,6 +15,9 @@ Parameters: Description: URL of the addons nested stack template within the S3 bucket. Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: HasAddons: !Not [!Equals [!Ref AddonsTemplateURL, ""]] @@ -286,9 +289,7 @@ Resources: - arn:aws:s3:::stackset-bucket/local-assets/* - Effect: Allow Action: kms:Decrypt - Resource: - Fn::ImportValue: - !Sub "${AppName}-ArtifactKey" + Resource: !Ref ArtifactKeyARN Condition: StringEquals: kms:EncryptionContext:aws:s3:arn: "arn:aws:s3:::stackset-bucket" diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.params.json index 9276eab4a18..cab0cc72033 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.params.json 
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "EnvName": "my-env", "WorkloadName": "static" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml index bfaa26debdc..2f05401cedf 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml @@ -15,6 +15,9 @@ Parameters: Description: URL of the addons nested stack template within the S3 bucket. Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: HasAddons: !Not [!Equals [!Ref AddonsTemplateURL, ""]] @@ -292,9 +295,7 @@ Resources: - arn:aws:s3:::stackset-bucket/local-assets/* - Effect: Allow Action: kms:Decrypt - Resource: - Fn::ImportValue: - !Sub "${AppName}-ArtifactKey" + Resource: !Ref ArtifactKeyARN Condition: StringEquals: kms:EncryptionContext:aws:s3:arn: "arn:aws:s3:::stackset-bucket" diff --git a/internal/pkg/template/templates/workloads/services/static-site/cf.yml b/internal/pkg/template/templates/workloads/services/static-site/cf.yml index 886624acc84..5458dd63b30 100644 --- a/internal/pkg/template/templates/workloads/services/static-site/cf.yml +++ b/internal/pkg/template/templates/workloads/services/static-site/cf.yml @@ -27,6 +27,9 @@ Parameters: Description: URL of the addons nested stack template within the S3 bucket. Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: HasAddons: !Not [!Equals [!Ref AddonsTemplateURL, ""]] 
@@ -329,9 +332,7 @@ Resources: - arn:aws:s3:::{{.AssetMappingFileBucket}}/local-assets/* - Effect: Allow Action: kms:Decrypt - Resource: - Fn::ImportValue: - !Sub "${AppName}-ArtifactKey" + Resource: !Ref ArtifactKeyARN Condition: StringEquals: kms:EncryptionContext:aws:s3:arn: "arn:aws:s3:::{{.AssetMappingFileBucket}}"
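Review bot: `Resource: !Ref ArtifactKeyARN` is bound to a plain `Type: String` parameter with no `AllowedPattern` (the Parameters hunk earlier in this file, and the same definition repeated in the static-site-test.stack.yml and static-site.stack.yml testdata), so any value — including an empty string — passes parameter validation and is only rejected when IAM refuses the policy document at stack create/update time. Constraining it to a KMS key ARN makes a wrong or missing value fail early with a clear message: `AllowedPattern: '^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/.+$'` (a constructed pattern; align it with the project's existing ARN patterns and regenerate the two testdata stacks). Worth noting in the description as well that replacing the `${AppName}-ArtifactKey` import drops the CloudFormation export dependency that previously blocked removing that export while this stack still referenced it; if the app stack still exports the key, that coupling now rests entirely on the CLI passing `d.resources.KMSKeyARN` consistently. The `Description: 'KMS Key used for encrypting artifacts'` could also state that this is the key ARN the stack is granted `kms:Decrypt` on, since that is the only permission it drives here.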