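---
# Builds a Nitro Enclave image file (EIF) from a CodeCommit repository with
# CodeBuild, uploads it to an S3 bucket owned by another account, and then
# pins the enclave KMS key policy (exported by another stack as EnclaveKeyARN)
# to the PCR0 measurement of the image that was just built.
AWSTemplateFormatVersion: "2010-09-09"
Description: AWS resources for building and storing a nitro enclave image file in an external S3 bucket

Parameters:
  CodeCommitRepositoryName:
    Type: String
    Description: CodeCommit repository name that contains the server application files
    MinLength: 1
    # Interpolated into the CodeCommit ARN that CodeBuildRole may pull from;
    # the pattern keeps IAM wildcards and path separators out of that ARN.
    AllowedPattern: "[A-Za-z0-9._-]+"

  ExternalBucketName:
    Type: String
    Description: S3 bucket name to use for sharing files
    MinLength: 1
    # Interpolated into the s3:PutObject Resource ARN; same reasoning as above.
    AllowedPattern: "[A-Za-z0-9._-]+"

  ExternalBucketPath:
    Type: String
    Description: S3 path inside bucket where to store the nitro enclave image
    MinLength: 1
    # Object key prefix only; the buildspec appends nitro-enclave-image.eif.
    Default: "enclave"

  ExternalBucketEncryptionKeyArn:
    Type: String
    Description: ARN for the external bucket encryption key
    MinLength: 1
    # Must be a key ARN (not an alias ARN): it is used verbatim as the Resource
    # of the kms:Decrypt / kms:GenerateDataKey statement below, and an
    # unconstrained value such as "*" would widen that grant to every key.
    AllowedPattern: "arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/[A-Za-z0-9-]+"

  ExternalBucketAWSAccountNumber:
    Type: String
    Description: AWS account number
    MinLength: 12
    MaxLength: 12
    # Passed as --expected-bucket-owner on upload, so the write fails instead of
    # landing in a same-named bucket owned by a different account.
    AllowedPattern: "[0-9]+"

Resources:
  # Execution role for CodeBuildProject. Scoped to the CodeCommit repository,
  # the objects of the external bucket and the two KMS keys the buildspec
  # touches; only the CloudWatch Logs statement uses "*", which is what the
  # W11 suppression covers.
  CodeBuildRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "Asterisks are required"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: CodeBuildPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: CloudWatchLogsPolicy
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource:
                  - "*"
              - Sid: CodeCommitPolicy
                Effect: Allow
                Action:
                  - "codecommit:GitPull"
                Resource:
                  - !Sub "arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${CodeCommitRepositoryName}"
              # Write-only access. PutObjectAcl is needed for the
              # --acl bucket-owner-full-control flag used by the upload command.
              # The bucket policy in the external account must grant this role
              # as well; that is outside this template.
              - Sid: S3WritePolicy
                Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:PutObjectAcl
                Resource:
                  - !Sub "arn:aws:s3:::${ExternalBucketName}/*"
              # kms:PutKeyPolicy replaces the entire key policy, not only the
              # attestation condition the buildspec edits, so this role is
              # effectively an administrator of the enclave key. KMS also
              # authorizes through the key policy itself, so the exporting
              # stack's policy has to allow this role too - confirm there.
              - Sid: KMSPolicy
                Effect: Allow
                Action:
                  - kms:GetKeyPolicy
                  - kms:PutKeyPolicy
                Resource:
                  - !ImportValue EnclaveKeyARN
              # Needed for the SSE-KMS upload into the external bucket.
              - Sid: KMSAccessPolicyExternalKey
                Effect: Allow
                Action:
                  - kms:Decrypt
                  - kms:GenerateDataKey
                Resource:
                  - !Ref ExternalBucketEncryptionKeyArn

  # The build itself. No CodeBuild artifacts are produced (hence the W32
  # suppression): the EIF is uploaded to S3 directly by the buildspec.
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W32
            reason: "No build output artifacts to encrypt"
    Properties:
      Name: nitro-image-builder
      Description: >-
        The project generates an enclave image file and uploads it to the
        provided target location. It also updates the KMS key resource policy
        to restrict decryption using the enclave's security attestation.
      ServiceRole: !GetAtt CodeBuildRole.Arn
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        # ARM build container; the Docker/EIF images built here follow the host
        # architecture, so the parent instance must be aarch64 as well - confirm.
        Type: ARM_CONTAINER
        Image: "aws/codebuild/amazonlinux2-aarch64-standard:2.0"
        # Required because the build phase runs `docker build`.
        PrivilegedMode: true
        EnvironmentVariables:
          - Name: ENCLAVE_KEY_ARN
            Value: !ImportValue EnclaveKeyARN
      Source:
        Type: CODECOMMIT
        Location: !Sub "https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${CodeCommitRepositoryName}"
        # Inside the block below, ${...} is a CloudFormation substitution;
        # $VAR and $(...) are left to the build shell.
        BuildSpec: !Sub |
          version: 0.2
          phases:
            install:
              commands:
                - "echo 'Installing required packages'"
                - "PYTHON=python2 amazon-linux-extras install -y aws-nitro-enclaves-cli"
                - "yum install aws-nitro-enclaves-cli-devel -y"
            build:
              commands:
                - "echo 'Building enclave base image'"
                - "docker build -t enclavebase containers/enclave_base"
                - "echo 'Building enclave app image (Nitro) from enclave base'"
                # nitro_output.txt keeps the JSON measurements; PCR0 is read
                # from it in post_build.
                - "nitro-cli build-enclave --docker-uri enclaveapp --docker-dir containers/enclave_app --output-file nitro-enclave-image.eif > nitro_output.txt"
                - "echo 'Writing enclave image file to the S3 bucket specified'"
                - "aws s3api put-object --bucket ${ExternalBucketName} --key ${ExternalBucketPath}/nitro-enclave-image.eif --body nitro-enclave-image.eif --expected-bucket-owner ${ExternalBucketAWSAccountNumber} --acl bucket-owner-full-control --server-side-encryption aws:kms --ssekms-key-id ${ExternalBucketEncryptionKeyArn}"
            post_build:
              commands:
                # post_build runs even when the build phase failed; stop here so
                # the key policy is not re-pointed at an image that was never
                # produced or uploaded.
                - "[ \"$CODEBUILD_BUILD_SUCCEEDING\" = \"1\" ] || { echo 'Build failed, leaving key policy unchanged'; exit 1; }"
                - "echo 'Updating key policy to allow enclave to decrypt with it'"
                - "aws kms get-key-policy --key-id $ENCLAVE_KEY_ARN --policy-name default --region ${AWS::Region} --query Policy --output text > key_policy.txt"
                # Assumes the stored policy keeps the ImageSha384 condition alone
                # on its line with nothing after the value (sed's .* runs to end
                # of line) and that jq is present in the build image; neither is
                # checked here - confirm against the exporting stack's policy.
                - "sed -Ei.tmp 's/\"kms:RecipientAttestation:ImageSha384\" :.*/\"kms:RecipientAttestation:ImageSha384\" : '\"$(cat nitro_output.txt | jq '.[] | .PCR0')/g\" key_policy.txt"
                - "aws kms put-key-policy --key-id $ENCLAVE_KEY_ARN --policy-name default --region ${AWS::Region} --policy file://key_policy.txt"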