aws
diff --git a/‎tests/ci/cdk/README.md‎
Lines changed: 36 additions & 9 deletions b/‎tests/ci/cdk/README.md‎
Lines changed: 36 additions & 9 deletions
diff --git a/‎tests/ci/cdk/app.py‎
Lines changed: 0 additions & 24 deletions b/‎tests/ci/cdk/app.py‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_actions_stack.py‎
Lines changed: 14 additions & 12 deletions b/‎tests/ci/cdk/cdk/aws_lc_github_actions_stack.py‎
Lines changed: 14 additions & 12 deletions
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_ci_stack.py‎
Lines changed: 0 additions & 11 deletions b/‎tests/ci/cdk/cdk/aws_lc_github_ci_stack.py‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_docker_actions_stack.py‎
Lines changed: 126 additions & 0 deletions b/‎tests/ci/cdk/cdk/aws_lc_github_docker_actions_stack.py‎
Lines changed: 126 additions & 0 deletions
@@ -134,6 +134,21 @@ Use these commands if you wish to deploy individual stacks instead of the entire
 
 1. Ensure you are in `aws-lc/tests/ci/cdk`
 2. Export the relevant environment variables:
+
+  If you wish deploy to your personal account:
+  ```shell
+  # Ensure AWS Credentials are configured for your account and then execute
+  eval "$(./run-cdk.sh --action clear-env)"
+  eval "$(./run-cdk.sh --deploy-account ${DEPLOY_ACCOUNT_ID} --github-repo-owner ${GITHUB_REPO_OWNER} --action setup-dev-env)"
+  ```
+
+  If you wish to deploy to team account manually:
+  ```shell
+  # Ensure the AWS credentials are configured for the pipeline account and then execute
+  eval "$(./run-cdk.sh --action clear-env)"
+  eval "$(./run-cdk.sh --action setup-prod-env)"
+  ```
+
   - `DEPLOY_ACCOUNT_ID` (required): AWS account you wish to deploy the CI stacks to
   - `GITHUB_REPO_OWNER` (required): the GitHub repo targeted by this CI setup.
 
@@ -148,27 +163,39 @@ Use these commands if you wish to deploy individual stacks instead of the entire
     ```
     Set EC2-VPC Elastic IPs = 20 (default is only 5)
 
+4. Synthesize the Cloudformation Stacks
+  ```shell
+  cdk synth
+  ```
 
 4. Choose 1 of the following command options:
-   - To set up AWS-LC CI, run command:
+   - List the stacks available for deployment
     ```shell
-    ./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action deploy-ci --deploy-account ${DEPLOY_ACCOUNT_ID}
+    cdk list
     ```
 
-   - To update AWS-LC CI, run command:
+   - Example: To setup or update AWS-LC Docker Repositories:
     ```shell
-    ./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action update-ci --deploy-account ${DEPLOY_ACCOUNT_ID}
+    # Replace Dev with Staging or Prod as neccessary
+    cdk deploy AwsLcCiPipeline/Dev-EcrRepositories/aws-lc-private-ecr-stack
     ```
-   - To create/update Linux Docker images, run command:
+
+   - Example: To set up or deploy AWS-LC CI stacks, run command:
     ```shell
-    ./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action build-linux-img --deploy-account ${DEPLOY_ACCOUNT_ID}
+    # Replace Dev with Staging or Prod as neccessary
+    cdk deploy AwsLcCiPipeline/Dev-CiTests/aws-lc-ci-*
     ```
 
-   - To destroy AWS-LC CI resources created above, run command:
+   - Example: To setup or deploy AWS-LC GitHub Actions:
+    ```shell
+    # Replace Dev with Staging or Prod as neccessary
+    cdk deploy AwsLcCiPipeline/Dev-GithubActions/*
+    ```
+   - To destroy all CDK resources run command (NOTE: this command will destroy all resources (AWS CodeBuild and ECR).):
     ```shell
-    ./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action destroy-ci --deploy-account ${DEPLOY_ACCOUNT_ID}
+    # Replace Dev with Staging or Prod as neccessary
+    cdk destroy AwsLcCiPipeline/Dev-*
     ```
-   NOTE: this command will destroy all resources (AWS CodeBuild and ECR).
 
 For help, run command:
 ```
 
@@ -11,13 +11,8 @@
 from cdk.windows_docker_image_build_stack import WindowsDockerImageBuildStack
 from cdk.ecr_stack import EcrStack
 from util.metadata import (
-    LINUX_X86_ECR_REPO,
-    LINUX_AARCH_ECR_REPO,
-    WINDOWS_X86_ECR_REPO,
     PIPELINE_ACCOUNT,
     PIPELINE_REGION,
-    DEPLOY_ACCOUNT,
-    DEPLOY_REGION,
 )
 
 # Initialize app.
@@ -29,23 +24,4 @@
     env=Environment(account=PIPELINE_ACCOUNT, region=PIPELINE_REGION),
 )
 
-if DEPLOY_ACCOUNT and DEPLOY_REGION:
-    # Initialize env.
-    env = Environment(account=DEPLOY_ACCOUNT, region=DEPLOY_REGION)
-
-    # Define AWS ECR stacks.
-    # ECR holds the docker images, which are pre-built to accelerate the code builds/tests of git pull requests.
-    EcrStack(app, "aws-lc-ecr-linux-x86", LINUX_X86_ECR_REPO, env=env)
-    EcrStack(app, "aws-lc-ecr-linux-aarch", LINUX_AARCH_ECR_REPO, env=env)
-    EcrStack(app, "aws-lc-ecr-windows-x86", WINDOWS_X86_ECR_REPO, env=env)
-
-    # Define CodeBuild Batch job for building Docker images.
-    LinuxDockerImageBatchBuildStack(app, "aws-lc-docker-image-build-linux", env=env)
-
-    # AWS CodeBuild cannot build Windows Docker images because DIND (Docker In Docker) is not supported on Windows.
-    # Windows Docker images are created by running commands in Windows EC2 instance.
-    WindowsDockerImageBuildStack(app, "aws-lc-docker-image-build-windows", env=env)
-
-    add_ci_stacks(app, env=env)
-
 app.synth()
@@ -4,11 +4,10 @@
 
 from aws_cdk import (
     Duration,
-    Stack,
     aws_codebuild as codebuild,
     aws_iam as iam,
-    aws_s3_assets,
     aws_logs as logs,
+    aws_ecr as ecr,
     Environment,
 )
 from constructs import Construct
@@ -18,7 +17,7 @@
 from util.iam_policies import (
     code_build_publish_metrics_in_json,
 )
-from util.metadata import LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO
+from util.metadata import AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO, LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, UBUNTU_ECR_REPO, WINDOWS_X86_ECR_REPO
 
 class AwsLcGitHubActionsStack(AwsLcBaseCiStack):
     """Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners."""
@@ -32,6 +31,12 @@ def __init__(
     ) -> None:
         super().__init__(scope, id, env=env, timeout=180, **kwargs)
 
+        # TODO: First 3 indices ordering is important for now as they are referenced directly for now.
+        repo_names = [LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO, UBUNTU_ECR_REPO,
+                      AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO]
+        ecr_repos = [ecr.Repository.from_repository_name(self, x.replace('/', '-'), repository_name=x)
+                     for x in repo_names]
+
         # Define a IAM role for this stack.
         metrics_policy = iam.PolicyDocument.from_json(
             code_build_publish_metrics_in_json(env)
@@ -55,12 +60,7 @@ def __init__(
                             "ecr:BatchCheckLayerAvailability",
                             "ecr:GetDownloadUrlForLayer",
                         ],
-                        resources=[
-                            "arn:aws:ecr:{}:{}:repository/{}"
-                                .format(env.region, env.account, repo) for repo in [LINUX_X86_ECR_REPO,
-                                                                                    LINUX_AARCH_ECR_REPO,
-                                                                                    WINDOWS_X86_ECR_REPO]
-                        ],
+                        resources=[x.repository_arn for x in ecr_repos],
                     ),
                 ],
             )
@@ -105,16 +105,18 @@ def __init__(
                 environment_variables={
                     "AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=env.account),
                     "AWS_ECR_REPO_LINUX_X86": codebuild.BuildEnvironmentVariable(
-                        value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, LINUX_X86_ECR_REPO)
+                        value=ecr_repos[0].repository_uri
                     ),
                     "AWS_ECR_REPO_LINUX_AARCH": codebuild.BuildEnvironmentVariable(
-                        value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, LINUX_AARCH_ECR_REPO)
+                        value=ecr_repos[1].repository_uri
                     ),
                     "AWS_ECR_REPO_WINDOWS_X86": codebuild.BuildEnvironmentVariable(
-                        value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, WINDOWS_X86_ECR_REPO)
+                        value=ecr_repos[2].repository_uri
                     ),
+                    "ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(value=ecr_repos[0].registry_uri),
                 },
             ),
+            # TODO: We can do away with this if we use aws-actions/amazon-ecr-login@v2, just need to migrate
             build_spec=codebuild.BuildSpec.from_object({
                 "version": 0.2,
                 "phases": {
 
@@ -4,10 +4,8 @@
 
 from aws_cdk import (
     Duration,
-    Stack,
     aws_codebuild as codebuild,
     aws_iam as iam,
-    aws_s3_assets,
     aws_logs as logs,
     Environment,
 )
@@ -20,17 +18,8 @@
     code_build_publish_metrics_in_json,
     code_build_cloudwatch_logs_policy_in_json,
 )
-from util.metadata import (
-    GITHUB_PUSH_CI_BRANCH_TARGETS,
-    GITHUB_REPO_OWNER,
-    GITHUB_REPO_NAME,
-    PRE_PROD_ACCOUNT,
-    STAGING_GITHUB_REPO_OWNER,
-    STAGING_GITHUB_REPO_NAME,
-)
 from util.build_spec_loader import BuildSpecLoader
 
-
 class AwsLcGitHubCIStack(AwsLcBaseCiStack):
     """Define a stack used to batch execute AWS-LC tests in GitHub."""
 
 
@@ -0,0 +1,126 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+import itertools
+import typing
+
+from aws_cdk import (
+    Duration,
+    aws_codebuild as codebuild,
+    aws_iam as iam,
+    aws_logs as logs,
+    aws_ecr as ecr,
+    Environment,
+)
+from constructs import Construct
+
+from cdk.aws_lc_base_ci_stack import AwsLcBaseCiStack
+from util.iam_policies import (
+    code_build_publish_metrics_in_json,
+)
+from util.metadata import UBUNTU_ECR_REPO, AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO
+
+class AwsLcGitHubDockerActionsStack(AwsLcBaseCiStack):
+    """Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners on Docker Images."""
+
+    def __init__(
+        self,
+        scope: Construct,
+        id: str,
+        env: typing.Union[Environment, typing.Dict[str, typing.Any]],
+        **kwargs
+    ) -> None:
+        super().__init__(scope, id, env=env, timeout=180, **kwargs)
+
+        # Define a IAM role for this stack.
+        metrics_policy = iam.PolicyDocument.from_json(
+            code_build_publish_metrics_in_json(env)
+        )
+
+        repo_names = [UBUNTU_ECR_REPO, AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO]
+        ecr_repos = [ecr.Repository.from_repository_name(self, x.replace('/', '-'), repository_name=x)
+                     for x in repo_names]
+        
+        staging_repo = ecr.Repository(self, "aws-lc-ecr-staging",
+                              image_tag_mutability=ecr.TagMutability.IMMUTABLE,
+                              lifecycle_rules=[ecr.LifecycleRule(
+                                  max_image_age=Duration.days(7),
+                              )])
+        
+        ecr_repos.append(staging_repo)
+
+        inline_policies = {
+            "metrics_policy": metrics_policy,
+            "ecr": iam.PolicyDocument(
+                statements=[
+                    iam.PolicyStatement(
+                        effect=iam.Effect.ALLOW,
+                        actions=[
+                            "ecr:GetAuthorizationToken",
+                        ],
+                        resources=["*"],
+                    ),
+                    iam.PolicyStatement(
+                        effect=iam.Effect.ALLOW,
+                        actions=[
+                            "ecr:BatchGetImage",
+                            "ecr:BatchCheckLayerAvailability",
+                            "ecr:CompleteLayerUpload",
+                            "ecr:GetDownloadUrlForLayer",
+                            "ecr:InitiateLayerUpload",
+                            "ecr:PutImage",
+                            "ecr:UploadLayerPart",
+                        ],
+                        resources=[x for x in itertools.chain([
+                            x.repository_arn for x in ecr_repos
+                        ], [ecr.Repository.from_repository_name(self, "quay-io", "quay.io/*").repository_arn])],
+                    ),
+                ],
+            )
+        }
+        role = iam.Role(
+            scope=self,
+            id="{}-role".format(id),
+            assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
+            inline_policies=inline_policies,
+        )
+
+        logging_options = codebuild.LoggingOptions(
+            cloud_watch=codebuild.CloudWatchLoggingOptions(log_group=logs.LogGroup(
+                self, id="{}-logs".format(id)))
+        )
+
+        # Override base class provided configuration
+        self.git_hub_source = codebuild.Source.git_hub(
+            owner=self.github_repo_owner,
+            repo=self.github_repo_name,
+            webhook=True,
+            webhook_filters=[
+                codebuild.FilterGroup.in_event_of(
+                    codebuild.EventAction.WORKFLOW_JOB_QUEUED
+                ),
+            ],
+        )
+
+        # Define CodeBuild.
+        project = codebuild.Project(
+            scope=self,
+            id=id,
+            project_name=id,
+            source=self.git_hub_source,
+            role=role,
+            timeout=Duration.minutes(self.timeout),
+            logging=logging_options,
+            environment=codebuild.BuildEnvironment(
+                compute_type=codebuild.ComputeType.SMALL,
+                privileged=True,
+                build_image=codebuild.LinuxBuildImage.STANDARD_7_0,
+                environment_variables={
+                    "AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=env.account),
+                    "ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(value=staging_repo.registry_uri),
+                    "ECR_STAGING_REPO": codebuild.BuildEnvironmentVariable(value=staging_repo.repository_uri),
+                },
+            ),
+        )
+
+        cfn_project = project.node.default_child
+        cfn_project.add_property_override("Triggers.PullRequestBuildPolicy", self.pull_request_policy)