From ec544dddf63058aaae676408aaa7b5709ae43df5 Mon Sep 17 00:00:00 2001 From: Sean McGrail Date: Tue, 14 Oct 2025 02:28:30 +0000 Subject: [PATCH] CodeBuild Setup for GitHub Docker Image Builds --- tests/ci/cdk/README.md | 45 +++++-- tests/ci/cdk/app.py | 24 ---- .../ci/cdk/cdk/aws_lc_github_actions_stack.py | 26 ++-- tests/ci/cdk/cdk/aws_lc_github_ci_stack.py | 11 -- .../cdk/aws_lc_github_docker_actions_stack.py | 126 ++++++++++++++++++ tests/ci/cdk/cdk/ecr_stack.py | 78 ++++++++++- tests/ci/cdk/pipeline/ci_stage.py | 4 +- tests/ci/cdk/pipeline/ci_util.py | 13 +- tests/ci/cdk/pipeline/ecr_stage.py | 37 +++++ tests/ci/cdk/pipeline/github_actions_stage.py | 47 +++++++ tests/ci/cdk/pipeline/pipeline_stack.py | 12 ++ tests/ci/cdk/pipeline/scripts/util.sh | 2 - tests/ci/cdk/run-cdk.sh | 35 ++++- tests/ci/cdk/util/metadata.py | 5 + 14 files changed, 391 insertions(+), 74 deletions(-) create mode 100644 tests/ci/cdk/cdk/aws_lc_github_docker_actions_stack.py create mode 100644 tests/ci/cdk/pipeline/ecr_stage.py create mode 100644 tests/ci/cdk/pipeline/github_actions_stage.py diff --git a/tests/ci/cdk/README.md b/tests/ci/cdk/README.md index 57d57afbe98..4ac1f8f9f01 100644 --- a/tests/ci/cdk/README.md +++ b/tests/ci/cdk/README.md 
@@ -134,6 +134,21 @@ Use these commands if you wish to deploy individual stacks instead of the entire 1. Ensure you are in `aws-lc/tests/ci/cdk` 2. Export the relevant environment variables: + + If you wish deploy to your personal account: + ```shell + # Ensure AWS Credentials are configured for your account and then execute + eval "$(./run-cdk.sh --action clear-env)" + eval "$(./run-cdk.sh --deploy-account ${DEPLOY_ACCOUNT_ID} --github-repo-owner ${GITHUB_REPO_OWNER} --action setup-dev-env)" + ``` + + If you wish to deploy to team account manually: + ```shell + # Ensure the AWS credentials are configured for the pipeline account and then execute + eval "$(./run-cdk.sh --action clear-env)" + eval "$(./run-cdk.sh --action setup-prod-env)" + ``` + - `DEPLOY_ACCOUNT_ID` (required): AWS account you wish to deploy the CI stacks to - `GITHUB_REPO_OWNER` (required): the GitHub repo targeted by this CI setup. 
@@ -148,27 +163,39 @@ Use these commands if you wish to deploy individual stacks instead of the entire ``` Set EC2-VPC Elastic IPs = 20 (default is only 5) +4. Synthesize the Cloudformation Stacks + ```shell + cdk synth + ``` 4. Choose 1 of the following command options: - - To set up AWS-LC CI, run command: + - List the stacks available for deployment ```shell - ./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action deploy-ci --deploy-account ${DEPLOY_ACCOUNT_ID} + cdk list ``` - - To update AWS-LC CI, run command: + - Example: To setup or update AWS-LC Docker Repositories: ```shell - ./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action update-ci --deploy-account ${DEPLOY_ACCOUNT_ID} + # Replace Dev with Staging or Prod as neccessary + cdk deploy AwsLcCiPipeline/Dev-EcrRepositories/aws-lc-private-ecr-stack ``` - - To create/update Linux Docker images, run command: + + - Example: To set up or deploy AWS-LC CI stacks, run command: ```shell - ./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action build-linux-img --deploy-account ${DEPLOY_ACCOUNT_ID} + # Replace Dev with Staging or Prod as neccessary + cdk deploy AwsLcCiPipeline/Dev-CiTests/aws-lc-ci-* ``` - - To destroy AWS-LC CI resources created above, run command: + - Example: To setup or deploy AWS-LC GitHub Actions: + ```shell + # Replace Dev with Staging or Prod as neccessary + cdk deploy AwsLcCiPipeline/Dev-GithubActions/* + ``` + - To destroy all CDK resources run command (NOTE: this command will destroy all resources (AWS CodeBuild and ECR).): ```shell - ./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action destroy-ci --deploy-account ${DEPLOY_ACCOUNT_ID} + # Replace Dev with Staging or Prod as neccessary + cdk destroy AwsLcCiPipeline/Dev-* ``` - NOTE: this command will destroy all resources (AWS CodeBuild and ECR). For help, run command: ``` diff --git a/tests/ci/cdk/app.py b/tests/ci/cdk/app.py index 6f198ceb9c6..a5428248783 100644 --- a/tests/ci/cdk/app.py 
+++ b/tests/ci/cdk/app.py @@ -11,13 +11,8 @@ from cdk.windows_docker_image_build_stack import WindowsDockerImageBuildStack from cdk.ecr_stack import EcrStack from util.metadata import ( - LINUX_X86_ECR_REPO, - LINUX_AARCH_ECR_REPO, - WINDOWS_X86_ECR_REPO, PIPELINE_ACCOUNT, PIPELINE_REGION, - DEPLOY_ACCOUNT, - DEPLOY_REGION, ) # Initialize app. @@ -29,23 +24,4 @@ env=Environment(account=PIPELINE_ACCOUNT, region=PIPELINE_REGION), ) -if DEPLOY_ACCOUNT and DEPLOY_REGION: - # Initialize env. - env = Environment(account=DEPLOY_ACCOUNT, region=DEPLOY_REGION) - - # Define AWS ECR stacks. - # ECR holds the docker images, which are pre-built to accelerate the code builds/tests of git pull requests. - EcrStack(app, "aws-lc-ecr-linux-x86", LINUX_X86_ECR_REPO, env=env) - EcrStack(app, "aws-lc-ecr-linux-aarch", LINUX_AARCH_ECR_REPO, env=env) - EcrStack(app, "aws-lc-ecr-windows-x86", WINDOWS_X86_ECR_REPO, env=env) - - # Define CodeBuild Batch job for building Docker images. - LinuxDockerImageBatchBuildStack(app, "aws-lc-docker-image-build-linux", env=env) - - # AWS CodeBuild cannot build Windows Docker images because DIND (Docker In Docker) is not supported on Windows. - # Windows Docker images are created by running commands in Windows EC2 instance. - WindowsDockerImageBuildStack(app, "aws-lc-docker-image-build-windows", env=env) - - add_ci_stacks(app, env=env) - app.synth() diff --git a/tests/ci/cdk/cdk/aws_lc_github_actions_stack.py b/tests/ci/cdk/cdk/aws_lc_github_actions_stack.py index 5a45a9715a4..9bcf2e97887 100644 --- a/tests/ci/cdk/cdk/aws_lc_github_actions_stack.py +++ b/tests/ci/cdk/cdk/aws_lc_github_actions_stack.py @@ -4,11 +4,10 @@ from aws_cdk import ( Duration, - Stack, aws_codebuild as codebuild, aws_iam as iam, - aws_s3_assets, aws_logs as logs, + aws_ecr as ecr, Environment, ) from constructs import Construct 
@@ -18,7 +17,7 @@ from util.iam_policies import ( code_build_publish_metrics_in_json, ) -from util.metadata import LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO +from util.metadata import AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO, LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, UBUNTU_ECR_REPO, WINDOWS_X86_ECR_REPO class AwsLcGitHubActionsStack(AwsLcBaseCiStack): """Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners.""" @@ -32,6 +31,12 @@ def __init__( ) -> None: super().__init__(scope, id, env=env, timeout=180, **kwargs) + # TODO: First 3 indices ordering is important for now as they are referenced directly for now. + repo_names = [LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO, UBUNTU_ECR_REPO, + AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO] + ecr_repos = [ecr.Repository.from_repository_name(self, x.replace('/', '-'), repository_name=x) + for x in repo_names] + # Define a IAM role for this stack. metrics_policy = iam.PolicyDocument.from_json( code_build_publish_metrics_in_json(env) @@ -55,12 +60,7 @@ def __init__( "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", ], - resources=[ - "arn:aws:ecr:{}:{}:repository/{}" - .format(env.region, env.account, repo) for repo in [LINUX_X86_ECR_REPO, - LINUX_AARCH_ECR_REPO, - WINDOWS_X86_ECR_REPO] - ], + resources=[x.repository_arn for x in ecr_repos], ), ], ) 
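Review bot: The `ecr_repos` list added in `__init__` is consumed by position, so the repository each `AWS_ECR_REPO_*` variable points at depends on list order rather than on the constant's name. The TODO acknowledges this, and the later hunk at `@@ -105,16 +105,18 @@` relies on it through `ecr_repos[0]`, `ecr_repos[1]` and `ecr_repos[2]`. Inserting or reordering an entry would silently hand a runner a different image repository. Keying the lookup by name removes the coupling: `ecr_repos = {n: ecr.Repository.from_repository_name(self, n.replace('/', '-'), repository_name=n) for n in repo_names}`, then `value=ecr_repos[LINUX_X86_ECR_REPO].repository_uri` and `resources=[r.repository_arn for r in ecr_repos.values()]`. The pull statement's resource list also widens from three repositories to seven, which deserves a short comment next to `repo_names` stating that this is intended; `__init__` starts and ends outside these hunks.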
@@ -105,16 +105,18 @@ def __init__( environment_variables={ "AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=env.account), "AWS_ECR_REPO_LINUX_X86": codebuild.BuildEnvironmentVariable( - value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, LINUX_X86_ECR_REPO) + value=ecr_repos[0].repository_uri ), "AWS_ECR_REPO_LINUX_AARCH": codebuild.BuildEnvironmentVariable( - value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, LINUX_AARCH_ECR_REPO) + value=ecr_repos[1].repository_uri ), "AWS_ECR_REPO_WINDOWS_X86": codebuild.BuildEnvironmentVariable( - value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, WINDOWS_X86_ECR_REPO) + value=ecr_repos[2].repository_uri ), + "ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(value=ecr_repos[0].registry_uri), }, ), + # TODO: We can do away with this if we use aws-actions/amazon-ecr-login@v2, just need to migrate build_spec=codebuild.BuildSpec.from_object({ "version": 0.2, "phases": { diff --git a/tests/ci/cdk/cdk/aws_lc_github_ci_stack.py b/tests/ci/cdk/cdk/aws_lc_github_ci_stack.py index cf32ab981ee..572ea03ac17 100644 --- a/tests/ci/cdk/cdk/aws_lc_github_ci_stack.py +++ b/tests/ci/cdk/cdk/aws_lc_github_ci_stack.py @@ -4,10 +4,8 @@ from aws_cdk import ( Duration, - Stack, aws_codebuild as codebuild, aws_iam as iam, - aws_s3_assets, aws_logs as logs, Environment, ) @@ -20,17 +18,8 @@ code_build_publish_metrics_in_json, code_build_cloudwatch_logs_policy_in_json, ) -from util.metadata import ( - GITHUB_PUSH_CI_BRANCH_TARGETS, - GITHUB_REPO_OWNER, - GITHUB_REPO_NAME, - PRE_PROD_ACCOUNT, - STAGING_GITHUB_REPO_OWNER, - STAGING_GITHUB_REPO_NAME, -) from util.build_spec_loader import BuildSpecLoader - class AwsLcGitHubCIStack(AwsLcBaseCiStack): """Define a stack used to batch execute AWS-LC tests in GitHub.""" 
diff --git a/tests/ci/cdk/cdk/aws_lc_github_docker_actions_stack.py b/tests/ci/cdk/cdk/aws_lc_github_docker_actions_stack.py
new file mode 100644
index 00000000000..e25edf50dbb
--- /dev/null
+++ b/tests/ci/cdk/cdk/aws_lc_github_docker_actions_stack.py
@@ -0,0 +1,126 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+import itertools
+import typing
+
+from aws_cdk import (
+ Duration,
+ aws_codebuild as codebuild,
+ aws_iam as iam,
+ aws_logs as logs,
+ aws_ecr as ecr,
+ Environment,
+)
+from constructs import Construct
+
+from cdk.aws_lc_base_ci_stack import AwsLcBaseCiStack
+from util.iam_policies import (
+ code_build_publish_metrics_in_json,
+)
+from util.metadata import UBUNTU_ECR_REPO, AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO
+
+class AwsLcGitHubDockerActionsStack(AwsLcBaseCiStack):
+ """Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners on Docker Images."""
+
+ def __init__(
+ self,
+ scope: Construct,
+ id: str,
+ env: typing.Union[Environment, typing.Dict[str, typing.Any]],
+ **kwargs
+ ) -> None:
+ super().__init__(scope, id, env=env, timeout=180, **kwargs)
+
+ # Define a IAM role for this stack.
+ metrics_policy = iam.PolicyDocument.from_json(
+ code_build_publish_metrics_in_json(env)
+ )
+
+ repo_names = [UBUNTU_ECR_REPO, AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO]
+ ecr_repos = [ecr.Repository.from_repository_name(self, x.replace('/', '-'), repository_name=x)
+ for x in repo_names]
+
+ staging_repo = ecr.Repository(self, "aws-lc-ecr-staging",
+ image_tag_mutability=ecr.TagMutability.IMMUTABLE,
+ lifecycle_rules=[ecr.LifecycleRule(
+ max_image_age=Duration.days(7),
+ )])
+
+ ecr_repos.append(staging_repo)
+
+ inline_policies = {
+ "metrics_policy": metrics_policy,
+ "ecr": iam.PolicyDocument(
+ statements=[
+ iam.PolicyStatement(
+ effect=iam.Effect.ALLOW,
+ actions=[
+ "ecr:GetAuthorizationToken",
+ ],
+ resources=["*"],
+ ),
+ iam.PolicyStatement(
+ effect=iam.Effect.ALLOW,
+ actions=[
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:CompleteLayerUpload",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:InitiateLayerUpload",
+ "ecr:PutImage",
+ "ecr:UploadLayerPart",
+ ],
+ resources=[x for x in itertools.chain([
+ x.repository_arn for x in ecr_repos
+ ], [ecr.Repository.from_repository_name(self, "quay-io", "quay.io/*").repository_arn])],
+ ),
+ ],
+ )
+ }
+ role = iam.Role(
+ scope=self,
+ id="{}-role".format(id),
+ assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
+ inline_policies=inline_policies,
+ )
+
+ logging_options = codebuild.LoggingOptions(
+ cloud_watch=codebuild.CloudWatchLoggingOptions(log_group=logs.LogGroup(
+ self, id="{}-logs".format(id)))
+ )
+
+ # Override base class provided configuration
+ self.git_hub_source = codebuild.Source.git_hub(
+ owner=self.github_repo_owner,
+ repo=self.github_repo_name,
+ webhook=True,
+ webhook_filters=[
+ codebuild.FilterGroup.in_event_of(
+ codebuild.EventAction.WORKFLOW_JOB_QUEUED
+ ),
+ ],
+ )
+
+ # Define CodeBuild.
+ project = codebuild.Project(
+ scope=self,
+ id=id,
+ project_name=id,
+ source=self.git_hub_source,
+ role=role,
+ timeout=Duration.minutes(self.timeout),
+ logging=logging_options,
+ environment=codebuild.BuildEnvironment(
+ compute_type=codebuild.ComputeType.SMALL,
+ privileged=True,
+ build_image=codebuild.LinuxBuildImage.STANDARD_7_0,
+ environment_variables={
+ "AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=env.account),
+ "ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(value=staging_repo.registry_uri),
+ "ECR_STAGING_REPO": codebuild.BuildEnvironmentVariable(value=staging_repo.repository_uri),
+ },
+ ),
+ )
+
+ cfn_project = project.node.default_child
+ cfn_project.add_property_override("Triggers.PullRequestBuildPolicy", self.pull_request_policy)
diff --git a/tests/ci/cdk/cdk/ecr_stack.py b/tests/ci/cdk/cdk/ecr_stack.py
index 61cedad1487..8d670694cd2 100644
--- a/tests/ci/cdk/cdk/ecr_stack.py
+++ b/tests/ci/cdk/cdk/ecr_stack.py
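Review bot: The second ECR statement in `inline_policies` grants the push actions (`ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload`, `ecr:PutImage`) on every listed repository, including the `quay.io/*` pull-through cache namespace, to the role of a `privileged=True` project that starts on any `WORKFLOW_JOB_QUEUED` event. A job on this runner could therefore write into the cache repositories that other builds pull base images from, and the only visible limit on which workflows reach it is `self.pull_request_policy`, which is defined outside this diff. Splitting the statement into a pull statement and a push statement that names only the repositories this project publishes to keeps the cache read-only. If first-time cache pulls are expected from this role it probably also needs `ecr:BatchImportUpstreamImage` on the cache namespace, which should be confirmed against a cold cache.

```python
quay_cache = ecr.Repository.from_repository_name(self, "quay-io", "quay.io/*")
# … unchanged: ecr:GetAuthorizationToken statement …
iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    actions=[
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
    ],
    resources=[x.repository_arn for x in ecr_repos] + [quay_cache.repository_arn],
),
iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    actions=[
        "ecr:CompleteLayerUpload",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart",
    ],
    # Push stays limited to repositories this project publishes to; the
    # quay.io/* cache namespace is read-only for the runner.
    resources=[x.repository_arn for x in ecr_repos],
),
```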
@@ -1,8 +1,11 @@ # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 OR ISC -from aws_cdk import Stack, Duration, aws_ecr as ecr, aws_iam as iam +import dataclasses +import typing +from aws_cdk import Environment, RemovalPolicy, Stack, Duration, aws_ecr as ecr, aws_iam as iam from constructs import Construct +from util.metadata import AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO, UBUNTU_ECR_REPO class EcrStack(Stack): 
@@ -30,3 +33,76 @@ def __init__(self, scope: Construct, id: str, repo_name: str, **kwargs) -> None: tag_status=ecr.TagStatus.UNTAGGED, max_image_age=Duration.days(1), ) + + +@dataclasses.dataclass +class EcrRepoDataClass: + cdk_id: str + ecr_name: str + + +class PrivateEcrStackV2(Stack): + def __init__(self, + scope: Construct, + id: str, + env: typing.Union[Environment, typing.Dict[str, typing.Any]], + **kwargs) -> None: + super().__init__(scope, id, env=env, **kwargs) + + ecr.CfnRepositoryCreationTemplate(self, "pull-through-cache-template", + applied_for=["PULL_THROUGH_CACHE"], + description="Used to create pull through cache repositories", + prefix="ROOT", + image_tag_mutability="MUTABLE", + encryption_configuration={ + "encryptionType": "AES256" + }, + lifecycle_policy=""" +{ + "rules": [ + { + "rulePriority": 1, + "description": "Expire images older than 30 days", + "selection": { + "tagStatus": "untagged", + "countType": "sinceImagePushed", + "countUnit": "days", + "countNumber": 30 + }, + "action": { + "type": "expire" + } + } + ] +} +""") + + quay_io_prefixes = ["centos"] + for repo in quay_io_prefixes: + ecr.CfnPullThroughCacheRule(self, f"quay-io-{repo}", + ecr_repository_prefix=f"quay.io/{repo}", + upstream_registry_url="quay.io", + upstream_repository_prefix=repo) + + for x in [ + EcrRepoDataClass("aws-lc-ecr-ubuntu", UBUNTU_ECR_REPO), + EcrRepoDataClass("aws-lc-ecr-amazonlinux", AMAZONLINUX_ECR_REPO), + EcrRepoDataClass("aws-lc-ecr-fedora", FEDORA_ECR_REPO), + EcrRepoDataClass("aws-lc-ecr-centos", CENTOS_ECR_REPO), + ]: + EcrPrivateRepo(self, x.cdk_id, repo_name=x.ecr_name) + + +class EcrPrivateRepo(Construct): + """Define private ECR repository to store container images.""" + + def __init__(self, scope: Construct, id: str, repo_name: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + self.repo = ecr.Repository( + scope=self, id=id, repository_name=repo_name, removal_policy=RemovalPolicy.RETAIN) + self.repo.add_lifecycle_rule( + 
description="Remove untagged images after 1 day", + tag_status=ecr.TagStatus.UNTAGGED, + max_image_age=Duration.days(90), + ) diff --git a/tests/ci/cdk/pipeline/ci_stage.py b/tests/ci/cdk/pipeline/ci_stage.py index f228d00e2aa..74d3ed65aab 100644 --- a/tests/ci/cdk/pipeline/ci_stage.py +++ b/tests/ci/cdk/pipeline/ci_stage.py @@ -15,7 +15,6 @@ from constructs import Construct from cdk.aws_lc_base_ci_stack import AwsLcBaseCiStack -from cdk.aws_lc_github_actions_stack import AwsLcGitHubActionsStack from pipeline.ci_util import add_ci_stacks from pipeline.codebuild_batch_step import CodeBuildBatchStep from util.metadata import ( @@ -48,8 +47,7 @@ def __init__( @property def stacks(self) -> typing.List[AwsLcBaseCiStack]: return [ - child for child in self.node.children if isinstance(child, AwsLcBaseCiStack) and - not isinstance(child, AwsLcGitHubActionsStack) + child for child in self.node.children if isinstance(child, AwsLcBaseCiStack) ] def add_stage_to_pipeline( diff --git a/tests/ci/cdk/pipeline/ci_util.py b/tests/ci/cdk/pipeline/ci_util.py index 04d7d596826..537d0b126c8 100644 --- a/tests/ci/cdk/pipeline/ci_util.py +++ b/tests/ci/cdk/pipeline/ci_util.py @@ -6,12 +6,10 @@ from cdk.aws_lc_analytics_stack import AwsLcGitHubAnalyticsStack from cdk.aws_lc_android_ci_stack import AwsLcAndroidCIStack from cdk.aws_lc_ec2_test_framework_ci_stack import AwsLcEC2TestingCIStack -from cdk.aws_lc_github_actions_stack import AwsLcGitHubActionsStack from cdk.aws_lc_github_ci_stack import AwsLcGitHubCIStack from cdk.aws_lc_github_ci_x509_stack import AwsLcGitHubX509CIStack from cdk.aws_lc_github_fuzz_ci_stack import AwsLcGitHubFuzzCIStack - # Define CodeBuild Batch jobs for testing code. def add_ci_stacks( scope: Construct, 
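Review bot: In `EcrPrivateRepo.__init__` (cdk/ecr_stack.py) the lifecycle rule is described as "Remove untagged images after 1 day" but is configured with `max_image_age=Duration.days(90)`, so the description stored with the lifecycle policy contradicts what the rule does; one of the two should change, e.g. `description="Remove untagged images after 90 days"`. The repositories are also created without `image_tag_mutability`, and the creation template sets `image_tag_mutability="MUTABLE"`, so any principal holding `ecr:PutImage` can repoint an existing tag that CI jobs pull. If the image build workflow does not need to overwrite tags, `image_tag_mutability=ecr.TagMutability.IMMUTABLE`, which the staging repository in `aws_lc_github_docker_actions_stack.py` already uses, closes that. `PrivateEcrStackV2` and `EcrRepoDataClass` have no docstrings; one line each, saying that the stack owns the pull-through cache template, the `quay.io` cache rule and the four image repositories, would help.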
@@ -19,15 +17,7 @@ def add_ci_stacks( ): # define customized settings to run CodeBuild jobs from CodePipeline build_options = [] - - AwsLcGitHubActionsStack( - scope, - "aws-lc-ci-github-actions", - env=env, - ignore_failure=False, - stack_name="aws-lc-ci-github-actions", - ) - + x86_build_spec_file = "cdk/codebuild/github_ci_linux_x86_omnibus.yaml" AwsLcGitHubCIStack( scope, @@ -115,3 +105,4 @@ def add_ci_stacks( ignore_failure=True, stack_name="aws-lc-ci-x509", ) + \ No newline at end of file diff --git a/tests/ci/cdk/pipeline/ecr_stage.py b/tests/ci/cdk/pipeline/ecr_stage.py new file mode 100644 index 00000000000..1477c905f78 --- /dev/null +++ b/tests/ci/cdk/pipeline/ecr_stage.py @@ -0,0 +1,37 @@ +import typing + +from aws_cdk import ( + Stage, + Environment, + Stack, + pipelines, +) +from cdk.ecr_stack import PrivateEcrStackV2 +from constructs import Construct + +class EcrStage(Stage): + """Define a stack of IAM role to allow cross-account deployment""" + + def __init__( + self, + scope: Construct, + id: str, + pipeline_environment: typing.Union[Environment, typing.Dict[str, typing.Any]], + deploy_environment: typing.Union[Environment, typing.Dict[str, typing.Any]], + **kwargs, + ): + super().__init__( + scope, + id, + env=pipeline_environment, + **kwargs, + ) + + PrivateEcrStackV2(self, "aws-lc-private-ecr-stack", env=deploy_environment, **kwargs) + + @property + def stacks(self): + return [child for child in self.node.children if isinstance(child, Stack)] + + def add_stage_to_wave(self, wave: pipelines.Wave): + wave.add_stage(self) diff --git a/tests/ci/cdk/pipeline/github_actions_stage.py b/tests/ci/cdk/pipeline/github_actions_stage.py new file mode 100644 index 00000000000..3300772f80e --- /dev/null +++ b/tests/ci/cdk/pipeline/github_actions_stage.py 
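Review bot: `EcrStage.__init__` in the new `pipeline/ecr_stage.py` forwards the same `**kwargs` to both `super().__init__` and `PrivateEcrStackV2(...)`, so any keyword meant for the `Stage` is also handed to the `Stack` constructor; a caller passing a stage-only option would presumably get a `TypeError` from the stack. Dropping it from the stack call, `PrivateEcrStackV2(self, "aws-lc-private-ecr-stack", env=deploy_environment)`, avoids that. The class docstring "Define a stack of IAM role to allow cross-account deployment" does not describe this stage and is repeated on `GitHubActionsStage` in `pipeline/github_actions_stage.py`; something like `"""Stage that deploys the private ECR repositories and pull-through cache rules."""` would be accurate. Both new files also lack the copyright/SPDX header that the other new file in this patch carries.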
@@ -0,0 +1,47 @@ +import typing + +from aws_cdk import ( + Stage, + Environment, + Stack, + pipelines, +) +from cdk.aws_lc_github_actions_stack import AwsLcGitHubActionsStack +from cdk.aws_lc_github_docker_actions_stack import AwsLcGitHubDockerActionsStack +from constructs import Construct + + +class GitHubActionsStage(Stage): + """Define a stack of IAM role to allow cross-account deployment""" + + def __init__( + self, + scope: Construct, + id: str, + pipeline_environment: typing.Union[Environment, typing.Dict[str, typing.Any]], + deploy_environment: typing.Union[Environment, typing.Dict[str, typing.Any]], + **kwargs, + ): + super().__init__( + scope, + id, + env=pipeline_environment, + **kwargs, + ) + + AwsLcGitHubActionsStack( + self, + "aws-lc-ci-github-actions", + env=deploy_environment, + ignore_failure=False, + stack_name="aws-lc-ci-github-actions", + ) + + AwsLcGitHubDockerActionsStack(self, "aws-lc-github-docker-image-build", env=deploy_environment) + + @property + def stacks(self): + return [child for child in self.node.children if isinstance(child, Stack)] + + def add_stage_to_wave(self, wave: pipelines.Wave): + wave.add_stage(self) diff --git a/tests/ci/cdk/pipeline/pipeline_stack.py b/tests/ci/cdk/pipeline/pipeline_stack.py index 42427beb302..ee1b3625501 100644 --- a/tests/ci/cdk/pipeline/pipeline_stack.py +++ b/tests/ci/cdk/pipeline/pipeline_stack.py @@ -17,6 +17,8 @@ from constructs import Construct from pipeline.ci_stage import CiStage +from pipeline.ecr_stage import EcrStage +from pipeline.github_actions_stage import GitHubActionsStage from pipeline.linux_docker_image_build_stage import LinuxDockerImageBuildStage from pipeline.setup_stage import SetupStage from pipeline.windows_docker_image_build_stage import WindowsDockerImageBuildStage 
@@ -293,6 +295,16 @@ def deploy_to_environment( pipeline.add_stage(setup_stage) + ecr_stage = EcrStage(self, f"{deploy_environment_type.value}-EcrRepositories", + pipeline_environment=pipeline_environment, + deploy_environment=deploy_environment) + pipeline.add_stage(ecr_stage) + + gh_actions_stage = GitHubActionsStage(self, f"{deploy_environment_type.value}-GithubActions", + pipeline_environment=pipeline_environment, + deploy_environment=deploy_environment) + pipeline.add_stage(gh_actions_stage) + docker_build_wave = pipeline.add_wave( f"{deploy_environment_type.value}-DockerImageBuild" ) diff --git a/tests/ci/cdk/pipeline/scripts/util.sh b/tests/ci/cdk/pipeline/scripts/util.sh index 522f6227918..3ca5da5c097 100755 --- a/tests/ci/cdk/pipeline/scripts/util.sh +++ b/tests/ci/cdk/pipeline/scripts/util.sh @@ -2,8 +2,6 @@ # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 OR ISC -set -ex - if [[ -z "${PIPELINE_EXECUTION_ID:+x}" ]]; then TRIGGER_TYPE="manual" else diff --git a/tests/ci/cdk/run-cdk.sh b/tests/ci/cdk/run-cdk.sh index 9794ad41797..826cdf29ed6 100755 --- a/tests/ci/cdk/run-cdk.sh +++ b/tests/ci/cdk/run-cdk.sh @@ -2,7 +2,7 @@ # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 OR ISC -set -exuo pipefail +set -euo pipefail source pipeline/scripts/util.sh @@ -448,6 +448,39 @@ function main() { fi ${COMMAND:?} ;; + setup-dev-env) + cat<