45 changes: 36 additions & 9 deletions tests/ci/cdk/README.md
Expand Up @@ -134,6 +134,21 @@ Use these commands if you wish to deploy individual stacks instead of the entire

1. Ensure you are in `aws-lc/tests/ci/cdk`
2. Export the relevant environment variables:

If you wish deploy to your personal account:
```shell
# Ensure AWS Credentials are configured for your account and then execute
eval "$(./run-cdk.sh --action clear-env)"
eval "$(./run-cdk.sh --deploy-account ${DEPLOY_ACCOUNT_ID} --github-repo-owner ${GITHUB_REPO_OWNER} --action setup-dev-env)"
```

If you wish to deploy to team account manually:
```shell
# Ensure the AWS credentials are configured for the pipeline account and then execute
eval "$(./run-cdk.sh --action clear-env)"
eval "$(./run-cdk.sh --action setup-prod-env)"
```

- `DEPLOY_ACCOUNT_ID` (required): AWS account you wish to deploy the CI stacks to
- `GITHUB_REPO_OWNER` (required): the GitHub repo targeted by this CI setup.

Expand All @@ -148,27 +163,39 @@ Use these commands if you wish to deploy individual stacks instead of the entire
```
Set EC2-VPC Elastic IPs = 20 (default is only 5)

4. Synthesize the Cloudformation Stacks
```shell
cdk synth
```

4. Choose 1 of the following command options:
- To set up AWS-LC CI, run command:
- List the stacks available for deployment
```shell
./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action deploy-ci --deploy-account ${DEPLOY_ACCOUNT_ID}
cdk list
```

- To update AWS-LC CI, run command:
- Example: To setup or update AWS-LC Docker Repositories:
```shell
./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action update-ci --deploy-account ${DEPLOY_ACCOUNT_ID}
# Replace Dev with Staging or Prod as neccessary
cdk deploy AwsLcCiPipeline/Dev-EcrRepositories/aws-lc-private-ecr-stack
```
- To create/update Linux Docker images, run command:

- Example: To set up or deploy AWS-LC CI stacks, run command:
```shell
./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action build-linux-img --deploy-account ${DEPLOY_ACCOUNT_ID}
# Replace Dev with Staging or Prod as neccessary
cdk deploy AwsLcCiPipeline/Dev-CiTests/aws-lc-ci-*
```

- To destroy AWS-LC CI resources created above, run command:
- Example: To setup or deploy AWS-LC GitHub Actions:
```shell
# Replace Dev with Staging or Prod as neccessary
cdk deploy AwsLcCiPipeline/Dev-GithubActions/*
```
- To destroy all CDK resources run command (NOTE: this command will destroy all resources (AWS CodeBuild and ECR).):
```shell
./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --action destroy-ci --deploy-account ${DEPLOY_ACCOUNT_ID}
# Replace Dev with Staging or Prod as neccessary
cdk destroy AwsLcCiPipeline/Dev-*
```
NOTE: this command will destroy all resources (AWS CodeBuild and ECR).

For help, run command:
```
24 changes: 0 additions & 24 deletions tests/ci/cdk/app.py
Expand Up @@ -11,13 +11,8 @@
from cdk.windows_docker_image_build_stack import WindowsDockerImageBuildStack
from cdk.ecr_stack import EcrStack
from util.metadata import (
LINUX_X86_ECR_REPO,
LINUX_AARCH_ECR_REPO,
WINDOWS_X86_ECR_REPO,
PIPELINE_ACCOUNT,
PIPELINE_REGION,
DEPLOY_ACCOUNT,
DEPLOY_REGION,
)

# Initialize app.
Expand All @@ -29,23 +24,4 @@
env=Environment(account=PIPELINE_ACCOUNT, region=PIPELINE_REGION),
)

if DEPLOY_ACCOUNT and DEPLOY_REGION:
# Initialize env.
env = Environment(account=DEPLOY_ACCOUNT, region=DEPLOY_REGION)

# Define AWS ECR stacks.
# ECR holds the docker images, which are pre-built to accelerate the code builds/tests of git pull requests.
EcrStack(app, "aws-lc-ecr-linux-x86", LINUX_X86_ECR_REPO, env=env)
EcrStack(app, "aws-lc-ecr-linux-aarch", LINUX_AARCH_ECR_REPO, env=env)
EcrStack(app, "aws-lc-ecr-windows-x86", WINDOWS_X86_ECR_REPO, env=env)

# Define CodeBuild Batch job for building Docker images.
LinuxDockerImageBatchBuildStack(app, "aws-lc-docker-image-build-linux", env=env)

# AWS CodeBuild cannot build Windows Docker images because DIND (Docker In Docker) is not supported on Windows.
# Windows Docker images are created by running commands in Windows EC2 instance.
WindowsDockerImageBuildStack(app, "aws-lc-docker-image-build-windows", env=env)

add_ci_stacks(app, env=env)

app.synth()
26 changes: 14 additions & 12 deletions tests/ci/cdk/cdk/aws_lc_github_actions_stack.py
Expand Up @@ -4,11 +4,10 @@

from aws_cdk import (
Duration,
Stack,
aws_codebuild as codebuild,
aws_iam as iam,
aws_s3_assets,
aws_logs as logs,
aws_ecr as ecr,
Environment,
)
from constructs import Construct
Expand All @@ -18,7 +17,7 @@
from util.iam_policies import (
code_build_publish_metrics_in_json,
)
from util.metadata import LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO
from util.metadata import AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO, LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, UBUNTU_ECR_REPO, WINDOWS_X86_ECR_REPO

class AwsLcGitHubActionsStack(AwsLcBaseCiStack):
"""Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners."""
Expand All @@ -32,6 +31,12 @@ def __init__(
) -> None:
super().__init__(scope, id, env=env, timeout=180, **kwargs)

# TODO: First 3 indices ordering is important for now as they are referenced directly for now.
repo_names = [LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO, UBUNTU_ECR_REPO,
AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO]
ecr_repos = [ecr.Repository.from_repository_name(self, x.replace('/', '-'), repository_name=x)
for x in repo_names]

# Define a IAM role for this stack.
metrics_policy = iam.PolicyDocument.from_json(
code_build_publish_metrics_in_json(env)
Expand All @@ -55,12 +60,7 @@ def __init__(
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
],
resources=[
"arn:aws:ecr:{}:{}:repository/{}"
.format(env.region, env.account, repo) for repo in [LINUX_X86_ECR_REPO,
LINUX_AARCH_ECR_REPO,
WINDOWS_X86_ECR_REPO]
],
resources=[x.repository_arn for x in ecr_repos],
),
],
)
Expand Down Expand Up @@ -105,16 +105,18 @@ def __init__(
environment_variables={
"AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=env.account),
"AWS_ECR_REPO_LINUX_X86": codebuild.BuildEnvironmentVariable(
value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, LINUX_X86_ECR_REPO)
value=ecr_repos[0].repository_uri
),
"AWS_ECR_REPO_LINUX_AARCH": codebuild.BuildEnvironmentVariable(
value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, LINUX_AARCH_ECR_REPO)
value=ecr_repos[1].repository_uri
),
"AWS_ECR_REPO_WINDOWS_X86": codebuild.BuildEnvironmentVariable(
value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, WINDOWS_X86_ECR_REPO)
value=ecr_repos[2].repository_uri
),
"ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(value=ecr_repos[0].registry_uri),
},
),
# TODO: We can do away with this if we use aws-actions/amazon-ecr-login@v2, just need to migrate
build_spec=codebuild.BuildSpec.from_object({
"version": 0.2,
"phases": {
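Review bot: The `ecr_repos` list introduced at the top of `__init__` is consumed by position (`ecr_repos[0]`, `[1]`, `[2]` in the environment-variables hunk), and the TODO on the line above it already admits the ordering is load-bearing; a reorder of `repo_names` would silently point `AWS_ECR_REPO_LINUX_X86` at the wrong repository. Keying the imported repositories by name removes that coupling and the TODO at the same cost. The policy hunk now grants the pull actions on all seven repositories while only three are exported to the build environment; that widening looks deliberate for the new Docker-image workflows but deserves a one-line comment on `resources=` saying so. `__init__` continues past the end of the last hunk.
```python
        # Key imported repositories by name so nothing depends on list order.
        ecr_repos = {
            name: ecr.Repository.from_repository_name(self, name.replace('/', '-'), repository_name=name)
            for name in [LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO, UBUNTU_ECR_REPO,
                         AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO]
        }
        # … unchanged: metrics_policy and the ecr:GetAuthorizationToken statement …
                        # Pull access covers every CI image repository, not only the three exported below.
                        resources=[repo.repository_arn for repo in ecr_repos.values()],
        # … unchanged: role, logging options, source and project definition up to environment_variables …
                    "AWS_ECR_REPO_LINUX_X86": codebuild.BuildEnvironmentVariable(
                        value=ecr_repos[LINUX_X86_ECR_REPO].repository_uri
                    ),
                    "AWS_ECR_REPO_LINUX_AARCH": codebuild.BuildEnvironmentVariable(
                        value=ecr_repos[LINUX_AARCH_ECR_REPO].repository_uri
                    ),
                    "AWS_ECR_REPO_WINDOWS_X86": codebuild.BuildEnvironmentVariable(
                        value=ecr_repos[WINDOWS_X86_ECR_REPO].repository_uri
                    ),
                    "ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(
                        value=ecr_repos[LINUX_X86_ECR_REPO].registry_uri
                    ),
```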
11 changes: 0 additions & 11 deletions tests/ci/cdk/cdk/aws_lc_github_ci_stack.py
Expand Up @@ -4,10 +4,8 @@

from aws_cdk import (
Duration,
Stack,
aws_codebuild as codebuild,
aws_iam as iam,
aws_s3_assets,
aws_logs as logs,
Environment,
)
Expand All @@ -20,17 +18,8 @@
code_build_publish_metrics_in_json,
code_build_cloudwatch_logs_policy_in_json,
)
from util.metadata import (
GITHUB_PUSH_CI_BRANCH_TARGETS,
GITHUB_REPO_OWNER,
GITHUB_REPO_NAME,
PRE_PROD_ACCOUNT,
STAGING_GITHUB_REPO_OWNER,
STAGING_GITHUB_REPO_NAME,
)
from util.build_spec_loader import BuildSpecLoader


class AwsLcGitHubCIStack(AwsLcBaseCiStack):
"""Define a stack used to batch execute AWS-LC tests in GitHub."""

Expand Down
126 changes: 126 additions & 0 deletions tests/ci/cdk/cdk/aws_lc_github_docker_actions_stack.py
@@ -0,0 +1,126 @@
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 OR ISC
import itertools
import typing

from aws_cdk import (
Duration,
aws_codebuild as codebuild,
aws_iam as iam,
aws_logs as logs,
aws_ecr as ecr,
Environment,
)
from constructs import Construct

from cdk.aws_lc_base_ci_stack import AwsLcBaseCiStack
from util.iam_policies import (
code_build_publish_metrics_in_json,
)
from util.metadata import UBUNTU_ECR_REPO, AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO

class AwsLcGitHubDockerActionsStack(AwsLcBaseCiStack):
"""Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners on Docker Images."""

def __init__(
self,
scope: Construct,
id: str,
env: typing.Union[Environment, typing.Dict[str, typing.Any]],
**kwargs
) -> None:
super().__init__(scope, id, env=env, timeout=180, **kwargs)

# Define a IAM role for this stack.
metrics_policy = iam.PolicyDocument.from_json(
code_build_publish_metrics_in_json(env)
)

repo_names = [UBUNTU_ECR_REPO, AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO]
ecr_repos = [ecr.Repository.from_repository_name(self, x.replace('/', '-'), repository_name=x)
for x in repo_names]

staging_repo = ecr.Repository(self, "aws-lc-ecr-staging",
image_tag_mutability=ecr.TagMutability.IMMUTABLE,
lifecycle_rules=[ecr.LifecycleRule(
max_image_age=Duration.days(7),
NP: In what situations would an image hit the 7-day maximum? Do we need 7 days?

It can probably be shortened if we want. It's mainly for historical uses or to be able to look at an image that was staged if we foresee doing more extensive image testing in the future and want to deep dive into one of the docker images that failed to get to the publishing step.

)])

ecr_repos.append(staging_repo)

inline_policies = {
"metrics_policy": metrics_policy,
"ecr": iam.PolicyDocument(
statements=[
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"ecr:GetAuthorizationToken",
],
resources=["*"],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
],
resources=[x for x in itertools.chain([
x.repository_arn for x in ecr_repos
], [ecr.Repository.from_repository_name(self, "quay-io", "quay.io/*").repository_arn])],
),
],
)
}
role = iam.Role(
scope=self,
id="{}-role".format(id),
assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
inline_policies=inline_policies,
)

logging_options = codebuild.LoggingOptions(
cloud_watch=codebuild.CloudWatchLoggingOptions(log_group=logs.LogGroup(
self, id="{}-logs".format(id)))
)

# Override base class provided configuration
self.git_hub_source = codebuild.Source.git_hub(
owner=self.github_repo_owner,
repo=self.github_repo_name,
webhook=True,
webhook_filters=[
codebuild.FilterGroup.in_event_of(
codebuild.EventAction.WORKFLOW_JOB_QUEUED
),
],
)

# Define CodeBuild.
project = codebuild.Project(
scope=self,
id=id,
project_name=id,
source=self.git_hub_source,
role=role,
timeout=Duration.minutes(self.timeout),
logging=logging_options,
environment=codebuild.BuildEnvironment(
compute_type=codebuild.ComputeType.SMALL,
privileged=True,
build_image=codebuild.LinuxBuildImage.STANDARD_7_0,
environment_variables={
"AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=env.account),
"ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(value=staging_repo.registry_uri),
"ECR_STAGING_REPO": codebuild.BuildEnvironmentVariable(value=staging_repo.repository_uri),
},
),
)

cfn_project = project.node.default_child
cfn_project.add_property_override("Triggers.PullRequestBuildPolicy", self.pull_request_policy)
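Review bot: The push-capable statement whose resources are built with `itertools.chain` appends `ecr.Repository.from_repository_name(self, "quay-io", "quay.io/*").repository_arn`, which — assuming the import does not validate the name — produces a resource ARN ending in `repository/quay.io/*`, a prefix wildcard that lets the runner role `ecr:PutImage`/`ecr:InitiateLayerUpload` into any current or future repository under that prefix rather than a fixed set. If the mirrored repositories are known, list them explicitly like the other four; if the prefix is intentional, say so next to it with a comment such as `# Prefix grant: runners push mirrored base images into any quay.io/<name> repository in this account`. The outer `[x for x in itertools.chain(...)]` is redundant and reuses `x` for the inner and outer loop variable; `resources=[r.repository_arn for r in ecr_repos] + [quay_mirror_arn]` reads the same. Separately, the same statement grants push to the four published repositories although the build only receives the staging repository's URI; if promotion happens in a different role, splitting this into a pull-only statement for the published repositories and a push statement for staging would keep the runner role closer to least privilege.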