
Commit 7cfe049

authored
chore(cfn): Sonatype Migration to User Tokens; updated policies for CI project (#2043)
1 parent a479aa8 commit 7cfe049


2 files changed

+9
-13
lines changed


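--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
@@ -137,10 +137,9 @@ Resources:
 ManagedPolicyArns:
 - !Ref CryptoToolsKMS
 - !Ref CodeBuildBatchPolicy
-- !Ref CodeBuildBasePolicy
+- !Ref CodeBuildBasePolicyCI
 - !Ref SecretsManagerPolicyCI
 - !Ref ParameterStorePolicy
-- !Ref CodeBuildBasePolicyCI
 - !Ref CodeBuildCISTSAllow
 - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
 - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
@@ -194,9 +193,7 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
-"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release",
-"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-CI",
-"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-CI"
 ],
 "Action": [
 "codebuild:StartBuild",
@@ -221,7 +218,7 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
-"arn:aws:codebuild:us-west-2:${AWS::AccountId}:project/AWS-ESDK-Java-Release"
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release"
 ],
 "Action": [
 "codebuild:StartBuild",
@@ -244,8 +241,6 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
-"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
-"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI",
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI:*",
 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release",
@@ -305,7 +300,8 @@ Resources:
 "Action": [
 "logs:CreateLogGroup",
 "logs:CreateLogStream",
-"logs:PutLogEvents"
+"logs:PutLogEvents",
+"logs:GetLogEvents"
 ]
 },
 {
@@ -331,7 +327,7 @@ Resources:
 "codebuild:BatchPutCodeCoverages"
 ],
 "Resource": [
-"arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/AWS-ESDK-Java-CI-*"
+"arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/${ProjectName}-CI-*"
 ]
 }
 ]
@@ -379,7 +375,7 @@ Resources:
 "Resource": [
 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS",
-"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-User-Token-zK61bM",
 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
 ],
 "Action": "secretsmanager:GetSecretValue"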
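Review bot: The report-group resource in the `@@ -331,7 +327,7 @@` hunk still hard-codes `us-west-2` while the same commit switches the `-Release` project ARN in the `@@ -221,7 +218,7 @@` hunk to `${AWS::Region}`; since a CodeBuild report group lives in the same region as its project, the statement silently stops matching if this stack is ever deployed outside us-west-2. The consistent form is `"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-CI-*"`. The secret ARNs in the last hunk may legitimately stay region-pinned if the secrets only exist in us-west-2, but that is worth a one-line comment. Separately, the statement that gains `logs:GetLogEvents` in the `@@ -305,7 +300,8 @@` hunk has its `Resource` list outside the hunk; please confirm it is restricted to the `-CI` log groups, since read access to build output is broader than the write-only permission the statement previously granted.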

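--- a/codebuild/release/release-prod.yml
+++ b/codebuild/release/release-prod.yml
@@ -9,8 +9,8 @@ env:
 secrets-manager:
 GPG_KEY: Maven-GPG-Keys-Release-Credentials:Keyname
 GPG_PASS: Maven-GPG-Keys-Release-Credentials:Passphrase
-SONA_USERNAME: Sonatype-Team-Account:Username
-SONA_PASSWORD: Sonatype-Team-Account:Password
+SONA_USERNAME: Sonatype-User-Token:username
+SONA_PASSWORD: Sonatype-User-Token:password
 
 phases:
 install: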
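Review bot: The JSON key names after the colon change case from `Username`/`Password` to `username`/`password` in the two replaced `secrets-manager` lines, and that key lookup is case-sensitive, so the release build will fail at secret resolution if the new `Sonatype-User-Token` secret was created with the old capitalised keys. Worth a short comment above the two lines, e.g. `# keys must match the JSON stored in the Sonatype-User-Token secret (lowercase)`, so the next rotation keeps the secret and buildspec in step. The `env:` mapping continues beyond this hunk.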
