
ci: add AMI building harness and supporting tools #624

Merged (2 commits, Jan 14, 2020)

Conversation

jahkeup (Member) commented Jan 3, 2020

note: this PR is based on builder-container's changes

Issue #, if available:

#515

Description of changes:

This adds a CI specific harness for creating AMIs from built disk images. To accomplish the task at hand, the script "create-ami-image" manages the use of build artifacts and kicks off the amiize process according to its build environment. "ensure-key-pair" validates and/or creates an EC2 key pair for its use during automated builds. This key may be rotated (by way of deletion) as needed with additional straightforward & well scoped permissions needed for the build task to manage its own key pair (aside from the overlapping EC2 permissions needed for amiizing):

  • ssm:PutParameter
  • ssm:GetParameter
  • ec2:ImportKey
  • ec2:DescribeKeyPairs
  • kms:Encrypt
  • kms:Decrypt

The KMS documentation page regarding SSM Parameter Store has much more outlined on restricting the usage of SSM's AWS-managed CMK to the SSM Parameters involved as well.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
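As an added illustration of the "validate and/or create" step the description outlines (this is not the PR's own ensure-key-pair script), the function below checks both halves of the key pair, creates them only when neither exists, and refuses to proceed when only one half is present, which is the state a rotation-by-deletion leaves behind if it is done partially. It assumes the aws CLI and ssh-keygen are on PATH, and that the key pair name and SSM parameter path are chosen by the caller.

```shell
#!/usr/bin/env bash
# Added example, not bottlerocket's code. Assumes an aws CLI with only the
# actions the PR lists (ssm:GetParameter/PutParameter, ec2:DescribeKeyPairs,
# ec2:ImportKeyPair, kms:Encrypt/Decrypt) and a SecureString parameter that
# holds the private key.

# Returns 0 if an EC2 key pair with this name exists in the account/region.
key_pair_exists() {
  aws ec2 describe-key-pairs --key-names "$1" >/dev/null 2>&1
}

# Returns 0 if the SSM parameter holding the private key exists (kms:Decrypt
# is exercised here because the parameter is a SecureString).
ssm_key_exists() {
  aws ssm get-parameter --name "$1" --with-decryption >/dev/null 2>&1
}

# Writes a fresh RSA key to $1 (private) and $1.pub (public).
generate_private_key() {
  ssh-keygen -q -t rsa -b 4096 -N '' -f "$1"
}

# ensure_key_pair KEY_NAME SSM_PARAM
# Exit status: 0 = key pair usable, 1 = creation failed, 2 = inconsistent state.
ensure_key_pair() {
  local name="$1" param="$2" ec2=0 ssm=0
  key_pair_exists "$name" && ec2=1
  ssm_key_exists "$param" && ssm=1
  if [ "$ec2" -eq 1 ] && [ "$ssm" -eq 1 ]; then
    return 0    # both halves present; nothing to do (idempotent)
  fi
  if [ "$ec2" -ne "$ssm" ]; then
    # Only one half exists (EC2 public key without stored private key, or the
    # reverse). Never overwrite silently: the operator must delete both to rotate.
    echo "inconsistent key state for $name: ec2=$ec2 ssm=$ssm; delete both to rotate" >&2
    return 2
  fi
  # Neither exists: create, import the public half (ec2:ImportKeyPair),
  # store the private half encrypted at rest (ssm:PutParameter + kms:Encrypt).
  local tmp
  tmp="$(mktemp -d)"
  generate_private_key "$tmp/key" || return 1
  aws ec2 import-key-pair --key-name "$name" \
    --public-key-material "fileb://$tmp/key.pub" >/dev/null || return 1
  aws ssm put-parameter --name "$param" --type SecureString \
    --value "file://$tmp/key" >/dev/null || return 1
  rm -rf "$tmp"
}
```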

Resolved review threads on bin/amiize.sh (2) and tools/infra/env/bin/create-image-ami (1)
@jahkeup jahkeup force-pushed the ami-build branch 3 times, most recently from c991b95 to 8d9c2b5 Compare January 6, 2020 20:26
@jahkeup jahkeup requested a review from zmrow January 6, 2020 20:29
jahkeup (Member, Author) commented Jan 6, 2020

Flipping to full PR - there may be relevant discussion in #616, where the file structure and common container concept are introduced.

@jahkeup jahkeup marked this pull request as ready for review January 6, 2020 20:31
@jahkeup jahkeup force-pushed the builder-container branch from 6523041 to 376ff46 Compare January 6, 2020 22:28
zmrow (Contributor) left a review:


A couple small things. Looks great!

Resolved review threads on tools/infra/container/runtime/bin/create-image-ami (2)
jahkeup (Member, Author) commented Jan 9, 2020

Updated with feedback, will force push again to rebase on the correct builder-container branch and then merge into a "feature branch" for containerized builds (because additional work is needed to sync up container use in several stacks and buildspecs).

@jahkeup jahkeup force-pushed the builder-container branch 2 times, most recently from 5b96f43 to 5a39288 Compare January 9, 2020 01:07
@jahkeup jahkeup changed the base branch from builder-container to ci-containers January 9, 2020 01:15
@zmrow zmrow requested a review from etungsten January 9, 2020 18:59
Commit signed off by Jacob Vallejo <[email protected]>
@jahkeup jahkeup force-pushed the ami-build branch 2 times, most recently from 2fd99f7 to e83a912 Compare January 14, 2020 23:25
@jahkeup jahkeup merged commit 2f27dfe into ci-containers Jan 14, 2020
@jahkeup jahkeup deleted the ami-build branch January 14, 2020 23:36