From e558a8ef114b5efb674a45626389223658befa87 Mon Sep 17 00:00:00 2001
From: Thomas Roos
Date: Tue, 23 Jan 2024 10:04:04 +0100
Subject: [PATCH] add parameters to embedded-linux-pipeline: accessLoggingBucket, artifactBucket, outputBucket

---
 lib/build-image-pipeline.ts | 53 ++++++++----
 lib/embedded-linux-pipeline.ts | 82 ++++++++++++-------
 source-repo/kas/build.buildspec.yml | 1 +
 source-repo/meta-aws-demo/build.buildspec.yml | 1 +
 source-repo/nxp-imx/build.buildspec.yml | 1 +
 source-repo/poky-ami/build.buildspec.yml | 1 +
 source-repo/poky/build.buildspec.yml | 1 +
 source-repo/renesas/build.buildspec.yml | 1 +
 8 files changed, 94 insertions(+), 47 deletions(-)

diff --git a/lib/build-image-pipeline.ts b/lib/build-image-pipeline.ts
index b6cf6de..11a6c73 100644
--- a/lib/build-image-pipeline.ts
+++ b/lib/build-image-pipeline.ts
@@ -29,6 +29,10 @@ export interface BuildImagePipelineProps extends cdk.StackProps {
 readonly dataBucket: s3.IBucket;
 /** The ECR Repository to push to. */
 readonly repository: IRepository;
+ /** Access logging bucket to use */
+ accessLoggingBucket?: s3.Bucket;
+ /** Artifact bucket to use */
+ artifactBucket?: s3.Bucket;
 }
 
 /**
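Review bot: The two new props `accessLoggingBucket?: s3.Bucket` and `artifactBucket?: s3.Bucket` drop the `readonly` that every sibling in this interface (`readonly dataBucket`, `readonly repository`) and the matching props added to `EmbeddedLinuxPipelineProps` carry, and they are typed as the concrete `s3.Bucket` even though the constructor stores them in `s3.IBucket` locals, so an imported bucket (`s3.Bucket.fromBucketName`) cannot be passed. Suggest `readonly accessLoggingBucket?: s3.IBucket;` and `readonly artifactBucket?: s3.IBucket;`. The doc comments should also state what a caller gives up: a supplied artifact bucket is used as-is and the KMS encryption, `BLOCK_ALL` public-access block, `enforceSSL`, versioning and server access logging applied to the stack-created bucket are not checked on it, e.g. `/** Artifact bucket to use instead of the stack-managed one; the caller is responsible for encryption, public-access block, SSL enforcement, versioning and access logging. */`.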
@@ -98,24 +102,37 @@ export class BuildImagePipelineStack extends cdk.Stack {
 input: sourceOutput,
 });
 
- const accessLoggingBucket = new s3.Bucket(this, 'ArtifactAccessLogging', {
- versioned: true,
- enforceSSL: true,
- });
- const encryptionKey = new kms.Key(this, 'PipelineArtifactKey', {
- removalPolicy: RemovalPolicy.DESTROY,
- enableKeyRotation: true,
- });
- const artifactBucket = new s3.Bucket(this, 'PipelineArtifacts', {
- versioned: true,
- enforceSSL: true,
- serverAccessLogsBucket: accessLoggingBucket,
- encryptionKey,
- encryption: s3.BucketEncryption.KMS,
- blockPublicAccess: new s3.BlockPublicAccess(
- s3.BlockPublicAccess.BLOCK_ALL
- ),
- });
+ let accessLoggingBucket: s3.IBucket;
+
+ if (props.accessLoggingBucket){
+ accessLoggingBucket = props.accessLoggingBucket;
+ } else {
+ accessLoggingBucket = new s3.Bucket(this, 'ArtifactAccessLogging', {
+ versioned: true,
+ enforceSSL: true,
+ });
+ }
+
+ let artifactBucket: s3.IBucket;
+
+ if (props.artifactBucket){
+ artifactBucket = props.artifactBucket;
+ } else {
+ const encryptionKey = new kms.Key(this, 'PipelineArtifactKey', {
+ removalPolicy: RemovalPolicy.DESTROY,
+ enableKeyRotation: true,
+ });
+ artifactBucket = new s3.Bucket(this, 'PipelineArtifacts', {
+ versioned: true,
+ enforceSSL: true,
+ serverAccessLogsBucket: accessLoggingBucket,
+ encryptionKey,
+ encryption: s3.BucketEncryption.KMS,
+ blockPublicAccess: new s3.BlockPublicAccess(
+ s3.BlockPublicAccess.BLOCK_ALL
+ ),
+ });
+ }
 
 const pipeline = new codepipeline.Pipeline(this, 'BuildImagePipeline', {
 artifactBucket,
diff --git a/lib/embedded-linux-pipeline.ts b/lib/embedded-linux-pipeline.ts
index e01f932..a80b2e4 100644
--- a/lib/embedded-linux-pipeline.ts
+++ b/lib/embedded-linux-pipeline.ts
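Review bot: When `props.artifactBucket` is supplied, the whole hardened default (`PipelineArtifactKey` with rotation, `encryption: s3.BucketEncryption.KMS`, `BLOCK_ALL`, `enforceSSL`, `versioned`, `serverAccessLogsBucket`) is skipped and nothing checks the caller's bucket, so the pipeline artifact store can end up on an unencrypted or publicly readable bucket without any signal; the prop needs that caveat documented, and a synth-time `cdk.Annotations.of(this).addWarning(...)` when it is used would make the trade-off visible. In that same case the `ArtifactAccessLogging` bucket is still created (or a supplied `props.accessLoggingBucket` still accepted) even though, within this hunk, it is only referenced from the default artifact bucket, so a caller passing `artifactBucket` alone gets an orphan logging bucket and one passing both sees `accessLoggingBucket` silently ignored — unless it is consumed later in the constructor, which continues past the hunk. A guard such as `if (props.artifactBucket && props.accessLoggingBucket) cdk.Annotations.of(this).addWarning('accessLoggingBucket is ignored when artifactBucket is supplied');` would surface that. Style: `if (props.accessLoggingBucket){` and `if (props.artifactBucket){` omit the space before `{` that the sibling stack's `if (props.projectKind && ...) {` uses.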
@@ -50,7 +50,13 @@ export interface EmbeddedLinuxPipelineProps extends cdk.StackProps {
 readonly layerRepoName?: string;
 /** Additional policy statements to add to the build project. */
 readonly buildPolicyAdditions?: iam.PolicyStatement[];
-}
+ /** Access logging bucket to use */
+ readonly accessLoggingBucket?: s3.Bucket;
+ /** Artifact bucket to use */
+ readonly artifactBucket?: s3.Bucket;
+ /** Output bucket to use */
+ readonly outputBucket?: s3.Bucket | VMImportBucket;
+ }
 
 /**
 * The stack for creating a build pipeline.
@@ -80,11 +86,16 @@ export class EmbeddedLinuxPipelineStack extends cdk.Stack {
 let outputBucket: s3.IBucket | VMImportBucket;
 let environmentVariables = {};
 let scriptAsset!: Asset;
+ let accessLoggingBucket: s3.IBucket;
 
- const accessLoggingBucket = new s3.Bucket(this, 'ArtifactAccessLogging', {
- versioned: true,
- enforceSSL: true,
- });
+ if (props.accessLoggingBucket){
+ accessLoggingBucket = props.accessLoggingBucket;
+ } else {
+ accessLoggingBucket = new s3.Bucket(this, 'ArtifactAccessLogging', {
+ versioned: true,
+ enforceSSL: true,
+ });
+ }
 
 if (props.projectKind && props.projectKind == ProjectKind.PokyAmi) {
 scriptAsset = new Asset(this, 'CreateAMIScript', {
@@ -99,14 +110,17 @@ export class EmbeddedLinuxPipelineStack extends cdk.Stack {
 enableKeyRotation: true,
 }
 );
-
- outputBucket = new VMImportBucket(this, 'PipelineOutput', {
- versioned: true,
- enforceSSL: true,
- encryptionKey: outputBucketEncryptionKey,
- encryptionKeyArn: outputBucketEncryptionKey.keyArn,
- serverAccessLogsBucket: accessLoggingBucket,
- });
+ if (props.outputBucket){
+ outputBucket = props.outputBucket;
+ } else {
+ outputBucket = new VMImportBucket(this, 'PipelineOutput', {
+ versioned: true,
+ enforceSSL: true,
+ encryptionKey: outputBucketEncryptionKey,
+ encryptionKeyArn: outputBucketEncryptionKey.keyArn,
+ serverAccessLogsBucket: accessLoggingBucket,
+ });
+ }
 environmentVariables = {
 IMPORT_BUCKET: {
 type: BuildEnvironmentVariableType.PLAINTEXT,
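Review bot: The interface's closing brace is replaced (`-}` / `+ }`), which in this view can only be a whitespace change, so the brace now sits indented instead of at column 0 like the one in `BuildImagePipelineProps`; leave the `}` line untouched. The new props are typed as the concrete `s3.Bucket` (and `s3.Bucket | VMImportBucket`) while the constructor stores them in `s3.IBucket` locals, so an imported bucket (`s3.Bucket.fromBucketAttributes`) is rejected by the type checker; `readonly accessLoggingBucket?: s3.IBucket;` and `readonly artifactBucket?: s3.IBucket;` are the looser, sufficient types. The `outputBucket` doc should say that for `ProjectKind.PokyAmi` the default is a `VMImportBucket` and that a replacement must be usable by the VM import, e.g. `/** Output bucket to use; for PokyAmi projects it replaces the default VMImportBucket and must be import-capable. */`.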
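Review bot: In the PokyAmi branch, `outputBucketEncryptionKey` (whose `new kms.Key(...)` begins above the hunk) is still created when `props.outputBucket` is supplied, leaving an unused customer-managed key in the stack, and nothing checks that the supplied bucket is a `VMImportBucket` or that the import role can use whatever key encrypts it — the default is wired to that key through `encryptionKey`/`encryptionKeyArn`, which suggests the import path depends on it. Moving the key declaration into the `else` branch removes the orphan, and a guard like `if (props.outputBucket && !(props.outputBucket instanceof VMImportBucket)) throw new Error('PokyAmi projects require a VMImportBucket as outputBucket');` (or a documented statement that the caller must grant the import role on their own key) closes the gap. The enclosing constructor continues outside the hunk.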
@@ -122,28 +136,38 @@ export class EmbeddedLinuxPipelineStack extends cdk.Stack {
 },
 };
 } else {
- outputBucket = new s3.Bucket(this, 'PipelineOutput', {
+ if (props.outputBucket){
+ outputBucket = props.outputBucket;
+ } else {
+ outputBucket = new s3.Bucket(this, 'PipelineOutput', {
+ versioned: true,
+ enforceSSL: true,
+ serverAccessLogsBucket: accessLoggingBucket,
+ });
+ }
+ }
+
+ let artifactBucket: s3.IBucket;
+
+ if (props.artifactBucket){
+ artifactBucket = props.artifactBucket;
+ } else {
+ const encryptionKey = new kms.Key(this, 'PipelineArtifactKey', {
+ removalPolicy: RemovalPolicy.DESTROY,
+ enableKeyRotation: true,
+ });
+ artifactBucket = new s3.Bucket(this, 'PipelineArtifacts', {
 versioned: true,
 enforceSSL: true,
 serverAccessLogsBucket: accessLoggingBucket,
+ encryptionKey,
+ encryption: s3.BucketEncryption.KMS,
+ blockPublicAccess: new s3.BlockPublicAccess(
+ s3.BlockPublicAccess.BLOCK_ALL
+ ),
 });
 }
 
- const encryptionKey = new kms.Key(this, 'PipelineArtifactKey', {
- removalPolicy: RemovalPolicy.DESTROY,
- enableKeyRotation: true,
- });
- const artifactBucket = new s3.Bucket(this, 'PipelineArtifacts', {
- versioned: true,
- enforceSSL: true,
- serverAccessLogsBucket: accessLoggingBucket,
- encryptionKey,
- encryption: s3.BucketEncryption.KMS,
- blockPublicAccess: new s3.BlockPublicAccess(
- s3.BlockPublicAccess.BLOCK_ALL
- ),
- });
-
 /** Create our CodePipeline Actions. */
 const sourceRepo = new SourceRepo(this, 'SourceRepo', {
 ...props,
diff --git a/source-repo/kas/build.buildspec.yml b/source-repo/kas/build.buildspec.yml
index d7d0513..d0b7a04 100644
--- a/source-repo/kas/build.buildspec.yml
+++ b/source-repo/kas/build.buildspec.yml
@@ -39,6 +39,7 @@ phases:
 
 artifacts:
 discard-paths: true
+ base-directory: kas/
 files:
 - $TMP_DIR/build/tmp/deploy/images/qemux86-64/aws-biga-image-qemux86-64*
 - $TMP_DIR/build/tmp/log/cve/cve-summary*
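Review bot: A caller-supplied `accessLoggingBucket` is silently unused when `outputBucket` and `artifactBucket` are both supplied as well, because in this hunk it is only ever referenced as `serverAccessLogsBucket` of the two stack-created buckets, and a supplied `artifactBucket` likewise skips the KMS key, `BLOCK_ALL`, `enforceSSL` and versioning applied to the default without any validation. A synth-time warning makes both visible: `if (props.artifactBucket && props.outputBucket && props.accessLoggingBucket) cdk.Annotations.of(this).addWarning('accessLoggingBucket is unused when outputBucket and artifactBucket are supplied');`. The `if (props.outputBucket) { outputBucket = props.outputBucket; } else { ... }` override now appears verbatim in both arms of the `projectKind` conditional (its first arm is above the hunk); a single check before the conditional would keep the two copies from drifting. The constructor continues below the hunk.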
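Review bot: `base-directory: kas/` changes how the `files` globs are resolved — CodeBuild resolves them relative to the base directory once it is set — so `$TMP_DIR/build/tmp/deploy/...` only matches if `$TMP_DIR` is a path relative to `kas/`; the variable's value is not visible here (the nxp-imx buildspec notes it is not even available for that BSP), so please confirm an artifact is still produced rather than an empty upload. A short comment above the new key recording the expected relationship between `$TMP_DIR` and `kas/` would help the next reader, since the commit subject does not mention the buildspec changes.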
diff --git a/source-repo/meta-aws-demo/build.buildspec.yml b/source-repo/meta-aws-demo/build.buildspec.yml
index 6ad5c62..5340a9b 100644
--- a/source-repo/meta-aws-demo/build.buildspec.yml
+++ b/source-repo/meta-aws-demo/build.buildspec.yml
@@ -46,6 +46,7 @@ phases:
 
 artifacts:
 discard-paths: true
+ base-directory: meta-aws-demo/
 files:
 - $TMP_DIR/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64*
 - $TMP_DIR/tmp/log/cve/cve-summary*
diff --git a/source-repo/nxp-imx/build.buildspec.yml b/source-repo/nxp-imx/build.buildspec.yml
index 03b2003..0c57010 100644
--- a/source-repo/nxp-imx/build.buildspec.yml
+++ b/source-repo/nxp-imx/build.buildspec.yml
@@ -52,6 +52,7 @@ phases:
 
 artifacts:
 discard-paths: true
+ base-directory: nxp-imx/
 files:
 # $TMP_DIR is not supported by imx bsp / distro
 - build/tmp/deploy/images/imx93evk/*
diff --git a/source-repo/poky-ami/build.buildspec.yml b/source-repo/poky-ami/build.buildspec.yml
index ee3946e..a8c1e42 100644
--- a/source-repo/poky-ami/build.buildspec.yml
+++ b/source-repo/poky-ami/build.buildspec.yml
@@ -65,6 +65,7 @@ phases:
 - find /downloads -atime +30 -type d -empty -delete
 artifacts:
 discard-paths: true
+ base-directory: poky-ami/
 files:
 - $TMP_DIR/tmp/deploy/images/aws-ec2-arm64/core-image-minimal*
 - $TMP_DIR/tmp/log/cve/cve-summary*
diff --git a/source-repo/poky/build.buildspec.yml b/source-repo/poky/build.buildspec.yml
index fe6a682..fec24d2 100644
--- a/source-repo/poky/build.buildspec.yml
+++ b/source-repo/poky/build.buildspec.yml
@@ -46,6 +46,7 @@ phases:
 
 artifacts:
 discard-paths: true
+ base-directory: poky/
 files:
 - $TMP_DIR/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64*
 - $TMP_DIR/tmp/log/cve/cve-summary*
diff --git a/source-repo/renesas/build.buildspec.yml b/source-repo/renesas/build.buildspec.yml
index 225d1ee..aa0ef30 100644
--- a/source-repo/renesas/build.buildspec.yml
+++ b/source-repo/renesas/build.buildspec.yml
@@ -41,5 +41,6 @@ phases:
 
 artifacts:
 discard-paths: true
+ base-directory: renesas/
 files:
 - h3ulcb/build/tmp/deploy/images/h3ulcb/*