Added export of KMS signing key and option to provide a signing key id
wolfeidau committed Sep 10, 2024
1 parent e4cd1c7 commit e2b6872
Showing 1 changed file with 39 additions and 5 deletions.
44 changes: 39 additions & 5 deletions templates/aws-stack.yml
@@ -568,6 +568,11 @@ Parameters:
Description: Optional - Customise the EC2 instance Name tag
Default: ""

PipelineSigningKMSKeyId:
Type: String
Description: Optional - Identifier of the KMS key used to sign and verify pipelines (Created if left blank and PipelineSigningKMSKeySpec is selected)
Default: ""

PipelineSigningKMSKeySpec:
Type: String
Description: The key spec for the KMS key used to sign and verify pipelines
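Review bot: PipelineSigningKMSKeyId has no AllowedPattern, yet the value is later interpolated into `arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKeyId}` in the agent role policy, so an alias (`alias/pipeline-signing`) or a full key ARN, both of which kms:Sign itself accepts, would yield an unusable Resource ARN and a role that cannot sign. Either constrain the parameter to a bare key ID (for example `AllowedPattern: '^$|^[0-9a-f-]{36}$'`) or state in the Description that a key ID, not an alias or ARN, is expected.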
@@ -590,6 +595,17 @@ Rules:
- !Ref BuildkiteAgentTokenParameterStorePath
- ""
AssertDescription: "You must provide BuildkiteAgentToken or BuildkiteAgentTokenParameterStorePath"
HasPipelineSigningKMSKey:
Assertions:
- Assert:
!Or
- !Equals
- !Ref PipelineSigningKMSKeyId
- ""
- !Equals
- !Ref PipelineSigningKMSKeySpec
- "none"
AssertDescription: "You must provide either provide a PipelineSigningKMSKeyId or select a PipelineSigningKMSKeySpec but not both"

Outputs:
VpcId:
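Review bot: the AssertDescription reads "either provide provide", a duplicated word; suggest "You must provide a PipelineSigningKMSKeyId or select a PipelineSigningKMSKeySpec, but not both". The rule is also named HasPipelineSigningKMSKey, the same name the Conditions section uses for "a key is configured, created or supplied", while the rule asserts "not both"; Rules and Conditions are separate namespaces so the template validates, but a distinct name such as PipelineSigningKMSKeyIdOrSpec would avoid the confusion.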
@@ -610,6 +626,12 @@ Outputs:
Export:
Name: !Sub '${AWS::StackName}-ManagedSecretsLoggingBucket'

PipelineSigningKMSKey:
Value:
!If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, "none" ]
Export:
Name: !Sub '${AWS::StackName}-PipelineSigningKMSKey'

AutoScalingGroupName:
Value: !Ref AgentAutoScaleGroup
Export:
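Review bot: the exported PipelineSigningKMSKey value falls back to "none" whenever the stack did not create the key, which now includes the case where the operator supplied PipelineSigningKMSKeyId; the agent user data in this same change passes `!Ref PipelineSigningKMSKeyId` in that case, so the export and the running agents disagree about which key is in use. Suggest nesting the choice: `!If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !If [ UsePipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId, "none" ] ]`. Note also that the exported value is a key ID rather than an ARN, so a consuming stack that needs the ARN has to build it.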
@@ -694,8 +716,16 @@ Conditions:
UseCostAllocationTags:
!Equals [ !Ref EnableCostAllocationTags, "true" ]

UsePipelineSigningKMSKey:
!Not [ !Equals [ !Ref PipelineSigningKMSKeyId, "" ] ]

CreatePipelineSigningKMSKey:
!Not [ !Equals [ !Ref PipelineSigningKMSKeySpec, "none" ] ]
!And
- !Equals [ !Ref PipelineSigningKMSKeyId, "" ]
- !Not [ !Equals [ !Ref PipelineSigningKMSKeySpec, "none" ] ]

HasPipelineSigningKMSKey:
!Or [ !Condition CreatePipelineSigningKMSKey, !Condition UsePipelineSigningKMSKey ]

HasKeyName:
!Not [ !Equals [ !Ref KeyName, "" ] ]
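Review bot: CreatePipelineSigningKMSKey re-states `!Equals [ !Ref PipelineSigningKMSKeyId, "" ]` instead of reusing the UsePipelineSigningKMSKey condition defined just above it; `!And [ !Not [ !Condition UsePipelineSigningKMSKey ], !Not [ !Equals [ !Ref PipelineSigningKMSKeySpec, "none" ] ] ]` keeps the two conditions mutually exclusive by construction. A one-line comment next to the conditions saying that a supplied key ID always wins and suppresses key creation (the case the new rule rejects) would help the next reader.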
@@ -886,6 +916,7 @@ Resources:
PipelineSigningKMSKey:
Type: AWS::KMS::Key
Condition: CreatePipelineSigningKMSKey
DeletionPolicy: Retain
Properties:
Description: Key used to sign and verify pipelines
KeySpec: !Ref PipelineSigningKMSKeySpec
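Review bot: DeletionPolicy: Retain on its own only covers stack deletion; KeySpec is an immutable property of AWS::KMS::Key, so changing PipelineSigningKMSKeySpec replaces the key, and the old key is then governed by UpdateReplacePolicy, which is unset here (cfn-lint reports this as W3011), so pipelines signed with the old key would stop verifying once it is scheduled for deletion. Add `UpdateReplacePolicy: Retain` alongside the DeletionPolicy, and mention in the parameter description that a retained key keeps incurring charges and must be scheduled for deletion manually when no longer needed.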
@@ -926,7 +957,7 @@ Resources:
- !Ref 'AWS::NoValue'
Policies:
- !If
- CreatePipelineSigningKMSKey
- HasPipelineSigningKMSKey
- PolicyName: PipelineSigningKMSKeyAccess
PolicyDocument:
Version: '2012-10-17'
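Review bot: switching the policy condition to HasPipelineSigningKMSKey is right, but for the new externally supplied key case an identity policy on the agent role is not sufficient on its own: KMS only honours IAM policies when the key's own key policy delegates to them (typically the `kms:*` statement for the account root principal). The parameter description or README should state that the operator-provided key policy must allow this role kms:Sign, kms:Verify and kms:GetPublicKey, otherwise the agent receives AccessDenied even though this statement is attached.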
@@ -936,7 +967,10 @@ Resources:
- kms:GetPublicKey
- kms:Sign
- kms:Verify
Resource: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKey}
Resource: !If
- HasPipelineSigningKMSKey
- !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKeyId}
- !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKey}
- !Ref 'AWS::NoValue'
- !If
- UseCustomerManagedKeyForParameterStore
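Review bot: the inner `!If` tests HasPipelineSigningKMSKey, which is necessarily true inside a policy that only exists under HasPipelineSigningKMSKey, so the Resource is always `key/${PipelineSigningKMSKeyId}`; in the stack-created-key case that parameter is "" and the ARN ends in `key/`, which matches no key (or fails IAM validation), so the key the stack just created is never granted to the role. The inner condition should be UsePipelineSigningKMSKey (true branch the supplied ID, false branch `!Ref PipelineSigningKMSKey`), or equivalently CreatePipelineSigningKMSKey with the branches swapped. Using `!GetAtt PipelineSigningKMSKey.Arn` for the created key would also avoid hand-building the ARN.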
@@ -1284,7 +1318,7 @@ Resources:
LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ],
LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ],
AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ],
PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, "" ],
PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ],
}
- !Sub
- |
@@ -1348,7 +1382,7 @@ Resources:
LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ],
LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ],
AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ],
PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, "" ],
PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ],
}

AgentAutoScaleGroup:

0 comments on commit e2b6872