buildkite · wolfeidau · Sep 11, 2024 · Sep 6, 2024 · Sep 6, 2024 · Sep 6, 2024
@@ -291,6 +291,7 @@ disconnect-after-idle-timeout=${BUILDKITE_SCALE_IN_IDLE_PERIOD}
 disconnect-after-job=${BUILDKITE_TERMINATE_INSTANCE_AFTER_JOB}
 tracing-backend=${BUILDKITE_AGENT_TRACING_BACKEND}
 cancel-grace-period=${BUILDKITE_AGENT_CANCEL_GRACE_PERIOD}
+signing-aws-kms-key=${BUILDKITE_AGENT_SIGNING_KMS_KEY}
 EOF
 
 if [[ "${BUILDKITE_ENV_FILE_URL}" != "" ]]; then

@@ -147,6 +147,7 @@ shell=powershell
 disconnect-after-idle-timeout=${Env:BUILDKITE_SCALE_IN_IDLE_PERIOD}
 disconnect-after-job=${Env:BUILDKITE_TERMINATE_INSTANCE_AFTER_JOB}
 tracing-backend=${Env:BUILDKITE_AGENT_TRACING_BACKEND}
+signing-jwks-key-id=${Env:BUILDKITE_AGENT_SIGNING_KMS_KEY}
 "@
 $OFS=" "
 

@@ -568,6 +568,14 @@ Parameters:
     Description: Optional - Customise the EC2 instance Name tag
     Default: ""
 
+  PipelineSigningKMSKeySpec:
+    Type: String
+    Description: The key spec for the KMS key used to sign and verify pipelines
+    AllowedValues:
+      - "ECC_NIST_P256"
+      - "none"
+    Default: "none"
+
 Rules:
   HasToken:
     Assertions:
@@ -685,6 +693,9 @@ Conditions:
 
     UseCostAllocationTags:
       !Equals [ !Ref EnableCostAllocationTags, "true" ]
+
+    CreatePipelineSigningKMSKey:
+      !Not [ !Equals [ !Ref PipelineSigningKMSKeySpec, "none" ] ]
 
     HasKeyName:
       !Not [ !Equals [ !Ref KeyName, "" ] ]
@@ -871,6 +882,17 @@ Resources:
       Name: !Sub "/${AWS::StackName}/buildkite/agent-token"
       Type: String
       Value: !Ref BuildkiteAgentToken
+
+  PipelineSigningKMSKey:
+    Type: AWS::KMS::Key
+    Condition: CreatePipelineSigningKMSKey
+    Properties:
+      Description: Key used to sign and verify pipelines
+      KeySpec: !Ref PipelineSigningKMSKeySpec
+      KeyUsage: SIGN_VERIFY
+      Tags:
+        - Key: Name
+          Value: !Sub '${AWS::StackName}-PipelineSigningKey'
 
   # Allow ec2 instances to assume a role and be granted the IAMPolicies
   IAMInstanceProfile:
@@ -903,6 +925,19 @@ Resources:
                  - !Ref 'AWS::NoValue'
           - !Ref 'AWS::NoValue'
       Policies:
+        - !If
+          - CreatePipelineSigningKMSKey
+          - PolicyName: PipelineSigningKMSKeyAccess
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - kms:GetPublicKey
+                    - kms:Sign
+                    - kms:Verify
+                  Resource: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKey}
+          - !Ref 'AWS::NoValue'
         - !If
           - UseCustomerManagedKeyForParameterStore
           - PolicyName: DecryptAgentToken
@@ -1231,6 +1266,7 @@ Resources:
                   $Env:BUILDKITE_QUEUE="${BuildkiteQueue}"
                   $Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}"
                   $Env:BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT="${BootstrapScriptUrl}"
+                  $Env:BUILDKITE_AGENT_SIGNING_KMS_KEY="${PipelineSigningKMSKey}"
                   $Env:BUILDKITE_ENV_FILE_URL="${AgentEnvFileUrl}"
                   $Env:BUILDKITE_AUTHORIZED_USERS_URL="${AuthorizedUsersUrl}"
                   $Env:BUILDKITE_ECR_POLICY="${ECRAccessPolicy}"
@@ -1248,6 +1284,7 @@ Resources:
                     LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ],
                     LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ],
                     AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ],
+                    PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, "" ],
                   }
               - !Sub
                 - |
@@ -1288,6 +1325,7 @@ Resources:
                   BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}" \
                   BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \
                   BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \
+                  BUILDKITE_AGENT_SIGNING_KMS_KEY="${PipelineSigningKMSKey}" \
                   BUILDKITE_QUEUE="${BuildkiteQueue}" \
                   BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}" \
                   BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT="${BootstrapScriptUrl}" \
@@ -1310,6 +1348,7 @@ Resources:
                     LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ],
                     LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ],
                     AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ],
+                    PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, "" ],
                   }
 
   AgentAutoScaleGroup: