From a4e9d27db22ae2c6d993be12a78a02f3e9699c85 Mon Sep 17 00:00:00 2001
From: Narthana Epa
Date: Tue, 28 Nov 2023 12:48:29 +1100
Subject: [PATCH 1/5] Add ECR policies that support pull through cache transparency
---
 templates/aws-stack.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
index 6b0dd4329..1ee46ecc0 100644
--- a/templates/aws-stack.yml
+++ b/templates/aws-stack.yml
@@ -429,11 +429,13 @@ Parameters: ECRAccessPolicy: Type: String - Description: ECR access policy to give container instances + Description: ECR access policy to give instances. The +pullthrough variants add `ecr:BatchImportUpstreamImage` which allows ECR pull through cache to work transparently. AllowedValues: - none - readonly + - readonly+pullthrough - poweruser + - poweruser+pullthrough - full Default: "none"
@@ -640,6 +642,11 @@ Conditions: UseECR: !Not [ !Equals [ !Ref ECRAccessPolicy, "none" ] ] + AddECRPullThrough: + !Or + - !Equals [ !Ref ECRAccessPolicy, "readonly+pullthrough" ] + - !Equals [ !Ref ECRAccessPolicy, "poweruser+pullthrough" ] + UseCustomerManagedParameterPath: !Not [ !Equals [ !Ref BuildkiteAgentTokenParameterStorePath, "" ] ] UseCustomerManagedKeyForParameterStore:
@@ -861,6 +868,16 @@ Resources: - !Ref 'AWS::NoValue' - !Ref 'AWS::NoValue' Policies: + - !If + - AddECRPullThrough + - PolicyName: ECRPullThrough + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - ecr:BatchImportUpstreamImage + - !Ref 'AWS::NoValue' - !If - UseCustomerManagedKeyForParameterStore - PolicyName: DecryptAgentToken
From 0ba7c09f55d61edb3115bee6d008f4a655d340f7 Mon Sep 17 00:00:00 2001
From: Narthana Epa
Date: Thu, 7 Dec 2023 12:22:51 +1100
Subject: [PATCH 2/5] Update description of RootVolumneType to mention when to specify RootVolumeIops
---
 templates/aws-stack.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
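Review bot: The `ECRPullThrough` statement added in the Resources hunk has `Effect` and `Action` but no `Resource` (or `NotResource`); IAM requires one of the two in an identity-based policy, so this inline policy should be rejected as malformed when the role is created, and the same statement is extended in patch 3 and patch 5 without one being added. Rather than falling back to a wildcard, scope it to the repositories the pull-through cache rule writes into, e.g. `Resource: !Sub 'arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/<PULL_THROUGH_PREFIX>/*'`, where `<PULL_THROUGH_PREFIX>` is a placeholder for the cache rule's repository prefix and would best come from a new template parameter. `ecr:BatchImportUpstreamImage` is what lets the instance role materialise upstream images into this account's registry, so limiting where that can happen is worth the extra parameter. The enclosing `AWS::IAM::Role` and its `Policies` list begin outside the hunk.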
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
index 1ee46ecc0..fc641c299 100644
--- a/templates/aws-stack.yml
+++ b/templates/aws-stack.yml
@@ -369,7 +369,7 @@ Parameters: Default: "" RootVolumeType: - Description: Type of root volume to use + Description: Type of root volume to use. If you are specifying `io1` or `io2`, you will most likely want to specify `RootVolumeIOPS` as well. Type: String Default: "gp3"
From cc346a5132bbef08da5941031db5467d9fd370a0 Mon Sep 17 00:00:00 2001
From: Narthana Epa
Date: Thu, 7 Dec 2023 15:40:33 +1100
Subject: [PATCH 3/5] Add `ecr:CreateRepository`
This is needed for create the repository for the image in the pull-through cache. While there is a risk that users could create repositories in non-pull-through caches, they won't necessarily be able to upload any layers to that repository.
---
 templates/aws-stack.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
index fc641c299..16c3888a7 100644
--- a/templates/aws-stack.yml
+++ b/templates/aws-stack.yml
@@ -429,7 +429,7 @@ Parameters: ECRAccessPolicy: Type: String - Description: ECR access policy to give instances. The +pullthrough variants add `ecr:BatchImportUpstreamImage` which allows ECR pull through cache to work transparently. + Description: ECR access policy to give instances. The `+pullthrough` variants add `ecr:CreateRepository` and `ecr:BatchImportUpstreamImage` which allows ECR pull through cache to work transparently. AllowedValues: - none - readonly
@@ -876,6 +876,7 @@ Resources: Statement: - Effect: Allow Action: + - ecr:CreateRepository - ecr:BatchImportUpstreamImage - !Ref 'AWS::NoValue' - !If
From f05a53af5c32fd64a5476b9da9586bf31e207369 Mon Sep 17 00:00:00 2001
From: Narthana Epa
Date: Thu, 7 Dec 2023 17:04:05 +1100
Subject: [PATCH 4/5] Add missing maps
---
 templates/aws-stack.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
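Review bot: The new `RootVolumeType` description tells users to set `RootVolumeIOPS`, while the commit subject calls that parameter `RootVolumeIops`; CloudFormation parameter names are case-sensitive and this text is what operators will copy into their parameter files, so the spelling must match the parameter's actual logical ID. That definition is outside the hunk and I cannot confirm which casing is right from here; if the subject is correct, the reference in the added `Description:` line should become `RootVolumeIops`. The rest of the `RootVolumeType` parameter continues outside the hunk.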
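Review bot: Adding `ecr:CreateRepository` to the `ECRPullThrough` statement in the Resources hunk lets every agent instance create repositories anywhere in the account's registry, a risk the commit message accepts on the grounds that a stray repository could not be pushed to; that reasoning does not hold for the `poweruser+pullthrough` variant, whose attached `AmazonEC2ContainerRegistryPowerUser` managed policy already grants image push. The standard mitigation is to constrain the statement to the cache's repository prefix, since both actions here act on the repository resource type: `Resource: !Sub 'arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/<PULL_THROUGH_PREFIX>/*'`, with `<PULL_THROUGH_PREFIX>` a placeholder for the pull-through cache rule's prefix (ideally a template parameter). With that in place repositories can only be created beneath the cache prefix, which is the behaviour the commit message describes as intended. The statement's `Effect`/`Action` header and the enclosing policy document begin outside the hunk.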
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
index 16c3888a7..bef3a878a 100644
--- a/templates/aws-stack.yml
+++ b/templates/aws-stack.yml
@@ -718,10 +718,12 @@ Conditions: Mappings: ECRManagedPolicy: - none : { Policy: '' } - readonly : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' } - poweruser : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser' } - full : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess' } + none : { Policy: '' } + readonly : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' } + readonly+pullthrough : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' } + poweruser : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser' } + poweruser+pullthrough : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser' } + full : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess' } # Generated from Makefile via build/mappings.yml AWSRegion2AMI: { linuxamd64: !Ref ImageId, linuxarm64: !Ref ImageId, windows: !Ref ImageId }
From 68d92cc1f537048855a9cadc0a60d01a695ef28f Mon Sep 17 00:00:00 2001
From: Narthana Epa
Date: Thu, 7 Dec 2023 17:09:46 +1100
Subject: [PATCH 5/5] s/+pullthrough/-pullthrough/g
+ is not a valid character in a mapping name for CloudFormation, even though it is for YAML.
---
 templates/aws-stack.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
index bef3a878a..67ce6dc79 100644
--- a/templates/aws-stack.yml
+++ b/templates/aws-stack.yml
@@ -429,13 +429,13 @@ Parameters: ECRAccessPolicy: Type: String - Description: ECR access policy to give instances. The `+pullthrough` variants add `ecr:CreateRepository` and `ecr:BatchImportUpstreamImage` which allows ECR pull through cache to work transparently. + Description: ECR access policy to give instances. The `-pullthrough` variants add `ecr:CreateRepository` and `ecr:BatchImportUpstreamImage` which allows ECR pull through cache to work transparently. AllowedValues: - none - readonly - - readonly+pullthrough + - readonly-pullthrough - poweruser - - poweruser+pullthrough + - poweruser-pullthrough - full Default: "none"
@@ -644,8 +644,8 @@ Conditions: AddECRPullThrough: !Or - - !Equals [ !Ref ECRAccessPolicy, "readonly+pullthrough" ] - - !Equals [ !Ref ECRAccessPolicy, "poweruser+pullthrough" ] + - !Equals [ !Ref ECRAccessPolicy, "readonly-pullthrough" ] + - !Equals [ !Ref ECRAccessPolicy, "poweruser-pullthrough" ] UseCustomerManagedParameterPath: !Not [ !Equals [ !Ref BuildkiteAgentTokenParameterStorePath, "" ] ]
@@ -720,9 +720,9 @@ Mappings: ECRManagedPolicy: none : { Policy: '' } readonly : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' } - readonly+pullthrough : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' } + readonly-pullthrough : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' } poweruser : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser' } - poweruser+pullthrough : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser' } + poweruser-pullthrough : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser' } full : { Policy: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess' } # Generated from Makefile via build/mappings.yml