xref: /aosp_15_r20/external/aws-sdk-java-v2/buildspecs/resources/ci.cloudformation.yml (revision 8a52c7834d808308836a99fc2a6e0ed8db339086)
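# Stack inputs.
# GitHubOrg and GitHubRepositoryName are interpolated into the StringLike
# pattern of the role's trust policy, so they are restricted to literal name
# characters: a "*" or "?" in either value would widen the set of repositories
# allowed to assume the role.
Parameters:
  GitHubOrg:
    Type: String
    Default: "aws"
    Description: The GitHub organization to use for the repository.
    AllowedPattern: "^[A-Za-z0-9-]+$"
    ConstraintDescription: Must be a literal GitHub organization name (letters, digits and hyphens; no wildcards).
  GitHubRepositoryName:
    Type: String
    Default: "aws-sdk-java-v2"
    Description: The name of the GitHub repository to create the role template in and to use for the CodeBuild.
    AllowedPattern: "^[A-Za-z0-9._-]+$"
    ConstraintDescription: Must be a literal GitHub repository name (letters, digits, ".", "_" and "-"; no wildcards).
  OIDCProviderArn:
    # Empty (the default) makes the stack create its own GitHub OIDC provider;
    # a non-empty value is used as the federated principal instead.
    Type: String
    Default: ""
    Description: Arn for the GitHub OIDC Provider.
  OidcRoleRoleName:
    Type: String
    Default: "aws-sdk-for-java-v2-ci-role"
    Description: Name of the role to use for the OIDC provider.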
# CreateOIDCProvider is true when no existing provider ARN was passed in, in
# which case the stack creates the GitHub OIDC provider itself.
Conditions:
  CreateOIDCProvider: !Equals [!Ref OIDCProviderArn, ""]
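Resources:
  # IAM role assumed by GitHub Actions workflows through OIDC federation
  # (sts:AssumeRoleWithWebIdentity); no long-lived AWS keys are involved.
  OidcRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref OidcRoleRoleName
      AssumeRolePolicyDocument:
        # State the policy language version explicitly instead of relying on
        # the older default that applies when Version is omitted.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              # Provider created by this stack, unless an existing provider
              # ARN was supplied through OIDCProviderArn.
              Federated: !If
                - CreateOIDCProvider
                - !Ref GithubOidc
                - !Ref OIDCProviderArn
            Condition:
              # Pin the token audience as well as the subject. The provider
              # created below only lists sts.amazonaws.com, but a provider
              # passed in via OIDCProviderArn may accept further audiences.
              StringEquals:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
              # NOTE(review): the trailing "*" accepts a token issued for any
              # ref, pull request or environment of this repository. If only
              # specific branches or environments should start builds, narrow
              # the pattern accordingly.
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${GitHubRepositoryName}:*
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-OIDC-Policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Start builds and read their status, for an explicit list of
              # CodeBuild projects only (no wildcard resources).
              # StartBuild accepts per-build overrides, so the effective reach
              # of this role includes whatever the listed projects' service
              # roles can do; review those roles together with the trust
              # condition above.
              # NOTE(review): the JDK21 entry is spelled "aws-java-sdk-v2-JDK21"
              # while every other project is "aws-sdk-java-v2-*"; confirm it
              # matches the real project name, otherwise the grant matches
              # nothing.
              - Effect: Allow
                Action:
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuilds
                Resource:
                  - !Sub arn:aws:codebuild:${ AWS::Region }:${ AWS::AccountId }:project/aws-sdk-java-v2
                  - !Sub arn:aws:codebuild:${ AWS::Region }:${ AWS::AccountId }:project/aws-sdk-java-v2-JDK11
                  - !Sub arn:aws:codebuild:${ AWS::Region }:${ AWS::AccountId }:project/aws-sdk-java-v2-JDK17
                  - !Sub arn:aws:codebuild:${ AWS::Region }:${ AWS::AccountId }:project/aws-java-sdk-v2-JDK21
                  - !Sub arn:aws:codebuild:${ AWS::Region }:${ AWS::AccountId }:project/aws-sdk-java-v2-JDK8-windows
                  - !Sub arn:aws:codebuild:${ AWS::Region }:${ AWS::AccountId }:project/aws-sdk-java-v2-native-image-test
                  - !Sub arn:aws:codebuild:${ AWS::Region }:${ AWS::AccountId }:project/aws-sdk-java-v2-sonar
                  - !Sub arn:aws:codebuild:${ AWS::Region }:${ AWS::AccountId }:project/aws-sdk-java-v2-endpoints-test
              # Read-only access to the log events of the same projects' log
              # groups. Build logs can contain sensitive output, so keep this
              # list aligned with the project list above.
              - Effect: Allow
                Action:
                  - logs:GetLogEvents
                Resource:
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-JDK11:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-JDK17:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-java-sdk-v2-JDK21:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-JDK8-windows:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-native-image-test:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-sonar:*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/aws-sdk-java-v2-endpoints-test:*

  # GitHub Actions OIDC identity provider; created only when no existing
  # provider ARN was supplied (see the CreateOIDCProvider condition).
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      # Audience values this provider accepts in incoming tokens.
      ClientIdList:
        - sts.amazonaws.com
      # NOTE(review): a single pinned certificate thumbprint has to be kept
      # current with the issuer's certificate chain wherever IAM validates
      # against it; confirm against current AWS guidance for this issuer.
      ThumbprintList:
        - 6938fd4d98bab03faadb97b34396831e3780aea1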
# Stack output: the ARN of the OidcRole resource.
Outputs:
  OidcRole:
    Value:
      Fn::GetAtt: [OidcRole, Arn]