aws · bryce-shang · Mar 22, 2021 · Mar 1, 2021 · Mar 1, 2021 · Mar 2, 2021
diff --git a/tests/ci/cdk/README.md b/tests/ci/cdk/README.md
@@ -8,8 +8,11 @@ AWS-LC CI uses AWS CDK to define and deploy AWS resources (e.g. AWS CodeBuild, E
 
 * Install [AWS CDK](https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html#getting_started_install)
 * Install [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
-* [Connect GitHub and AWS account using access token](https://docs.aws.amazon.com/codebuild/latest/userguide/sample-access-tokens.html)
+* [Connect AWS CodeBuild with GitHub](https://docs.aws.amazon.com/codebuild/latest/userguide/sample-access-tokens.html)
   * Note: This step should grant AWS CodeBuild with access to create WebHook.
+* [Create GitHub Personal Access Token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token)
+  * Note: This token ONLY needs ['read:packages' permission](https://docs.github.com/en/packages/learn-github-packages/about-github-packages#authenticating-to-github-packages), and should be deleted from GitHub account after docker image build.
+  * This token is needed when pulling images from 'docker.pkg.github.com'.
 
 ### Minimal permissions:
 
@@ -46,34 +49,32 @@ To setup or update the CI in your account you will need the following IAM permis
   * ssm:Put*
   * ssm:Update*
   * ssm:List*
+* SecretsManager
+  * secretsmanager:CreateSecret
+  * secretsmanager:PutSecretValue
+  * secretsmanager:DeleteSecret
+  * secretsmanager:GetSecretValue
 
 ### Command
 
+To set up AWS-LC CI, run command:
 ```
-$ ./run-cdk.sh {aws-account-id} {region} {github-repo-owner} {github-repo-name} {ACTION}
+./run-cdk.sh --action deploy-ci --github-access-token 123456
 ```
 
-#### Examples
-
-To see the synthesized CloudFormation template, run command:
+To create/udpate Docker images, run command:
 ```
-./run-cdk.sh 123456789 us-west-2 GitHubUserName aws-lc SYNTH
+./run-cdk.sh --action build-img --github-access-token 123456
 ```
 
-To set up AWS-LC CI in AWS account `123456789` for the forked GitHub repository `https://github.com/GitHubUserName/aws-lc`, run command:
+To destroy AWS-LC CI resources created above, run command:
 ```
-./run-cdk.sh 123456789 us-west-2 GitHubUserName aws-lc DEPLOY
+./run-cdk.sh --action destroy-ci
 ```
 
-To destroy all AWS resources created above, run command:
+For help, run command:
 ```
-# This command does not delete S3 and ECR, which require manually deletion.
-./run-cdk.sh 123456789 us-west-2 GitHubUserName aws-lc DESTROY
-```
-
-To compare deployed stack with current state, run command:
-```
-./run-cdk.sh 123456789 us-west-2 GitHubUserName aws-lc DIFF
+./run-cdk.sh --help
 ```
 
 ## Files
@@ -171,6 +172,12 @@ command.
 #### Linux Docker image build
 
 ```bash
+# Create GitHub personal access token, which is needed when pulling Docker images from 'docker.pkg.github.com'.
+export AWS_LC_CI_SECRET_NAME='aws-lc-ci-external-credential'
+secret_arn=$(aws secretsmanager create-secret --name "${AWS_LC_CI_SECRET_NAME}" --secret-string "${GITHUB_ACCESS_TOKEN}" | jq -r '.ARN')
+# Export this variable so CDK can create related IAM policy on this ARN.
+export EXTERNAL_CREDENTIAL_SECRET_ARN="${secret_arn}"
+
 # Launch Linux Docker image CodeBuild resources.
 cdk deploy aws-lc-docker-image-build-linux --require-approval never
 
@@ -186,12 +193,12 @@ Below are some commands specific to windows docker image build.
 
 ```bash
 # Define environment variables needed by Windows docker image build.
-export AWS_LC_S3_BUCKET_PREFIX="aws-lc-windows-docker-image-build"
-export DATE_NOW="$(date +%Y-%m-%d-%H-%M)"
+DATE_NOW="$(date +%Y-%m-%d-%H-%M)"
+export AWS_LC_S3_BUCKET_PREFIX='aws-lc-windows-docker-image-build-s3'
 export S3_FOR_WIN_DOCKER_IMG_BUILD="${AWS_LC_S3_BUCKET_PREFIX}-${DATE_NOW}"
-export WIN_EC2_TAG_KEY="aws-lc"
+export WIN_EC2_TAG_KEY='aws-lc'
 export WIN_EC2_TAG_VALUE="aws-lc-windows-docker-image-build-${DATE_NOW}"
-export WIN_DOCKER_BUILD_SSM_DOCUMENT="windows-ssm-document-${DATE_NOW}"
+export WIN_DOCKER_BUILD_SSM_DOCUMENT="windows-ssm-document"
 
 # Clean up all Windows docker image build resources.
 cdk destroy aws-lc-docker-image-build-windows --force

diff --git a/tests/ci/cdk/cdk/linux_docker_image_batch_build_stack.py b/tests/ci/cdk/cdk/linux_docker_image_batch_build_stack.py
@@ -2,9 +2,11 @@
 # SPDX-License-Identifier: Apache-2.0
 
 from aws_cdk import core, aws_codebuild as codebuild, aws_iam as iam
+
 from util.metadata import AWS_ACCOUNT, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, GITHUB_SOURCE_VERSION, LINUX_AARCH_ECR_REPO, \
-    LINUX_X86_ECR_REPO
-from util.iam_policies import codebuild_batch_policy_in_json, ecr_power_user_policy_in_json
+    LINUX_X86_ECR_REPO, EXTERNAL_CREDENTIAL_SECRET_ARN
+from util.iam_policies import codebuild_batch_policy_in_json, ecr_power_user_policy_in_json, \
+    aws_secrets_manager_get_secret_policy_in_json
 from util.yml_loader import YmlLoader
 
 
@@ -26,6 +28,12 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
         ecr_power_user_policy = iam.PolicyDocument.from_json(ecr_power_user_policy_in_json())
         inline_policies = {"codebuild_batch_policy": codebuild_batch_policy,
                            "ecr_power_user_policy": ecr_power_user_policy}
+        # GitHub access token is only needed during CI setup.
+        # The token is used to pull Docker images hosted in 'docker.pkg.github.com'.
+        if EXTERNAL_CREDENTIAL_SECRET_ARN:
+            secrets_manager_get_secret_policy = iam.PolicyDocument.from_json(
+                aws_secrets_manager_get_secret_policy_in_json(EXTERNAL_CREDENTIAL_SECRET_ARN))
+            inline_policies["secrets_manager_get_secret_policy"] = secrets_manager_get_secret_policy
         role = iam.Role(scope=self,
                         id="{}-role".format(id),
                         assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
@@ -34,6 +42,20 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
         # Create build spec.
         build_spec_content = YmlLoader.load("./cdk/codebuild/linux_img_build_omnibus.yaml")
 
+        # Define environment variables.
+        environment_variables = {
+            "AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=AWS_ACCOUNT),
+            "AWS_ECR_REPO_X86": codebuild.BuildEnvironmentVariable(value=LINUX_X86_ECR_REPO),
+            "AWS_ECR_REPO_AARCH": codebuild.BuildEnvironmentVariable(value=LINUX_AARCH_ECR_REPO),
+            "GITHUB_REPO_OWNER": codebuild.BuildEnvironmentVariable(value=GITHUB_REPO_OWNER),
+        }
+        if EXTERNAL_CREDENTIAL_SECRET_ARN:
+            # See secrets-manager https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
+            github_access_token = "{}:GITHUB_PERSONAL_ACCESS_TOKEN".format(EXTERNAL_CREDENTIAL_SECRET_ARN)
+            environment_variables["GITHUB_READ_PKG_ACCESS_TOKEN"] = codebuild.BuildEnvironmentVariable(
+                value=github_access_token,
+                type=codebuild.BuildEnvironmentVariableType.SECRETS_MANAGER)
+
         # Define CodeBuild project.
         project = codebuild.Project(
             scope=self,
@@ -44,11 +66,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
                 compute_type=codebuild.ComputeType.SMALL,
                 privileged=False,
                 build_image=codebuild.LinuxBuildImage.STANDARD_4_0),
-            environment_variables={
-                "AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=AWS_ACCOUNT),
-                "AWS_ECR_REPO_X86": codebuild.BuildEnvironmentVariable(value=LINUX_X86_ECR_REPO),
-                "AWS_ECR_REPO_AARCH": codebuild.BuildEnvironmentVariable(value=LINUX_AARCH_ECR_REPO)
-            },
+            environment_variables=environment_variables,
             role=role,
             timeout=core.Duration.minutes(120),
             build_spec=codebuild.BuildSpec.from_object(build_spec_content))