diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml index bee48fc6..e5636964 100644 --- a/cfn/ci_cd.yml +++ b/cfn/ci_cd.yml @@ -137,10 +137,9 @@ Resources: ManagedPolicyArns: - !Ref CryptoToolsKMS - !Ref CodeBuildBatchPolicy - - !Ref CodeBuildBasePolicy + - !Ref CodeBuildBasePolicyCI - !Ref SecretsManagerPolicyCI - !Ref ParameterStorePolicy - - !Ref CodeBuildBasePolicyCI - !Ref CodeBuildCISTSAllow - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess" - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess" @@ -194,9 +193,7 @@ Resources: { "Effect": "Allow", "Resource": [ - "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release", - "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-CI", - "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}" + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-CI" ], "Action": [ "codebuild:StartBuild", @@ -221,7 +218,7 @@ Resources: { "Effect": "Allow", "Resource": [ - "arn:aws:codebuild:us-west-2:${AWS::AccountId}:project/AWS-ESDK-Java-Release" + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release" ], "Action": [ "codebuild:StartBuild", @@ -244,8 +241,6 @@ Resources: { "Effect": "Allow", "Resource": [ - "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}", - "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*", "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI", "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI:*", "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release", @@ -305,7 +300,8 @@ Resources: "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", - "logs:PutLogEvents" + "logs:PutLogEvents", + "logs:GetLogEvents" ] }, { 
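Review bot: The role's `ManagedPolicyArns` list in the first hunk still carries both `AWSCodeArtifactReadOnlyAccess` and `AWSCodeArtifactAdminAccess`; the admin policy subsumes the read-only one, and CodeArtifact admin is broad for a role whose other grants in this file are narrowed to starting the CI project and writing its logs and reports. The commit removes the duplicate `CodeBuildBasePolicyCI` entry but leaves this pair untouched. If CI only consumes packages, drop the admin line; if it must publish, a customer-managed policy scoped to the specific domain/repository ARN is the least-privilege replacement, and a comment such as `# AWSCodeArtifactAdminAccess: CI publishes to <repo>; TODO scope to the repository ARN` would record why it is there. The role definition starts before this hunk, so the attached role name is not visible here.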
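Review bot: After the `@@ -221` hunk the statement grants `codebuild:StartBuild` on `${ProjectName}-Release`, while the hunk just above it removes the Release project from the neighbouring statement; if this policy document is `CodeBuildBasePolicyCI` (the one attached to the role in the first hunk), the CI role can still trigger the production release build. The hunk does not show which policy resource this statement belongs to, so please confirm; if it is the CI policy, the Release ARN belongs in the release role's policy instead. A YAML comment above the policy document such as `# Release project may only be started by the release role` would make that intent checkable on the next change. The statement's `Action` list continues past the hunk edge.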
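Review bot: `logs:GetLogEvents` at `@@ -305` is added to a statement whose `Resource` list lies outside the hunk, so it is not visible whether the new read grant is confined to the `${ProjectName}-CI` and `-Release` log groups listed earlier or is `*`; verify it is the former, since read access to other projects' build logs can expose secrets that were echoed there. The policy document is JSON embedded in the template and has no comment syntax, so record the reason for the read right as a `#` comment above the `PolicyDocument` key, e.g. `# GetLogEvents: CI reads its own build logs (scope: CI/Release log groups only)`. The enclosing statement starts before this hunk.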
@@ -331,7 +327,7 @@ Resources:
"codebuild:BatchPutCodeCoverages"
],
"Resource": [
- "arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/AWS-ESDK-Java-CI-*"
+ "arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/${ProjectName}-CI-*"
]
}
]
@@ -379,7 +375,7 @@ Resources:
"Resource": [
"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS",
- "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-User-Token-zK61bM",
"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
],
"Action": "secretsmanager:GetSecretValue"
diff --git a/codebuild/release/release-prod.yml b/codebuild/release/release-prod.yml
index b15b5c3f..a3e7e68b 100644
--- a/codebuild/release/release-prod.yml
+++ b/codebuild/release/release-prod.yml
@@ -9,8 +9,8 @@ env:
secrets-manager:
GPG_KEY: Maven-GPG-Keys-Release-Credentials:Keyname
GPG_PASS: Maven-GPG-Keys-Release-Credentials:Passphrase
- SONA_USERNAME: Sonatype-Team-Account:Username
- SONA_PASSWORD: Sonatype-Team-Account:Password
+ SONA_USERNAME: Sonatype-User-Token:username
+ SONA_PASSWORD: Sonatype-User-Token:password
phases:
install:
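Review bot: The report-group ARN at `@@ -331` still hardcodes `us-west-2` while the CodeBuild project and log-group ARNs earlier in the same file were switched to `${AWS::Region}`; deploying this stack in another region would leave the report-group grant (and, in the next hunk, the Secrets Manager grants) pointing at a different region from the project they serve. If the report groups live alongside the project, change the line to `"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-CI-*"`; if they are intentionally pinned, a `# report groups and release secrets are pinned to us-west-2` comment above the document would stop the next reader from "fixing" it. The policy document starts before this hunk.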
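Review bot: The new `secrets-manager` entries in `release-prod.yml` use lowercase JSON keys (`Sonatype-User-Token:username`, `:password`) while the GPG entries directly above use capitalised `Keyname`/`Passphrase`; the `<secret>:<json-key>` lookup is presumably case-sensitive, so the release build will fail at environment setup if the stored secret's keys do not match this casing exactly — confirm against the secret before merging. Moving from a shared team-account password to a per-user token is the right change; a comment such as `# Sonatype publishes with a per-user token (not the team account); keys are lowercase in the secret JSON` would keep that from being reverted. The `env:` block starts before this hunk and `phases:` continues after it.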