diff --git a/build/automation/lib/aws/aws-ecr-create-repository-policy.json b/build/automation/lib/aws/aws-ecr-create-repository-policy.json
index 228e2808..acf7b756 100644
--- a/build/automation/lib/aws/aws-ecr-create-repository-policy.json
+++ b/build/automation/lib/aws/aws-ecr-create-repository-policy.json
@@ -44,12 +44,15 @@
 "Effect": "Deny",
 "NotPrincipal": {
 "AWS": [
- "arn:aws:iam::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:role/jenkins_assume_role",
- "arn:aws:sts::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:assumed-role/jenkins_assume_role/jenkins",
+ "arn:aws:iam::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:role/uec-core-dos-jenkins-assume-role",
+ "arn:aws:sts::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:assumed-role/uec-core-dos-jenkins-assume-role/jenkins",
 "arn:aws:iam::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:root"
 ]
 },
- "Action": ["ecr:BatchDeleteImage", "ecr:DeleteRepository"]
+ "Action": [
+ "ecr:BatchDeleteImage",
+ "ecr:DeleteRepository"
+ ]
 }
 ]
 }
diff --git a/build/automation/lib/docker.mk b/build/automation/lib/docker.mk
index 20dbe15d..47fc6e39 100644
--- a/build/automation/lib/docker.mk
+++ b/build/automation/lib/docker.mk
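Review bot: The renamed principals only take effect for repositories created after this change, because (going by the file name) this policy is applied at create-repository time; every existing repository still carries the old Deny/NotPrincipal statement naming `jenkins_assume_role`, so `uec-core-dos-jenkins-assume-role` will be denied `ecr:BatchDeleteImage` and `ecr:DeleteRepository` on them until the policy is re-applied with set-repository-policy. That fails closed, but it will surface as pipeline image-cleanup failures rather than as a policy error, so it is worth a one-off re-apply step or a release note. The role name is now spelled three times (the two ARNs here and `AWS_ROLE_PIPELINE` in platform-texas-v1.mk); substituting it at apply time the same way `AWS_ACCOUNT_ID_MGMT_TO_REPLACE` is substituted would stop them drifting. Also note that IAM stores principals referenced in a resource policy by unique ID, so if the new role is ever deleted and recreated this NotPrincipal stops matching it and the Deny then applies to the pipeline as well, until the policy is re-applied.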
@@ -692,6 +692,7 @@ docker-run-tools: ### Run tools (Python) container - mandatory: CMD; optional: S
 make docker-config > /dev/null 2>&1
 mkdir -p $(TMP_DIR)/.python/pip/{cache,packages}
 mkdir -p $(HOME)/.aws
+ aws_access_dir=$$(echo "--volume /var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token")
 lib_volume_mount=$$(([ $(BUILD_ID) -eq 0 ] || [ "$(LIB_VOLUME_MOUNT)" == true ]) && echo "--volume $(TMP_DIR)/.python/pip/cache:/tmp/.cache/pip --volume $(TMP_DIR)/.python/pip/packages:/tmp/.packages" ||:)
 image=$$([ -n "$(IMAGE)" ] && echo $(IMAGE) || echo $(DOCKER_LIBRARY_REGISTRY)/tools:$(DOCKER_LIBRARY_TOOLS_VERSION))
 container=$$([ -n "$(CONTAINER)" ] && echo $(CONTAINER) || echo tools-$(BUILD_COMMIT_HASH)-$(BUILD_ID)-$$(date --date=$$(date -u +"%Y-%m-%dT%H:%M:%S%z") -u +"%Y%m%d%H%M%S" 2> /dev/null)-$$(make secret-random LENGTH=8))
@@ -713,6 +714,7 @@ docker-run-tools: ### Run tools (Python) container - mandatory: CMD; optional: S
 --volume $(HOME)/bin:/tmp/bin \
 --volume $(HOME)/etc:/tmp/etc \
 --volume $(HOME)/usr:/tmp/usr \
+ $$aws_access_dir \
 $$lib_volume_mount \
 --network $(DOCKER_NETWORK) \
 --workdir /project/$(shell echo $(abspath $(DIR)) | sed "s;$(PROJECT_DIR);;g") \
@@ -736,6 +738,7 @@ docker-run-tools: ### Run tools (Python) container - mandatory: CMD; optional: S
 --volume $(HOME)/bin:/tmp/bin \
 --volume $(HOME)/etc:/tmp/etc \
 --volume $(HOME)/usr:/tmp/usr \
+ $$aws_access_dir \
 $$lib_volume_mount \
 --network $(DOCKER_NETWORK) \
 --workdir /project/$(shell echo $(abspath $(DIR)) | sed "s;$(PROJECT_DIR);;g") \
diff --git a/build/automation/var/platform-texas/platform-texas-v1.mk b/build/automation/var/platform-texas/platform-texas-v1.mk
index e9de9101..16f493c6 100644
--- a/build/automation/var/platform-texas/platform-texas-v1.mk
+++ b/build/automation/var/platform-texas/platform-texas-v1.mk
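Review bot: `aws_access_dir` is set unconditionally, so the bind mount of `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` is passed on every run at both call sites (the hunks at 713 and 736); on a host where that path does not exist (any non-EKS runner or a developer machine) the `--volume` form makes Docker create it as an empty, typically root-owned directory on the host and mount that, so the run does not fail but leaves a stub behind and the container sees a directory where a file is expected. Guard it the way `lib_volume_mount` is guarded and mount the token read-only, since it is the pod's web-identity credential and the tools container has no reason to write it: `aws_access_dir=$$([ -f /var/run/secrets/eks.amazonaws.com/serviceaccount/token ] && echo "--volume /var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token:ro" ||:)`. The name suggests a directory while the mount is a single file; `aws_token_mount` would read better. Nothing in these hunks forwards `AWS_WEB_IDENTITY_TOKEN_FILE` or `AWS_ROLE_ARN` into the container, so presumably they are passed elsewhere in the recipe — worth confirming, otherwise the SDK will not pick up the mounted token. The docker-run-tools recipe starts before and continues past each of these hunks.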
@@ -4,7 +4,7 @@ AWS_ECR = $(or $(AWS_ACCOUNT_ID_MGMT), 000000000000).dkr.ecr.$(AWS_DEFAULT_REGIO AWS_REGION = eu-west-2 AWS_DEFAULT_REGION = $(AWS_REGION) AWS_ALTERNATIVE_REGION = eu-west-1 -AWS_ROLE_PIPELINE = jenkins_assume_role +AWS_ROLE_PIPELINE = uec-core-dos-jenkins-assume-role AWS_ROLE_SESSION = jenkins AWS_ROLE = $(if $(HUDSON_URL),$(AWS_ROLE_PIPELINE),Developer) AWS_ALB_SSL_TLS_POLICY = ELBSecurityPolicy-TLS-1-2-2017-01 diff --git a/build/automation/var/profile/live.mk b/build/automation/var/profile/live.mk index f1ea02c7..ede5d72f 100644 --- a/build/automation/var/profile/live.mk +++ b/build/automation/var/profile/live.mk @@ -24,5 +24,5 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role LAMBDA_VERSIONS_TO_RETAIN = 5 -#TODO can be changed to new SG when available in live -TF_VAR_db_security_group_name = live-lk8s-prod-core-dos-db-rds-postgres-sg +#TODO can be changed to new SG when available in live +TF_VAR_db_security_group_name = uec-core-dos-live-datastore-hk-sg diff --git a/build/automation/var/profile/nonprod.mk b/build/automation/var/profile/nonprod.mk index 28b9f0eb..8d3748d2 100644 --- a/build/automation/var/profile/nonprod.mk +++ b/build/automation/var/profile/nonprod.mk @@ -27,4 +27,4 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role LAMBDA_VERSIONS_TO_RETAIN = 5 -TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-sg +TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-hk-sg diff --git a/build/automation/var/profile/put.mk b/build/automation/var/profile/put.mk index 00df1048..0455bdd1 100644 --- a/build/automation/var/profile/put.mk +++ b/build/automation/var/profile/put.mk 
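Review bot: In the live.mk hunk the `#TODO can be changed to new SG when available in live` comment is re-added unchanged while the value below it is switched to `uec-core-dos-live-datastore-hk-sg`, so the comment now reads as either already done or as pointing at yet another future group; either drop it or reword it to say what is still pending, and the same stale comment is re-added in the put.mk hunk. The three new `TF_VAR_db_security_group_name` values differ only by the environment token (`pipeline`, `live`, `put`), which is consistent across nonprod.mk, live.mk and put.mk. What the variable feeds is not visible here — presumably a security-group lookup on the Terraform side — so confirm the `-hk-` groups already exist in the live and put accounts before the next apply, since a missing group would fail at plan time rather than fall back to the old one.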
@@ -24,5 +24,5 @@ TF_VAR_splunk_firehose_role := dos-np_cw_w_events_firehose_access_role LAMBDA_VERSIONS_TO_RETAIN = 5 -#TODO can be changed to new SG when available in live -TF_VAR_db_security_group_name = live-lk8s-prod-core-dos-db-put-rds-postgres-sg +#TODO can be changed to new SG when available in live +TF_VAR_db_security_group_name = uec-core-dos-put-datastore-hk-sg