From afb50e4dc406c0bd57f5c2ee8a85cea0022529fb Mon Sep 17 00:00:00 2001
From: K Odewale
Date: Tue, 19 Dec 2023 15:55:27 +0000
Subject: [PATCH 1/4] DS-571 Updated nonprod database SG name
---
 build/automation/var/profile/live.mk | 2 +-
 build/automation/var/profile/nonprod.mk | 2 +-
 build/automation/var/profile/put.mk | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/build/automation/var/profile/live.mk b/build/automation/var/profile/live.mk
index f1ea02c..d92304e 100644
--- a/build/automation/var/profile/live.mk
+++ b/build/automation/var/profile/live.mk
@@ -24,5 +24,5 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role
 LAMBDA_VERSIONS_TO_RETAIN = 5
-#TODO can be changed to new SG when available in live
+#TODO can be changed to new SG when available in live
 TF_VAR_db_security_group_name = live-lk8s-prod-core-dos-db-rds-postgres-sg
diff --git a/build/automation/var/profile/nonprod.mk b/build/automation/var/profile/nonprod.mk
index 28b9f0e..8d3748d 100644
--- a/build/automation/var/profile/nonprod.mk
+++ b/build/automation/var/profile/nonprod.mk
@@ -27,4 +27,4 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role
 LAMBDA_VERSIONS_TO_RETAIN = 5
-TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-sg
+TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-hk-sg
diff --git a/build/automation/var/profile/put.mk b/build/automation/var/profile/put.mk
index 00df104..5d30c34 100644
--- a/build/automation/var/profile/put.mk
+++ b/build/automation/var/profile/put.mk
@@ -24,5 +24,5 @@ TF_VAR_splunk_firehose_role := dos-np_cw_w_events_firehose_access_role
 LAMBDA_VERSIONS_TO_RETAIN = 5
-#TODO can be changed to new SG when available in live
+#TODO can be changed to new SG when available in live
 TF_VAR_db_security_group_name = live-lk8s-prod-core-dos-db-put-rds-postgres-sg
From e24f1f393e9fdf1ddf0846941e77afebcc2a7914 Mon Sep 17 00:00:00 2001
From: K Odewale
Date: Tue, 19 Dec 2023 16:29:10 +0000
Subject: [PATCH 2/4] DS-571 Adding token volume used in MoM
---
 build/automation/lib/docker.mk | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/build/automation/lib/docker.mk b/build/automation/lib/docker.mk
index 20dbe15..47fc6e3 100644
--- a/build/automation/lib/docker.mk
+++ b/build/automation/lib/docker.mk
@@ -692,6 +692,7 @@ docker-run-tools: ### Run tools (Python) container - mandatory: CMD; optional: S
 make docker-config > /dev/null 2>&1
 mkdir -p $(TMP_DIR)/.python/pip/{cache,packages}
 mkdir -p $(HOME)/.aws
+ aws_access_dir=$$(echo "--volume /var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token")
 lib_volume_mount=$$(([ $(BUILD_ID) -eq 0 ] || [ "$(LIB_VOLUME_MOUNT)" == true ]) && echo "--volume $(TMP_DIR)/.python/pip/cache:/tmp/.cache/pip --volume $(TMP_DIR)/.python/pip/packages:/tmp/.packages" ||:)
 image=$$([ -n "$(IMAGE)" ] && echo $(IMAGE) || echo $(DOCKER_LIBRARY_REGISTRY)/tools:$(DOCKER_LIBRARY_TOOLS_VERSION))
 container=$$([ -n "$(CONTAINER)" ] && echo $(CONTAINER) || echo tools-$(BUILD_COMMIT_HASH)-$(BUILD_ID)-$$(date --date=$$(date -u +"%Y-%m-%dT%H:%M:%S%z") -u +"%Y%m%d%H%M%S" 2> /dev/null)-$$(make secret-random LENGTH=8))
@@ -713,6 +714,7 @@ docker-run-tools: ### Run tools (Python) container - mandatory: CMD; optional: S
 --volume $(HOME)/bin:/tmp/bin \
 --volume $(HOME)/etc:/tmp/etc \
 --volume $(HOME)/usr:/tmp/usr \
+ $$aws_access_dir \
 $$lib_volume_mount \
 --network $(DOCKER_NETWORK) \
 --workdir /project/$(shell echo $(abspath $(DIR)) | sed "s;$(PROJECT_DIR);;g") \
@@ -736,6 +738,7 @@ docker-run-tools: ### Run tools (Python) container - mandatory: CMD; optional: S
 --volume $(HOME)/bin:/tmp/bin \
 --volume $(HOME)/etc:/tmp/etc \
 --volume $(HOME)/usr:/tmp/usr \
+ $$aws_access_dir \
 $$lib_volume_mount \
 --network $(DOCKER_NETWORK) \
 --workdir /project/$(shell echo $(abspath $(DIR)) | sed "s;$(PROJECT_DIR);;g") \
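Review bot: The added `aws_access_dir` line bind-mounts the pod's EKS web-identity token into every tools container unconditionally, whereas the neighbouring `lib_volume_mount` is gated on a condition; on a host where that path does not exist (a developer laptop) `docker run --volume src:dst` creates an empty directory at the host path or fails on permissions, and inside the container the token path is then a directory rather than a file. That token is a credential that lets whatever runs in the container assume the pod's IAM role, so it should be mounted read-only and only when the file is actually present, and the `$$(echo "...")` wrapper adds nothing over a plain assignment. Suggested: `aws_access_dir=$$([ -f /var/run/secrets/eks.amazonaws.com/serviceaccount/token ] && echo "--volume /var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token:ro" ||:)` (a name such as `aws_token_volume` would also describe the value better than `_dir`). Nothing in these hunks passes `AWS_ROLE_ARN`/`AWS_WEB_IDENTITY_TOKEN_FILE` into the container; presumably they arrive through the existing environment handling outside the hunk, which is worth confirming since the token alone is not usable without them. The `docker-run-tools` recipe begins before this hunk and continues past the last one.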
From 24a57381778a5cab500ad1b0684c9bca538afeea Mon Sep 17 00:00:00 2001
From: K Odewale
Date: Tue, 19 Dec 2023 16:39:54 +0000
Subject: [PATCH 3/4] DS-571 updated Jenkins role
---
 .../lib/aws/aws-ecr-create-repository-policy.json | 9 ++++++---
 build/automation/var/platform-texas/platform-texas-v1.mk | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/build/automation/lib/aws/aws-ecr-create-repository-policy.json b/build/automation/lib/aws/aws-ecr-create-repository-policy.json
index 228e280..acf7b75 100644
--- a/build/automation/lib/aws/aws-ecr-create-repository-policy.json
+++ b/build/automation/lib/aws/aws-ecr-create-repository-policy.json
@@ -44,12 +44,15 @@
 "Effect": "Deny",
 "NotPrincipal": {
 "AWS": [
- "arn:aws:iam::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:role/jenkins_assume_role",
- "arn:aws:sts::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:assumed-role/jenkins_assume_role/jenkins",
+ "arn:aws:iam::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:role/uec-core-dos-jenkins-assume-role",
+ "arn:aws:sts::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:assumed-role/uec-core-dos-jenkins-assume-role/jenkins",
 "arn:aws:iam::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:root"
 ]
 },
- "Action": ["ecr:BatchDeleteImage", "ecr:DeleteRepository"]
+ "Action": [
+ "ecr:BatchDeleteImage",
+ "ecr:DeleteRepository"
+ ]
 }
 ]
 }
diff --git a/build/automation/var/platform-texas/platform-texas-v1.mk b/build/automation/var/platform-texas/platform-texas-v1.mk
index e9de910..16f493c 100644
--- a/build/automation/var/platform-texas/platform-texas-v1.mk
+++ b/build/automation/var/platform-texas/platform-texas-v1.mk
@@ -4,7 +4,7 @@ AWS_ECR = $(or $(AWS_ACCOUNT_ID_MGMT), 000000000000).dkr.ecr.$(AWS_DEFAULT_REGIO
 AWS_REGION = eu-west-2
 AWS_DEFAULT_REGION = $(AWS_REGION)
 AWS_ALTERNATIVE_REGION = eu-west-1
-AWS_ROLE_PIPELINE = jenkins_assume_role
+AWS_ROLE_PIPELINE = uec-core-dos-jenkins-assume-role
 AWS_ROLE_SESSION = jenkins
 AWS_ROLE = $(if $(HUDSON_URL),$(AWS_ROLE_PIPELINE),Developer)
 AWS_ALB_SSL_TLS_POLICY = ELBSecurityPolicy-TLS-1-2-2017-01
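Review bot: The new role name is now hard-coded in two places — the `NotPrincipal` list here and `AWS_ROLE_PIPELINE` in platform-texas-v1.mk — while the account id in the same ARNs goes through the `AWS_ACCOUNT_ID_MGMT_TO_REPLACE` placeholder, so the next rename can drift and drop the pipeline role out of the Deny exception, at which point the pipeline loses `ecr:BatchDeleteImage`/`ecr:DeleteRepository` (drift fails closed, not open, because this is a Deny with NotPrincipal). If the same substitution step handles both values (I cannot see it from this hunk), a second placeholder such as `"arn:aws:iam::AWS_ACCOUNT_ID_MGMT_TO_REPLACE:role/AWS_ROLE_PIPELINE_TO_REPLACE"` and the matching `assumed-role/AWS_ROLE_PIPELINE_TO_REPLACE/jenkins` entry would keep the policy tied to the variable; the session name `jenkins` is likewise duplicated from `AWS_ROLE_SESSION`. Failing that, a comment beside `AWS_ROLE_PIPELINE` in the .mk, e.g. `# Must match the NotPrincipal role ARNs in lib/aws/aws-ecr-create-repository-policy.json`, records the coupling. The statement's opening brace lies before the hunk.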
From 8eeffe7de891adf79153ad0c4ed69371a9347efd Mon Sep 17 00:00:00 2001
From: K Odewale
Date: Thu, 21 Dec 2023 14:15:48 +0000
Subject: [PATCH 4/4] DS-571 Updated Live and PUT Security Group
---
 build/automation/var/profile/live.mk | 2 +-
 build/automation/var/profile/put.mk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/build/automation/var/profile/live.mk b/build/automation/var/profile/live.mk
index d92304e..ede5d72 100644
--- a/build/automation/var/profile/live.mk
+++ b/build/automation/var/profile/live.mk
@@ -25,4 +25,4 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role
 LAMBDA_VERSIONS_TO_RETAIN = 5
 #TODO can be changed to new SG when available in live
-TF_VAR_db_security_group_name = live-lk8s-prod-core-dos-db-rds-postgres-sg
+TF_VAR_db_security_group_name = uec-core-dos-live-datastore-hk-sg
diff --git a/build/automation/var/profile/put.mk b/build/automation/var/profile/put.mk
index 5d30c34..0455bdd 100644
--- a/build/automation/var/profile/put.mk
+++ b/build/automation/var/profile/put.mk
@@ -25,4 +25,4 @@ TF_VAR_splunk_firehose_role := dos-np_cw_w_events_firehose_access_role
 LAMBDA_VERSIONS_TO_RETAIN = 5
 #TODO can be changed to new SG when available in live
-TF_VAR_db_security_group_name = live-lk8s-prod-core-dos-db-put-rds-postgres-sg
+TF_VAR_db_security_group_name = uec-core-dos-put-datastore-hk-sg
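Review bot: The `#TODO can be changed to new SG when available in live` context line sits directly above the value this hunk changes, and switching `TF_VAR_db_security_group_name` to `uec-core-dos-live-datastore-hk-sg` is exactly what that TODO was waiting for, so it is now stale and should go. Replacing it with a note that records what the group is and where it came from keeps a rollback path visible, e.g. `# Security group the live datastore is reached through (previously live-lk8s-prod-core-dos-db-rds-postgres-sg)`. The put.mk hunk in the same commit leaves the identical stale TODO above its changed line and wants the same treatment.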