diff --git a/src/release_artifacts_resources/ios/cdk/app.py b/src/release_artifacts_resources/ios/cdk/app.py index 1dda69f..d24fd12 100644 --- a/src/release_artifacts_resources/ios/cdk/app.py +++ b/src/release_artifacts_resources/ios/cdk/app.py @@ -1,28 +1,10 @@ #!/usr/bin/env python3 from aws_cdk import core -from cdk.credential_rotation_stack import CredentialRotationStack from cdk.distribution_stack import DistributionStack app = core.App() -distribution_stack = DistributionStack(app, "DistributionStack") - -bucket_arn = distribution_stack.s3.bucket.bucket_arn -bucket_name = distribution_stack.s3.bucket.bucket_name -cloudfront_distribution_id = distribution_stack.cloudfront.distribution.distribution_id -arn_components = core.ArnComponents( - resource="distribution/" + cloudfront_distribution_id, service="cloudfront", region="" -) -cloudfront_arn = core.Arn.format(components=arn_components, stack=distribution_stack) - -credential_rotation_stack = CredentialRotationStack( - app, - "CredentialRotationStack", - bucket_name=bucket_name, - bucket_arn=bucket_arn, - cloudfront_distribution_id=cloudfront_distribution_id, - cloudfront_arn=cloudfront_arn, -) +DistributionStack(app, "DistributionStack") app.synth() diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/__init__.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/cloudwatch_construct.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/cloudwatch_construct.py deleted file mode 100644 index d8b115f..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/cloudwatch_construct.py +++ /dev/null @@ -1,23 +0,0 @@ -from aws_cdk import aws_cloudwatch, core -from cdk.credential_rotation.lambda_construct import LambdaConstruct - - -class CloudWatchConstruct(core.Construct): - def __init__( - self, scope: core.Construct, construct_id: str, lambda_construct: LambdaConstruct, **kwargs - ) -> None: - super().__init__(scope, construct_id, **kwargs) - - lambda_error_metrics = lambda_construct.credential_rotator.metric_errors( - period=core.Duration.hours(2) - ) - aws_cloudwatch.Alarm( - self, - "credential_rotator_error_metrics", - metric=lambda_error_metrics, - evaluation_periods=1, - threshold=1, - alarm_description=""" - Alarm if the number of errors in credential rotator increase to a threshold - """ - ) diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/events_construct.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/events_construct.py deleted file mode 100644 index dec60d8..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/events_construct.py +++ /dev/null @@ -1,30 +0,0 @@ -import json -import os - -from aws_cdk import aws_events, aws_events_targets, core -from cdk.credential_rotation.lambda_construct import LambdaConstruct - - -class EventsConstruct(core.Construct): - def __init__( - self, scope: core.Construct, construct_id: str, lambda_construct: LambdaConstruct, **kwargs - ) -> None: - super().__init__(scope, construct_id, **kwargs) - file_name = os.path.join(os.path.dirname(__file__), "./utils/lambda_event_data.json") - event_data_file = open(file_name, "r") - event_data = json.loads(event_data_file.read()) - rule_target = aws_events.RuleTargetInput.from_object(event_data) - - target = aws_events_targets.LambdaFunction( - handler=lambda_construct.credential_rotator, event=rule_target - ) - schedule_duration = core.Duration.hours(2) - - aws_events.Rule( - self, - "credential_rotator_event", - rule_name="credential_rotation_lambda_trigger", - description="Event to trigger CircleCI credential rotation every two hours", - schedule=aws_events.Schedule.rate(schedule_duration), - targets=[target], - ) diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/iam_construct.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/iam_construct.py deleted file mode 100644 index 4ae1258..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/iam_construct.py +++ /dev/null @@ -1,70 +0,0 @@ -from aws_cdk import aws_iam, core - - -class IAMConstruct(core.Construct): - def __init__( - self, - scope: core.Construct, - construct_id: str, - bucket_arn: str, - cloudfront_arn: str, - **kwargs - ) -> None: - - super().__init__(scope, construct_id, **kwargs) - self.create_circleci_release_user() - self.create_circleci_release_proceess_role( - bucket_arn=bucket_arn, cloudfront_arn=cloudfront_arn - ) - self.create_lambda_execution_role() - - def create_circleci_release_user(self) -> None: - self.circleci_user = aws_iam.User( - self, "circleci_iam_user", user_name="CircleCIReleaseProcessIAMUser" - ) - - def create_circleci_release_proceess_role(self, bucket_arn: str, cloudfront_arn: str) -> None: - self.circleci_release_role = aws_iam.Role( - self, - "circleci_release_role", - assumed_by=self.circleci_user, - role_name="CircleCIReleaseProcessRole", - max_session_duration=core.Duration.hours(4), - ) - bucket_resource = bucket_arn + "/aws-sdk-ios/*" - bucket_policy = aws_iam.PolicyStatement( - effect=aws_iam.Effect.ALLOW, - actions=["s3:PutObject"], - resources=[bucket_resource], - ) - self.circleci_release_role.add_to_policy(bucket_policy) - - cloudfront_policy = aws_iam.PolicyStatement( - effect=aws_iam.Effect.ALLOW, - actions=["cloudfront:CreateInvalidation"], - resources=[cloudfront_arn], - ) - self.circleci_release_role.add_to_policy(cloudfront_policy) - - def create_lambda_execution_role(self) -> None: - self.lambda_role = aws_iam.Role( - self, - "lambda_key_rotation_execution_role", - assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"), - role_name="LambdaKeyRotationExecutionRole", - ) - self.lambda_role.add_managed_policy( - aws_iam.ManagedPolicy.from_aws_managed_policy_name( - "service-role/AWSLambdaBasicExecutionRole" - ) - ) - - lambda_role_rotate_keys_policy = aws_iam.PolicyStatement( - effect=aws_iam.Effect.ALLOW, - actions=["iam:CreateAccessKey", "iam:DeleteAccessKey"], - resources=[self.circleci_user.user_arn], - ) - self.lambda_role.add_to_policy(lambda_role_rotate_keys_policy) - - def add_policy_to_lambda_role(self, policy: aws_iam.PolicyStatement) -> None: - self.lambda_role.add_to_policy(policy) diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_construct.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_construct.py deleted file mode 100644 index af7cafa..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_construct.py +++ /dev/null @@ -1,68 +0,0 @@ -import cdk.credential_rotation.utils.lambda_constants as lambda_constants -from aws_cdk import aws_lambda, aws_lambda_python, core -from cdk.credential_rotation.iam_construct import IAMConstruct -from cdk.credential_rotation.secretsmanager_construct import SecretsManagerConstruct - - -class LambdaConstruct(core.Construct): - def __init__( - self, - scope: core.Construct, - construct_id: str, - bucket_name: str, - cloudfront_distribution_id: str, - iam_construct: IAMConstruct, - secretsmanager_construct: SecretsManagerConstruct, - **kwargs - ) -> None: - super().__init__(scope, construct_id, **kwargs) - - self.credential_rotator = aws_lambda_python.PythonFunction( - self, - "credential_rotation_lambda", - entry="cdk/credential_rotation/lambda_functions/src", - index="handler.py", - runtime=aws_lambda.Runtime.PYTHON_3_7, - role=iam_construct.lambda_role, - timeout=core.Duration.minutes(5), - retry_attempts=1, - description="Credential rotation script for the AWS iOS SDK CircleCI pipeline", - current_version_options=aws_lambda.VersionOptions( - removal_policy=core.RemovalPolicy.DESTROY - ), - ) - self.credential_rotator.add_environment( - lambda_constants.CIRCLE_CI_IOS_SDK_API_TOKEN_ENV, - secretsmanager_construct.circleci_aws_ios_sdk_api_key.secret_full_arn, - ) - - self.credential_rotator.add_environment( - lambda_constants.CIRCLE_CI_IOS_SDK_SPM_API_TOKEN_ENV, - secretsmanager_construct.circleci_aws_ios_sdk_spm_api_key.secret_full_arn, - ) - - self.credential_rotator.add_environment( - lambda_constants.GITHUB_CREDENTIALS_SECRET_ENV, - secretsmanager_construct.github_release_api_key.secret_full_arn, - ) - - self.credential_rotator.add_environment( - lambda_constants.IAM_ROLE_ENV, - iam_construct.circleci_release_role.role_arn, - ) - - self.credential_rotator.add_environment( - lambda_constants.IAM_USERNAME_ENV, iam_construct.circleci_user.user_name - ) - - self.credential_rotator.add_environment( - lambda_constants.GITHUB_PROJECT_PATH_ENV, "aws-amplify/aws-sdk-ios" - ) - - self.credential_rotator.add_environment( - lambda_constants.RELEASE_BUCKET_NAME_ENV, bucket_name - ) - - self.credential_rotator.add_environment( - lambda_constants.RELEASE_CLOUDFRONT_DISTRIBUTION_ID_ENV, cloudfront_distribution_id - ) diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/__init__.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/__init__.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/destination/__init__.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/destination/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/destination/circleci.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/destination/circleci.py deleted file mode 100644 index d529587..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/destination/circleci.py +++ /dev/null @@ -1,86 +0,0 @@ -"""Utilities to update CircleCI environment variables - -This module propagates values to CircleCI environment variables. In the -CircleCI V2 API, permissions are managed via API tokens tied to a specific -user, and environment variables are stored per project. - -**Prerequisites for storing environment variables in CircleCI** -- A **GitHub User** with `Write` permissions to a **GitHub Repo**. This should - be a repo-specific "bot" user--that is, the user should have permissions to - only the repo being updated. -- A **CircleCI API token** with `Admin` permissions, created by authenticating - in CircleCI as that GitHub User - -**Flow** - -The actual process is quite simple - -1. This Lambda function retrieves the **CircleCI API token** from AWS Secrets - Manager -2. The Lambda function invokes the CircleCI V2 API endpoint to update - environment variables, authenticating with the **CircleCI API token** -""" -import requests -from utils.retry import retry -from utils.secrets_manager_helper import retrieve_secret - -CIRCLECI_URL_TEMPLATE = "https://circleci.com/api/v2/project/gh/{project_path}/envvar" - - -def update_environment_variables(variables: map, configuration: map): - """Updates CircleCI environment variables - - Args: - variables: - - configuration: - - - Raises - KeyError: if `configuration` does not contain the expected keys - ValueError: if `configuration` is `None`, or if any required Lambda environment - variables are missing. - """ - if not configuration: - raise RuntimeError("Configuration is required to update CircleCI environment variables") - - github_path = configuration["github_path"] - circleci_api_token_secret_id_lambda_env_var_key = configuration[ - "circleci_api_token_secret_id_lambda_env_var_key" - ] - circleci_api_token = retrieve_secret(circleci_api_token_secret_id_lambda_env_var_key) - - for key, value in variables.items(): - update_env_vars( - env_var_name=key, - env_var_value=value, - token=circleci_api_token, - project_path=github_path, - ) - - -def get_secret_value(secret_id: str, *, secretsmanager) -> str: - response = secretsmanager.get_secret_value(SecretId=secret_id) - api_key = response["SecretString"] - return api_key - - -@retry() -def update_env_vars(env_var_name: str, env_var_value: str, token: str, project_path: str): - url = CIRCLECI_URL_TEMPLATE.format(project_path=project_path) - headers = {"Circle-Token": token} - payload = {"name": env_var_name, "value": env_var_value} - response = requests.post(url, json=payload, headers=headers) - if not is_successful_response(response): - safe_content = response.text.replace(env_var_value, "*" * len(env_var_value)) - - raise RuntimeError( - "Could not update env var " - + f"key={env_var_name} " - + f"status_code={response.status_code} " - + f"body={safe_content}" - ) - - -def is_successful_response(response): - return response.status_code == 200 or response.status_code == 201 diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/handler.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/handler.py deleted file mode 100644 index ae8c2f6..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/handler.py +++ /dev/null @@ -1,126 +0,0 @@ -from destination import circleci -from models.destination_type import DestinationType -from models.source_type import SourceType -from source_data_generator import ( - aws_session_credential_source, - lambda_env_var_data_source, - secrets_data_source, -) - - -def handler(event, context, *, iam=None, sts=None, secretsmanager=None): - """ - Invoked with the following event structure: - ``` - { - "sources": [ - { - "type": "aws_session_cred", - "description": "Temporary AWS Credentials to upload the release artifacts to S3 and invalidate Cloudfront", - "configuration": { - "user_env_variable": "IAM_USERNAME", - "iam_role_env_variable": "IAM_ROLE" - }, - "destination": { - "specifier": "aws-sdk-ios-cci", - "mapping_to_destination": [ - { - "destination_key_name": "XCF_ACCESS_KEY_ID", - "result_value_key": "access_key_id" - }, - { - "destination_key_name": "XCF_SECRET_ACCESS_KEY", - "result_value_key": "secret_access_key" - }, - { - "destination_key_name": "XCF_SESSION_TOKEN", - "result_value_key": "session_token" - } - ] - } - }, - { - "type": "secrets_manager", - "description": "", - "configuration": { - "secret_key_env_variable": "GITHUB_CREDENTIALS_SECRET" - }, - "destination": { - "specifier": "aws-sdk-ios-cci", - "mapping_to_destination": [ - { - "destination_key_name": "GITHUB_SPM_TOKEN", - "result_value_key": "GITHUB_SPM_TOKEN" - }, - { - "destination_key_name": "GITHUB_SPM_USER", - "result_value_key": "GITHUB_SPM_USER" - } - ] - } - }, - { - "type": "lambda_env_variables", - "description": "", - "configuration": { - "lambda_env_var_key": "SPM_S3_BUCKET_NAME" - }, - "destination": { - "specifier": "aws-sdk-ios-cci", - "mapping_to_destination": [ - { - "destination_key_name": "XCF_S3_BUCKET_NAME" - } - ] - } - } - ], - "destinations": { - "aws-sdk-ios-cci": { - "type": "cci_env_variable", - "description": "Circle CI environment variable for AWS SDK iOS repo", - "github_path": "aws-amplify/aws-sdk-ios", - "circleci_api_token_secret_id_lambda_env_var_key": "CIRCLE_CI_IOS_SDK_API_TOKEN" - } - } - } - ``` - """ - - sources = event["sources"] - destinations = event["destinations"] - - destination_values_map = {} - for source in sources: - source_type = source["type"] - destination_specifier = source["destination"]["specifier"] - destination_mapping = source["destination"]["mapping_to_destination"] - configuration = source["configuration"] - - source_map = {} - - if source_type == SourceType.AWS_SESSION_CREDENTIALS: - source_map = aws_session_credential_source.generate_session_credentials(configuration) - - elif source_type == SourceType.SECRETS_MANAGER: - source_map = secrets_data_source.retrieve_secrets(configuration) - - elif source_type == SourceType.LAMBDA_ENVIRONMENT_VARIABLE: - source_map = lambda_env_var_data_source.retrieve_lambda_env_var_value(configuration) - - mapped_result = {} - for item in destination_mapping: - destination_key_name = item["destination_key_name"] - result_value_key = item.get("result_value_key", "result") - if result_value_key in source_map: - mapped_result[destination_key_name] = source_map[result_value_key] - - destination_values_map.setdefault(destination_specifier, {}).update(mapped_result) - - for name, destination_configuration in destinations.items(): - - destination_type = destination_configuration["type"] - mapped_result = destination_values_map.get(name, {}) - - if destination_type == DestinationType.CIRCLECI_ENVIRONMENT_VARIABLE: - circleci.update_environment_variables(mapped_result, destination_configuration) diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/models/__init__.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/models/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/models/destination_type.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/models/destination_type.py deleted file mode 100644 index b61f28f..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/models/destination_type.py +++ /dev/null @@ -1,7 +0,0 @@ -from enum import Enum - - -class DestinationType(str, Enum): - """A destination that rotated values are pushed to""" - - CIRCLECI_ENVIRONMENT_VARIABLE = "cci_env_variable" diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/models/source_type.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/models/source_type.py deleted file mode 100644 index 871819a..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/models/source_type.py +++ /dev/null @@ -1,11 +0,0 @@ -from enum import Enum - - -class SourceType(str, Enum): - """The source of a value to push to a destination""" - - AWS_SESSION_CREDENTIALS = "aws_session_credentials" - - SECRETS_MANAGER = "secrets_manager" - - LAMBDA_ENVIRONMENT_VARIABLE = "lambda_environment_variable" diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/requirements.txt b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/requirements.txt deleted file mode 100644 index 5ece686..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/requirements.txt +++ /dev/null @@ -1,2 +0,0 @@ -boto3 -requests \ No newline at end of file diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/__init__.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/aws_session_credential_source.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/aws_session_credential_source.py deleted file mode 100644 index cc75092..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/aws_session_credential_source.py +++ /dev/null @@ -1,94 +0,0 @@ -"""Creates static credentials, uses them to adopt the specified role and get temporary -session credentials, and deletes the static credentials. -""" - -import os -from datetime import datetime -from time import sleep -from typing import Dict, Tuple - -import boto3 -from utils.retry import retry - -DEFAULT_REGION = "us-west-2" - -# Make sure this is at least 2 hours longer than the key rotation schedule set up in the CFn. -# Currently, "2 hours" is an arbitrary value based on the fact that a few of our deployments -# take ~2 hour to run, so we want to leave sufficient time for executing the tests in cases where a -# test is invoked with session credentials created with access keys that are rotated immediately -# thereafter. -SESSION_DURATION_SECONDS = 14400 # 4 hours - -# Provided by Lambda -REGION = os.environ.get("AWS_REGION", DEFAULT_REGION) - - -def generate_session_credentials(configuration: map, iam=None, sts=None) -> Dict[str, str]: - - if not configuration: - raise RuntimeError("Configuration is required to generate session credentials") - - iam_user_key = configuration["user_env_variable"] - iam_role_key = configuration["iam_role_env_variable"] - iam_username = os.environ.get(iam_user_key) - iam_role = os.environ.get(iam_role_key) - - user_credentials: Tuple[str, str] = () - session_credentials: Dict[str, str] = {} - - try: - - iam_client = iam or boto3.client("iam", region_name=REGION) - user_credentials = create_user_credentials(iam_username, iam=iam_client) - wait_for_user_credentials() - session_credentials = get_session_credentials(user_credentials, role_arn=iam_role, sts=sts) - - finally: - if user_credentials: - iam_client.delete_access_key(UserName=iam_username, AccessKeyId=user_credentials[0]) - return session_credentials - - -def create_user_credentials(username: str, *, iam) -> Tuple[str, str]: - response = iam.create_access_key(UserName=username) - access_key_id = response["AccessKey"]["AccessKeyId"] - secret_access_key = response["AccessKey"]["SecretAccessKey"] - return access_key_id, secret_access_key - - -def wait_for_user_credentials(): - """ - Although the key creation via IAM immediately returns credentials, it takes a little time - (on the order of ~10s) before the key is propagated widely enough to allow it to be used in an - sts:AssumeRole call. Unfortunately, there isn't a good way to test for the propagation other - than simply trying to use them, but in practice we haven't seen these become available any - sooner than ~8s after creation. - The get_session_credentials call is wrapped in a @retry, so even if this hardcoded timeout isn't - quite long enough, the subsequent downstream calls will still gracefully handle propagation - delay. - """ - sleep(10) - - -@retry() -def get_session_credentials( - credentials: Tuple[str, str], *, role_arn, sts, now=None -) -> Dict[str, str]: - if not sts: - sts = boto3.client( - "sts", - region_name=REGION, - endpoint_url=f'https://sts.{REGION}.amazonaws.com', - aws_access_key_id=credentials[0], - aws_secret_access_key=credentials[1], - ) - - now = now or datetime.now() - timestamp = now.strftime("%Y%m%d%H%M%S") - - response = sts.assume_role( - RoleArn=role_arn, - RoleSessionName=f"CredentialRotationLambda-{timestamp}", - DurationSeconds=SESSION_DURATION_SECONDS, - ) - return response["Credentials"] diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/lambda_env_var_data_source.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/lambda_env_var_data_source.py deleted file mode 100644 index d4e0bd1..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/lambda_env_var_data_source.py +++ /dev/null @@ -1,12 +0,0 @@ -import os -from typing import Dict - - -def retrieve_lambda_env_var_value(configuration: map) -> Dict[str, str]: - - if not configuration: - raise RuntimeError("Configuration is required to retrieve static data") - - lambda_env_variable = configuration["lambda_env_var_key"] - static_data = os.environ.get(lambda_env_variable) - return {"result": static_data} diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/secrets_data_source.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/secrets_data_source.py deleted file mode 100644 index 92aef77..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/source_data_generator/secrets_data_source.py +++ /dev/null @@ -1,18 +0,0 @@ -import json -from typing import Dict - -from utils.secrets_manager_helper import retrieve_secret - - -def retrieve_secrets(configuration: map) -> Dict[str, str]: - - if not configuration: - raise RuntimeError("Configuration is required to retrieve secrets") - - secret_key_env_variable = configuration["secret_key_env_variable"] - secret_value = retrieve_secret(secret_key_env_variable) - try: - json_value = json.loads(secret_value) - return json_value - except (json.decoder.JSONDecodeError): - return {"result": secret_value} diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/utils/__init__.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/utils/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/utils/retry.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/utils/retry.py deleted file mode 100644 index 885ccae..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/utils/retry.py +++ /dev/null @@ -1,36 +0,0 @@ -import random -from time import sleep - -MAX_RETRY_ATTEMPTS = 10 -MAX_RETRY_WAIT = 10 - -random.seed() - - -def retry(max_attempts=MAX_RETRY_ATTEMPTS, max_wait=MAX_RETRY_WAIT, log=True): - def logger(*msgs): - if log: - for msg in msgs: - print(msg) - - def wrapper(func): - def retryer(*args, **kwargs): - for attempt in range(1, max_attempts + 1): - try: - return func(*args, **kwargs) - except Exception as ex: - logger("Exception caught: ", ex) - - if attempt != max_attempts: - secs = random.uniform(0, min(max_wait, 2 ** attempt)) - msecs = round(secs * 1000) - - logger(f"Waiting for {msecs}ms") - sleep(secs) - else: - logger(f"{max_attempts} retries failed; aborting") - raise - - return retryer - - return wrapper diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/utils/secrets_manager_helper.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/utils/secrets_manager_helper.py deleted file mode 100644 index dd841da..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/src/utils/secrets_manager_helper.py +++ /dev/null @@ -1,28 +0,0 @@ -import os - -import boto3 - -DEFAULT_REGION = "us-west-2" - -# Provided by Lambda -REGION = os.environ.get("AWS_REGION", DEFAULT_REGION) - - -def retrieve_secret(secret_id_lambda_env_var_key, secretsmanager=None): - """Retrieve an AWS SecretsManager whose Secret Id is contained in - the specified Lambda Env Var. - """ - - secretsmanager_client = secretsmanager or boto3.client("secretsmanager", region_name=REGION) - secret_id = os.environ.get(secret_id_lambda_env_var_key) - - if secret_id is None: - raise ValueError(f"Lambda env var {secret_id_lambda_env_var_key} is not set") - - return get_secret_value(secret_id, secretsmanager=secretsmanager_client) - - -def get_secret_value(secret_id: str, *, secretsmanager) -> str: - response = secretsmanager.get_secret_value(SecretId=secret_id) - secret_value = response["SecretString"] - return secret_value diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/__init__.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_aws_credential_rotator.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_aws_credential_rotator.py deleted file mode 100644 index a4d73d1..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_aws_credential_rotator.py +++ /dev/null @@ -1,105 +0,0 @@ -import os -import unittest -from datetime import datetime -from unittest.mock import patch - -import botocore.session -from botocore.stub import ANY, Stubber -from src.source_data_generator import aws_session_credential_source as rotator -from src.source_data_generator.aws_session_credential_source import generate_session_credentials - -# IAM materials for stubs. These are not real credentials, rather they are -# conventional examples used in AWS documentation. See https://bit.ly/2XsAkBq. -access_key_id = "AKIAIOSFODNN7EXAMPLE" -secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY" -session_token = ( - "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk" - + "4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTf" - + "lfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUp" - + "p2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HF" - + "vlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPP" - + "kUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr" - + "4rvx3iSIlTJabIQwj2ICCR/oLxBA==" -) -expiration = datetime(2015, 1, 1) - - -session = botocore.session.get_session() -iam = session.create_client("iam", region_name=rotator.REGION) -sts = session.create_client("sts", region_name=rotator.REGION) - - -class TestAWSCredentialRotator(unittest.TestCase): - @patch.dict( - os.environ, {"IAM_USERNAME": "username", "IAM_ROLE": "arn:::CIRCLECI_EXECUTION_ROLE"} - ) - def test_handler_rotates_credentials(self): - # Initializer stubbers - iam_stubber = Stubber(iam) - sts_stubber = Stubber(sts) - stubbers = [iam_stubber, sts_stubber] - - # IAM stub - create_request = {"UserName": "username"} - create_response = { - "AccessKey": { - "UserName": "username", - "AccessKeyId": access_key_id, - "Status": "Active", - "SecretAccessKey": secret_access_key, - } - } - delete_request = {"UserName": "username", "AccessKeyId": access_key_id} - iam_stubber.add_response("create_access_key", create_response, create_request) - iam_stubber.add_response("delete_access_key", {}, delete_request) - - # STS stub - sts_request = { - "RoleArn": ANY, - "RoleSessionName": ANY, - "DurationSeconds": rotator.SESSION_DURATION_SECONDS, - } - sts_response = { - "Credentials": { - "AccessKeyId": access_key_id, - "SecretAccessKey": secret_access_key, - "SessionToken": session_token, - "Expiration": expiration, - } - } - sts_stubber.add_response("assume_role", sts_response, sts_request) - - for stubber in stubbers: - stubber.activate() - - result = generate_session_credentials( - configuration=self.mock_configuration(), iam=iam, sts=sts - ) - - for stubber in stubbers: - stubber.assert_no_pending_responses() - - self.assertIn("AccessKeyId", result) - self.assertIn("SecretAccessKey", result) - self.assertIn("SessionToken", result) - - def test_generate_credential_with_null_configuration(self): - with self.assertRaises(RuntimeError): - generate_session_credentials(configuration=None) - - def mock_configuration(self): - return {"user_env_variable": "IAM_USERNAME", "iam_role_env_variable": "IAM_ROLE"} - - def mock_destination_mapping(self): - return [ - {"destination_key_name": "XCF_ACCESS_KEY_ID", "result_value_key": "AccessKeyId"}, - { - "destination_key_name": "XCF_SECRET_ACCESS_KEY", - "result_value_key": "SecretAccessKey", - }, - {"destination_key_name": "XCF_SESSION_TOKEN", "result_value_key": "SessionToken"}, - ] - - -if __name__ == "__main__": - unittest.main() diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_circleci.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_circleci.py deleted file mode 100644 index 23cf1b7..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_circleci.py +++ /dev/null @@ -1,71 +0,0 @@ -import unittest -from unittest.mock import Mock, call, patch - -from src.destination import circleci - -access_key_id = "AKIAIOSFODNN7EXAMPLE" -secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY" -session_token = ( - "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk" - + "4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTf" - + "lfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUp" - + "p2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HF" - + "vlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPP" - + "kUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr" - + "4rvx3iSIlTJabIQwj2ICCR/oLxBA==" -) - - -class TestCircleCIDestination(unittest.TestCase): - def test_generate_credential_with_null_variables(self): - with self.assertRaises(RuntimeError): - circleci.update_environment_variables(variables=None, configuration=None) - - def test_generate_credential_with_null_configuration(self): - with self.assertRaises(RuntimeError): - circleci.update_environment_variables( - variables=self.mock_variables(), configuration=None - ) - - @patch("src.destination.circleci.requests.post") - @patch("src.destination.circleci.retrieve_secret") - def test_updates_variables(self, mock_retrieve_secret, post): - - post.return_value = Mock() - post.return_value.status_code = 200 - - mock_retrieve_secret.return_value = "SEKRET!" - circleci.update_environment_variables( - variables=self.mock_variables(), configuration=self.mock_configuration() - ) - - url = "https://circleci.com/api/v2/project/gh/aws-amplify/aws-sdk-ios/envvar" - header = {"Circle-Token": "SEKRET!"} - values = { - "XCF_ACCESS_KEY_ID": access_key_id, - "XCF_SECRET_ACCESS_KEY": secret_access_key, - "XCF_SESSION_TOKEN": session_token, - } - for i, (key, value) in enumerate(values.items()): - expected_json = {"name": key, "value": value} - expected = call(url, json=expected_json, headers=header) - self.assertEqual(post.mock_calls[i], expected) - - def mock_variables(self): - return { - "XCF_ACCESS_KEY_ID": access_key_id, - "XCF_SECRET_ACCESS_KEY": secret_access_key, - "XCF_SESSION_TOKEN": session_token, - } - - def mock_configuration(self): - return { - "type": "cci_env_variable", - "description": "Circle CI environment variable for AWS SDK iOS repo", - "github_path": "aws-amplify/aws-sdk-ios", - "circleci_api_token_secret_id_lambda_env_var_key": "CIRCLE_CI_IOS_SDK_API_TOKEN", - } - - -if __name__ == "__main__": - unittest.main() diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_retry.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_retry.py deleted file mode 100644 index c67ada8..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_retry.py +++ /dev/null @@ -1,35 +0,0 @@ -import unittest - -from src.utils.retry import retry - - -class TestRetry(unittest.TestCase): - def test_retry_retries(self): - self.retries = 0 - - @retry(max_wait=0.001, log=False) - def exercise(): - if self.retries == 1: - return "all good!" - else: - self.retries += 1 - raise RuntimeError("not good! not good at all!") - - self.assertEqual(exercise(), "all good!") - - def test_retry_raises_exception_if_retried_max_attempts(self): - self.retries = 0 - - @retry(max_attempts=3, max_wait=0.001, log=False) - def exercise(): - self.retries += 1 - raise RuntimeError - - with self.assertRaises(RuntimeError): - exercise() - - self.assertEqual(self.retries, 3) - - -if __name__ == "__main__": - unittest.main() diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_secrets_data_source.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_secrets_data_source.py deleted file mode 100644 index 02ce1d2..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_secrets_data_source.py +++ /dev/null @@ -1,44 +0,0 @@ -import unittest -from unittest.mock import patch - -from src.source_data_generator import secrets_data_source - - -class TestSecretsDataSource(unittest.TestCase): - def test_null_environment_value(self): - with self.assertRaises(RuntimeError): - secrets_data_source.retrieve_secrets(configuration=None) - - @patch("src.source_data_generator.secrets_data_source.retrieve_secret") - def test_valid_result(self, mock_retrieve_secret): - mock_retrieve_secret.return_value = "SEKRET!" - configuration = {"secret_key_env_variable": "secret_key"} - result = secrets_data_source.retrieve_secrets(configuration) - self.assertIsNotNone(result) - - @patch("src.source_data_generator.secrets_data_source.retrieve_secret") - def test_valid_result_string(self, mock_retrieve_secret): - mock_retrieve_secret.return_value = "SEKRET!" - configuration = {"secret_key_env_variable": "secret_key"} - result = secrets_data_source.retrieve_secrets(configuration) - self.assertTrue(isinstance(result, dict)) - secret_value = result["result"] - self.assertEqual(secret_value, "SEKRET!") - - @patch("src.source_data_generator.secrets_data_source.retrieve_secret") - def test_valid_result_json(self, mock_retrieve_secret): - mock_retrieve_secret.return_value = """{"GITHUB_SPM_RELEASE_USER": "user", - "GITHUB_SPM_RELEASE_TOKEN": "token"} - """ - configuration = {"secret_key_env_variable": "secret_key"} - result = secrets_data_source.retrieve_secrets(configuration) - self.assertTrue(isinstance(result, dict)) - - secret_value = result["GITHUB_SPM_RELEASE_USER"] - secret_token = result["GITHUB_SPM_RELEASE_TOKEN"] - self.assertEqual(secret_value, "user") - self.assertEqual(secret_token, "token") - - -if __name__ == "__main__": - unittest.main() diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_secrets_manager_helper.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_secrets_manager_helper.py deleted file mode 100644 index b83cc85..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_secrets_manager_helper.py +++ /dev/null @@ -1,35 +0,0 @@ -import os -import unittest -from unittest.mock import patch - -import botocore.session -from botocore.stub import Stubber -from src.utils import secrets_manager_helper - -session = botocore.session.get_session() -secretsmanager = session.create_client("secretsmanager", region_name=secrets_manager_helper.REGION) - - -class TestSecretsManagerHelper(unittest.TestCase): - def test_null_environment_value(self): - with self.assertRaises(ValueError): - secrets_manager_helper.retrieve_secret("variable") - - @patch.dict(os.environ, {"variable": "some_secret_id"}) - def test_retrieve_secret(self): - mock_secret = "SEKRET!" - secretsmanager_stubber = Stubber(secretsmanager) - request = {"SecretId": "some_secret_id"} - response = {"SecretString": mock_secret} - secretsmanager_stubber.add_response("get_secret_value", response, request) - secretsmanager_stubber.activate() - - secret_value = secrets_manager_helper.retrieve_secret("variable", secretsmanager) - - secretsmanager_stubber.assert_no_pending_responses() - - self.assertEqual(mock_secret, secret_value) - - -if __name__ == "__main__": - unittest.main() diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_static_data_source.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_static_data_source.py deleted file mode 100644 index b9d88d1..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/test/test_static_data_source.py +++ /dev/null @@ -1,29 +0,0 @@ -import os -import unittest -from unittest.mock import patch - -from src.source_data_generator import lambda_env_var_data_source - - -class TestSecretsDataSource(unittest.TestCase): - def test_null_environment_value(self): - with self.assertRaises(RuntimeError): - lambda_env_var_data_source.retrieve_lambda_env_var_value(configuration=None) - - @patch.dict(os.environ, {"variable": "SEKRET"}) - def test_valid_result(self): - configuration = {"lambda_env_var_key": "variable"} - result = lambda_env_var_data_source.retrieve_lambda_env_var_value(configuration) - self.assertIsNotNone(result) - - @patch.dict(os.environ, {"variable": "SEKRET!"}) - def test_valid_result_string(self): - configuration = {"lambda_env_var_key": "variable"} - result = lambda_env_var_data_source.retrieve_lambda_env_var_value(configuration) - self.assertTrue(isinstance(result, dict)) - secret_value = result["result"] - self.assertEqual(secret_value, "SEKRET!") - - -if __name__ == "__main__": - unittest.main() diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/tests.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/tests.py deleted file mode 100644 index ff26366..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/lambda_functions/tests.py +++ /dev/null @@ -1,15 +0,0 @@ -import unittest -from test import test_aws_credential_rotator, test_circleci, test_retry - - -def suite(): - suite = unittest.TestSuite() - suite.addTests(test_retry) - suite.addTests(test_aws_credential_rotator) - suite.addTests(test_circleci) - return suite - - -if __name__ == "__main__": - runner = unittest.TextTestRunner() - runner.run(suite()) diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/secretsmanager_construct.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/secretsmanager_construct.py deleted file mode 100644 index 57a8ff3..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/secretsmanager_construct.py +++ /dev/null @@ -1,42 +0,0 @@ -import cdk.credential_rotation.utils.secretmanager_constants as constants -from aws_cdk import aws_iam, aws_secretsmanager, core -from cdk.credential_rotation.iam_construct import IAMConstruct - - -class SecretsManagerConstruct(core.Construct): - def __init__( - self, scope: core.Construct, construct_id: str, iam_construct: IAMConstruct, **kwargs - ) -> None: - super().__init__(scope, construct_id, **kwargs) - - self.circleci_aws_ios_sdk_api_key = aws_secretsmanager.Secret( - self, - "circleCI_AWS_iOS_SDK_API_key", - description="CircleCI API key used by credential rotator lambda for AWS iOS SDK", - secret_name=constants.CIRCLECI_AWS_IOS_SDK_API_KEY, - ) - self.circleci_aws_ios_sdk_spm_api_key = aws_secretsmanager.Secret( - self, - "circleCI_AWS_iOS_SDK_SPM_API_key", - description="CircleCI API key used by credential rotator lambda for AWS iOS SDK SPM", - secret_name=constants.CIRCLECI_AWS_IOS_SDK_SPM_API_KEY, - ) - self.github_release_api_key = aws_secretsmanager.Secret( - self, - "github_release_api_key", - description="""GitHub username and API token for CircleCI to access - the aws-sdk-ios-spm repo to post PRs, merge from release to main - """, - secret_name=constants.GITHUB_SPM_RELEASE_API_TOKEN, - ) - - lambda_role_get_secret_policy = aws_iam.PolicyStatement( - effect=aws_iam.Effect.ALLOW, - actions=["secretsmanager:GetSecretValue"], - resources=[ - self.circleci_aws_ios_sdk_api_key.secret_full_arn, - self.circleci_aws_ios_sdk_spm_api_key.secret_full_arn, - self.github_release_api_key.secret_full_arn, - ], - ) - iam_construct.add_policy_to_lambda_role(lambda_role_get_secret_policy) diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/__init__.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/lambda_constants.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/lambda_constants.py deleted file mode 100644 index 78a47e2..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/lambda_constants.py +++ /dev/null @@ -1,36 +0,0 @@ -# Lambda environment variable key, whose value is the -# SecretsManager secret name of the CIrcleCI API key -CIRCLE_CI_IOS_SDK_API_TOKEN_ENV = "CIRCLE_CI_IOS_SDK_API_TOKEN" - -# Lambda environment variable key, whose value is the -# SecretsManager secret name of the CIrcleCI API key -CIRCLE_CI_IOS_SDK_SPM_API_TOKEN_ENV = "CIRCLE_CI_IOS_SDK_SPM_API_TOKEN" - -# Lambda environment variable key, whose value is the -# ARN of the Lambda execution IAM role -IAM_ROLE_ENV = "IAM_ROLE" - -# Lambda environment variable key, whose value is the -# IAM user for whom the rotator will generate static -# credentials -IAM_USERNAME_ENV = "IAM_USERNAME" - -# Lambda environment variable key, whose value is the -# GitHub "project path" (e.g., user or org plus project name, -# as in `aws-amplify/aws-sdk-ios`) -GITHUB_PROJECT_PATH_ENV = "GITHUB_PROJECT_PATH" - -# Lambda environment variable key, whose value is the -# GitHub username and API token used by CircleCI to -# create PRs in the SPM repo, and merge and tag release -# commits. -GITHUB_CREDENTIALS_SECRET_ENV = "GITHUB_CREDENTIALS_SECRET" - -# Lambda environment variable key, whose value is the -# bucket name where release artifacts are uploaded -RELEASE_BUCKET_NAME_ENV = "SPM_S3_BUCKET_NAME" - -# Lambda environment variable key, whose value is the -# CloudFront distribution id that gets invalidated during -# binary artifact releases. -RELEASE_CLOUDFRONT_DISTRIBUTION_ID_ENV = "SPM_RELEASE_CLOUDFRONT_DISTRIBUTION_ID" diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/lambda_event_data.json b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/lambda_event_data.json deleted file mode 100644 index 20ef8bb..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/lambda_event_data.json +++ /dev/null @@ -1,113 +0,0 @@ -{ - "sources": [ - { - "type": "aws_session_credentials", - "description": "Temporary AWS Credentials to upload the release artifacts to S3 and invalidate Cloudfront", - "configuration": { - "user_env_variable": "IAM_USERNAME", - "iam_role_env_variable": "IAM_ROLE" - }, - "destination": { - "specifier": "aws-sdk-ios-cci", - "mapping_to_destination": [ - { - "destination_key_name": "XCF_AWS_ACCESS_KEY_ID", - "result_value_key": "AccessKeyId" - }, - { - "destination_key_name": "XCF_AWS_SECRET_ACCESS_KEY", - "result_value_key": "SecretAccessKey" - }, - { - "destination_key_name": "XCF_AWS_SESSION_TOKEN", - "result_value_key": "SessionToken" - } - ] - } - }, - { - "type": "secrets_manager", - "description": "GITHUB credentials to be used in aws-sdk-ios circleci scripts", - "configuration": { - "secret_key_env_variable": "GITHUB_CREDENTIALS_SECRET" - }, - "destination": { - "specifier": "aws-sdk-ios-cci", - "mapping_to_destination": [ - { - "destination_key_name": "GITHUB_SPM_RELEASE_TOKEN", - "result_value_key": "GITHUB_SPM_TOKEN" - }, - { - "destination_key_name": "GITHUB_SPM_RELEASE_USER", - "result_value_key": "GITHUB_SPM_USER" - } - ] - } - }, - { - "type": "secrets_manager", - "description": "GITHUB credentials to be used in aws-sdk-ios-spm circleci scripts", - "configuration": { - "secret_key_env_variable": "GITHUB_CREDENTIALS_SECRET" - }, - "destination": { - "specifier": "aws-sdk-ios-spm-cci", - "mapping_to_destination": [ - { - "destination_key_name": "GITHUB_SPM_RELEASE_TOKEN", - "result_value_key": "GITHUB_SPM_TOKEN" - }, - { - "destination_key_name": "GITHUB_SPM_RELEASE_USER", - "result_value_key": "GITHUB_SPM_USER" - } - ] - } - }, - { - "type": "lambda_environment_variable", - "description": "S3 bucket name used to upload the binary artifacts", - "configuration": { - "lambda_env_var_key": "SPM_S3_BUCKET_NAME" - }, - "destination": { - "specifier": "aws-sdk-ios-cci", - "mapping_to_destination": [ - { - "destination_key_name": "XCF_RELEASE_BUCKET" - } - ] - } - }, - { - "type": "lambda_environment_variable", - "description": "Release cloudfront distribution id used to host the binary artifacts", - "configuration": { - "lambda_env_var_key": "SPM_RELEASE_CLOUDFRONT_DISTRIBUTION_ID" - }, - "destination": { - "specifier": "aws-sdk-ios-cci", - "mapping_to_destination": [ - { - "destination_key_name": "XCF_RELEASE_DISTRIBUTION_ID" - } - ] - } - } - ], - "destinations": { - "aws-sdk-ios-cci": { - "type": "cci_env_variable", - "description": "Circle CI environment variable for AWS SDK iOS repo", - "github_path": "aws-amplify/aws-sdk-ios", - "circleci_api_token_secret_id_lambda_env_var_key": "CIRCLE_CI_IOS_SDK_API_TOKEN" - }, - "aws-sdk-ios-spm-cci": { - "type": "cci_env_variable", - "description": "Circle CI environment variable for AWS SDK iOS SPM repo", - "github_path": "aws-amplify/aws-sdk-ios-spm", - "circleci_api_token_secret_id_lambda_env_var_key": "CIRCLE_CI_IOS_SDK_SPM_API_TOKEN" - } - } -} \ No newline at end of file diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/secretmanager_constants.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/secretmanager_constants.py deleted file mode 100644 index 99037e5..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation/utils/secretmanager_constants.py +++ /dev/null @@ -1,15 +0,0 @@ -# Secrets Manager secret name, whose value is the -# CircleCI API key used by the Lambda credential rotator -# to update environment variables for aws ios sdk repo. -CIRCLECI_AWS_IOS_SDK_API_KEY = "CIRCLECI_AWS_IOS_SDK_API_KEY" - -# Secrets Manager secret name, whose value is the -# CircleCI API key used by the Lambda credential rotator -# to update environment variables for aws ios sdk spm repo. -CIRCLECI_AWS_IOS_SDK_SPM_API_KEY = "CIRCLECI_AWS_IOS_SDK_SPM_API_KEY" - -# Secrets Manager secret name, whose value is a -# JSON containing the GitHub API token for updating -# the Swift Package Manager manifest repo, and the -# GitHub username that owns that API token. -GITHUB_SPM_RELEASE_API_TOKEN = "GITHUB_SPM_RELEASE_API_TOKEN" diff --git a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation_stack.py b/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation_stack.py deleted file mode 100644 index 5a40bf4..0000000 --- a/src/release_artifacts_resources/ios/cdk/cdk/credential_rotation_stack.py +++ /dev/null @@ -1,39 +0,0 @@ -from aws_cdk import core as cdk -from cdk.credential_rotation.events_construct import EventsConstruct -from cdk.credential_rotation.iam_construct import IAMConstruct -from cdk.credential_rotation.lambda_construct import LambdaConstruct -from cdk.credential_rotation.secretsmanager_construct import SecretsManagerConstruct -from cdk.credential_rotation.cloudwatch_construct import CloudWatchConstruct - - -class CredentialRotationStack(cdk.Stack): - def __init__( - self, - scope: cdk.Construct, - construct_id: str, - bucket_name: str, - bucket_arn: str, - cloudfront_distribution_id: str, - cloudfront_arn: str, - **kwargs - ) -> None: - super().__init__(scope, construct_id, **kwargs) - iam_construct = IAMConstruct( - self, "credential_rotation_iam", bucket_arn=bucket_arn, cloudfront_arn=cloudfront_arn - ) - secretsmanager_construct = SecretsManagerConstruct( - self, "credential_rotation_secret", iam_construct=iam_construct - ) - lambda_construct = LambdaConstruct( - self, - "credential_rotation_lambda", - bucket_name=bucket_name, - cloudfront_distribution_id=cloudfront_distribution_id, - iam_construct=iam_construct, - secretsmanager_construct=secretsmanager_construct, - ) - - EventsConstruct(self, "credential_rotation_event", lambda_construct=lambda_construct) - CloudWatchConstruct( - self, "credential_rotation_cloudwatch", lambda_construct=lambda_construct - )