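# AWS CodeBuild buildspec for the Nitro Enclaves vault.
#
# Flow: install nitro-cli -> build the parent image with BuildKit and the
# enclave image reproducibly with Kaniko -> sign the enclave image file (EIF)
# with a throwaway self-signed certificate -> append PCR3 to the measurements
# and publish them to Secrets Manager.
version: 0.2
phases:
  install:
    commands:
      - sudo dnf install --releasever=latest -y aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel
  build:
    commands:
      - echo Build started on `date`
      # Pin timestamps inside the image to the commit time so repeated builds
      # of the same commit yield the same enclave image (and the same PCR0).
      - export SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)
      # Build parent image with BuildKit
      - docker buildx bake -f docker-bake.hcl parent
      # Build enclave image with Kaniko for reproducible PCR0
      - mkdir -p /tmp/enclave-output
      # NOTE(review): the executor is pinned by tag only; a tag can be moved.
      # Pinning by digest (gcr.io/kaniko-project/executor@sha256:<DIGEST>)
      # makes the build tool itself part of the reproducibility guarantee.
      - >-
        docker run --rm
        -v $(pwd)/enclave:/workspace
        -v /tmp/enclave-output:/output
        gcr.io/kaniko-project/executor:v1.23.2
        --dockerfile /workspace/Dockerfile
        --context /workspace
        --reproducible
        --no-push
        --tarPath=/output/enclave.tar
        --destination=enclave-vault:latest
        --build-arg TARGETPLATFORM=aarch64-unknown-linux-musl
        --build-arg SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
      - docker load -i /tmp/enclave-output/enclave.tar
      - echo Build completed on `date`
  post_build:
    commands:
      # post_build runs even when build failed; stop here so a broken build
      # never signs an EIF or publishes measurements.
      - '[ ${CODEBUILD_BUILD_SUCCEEDING:-0} -eq 1 ] || exit 1'
      # Extract the parent binary from the image without running it.
      - CONTAINER_ID=$(docker create parent-vault:latest)
      - docker cp $CONTAINER_ID:/app/parent-vault ./parent-vault
      - docker rm $CONTAINER_ID
      # Write the signing key with owner-only permissions; under the default
      # umask (022) the PEM would be created world-readable. The umask is set
      # in a subshell so later outputs keep their normal modes.
      - (umask 077; echo "${PRIVATE_KEY}" > nitro_vault_key.pem)
      - openssl req -new -key nitro_vault_key.pem -sha384 -nodes -subj "/CN=AWS/C=US/ST=WA/L=Seattle/O=Amazon/OU=AWS" -out nitro_vault_csr.pem
      - openssl x509 -req -days 365 -in nitro_vault_csr.pem -out nitro_vault_cert.pem -sha384 -signkey nitro_vault_key.pem
      # Signs the EIF; stdout holds the PCR measurements as JSON.
      - nitro-cli build-enclave --docker-uri "enclave-vault:latest" --output-file enclave-vault.eif --private-key nitro_vault_key.pem --signing-certificate nitro_vault_cert.pem > temp_measurements.json
      #- nitro-cli build-enclave --docker-uri "enclave-vault:latest" --output-file enclave-vault.eif --private-key ${SIGNING_KEY_ARN} > temp_measurements.json
      # The key and CSR are not used after signing; do not leave them in the
      # build workspace.
      - rm -f nitro_vault_key.pem nitro_vault_csr.pem
      # PCR3 depends on the parent instance's IAM role ARN rather than on the
      # image, so nitro-cli cannot emit it: SHA-384 over 48 zero bytes
      # followed by the ARN.
      - PCR3=$(python -c"import hashlib; h=hashlib.sha384(); h.update(b'\0'*48); h.update(\"${INSTANCE_ROLE_ARN}\".encode('utf-8')); print(h.hexdigest())")
      - jq --arg PCR3 "$PCR3" '.Measurements += {"PCR3":$PCR3}' temp_measurements.json > measurements.json
      # Expected measurements are published for attestation verifiers.
      - aws secretsmanager put-secret-value --secret-id "${MEASUREMENT_SECRET_ID}" --secret-string file://measurements.json
artifacts:
  discard-paths: true
  files:
    - parent-vault  # Used by Deploy:DeployVault
    - enclave-vault.eif  # Used by Deploy:DeployVault
    - vault_template.yml  # Used by Deploy:DeployVault
    - vault_template_configuration.json  # Used by Deploy:DeployVault
cache:
  files:
    - '/root/.cargo/registry/**/*'
    - '/root/.docker/**/*'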