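AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Buildkite On-Demand Agent Scheduler
Transform:
  - AWS::Serverless-2016-10-31

# Flow of this stack:
#   Buildkite partner event bus -> EventBridge rule (Job Scheduled for one
#   queue) -> SQS -> BuildkiteRunTask Lambda -> ecs:RunTask in EcsClusterName.
# A second rule copies every Buildkite event for this account into a
# CloudWatch log group for debugging.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Buildkite
        Parameters:
          - BuildkiteAgentTokenParameterPath
          - BuildkiteQueue
      - Label:
          default: AWS
        Parameters:
          - EventBridgeBusName
          - VpcSubnetIds
          - EcsClusterName
          - LogRetentionInDays
    ParameterLabels:
      VpcSubnetIds:
        default: "Which VPC subnets should agent containers be scheduled in?"

Parameters:
  EventBridgeBusName:
    Type: String
    Description: Name of an EventBridge Bus in this region that receives Buildkite Partner Events, see https://buildkite.com/docs/integrations/amazon-eventbridge.
    AllowedPattern: ^[a-zA-Z0-9\-\._/]+
  BuildkiteQueue:
    Type: String
    Description: Queue name that agents will be scheduled for on-demand, targeted in pipeline steps using an agent query rule "queue={value}".
    AllowedPattern: ^[a-zA-Z0-9\-_]{1,50}
  BuildkiteAgentTokenParameterPath:
    Type: AWS::SSM::Parameter::Name
    Description: Buildkite Agent registration token parameter path, can be a String or SecureString.
    Default: /buildkite/agent-token
  VpcSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: List of VPC subnets to launch agent containers in.
  EcsClusterName:
    Type: String
    Description: Name of the ECS Cluster to schedule task definitions in.
    # ECS cluster names are 1-255 letters, digits, hyphens and underscores;
    # the name is also embedded in the ecs:cluster ARN used to scope RunTask.
    AllowedPattern: ^[a-zA-Z0-9\-_]{1,255}$
  EcsLaunchType:
    Type: String
    Description: How to launch the task definition containers.
    AllowedValues:
      - FARGATE
      - EC2
    Default: FARGATE
  SshAgentBackend:
    Type: String
    Default: ''
    Description: (Optional) API Gateway Stage ARN for an iam-ssh-agent backend, in the form arn:aws:execute-api:{region}:{account}:{api-id}/{stage}.
    # Empty disables the integration. The non-empty form is what the
    # Fn::Split/Fn::Select chain under BuildkiteRunTask expects; rejecting
    # anything else here fails the deploy instead of producing a bogus URL.
    AllowedPattern: '^(|arn:aws:execute-api:[a-z0-9\-]+:[0-9]{12}:[a-z0-9]+/[a-zA-Z0-9_\-]+)$'
  ExecutionRolePrefix:
    Type: String
    Default: '/BuildkiteAgentExecution/'
    Description: IAM path under which ECS task execution roles live. The scheduler may pass ANY role under this path to ECS, so keep the path dedicated to this purpose.
    AllowedPattern: (\u002F[\u0021-\u007F]+\u002F)
  TaskRolePrefix:
    Type: String
    Default: '/BuildkiteAgentTask/'
    Description: IAM path under which per-pipeline task roles live. The scheduler may pass ANY role under this path to ECS, so keep the path dedicated to this purpose.
    AllowedPattern: (\u002F[\u0021-\u007F]+\u002F)
  LogRetentionInDays:
    Type: Number
    Default: 1
    Description: Days to retain the scheduler Lambda log and the raw Buildkite event log. 1 is enough for debugging; raise it if these logs are part of your audit trail.
    AllowedValues:
      - 1
      - 3
      - 5
      - 7
      - 14
      - 30
      - 60
      - 90
      - 120
      - 150
      - 180
      - 365
      - 400
      - 545
      - 731
      - 1096
      - 1827
      - 2192
      - 2557
      - 2922
      - 3288
      - 3653

Conditions:
  IncludeSshAgent: !Not [!Equals [!Ref SshAgentBackend, '']]

Resources:
  RunTaskDeadLetterQueue:
    Type: AWS::SQS::Queue
    Properties:
      # Receives Job Scheduled events that BuildkiteRunTask failed on
      # maxReceiveCount times, instead of them cycling on RunTaskQueue until
      # retention expires. Redrive from here once the scheduler is fixed.
      SqsManagedSseEnabled: true

  RunTaskQueue:
    Type: AWS::SQS::Queue
    Properties:
      # Must stay >= BuildkiteRunTask.Timeout so an event is not redelivered
      # while the function is still processing it.
      VisibilityTimeout: 300
      SqsManagedSseEnabled: true
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt RunTaskDeadLetterQueue.Arn
        maxReceiveCount: 5

  BuildkiteJobScheduledRule:
    Type: AWS::Events::Rule
    Properties:
      # Using BuildkiteQueue enforces that only one scheduler per queue is
      # attached to the EventBridge Bus.
      #
      # BuildkiteQueue can be 50, AWS::Events::Rule Name is limited to 64
      Name: !Sub "${BuildkiteQueue}-Queue"
      Description: Enqueue Job Scheduled events on an SQS queue.
      EventBusName: !Ref EventBridgeBusName
      EventPattern:
        account:
          - !Ref AWS::AccountId
        detail-type:
          - "Job Scheduled"
        detail:
          job:
            agent_query_rules:
              - !Sub "queue=${BuildkiteQueue}"
      Targets:
        - Id: Queue
          Arn: !GetAtt RunTaskQueue.Arn
          # Only the job payload reaches the function, not the envelope.
          InputPath: $.detail

  RunTaskQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref RunTaskQueue
      PolicyDocument:
        Version: "2012-10-17"
        Id: !Sub
          - "${Queue}/SQSDefaultPolicy"
          - Queue: !GetAtt RunTaskQueue.Arn
        Statement:
          # Only this stack's rule may enqueue; any other EventBridge rule in
          # the account is refused by the SourceArn condition.
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sqs:SendMessage
            Resource: !GetAtt RunTaskQueue.Arn
            Condition:
              ArnEquals:
                "aws:SourceArn": !GetAtt BuildkiteJobScheduledRule.Arn

  BuildkiteRunTask:
    Type: AWS::Serverless::Function
    Properties:
      Description: A Lambda function that dequeues Buildkite Job Scheduled notifications from an SQS queue and runs an ECS task for them.
      # NOTE(review): nodejs12.x is end-of-life and Lambda no longer accepts
      # new functions on it. Move to a supported Node.js runtime once the
      # handler in src/handlers/ has been checked against it.
      Runtime: nodejs12.x
      Handler: buildkite-run-task.handler
      CodeUri: src/handlers/
      Events:
        SQSQueueEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt RunTaskQueue.Arn
            # One job per invocation so one bad event cannot fail a batch.
            BatchSize: 1
      MemorySize: 128
      Timeout: 105
      Policies:
        - AWSLambdaBasicExecutionRole
        - SQSPollerPolicy:
            QueueName: !GetAtt RunTaskQueue.QueueName
        - Version: "2012-10-17"
          Statement:
            # RegisterTaskDefinition supports no resource-level scoping.
            - Effect: Allow
              Action: ecs:RegisterTaskDefinition
              Resource: "*"
            # Task definition families are chosen by the handler, so the
            # resource stays "*"; the ecs:cluster key pins launches to the
            # configured cluster so a compromised scheduler cannot start
            # tasks in any other cluster in the account.
            - Effect: Allow
              Action: ecs:RunTask
              Resource: "*"
              Condition:
                ArnEquals:
                  "ecs:cluster": !Sub arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${EcsClusterName}
            # Every role under the two prefixes is passable, which is why the
            # prefixes must be dedicated. PassedToService stops this grant
            # being reused to hand those roles to any service other than ECS.
            - Effect: Allow
              Action: iam:PassRole
              Resource:
                - !Sub arn:aws:iam::${AWS::AccountId}:role${ExecutionRolePrefix}*
                - !Sub arn:aws:iam::${AWS::AccountId}:role${TaskRolePrefix}*
              Condition:
                StringEquals:
                  "iam:PassedToService": ecs-tasks.amazonaws.com
      Environment:
        Variables:
          ECS_CLUSTER_NAME: !Ref EcsClusterName
          VPC_SUBNETS: !Join [',', !Ref VpcSubnetIds]
          LAUNCH_TYPE: !Ref EcsLaunchType
          # Presumably the handler completes this prefix with a per-job role
          # name; whatever it appends must stay under TaskRolePrefix for the
          # PassRole grant above to match - confirm in src/handlers/.
          TASK_ROLE_ARN_PREFIX: !Sub arn:aws:iam::${AWS::AccountId}:role${TaskRolePrefix}
          DEFAULT_EXECUTION_ROLE_ARN: !GetAtt DefaultExecutionRole.Arn
          BUILDKITE_AGENT_TOKEN_PARAMETER_PATH: !Ref BuildkiteAgentTokenParameterPath
          # Built from the stage ARN arn:aws:execute-api:{region}:{account}:{api-id}/{stage}:
          # split on "/" -> [api ARN, stage]; split the api ARN on ":" ->
          # region at index 3, api-id at index 5. Omitted entirely when the
          # parameter is empty.
          IAM_SSH_AGENT_BACKEND_URL: !If
            - IncludeSshAgent
            - !Sub
              - https://${ApiId}.execute-api.${Region}.amazonaws.com/${Stage}
              - ApiId: !Select [5, !Split [":", !Select [0, !Split ["/", !Ref SshAgentBackend]]]]
                Region: !Select [3, !Split [":", !Select [0, !Split ["/", !Ref SshAgentBackend]]]]
                Stage: !Select [1, !Split ["/", !Ref SshAgentBackend]]
            - !Ref AWS::NoValue

  RunTaskLogGroup:
    Type: AWS::Logs::LogGroup
    DependsOn: BuildkiteRunTask
    Properties:
      RetentionInDays: !Ref LogRetentionInDays
      LogGroupName: !Sub
        - '/aws/lambda/${LambdaName}'
        - LambdaName: !Ref BuildkiteRunTask

  DefaultExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs-tasks.amazonaws.com]
            Action: ['sts:AssumeRole']
            # Confused-deputy guard: ECS may only assume this role on behalf
            # of tasks in this account.
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref AWS::AccountId
      Path: !Ref ExecutionRolePrefix
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: FetchDecryptSecrets
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read access is limited to the single agent-token parameter.
              - Effect: Allow
                Action:
                  - ssm:GetParameter
                  - ssm:GetParameters
                Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${BuildkiteAgentTokenParameterPath}
              # NOTE(review): KMS key ARNs end in key/<key-id>; "aws/ssm" is an
              # alias name, so this ARN matches no key. Per the ECS secrets
              # docs an explicit kms:Decrypt is only needed for a
              # customer-managed key - put that key's real ARN here if one is
              # used for the SecureString, otherwise this statement is inert.
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/aws/ssm
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogStreams
                Resource:
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/ecs/ondemand-*
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/ecs/ondemand-*:log-stream:*

  BuildkiteEventsLog:
    Type: AWS::Logs::LogGroup
    Properties:
      # Holds the full payload of every Buildkite event for this account
      # (pipeline, job and agent details). Treat it as sensitive and keep
      # retention short unless it is deliberately part of your audit trail.
      LogGroupName: !Sub /aws/events/buildkite/${AWS::StackName}
      RetentionInDays: !Ref LogRetentionInDays

  # EventBridge cannot write to a log group without a resource policy on the
  # CloudWatch Logs side; without this the log rule below delivers nothing.
  # Scoped to this stack's rule so other rules cannot write here.
  BuildkiteEventsLogPolicy:
    Type: AWS::Logs::ResourcePolicy
    Properties:
      PolicyName: !Sub ${AWS::StackName}-buildkite-events-log
      PolicyDocument: !Sub
        - '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["events.amazonaws.com","delivery.logs.amazonaws.com"]},"Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"${LogGroupArn}","Condition":{"ArnEquals":{"aws:SourceArn":"${RuleArn}"}}}]}'
        - LogGroupArn: !GetAtt BuildkiteEventsLog.Arn
          RuleArn: !GetAtt BuildkiteEventsLogRule.Arn

  BuildkiteEventsLogRule:
    Type: AWS::Events::Rule
    Properties:
      # Using BuildkiteQueue enforces that only one scheduler per queue is
      # attached to the EventBridge Bus.
      #
      # BuildkiteQueue can be 50, AWS::Events::Rule Name is limited to 64
      Name: !Sub "${BuildkiteQueue}-Log"
      Description: Log all Buildkite events to a CloudWatch Log Group
      EventBusName: !Ref EventBridgeBusName
      # Matches every event on the bus for this account, not just this queue.
      EventPattern:
        account:
          - !Ref AWS::AccountId
      Targets:
        - Id: Log
          Arn: !GetAtt BuildkiteEventsLog.Arn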