update the aws elastic ci stack to v6.27.0

data/content/aws-stack.yml

@@ -1,6 +1,6 @@
 ---
 AWSTemplateFormatVersion: "2010-09-09"
-Description: "Buildkite stack v6.23.0"
+Description: "Buildkite stack v6.27.0"
 
 # The Buildkite Elastic CI Stack for AWS gives you a private,
 # autoscaling Buildkite Agent cluster. Use it to parallelize
@@ -27,15 +27,23 @@ Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
       - Label:
-          default: Buildkite Configuration
+          default: Base Configuration
         Parameters:
+        - BuildkiteAgentToken
         - BuildkiteAgentTokenParameterStorePath
         - BuildkiteAgentTokenParameterStoreKMSKey
-        - BuildkiteAgentToken
         - BuildkiteQueue
 
       - Label:
-          default: Advanced Buildkite Configuration
+          default: Signed Pipelines Configuration
+        Parameters:
+        - PipelineSigningKMSKeyId
+        - PipelineSigningKMSKeySpec
+        - PipelineSigningKMSAccess
+        - PipelineSigningVerificationFailureBehavior
+
+      - Label:
+          default: Advanced Configuration
         Parameters:
         - BuildkiteAgentRelease
         - BuildkiteAgentTags
@@ -386,7 +394,7 @@ Parameters:
     Default: 125
 
   RootVolumeIops:
-    Description: If the `RootVolumeType` is io1 or io2, the number of IOPS to provision for the root volume
+    Description: If the `RootVolumeType` is gp3, io1, or io2, the number of IOPS to provision for the root volume
     Type: Number
     Default: 1000
 
@@ -568,6 +576,35 @@ Parameters:
     Description: Optional - Customise the EC2 instance Name tag
     Default: ""
 
+  PipelineSigningKMSKeyId:
+    Type: String
+    Description: Optional - Identifier of the KMS key used to sign and verify pipelines (Created if left blank and PipelineSigningKMSKeySpec is selected)
+    Default: ""
+
+  PipelineSigningKMSKeySpec:
+    Type: String
+    Description: The key spec for the KMS key used to sign and verify pipelines
+    AllowedValues:
+      - "ECC_NIST_P256"
+      - "none"
+    Default: "none"
+
+  PipelineSigningKMSAccess:
+    Type: String
+    Description: The access level for the KMS key used to sign and verify pipelines
+    AllowedValues:
+      - "sign-and-verify"
+      - "verify"
+    Default: "sign-and-verify"
+
+  PipelineSigningVerificationFailureBehavior:
+    Type: String
+    Description: The behavior when a job is received without a valid verifiable signature (without a signature, with an invalid signature, or with a signature that fails verification)
+    AllowedValues:
+      - "block"
+      - "warn"
+    Default: "block"
+
 Rules:
   HasToken:
     Assertions:
@@ -582,6 +619,17 @@ Rules:
                 - !Ref BuildkiteAgentTokenParameterStorePath
                 - ""
         AssertDescription: "You must provide BuildkiteAgentToken or BuildkiteAgentTokenParameterStorePath"
+  HasPipelineSigningKMSKey:
+    Assertions:
+      - Assert:
+          !Or
+            - !Equals
+              - !Ref PipelineSigningKMSKeyId
+              - ""            
+            - !Equals
+              - !Ref PipelineSigningKMSKeySpec
+              - "none"
+        AssertDescription: "You must provide either provide a PipelineSigningKMSKeyId or select a PipelineSigningKMSKeySpec but not both"
 
 Outputs:
   VpcId:
@@ -602,6 +650,12 @@ Outputs:
     Export:
       Name: !Sub '${AWS::StackName}-ManagedSecretsLoggingBucket'
 
+  PipelineSigningKMSKey:
+    Value:
+      !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, "none" ]
+    Export:
+      Name: !Sub '${AWS::StackName}-PipelineSigningKMSKey'
+
   AutoScalingGroupName:
     Value: !Ref AgentAutoScaleGroup
     Export:
@@ -685,6 +739,20 @@ Conditions:
 
     UseCostAllocationTags:
       !Equals [ !Ref EnableCostAllocationTags, "true" ]
+
+    UsePipelineSigningKMSKey:
+      !Not [ !Equals [ !Ref PipelineSigningKMSKeyId, "" ] ]
+
+    CreatePipelineSigningKMSKey:
+      !And
+      - !Equals [ !Ref PipelineSigningKMSKeyId, "" ]
+      - !Not [ !Equals [ !Ref PipelineSigningKMSKeySpec, "none" ] ]
+
+    HasPipelineSigningKMSKey:
+      !Or [ !Condition CreatePipelineSigningKMSKey, !Condition UsePipelineSigningKMSKey ]
+
+    HasSigningKMSAccessSignAndVerify:
+      !Equals [ !Ref PipelineSigningKMSAccess, "sign-and-verify" ]
 
     HasKeyName:
       !Not [ !Equals [ !Ref KeyName, "" ] ]
@@ -760,26 +828,26 @@ Mappings:
 
   # Generated from Makefile via build/mappings.yml
   AWSRegion2AMI:
-    us-east-1 : { linuxamd64: ami-09dce4453e68fc5cd, linuxarm64: ami-0100de0b1e920f43a, windows: ami-0461661ce536ba218 }
-    us-east-2 : { linuxamd64: ami-01cde7aaf362f4aae, linuxarm64: ami-0ab8f88ac8c2c8d30, windows: ami-0b7b91b74290a35e1 }
-    us-west-1 : { linuxamd64: ami-045c6cf6c0dd4a9e4, linuxarm64: ami-0d5aec634b234e2a2, windows: ami-034824341c9421171 }
-    us-west-2 : { linuxamd64: ami-09132553fcbda5aee, linuxarm64: ami-0fd1d63fc28576e60, windows: ami-0116268efe38d10ea }
-    af-south-1 : { linuxamd64: ami-09c9633cb3f5e6fc3, linuxarm64: ami-09ba6dd6ae16f3d50, windows: ami-0fb7a12b133324fe7 }
-    ap-east-1 : { linuxamd64: ami-02a5f01ef4759b1c8, linuxarm64: ami-0deee5536e9c6a921, windows: ami-0c0a16b6ab6ba6660 }
-    ap-south-1 : { linuxamd64: ami-0217aeaac4339e394, linuxarm64: ami-06f31d79b57c0dbbf, windows: ami-0d10933d7e9a73e9e }
-    ap-northeast-2 : { linuxamd64: ami-092d6af0904c034b4, linuxarm64: ami-04329b443681048cd, windows: ami-0d9e4a96c235911de }
-    ap-northeast-1 : { linuxamd64: ami-0593f6abedb12612b, linuxarm64: ami-019d0ac19de3be566, windows: ami-02e7907798fd7f610 }
-    ap-southeast-2 : { linuxamd64: ami-0cc25f9f626518d8f, linuxarm64: ami-0e45dfa046084a2d3, windows: ami-0170122288687202b }
-    ap-southeast-1 : { linuxamd64: ami-03de8f54bc57a1397, linuxarm64: ami-046f6c2468548ca1a, windows: ami-0320407754d0bc85c }
-    ca-central-1 : { linuxamd64: ami-066d74f4d940d276e, linuxarm64: ami-09ef4b6d5cdb0c2e9, windows: ami-0570c4a6bb33ba9d4 }
-    eu-central-1 : { linuxamd64: ami-09e9769fb4085b24f, linuxarm64: ami-00c97f86e923e1020, windows: ami-08f61f9105d9e8a58 }
-    eu-west-1 : { linuxamd64: ami-05e7c8d4ade2095f3, linuxarm64: ami-07dd06558ae7a536d, windows: ami-0c90c3038b518ac09 }
-    eu-west-2 : { linuxamd64: ami-03ec96deaf3c2f04b, linuxarm64: ami-093477938aa7559d8, windows: ami-0d26fa7d30160237a }
-    eu-south-1 : { linuxamd64: ami-05cb67bc084762468, linuxarm64: ami-0e815380647635c63, windows: ami-0cee7ea24afffe195 }
-    eu-west-3 : { linuxamd64: ami-01700752047bdb1b2, linuxarm64: ami-046d7376033a1af0e, windows: ami-0358e8f0b406f3442 }
-    eu-north-1 : { linuxamd64: ami-0d62d22eacdc93353, linuxarm64: ami-01adb2cc0dd49e999, windows: ami-050cbc763f520f830 }
-    me-south-1 : { linuxamd64: ami-012fbb242739a1f1a, linuxarm64: ami-08d934ccc6cddc763, windows: ami-009277c4bc01371da }
-    sa-east-1 : { linuxamd64: ami-05d829f95ceb5f292, linuxarm64: ami-00390af183eab4b74, windows: ami-08e8e717a53b6b2b5 }
+    us-east-1 : { linuxamd64: ami-0d870d6249c932e3f, linuxarm64: ami-0a3d7a30823a79bed, windows: ami-0cc1cf707c9bde297 }
+    us-east-2 : { linuxamd64: ami-0f3019cc4ae209e8d, linuxarm64: ami-06fbf388ceadee136, windows: ami-0cf377d071681be17 }
+    us-west-1 : { linuxamd64: ami-0bc45e1a1e3b81024, linuxarm64: ami-03ccc79e335ddfeb2, windows: ami-0bf3b5f6168efcd16 }
+    us-west-2 : { linuxamd64: ami-0fb582405657e5e7d, linuxarm64: ami-019482f9dad0e6c6c, windows: ami-01a7cfec21679fdc6 }
+    af-south-1 : { linuxamd64: ami-0472a3974f5fc2b3e, linuxarm64: ami-031d70266097ac913, windows: ami-0c9d2380139ca74ae }
+    ap-east-1 : { linuxamd64: ami-0d01d071f6cb4531f, linuxarm64: ami-076b30b50dd891795, windows: ami-0047ed2d7146a7bfd }
+    ap-south-1 : { linuxamd64: ami-03dcda51307fc8cb5, linuxarm64: ami-012d6489d7405cac9, windows: ami-075d2d36dfbf32867 }
+    ap-northeast-2 : { linuxamd64: ami-0f2d7daa735810eee, linuxarm64: ami-0a2cc2b93142ea24a, windows: ami-08cb758a9ddc43059 }
+    ap-northeast-1 : { linuxamd64: ami-04051311bdfde36f3, linuxarm64: ami-09e4f9370ec79c3ba, windows: ami-05b6ec0208eb2a58a }
+    ap-southeast-2 : { linuxamd64: ami-0dca9e865ae37c7ed, linuxarm64: ami-05d80d286a7bade59, windows: ami-0667ba4d9ff4dc9d7 }
+    ap-southeast-1 : { linuxamd64: ami-041a2f49842dfedd1, linuxarm64: ami-04b58654a0075cf44, windows: ami-012d7bd61f9b1d6b7 }
+    ca-central-1 : { linuxamd64: ami-00e53b8bc82f9c9db, linuxarm64: ami-0f16c32fb617d5a48, windows: ami-088bf9470ff92506c }
+    eu-central-1 : { linuxamd64: ami-05c5209917612c4ef, linuxarm64: ami-08bb74ee0e90d2670, windows: ami-06826a0d3b4c7e1ab }
+    eu-west-1 : { linuxamd64: ami-06274dc3861664987, linuxarm64: ami-07ccdfbf8eaa3c951, windows: ami-036f1d5605b9dbf1e }
+    eu-west-2 : { linuxamd64: ami-086942d9992b4e6d3, linuxarm64: ami-0008aaf782bc53012, windows: ami-0825cacfdb3a8dcd6 }
+    eu-south-1 : { linuxamd64: ami-0e482f53f6f51d3e3, linuxarm64: ami-08c23003032d5ca62, windows: ami-0cb004f172e2b7007 }
+    eu-west-3 : { linuxamd64: ami-087631959c2b65a0b, linuxarm64: ami-08216f2c9c2778a91, windows: ami-03f5013af4a1e133b }
+    eu-north-1 : { linuxamd64: ami-0d769ff12cca6d68d, linuxarm64: ami-06ad99587f4894bbd, windows: ami-0406a7b8f45352245 }
+    me-south-1 : { linuxamd64: ami-0b82f151c4fed9e4a, linuxarm64: ami-00b941cafd5b87c70, windows: ami-0bf6572cc349f9447 }
+    sa-east-1 : { linuxamd64: ami-09db409e3b9399d3b, linuxarm64: ami-002802cb7c79d6fd8, windows: ami-0d9f87a270ecf8c21 }
 
 Resources:
   Vpc:
@@ -891,6 +959,18 @@ Resources:
       Name: !Sub "/${AWS::StackName}/buildkite/agent-token"
       Type: String
       Value: !Ref BuildkiteAgentToken
+
+  PipelineSigningKMSKey:
+    Type: AWS::KMS::Key
+    Condition: CreatePipelineSigningKMSKey
+    DeletionPolicy: Retain
+    Properties:
+      Description: Key used to sign and verify pipelines
+      KeySpec: !Ref PipelineSigningKMSKeySpec
+      KeyUsage: SIGN_VERIFY
+      Tags:
+        - Key: Name
+          Value: !Sub '${AWS::StackName}-PipelineSigningKey'
 
   # Allow ec2 instances to assume a role and be granted the IAMPolicies
   IAMInstanceProfile:
@@ -923,6 +1003,26 @@ Resources:
                  - !Ref 'AWS::NoValue'
           - !Ref 'AWS::NoValue'
       Policies:
+        - !If
+          - HasPipelineSigningKMSKey
+          - PolicyName: PipelineSigningKMSKeyAccess
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: Allow
+                  Action:
+                    !If
+                      - HasSigningKMSAccessSignAndVerify
+                      - - kms:Sign
+                        - kms:Verify
+                        - kms:GetPublicKey
+                      - - kms:Verify
+                        - kms:GetPublicKey
+                  Resource: !If
+                              - CreatePipelineSigningKMSKey
+                              - !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKey}
+                              - !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${PipelineSigningKMSKeyId}
+          - !Ref 'AWS::NoValue'
         - !If
           - UseCustomerManagedKeyForParameterStore
           - PolicyName: DecryptAgentToken
@@ -1237,7 +1337,7 @@ Resources:
                   powershell -file C:\buildkite-agent\bin\bk-configure-docker.ps1 >> C:\buildkite-agent\elastic-stack.log
 
                   $Env:BUILDKITE_STACK_NAME="${AWS::StackName}"
-                  $Env:BUILDKITE_STACK_VERSION="v6.23.0"
+                  $Env:BUILDKITE_STACK_VERSION="v6.27.0"
                   $Env:BUILDKITE_SCALE_IN_IDLE_PERIOD="${ScaleInIdlePeriod}"
                   $Env:BUILDKITE_SECRETS_BUCKET="${LocalSecretsBucket}"
                   $Env:BUILDKITE_SECRETS_BUCKET_REGION="${LocalSecretsBucketRegion}"
@@ -1251,6 +1351,8 @@ Resources:
                   $Env:BUILDKITE_QUEUE="${BuildkiteQueue}"
                   $Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}"
                   $Env:BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT="${BootstrapScriptUrl}"
+                  $Env:BUILDKITE_AGENT_SIGNING_KMS_KEY="${PipelineSigningKMSKey}"
+                  $Env:BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR="${PipelineSigningVerificationFailureBehavior}"
                   $Env:BUILDKITE_ENV_FILE_URL="${AgentEnvFileUrl}"
                   $Env:BUILDKITE_AUTHORIZED_USERS_URL="${AuthorizedUsersUrl}"
                   $Env:BUILDKITE_ECR_POLICY="${ECRAccessPolicy}"
@@ -1268,6 +1370,7 @@ Resources:
                     LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ],
                     LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ],
                     AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ],
+                    PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ],
                   }
               - !Sub
                 - |
@@ -1296,7 +1399,7 @@ Resources:
                   Content-Type: text/x-shellscript; charset="us-ascii"
                   #!/bin/bash -v
                   BUILDKITE_STACK_NAME="${AWS::StackName}" \
-                  BUILDKITE_STACK_VERSION="v6.23.0" \
+                  BUILDKITE_STACK_VERSION="v6.27.0" \
                   BUILDKITE_SCALE_IN_IDLE_PERIOD="${ScaleInIdlePeriod}" \
                   BUILDKITE_SECRETS_BUCKET="${LocalSecretsBucket}" \
                   BUILDKITE_SECRETS_BUCKET_REGION="${LocalSecretsBucketRegion}" \
@@ -1308,6 +1411,8 @@ Resources:
                   BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}" \
                   BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \
                   BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \
+                  BUILDKITE_AGENT_SIGNING_KMS_KEY="${PipelineSigningKMSKey}" \
+                  BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR="${PipelineSigningVerificationFailureBehavior}" \
                   BUILDKITE_QUEUE="${BuildkiteQueue}" \
                   BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}" \
                   BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT="${BootstrapScriptUrl}" \
@@ -1330,6 +1435,7 @@ Resources:
                     LocalSecretsBucket: !If [ CreateSecretsBucket, !Ref ManagedSecretsBucket, !Ref SecretsBucket ],
                     LocalSecretsBucketRegion: !If [ CreateSecretsBucket, !Ref "AWS::Region", !Ref SecretsBucketRegion ],
                     AgentTokenPath: !If [ UseCustomerManagedParameterPath, !Ref BuildkiteAgentTokenParameterStorePath, !Ref BuildkiteAgentTokenParameter ],
+                    PipelineSigningKMSKey: !If [ CreatePipelineSigningKMSKey, !Ref PipelineSigningKMSKey, !Ref PipelineSigningKMSKeyId ],
                   }
 
   AgentAutoScaleGroup: