Merge pull request #67 from aws4embeddedlinux/bucket-reduction

add parameters to embedded-linux-pipeline: accessLoggingBucket, artif…
aws4embeddedlinux · Oct 15, 2024 · 0d4acaa · 0d4acaa
2 parents 3f9d517 + 5ea4daa
commit 0d4acaa
Show file tree

Hide file tree

Showing 2 changed files with 113 additions and 52 deletions.
diff --git a/lib/build-image-pipeline.ts b/lib/build-image-pipeline.ts
@@ -29,6 +29,13 @@ export interface BuildImagePipelineProps extends cdk.StackProps {
   readonly dataBucket: s3.IBucket;
   /** The ECR Repository to push to. */
   readonly repository: IRepository;
+  /** Access logging bucket to use */
+  readonly accessLoggingBucket?: s3.Bucket;
+  /** Access logging prefix to use */
+  readonly serverAccessLogsPrefix?: string;
+  /** Artifact bucket to use */
+  readonly artifactBucket?: s3.Bucket;
+
 }
 
 /**
@@ -98,24 +105,38 @@ export class BuildImagePipelineStack extends cdk.Stack {
       input: sourceOutput,
     });
 
-    const accessLoggingBucket = new s3.Bucket(this, 'ArtifactAccessLogging', {
-      versioned: true,
-      enforceSSL: true,
-    });
-    const encryptionKey = new kms.Key(this, 'PipelineArtifactKey', {
-      removalPolicy: RemovalPolicy.DESTROY,
-      enableKeyRotation: true,
-    });
-    const artifactBucket = new s3.Bucket(this, 'PipelineArtifacts', {
-      versioned: true,
-      enforceSSL: true,
-      serverAccessLogsBucket: accessLoggingBucket,
-      encryptionKey,
-      encryption: s3.BucketEncryption.KMS,
-      blockPublicAccess: new s3.BlockPublicAccess(
-        s3.BlockPublicAccess.BLOCK_ALL
-      ),
-    });
+    let accessLoggingBucket: s3.IBucket;
+
+    if (props.accessLoggingBucket){
+      accessLoggingBucket = props.accessLoggingBucket;
+    } else {
+     accessLoggingBucket = new s3.Bucket(this, 'ArtifactAccessLogging', {
+        versioned: true,
+        enforceSSL: true,
+      });
+    }
+
+    let artifactBucket: s3.IBucket;
+
+    if (props.artifactBucket){
+      artifactBucket = props.artifactBucket;
+    } else {
+      const encryptionKey = new kms.Key(this, 'PipelineArtifactKey', {
+       removalPolicy: RemovalPolicy.DESTROY,
+       enableKeyRotation: true,
+     });
+      artifactBucket = new s3.Bucket(this, 'PipelineArtifacts', {
+        versioned: true,
+        enforceSSL: true,
+        serverAccessLogsBucket: accessLoggingBucket,
+        serverAccessLogsPrefix: props.serverAccessLogsPrefix,
+        encryptionKey,
+        encryption: s3.BucketEncryption.KMS,
+        blockPublicAccess: new s3.BlockPublicAccess(
+          s3.BlockPublicAccess.BLOCK_ALL
+        ),
+      });
+    }
 
     const pipeline = new codepipeline.Pipeline(this, 'BuildImagePipeline', {
       artifactBucket,

diff --git a/lib/embedded-linux-pipeline.ts b/lib/embedded-linux-pipeline.ts
@@ -50,7 +50,17 @@ export interface EmbeddedLinuxPipelineProps extends cdk.StackProps {
   readonly layerRepoName?: string;
   /** Additional policy statements to add to the build project. */
   readonly buildPolicyAdditions?: iam.PolicyStatement[];
-}
+  /** Access logging bucket to use */
+  readonly accessLoggingBucket?: s3.Bucket;
+  /** Access logging prefix to use */
+  readonly serverAccessLogsPrefix?: string;
+  /** Artifact bucket to use */
+  readonly artifactBucket?: s3.Bucket;
+  /** Output bucket to use */
+  readonly outputBucket?: s3.Bucket | VMImportBucket;
+  /** Prefix for S3 object within bucket */
+  readonly subDirectoryName?: string;
+  }
 
 /**
  * The stack for creating a build pipeline.
@@ -80,11 +90,16 @@ export class EmbeddedLinuxPipelineStack extends cdk.Stack {
     let outputBucket: s3.IBucket | VMImportBucket;
     let environmentVariables = {};
     let scriptAsset!: Asset;
+    let accessLoggingBucket: s3.IBucket;
 
-    const accessLoggingBucket = new s3.Bucket(this, 'ArtifactAccessLogging', {
-      versioned: true,
-      enforceSSL: true,
-    });
+    if (props.accessLoggingBucket){
+      accessLoggingBucket = props.accessLoggingBucket;
+    } else {
+     accessLoggingBucket = new s3.Bucket(this, 'ArtifactAccessLogging', {
+        versioned: true,
+        enforceSSL: true,
+      });
+    }
 
     if (props.projectKind && props.projectKind == ProjectKind.PokyAmi) {
       scriptAsset = new Asset(this, 'CreateAMIScript', {
@@ -99,14 +114,18 @@ export class EmbeddedLinuxPipelineStack extends cdk.Stack {
           enableKeyRotation: true,
         }
       );
-
-      outputBucket = new VMImportBucket(this, 'PipelineOutput', {
-        versioned: true,
-        enforceSSL: true,
-        encryptionKey: outputBucketEncryptionKey,
-        encryptionKeyArn: outputBucketEncryptionKey.keyArn,
-        serverAccessLogsBucket: accessLoggingBucket,
-      });
+      if (props.outputBucket){
+        outputBucket = props.outputBucket;
+      } else {
+        outputBucket = new VMImportBucket(this, 'PipelineOutput', {
+          versioned: true,
+          enforceSSL: true,
+          encryptionKey: outputBucketEncryptionKey,
+          encryptionKeyArn: outputBucketEncryptionKey.keyArn,
+          serverAccessLogsBucket: accessLoggingBucket,
+          serverAccessLogsPrefix: props.serverAccessLogsPrefix,
+        });
+      }
       environmentVariables = {
         IMPORT_BUCKET: {
           type: BuildEnvironmentVariableType.PLAINTEXT,
@@ -122,28 +141,38 @@ export class EmbeddedLinuxPipelineStack extends cdk.Stack {
         },
       };
     } else {
-      outputBucket = new s3.Bucket(this, 'PipelineOutput', {
+      if (props.outputBucket){
+        outputBucket = props.outputBucket;
+      } else {
+        outputBucket = new s3.Bucket(this, 'PipelineOutput', {
+          versioned: true,
+          enforceSSL: true,
+          serverAccessLogsBucket: accessLoggingBucket,
+        });
+      }
+    }
+
+    let artifactBucket: s3.IBucket;
+
+    if (props.artifactBucket){
+      artifactBucket = props.artifactBucket;
+    } else {
+      const encryptionKey = new kms.Key(this, 'PipelineArtifactKey', {
+       removalPolicy: RemovalPolicy.DESTROY,
+       enableKeyRotation: true,
+     });
+      artifactBucket = new s3.Bucket(this, 'PipelineArtifacts', {
         versioned: true,
         enforceSSL: true,
         serverAccessLogsBucket: accessLoggingBucket,
+        encryptionKey,
+        encryption: s3.BucketEncryption.KMS,
+        blockPublicAccess: new s3.BlockPublicAccess(
+          s3.BlockPublicAccess.BLOCK_ALL
+        ),
       });
     }
 
-    const encryptionKey = new kms.Key(this, 'PipelineArtifactKey', {
-      removalPolicy: RemovalPolicy.DESTROY,
-      enableKeyRotation: true,
-    });
-    const artifactBucket = new s3.Bucket(this, 'PipelineArtifacts', {
-      versioned: true,
-      enforceSSL: true,
-      serverAccessLogsBucket: accessLoggingBucket,
-      encryptionKey,
-      encryption: s3.BucketEncryption.KMS,
-      blockPublicAccess: new s3.BlockPublicAccess(
-        s3.BlockPublicAccess.BLOCK_ALL
-      ),
-    });
-
     /** Create our CodePipeline Actions. */
     const sourceRepo = new SourceRepo(this, 'SourceRepo', {
       ...props,
@@ -236,11 +265,22 @@ export class EmbeddedLinuxPipelineStack extends cdk.Stack {
       project,
     });
 
-    const artifactAction = new codepipeline_actions.S3DeployAction({
-      actionName: 'Artifact',
-      input: buildOutput,
-      bucket: outputBucket,
-    });
+    let artifactAction: codepipeline_actions.S3DeployAction;
+
+    if (props.subDirectoryName){
+      artifactAction = new codepipeline_actions.S3DeployAction({
+        actionName: 'Artifact',
+        input: buildOutput,
+        bucket: outputBucket,
+        objectKey: props.subDirectoryName
+      });
+    } else {
+      artifactAction = new codepipeline_actions.S3DeployAction({
+        actionName: 'Artifact',
+        input: buildOutput,
+        bucket: outputBucket,
+      });
+    }
 
     /** Here we create the logic to check for presence of ECR image on the CodePipeline automatic triggering upon resource creation,
      * and stop the execution if the image does not exist.  */