
chore: update CDK for S3EC-net#14

Merged
rishav-karanjit merged 7 commits into
fireegg-test-serversfrom
dotnet/cdk
Sep 23, 2025

Conversation

@rishav-karanjit (Member) commented Sep 22, 2025

Issue #, if available:

Description of changes:
Add resources to run CI for the private dotnet repo. I am re-using the same IAM role of Python for .NET, which is not suboptimal but is optimal for time-saving purposes.

cdk diff:

Stack S3ECPythonGithub
IAM Statement Changes
┌───┬─────────────────────────────┬────────┬───────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                    │ Effect │ Action                        │ Principal                                                                                  │ Condition                                                                                    │
├───┼─────────────────────────────┼────────┼───────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${S3ECGithubKMSKey.Arn}     │ Allow  │ kms:*                         │ AWS:arn:aws:iam::370957321024:root                                                         │                                                                                              │
├───┼─────────────────────────────┼────────┼───────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${S3ECTestServerKMSKey.Arn} │ Allow  │ kms:*                         │ AWS:arn:aws:iam::370957321024:root                                                         │                                                                                              │
├───┼─────────────────────────────┼────────┼───────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${s3-github-test-role.Arn}  │ Allow  │ sts:AssumeRoleWithWebIdentity │ Federated:arn:aws:iam::370957321024:oidc-provider/token.actions.githubusercontent.com      │ "StringEquals": {                                                                            │
│   │                             │        │                               │                                                                                            │   "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"                             │
│   │                             │        │                               │                                                                                            │ },                                                                                           │
│   │                             │        │                               │                                                                                            │ "StringLike": {                                                                              │
│   │                             │        │                               │                                                                                            │   "token.actions.githubusercontent.com:sub": "repo:aws/amazon-s3-encryption-client-python:*" │
│   │                             │        │                               │                                                                                            │ }                                                                                            │
├───┼─────────────────────────────┼────────┼───────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${S3ECGithubKMSKey.Arn}     │ Allow  │ kms:*                         │ AWS:arn:${AWS::Partition}:iam::${AWS::AccountId}:root                                      │                                                                                              │
├───┼─────────────────────────────┼────────┼───────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${S3ECTestServerKMSKey.Arn} │ Allow  │ kms:*                         │ AWS:arn:${AWS::Partition}:iam::${AWS::AccountId}:root                                      │                                                                                              │
├───┼─────────────────────────────┼────────┼───────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${s3-github-test-role.Arn}  │ Allow  │ sts:AssumeRoleWithWebIdentity │ Federated:arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com │ "StringEquals": {                                                                            │
│   │                             │        │                               │                                                                                            │   "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"                             │
│   │                             │        │                               │                                                                                            │ },                                                                                           │
│   │                             │        │                               │                                                                                            │ "StringLike": {                                                                              │
│   │                             │        │                               │                                                                                            │   "token.actions.githubusercontent.com:sub": [                                               │
│   │                             │        │                               │                                                                                            │     "repo:aws/amazon-s3-encryption-client-python:*",                                         │
│   │                             │        │                               │                                                                                            │     "repo:aws/private-amazon-s3-encryption-client-dotnet-staging:*"                          │
│   │                             │        │                               │                                                                                            │   ]                                                                                          │
│   │                             │        │                               │                                                                                            │ }                                                                                            │
└───┴─────────────────────────────┴────────┴───────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Conditions
[+] Condition CDKMetadata/Condition CDKMetadataAvailable: {"Fn::Or":[{"Fn::Or":[{"Fn::Equals":[{"Ref":"AWS::Region"},"af-south-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-east-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-northeast-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-northeast-2"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-south-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-southeast-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-southeast-2"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ca-central-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"cn-north-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"cn-northwest-1"]}]},{"Fn::Or":[{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-central-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-north-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-south-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-west-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-west-2"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-west-3"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"me-south-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"sa-east-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"us-east-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"us-east-2"]}]},{"Fn::Or":[{"Fn::Equals":[{"Ref":"AWS::Region"},"us-west-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"us-west-2"]}]}]}

Resources
[~] AWS::IAM::ManagedPolicy S3EC-Python-Github-S3-Bucket-Policy S3ECPythonGithubS3BucketPolicyDF829B5E
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -2,11 +2,13 @@
            [ ] {
            [ ]   "Action": [
            [ ]     "s3:DeleteObject",
            [+]     "s3:DeleteObjectVersion",
            [ ]     "s3:GetObject",
            [ ]     "s3:PutObject"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": [
            [+]     "arn:aws:s3:::aws-net-sdk-*/*",
            [ ]     {
            [ ]       "Fn::Join": [
            [ ]         "",
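Review bot: the new object resource "arn:aws:s3:::aws-net-sdk-*/*" hard-codes the aws partition while the same diff moves the KMS key principals and the trust policy over to ${AWS::Partition} / ${AWS::AccountId}; build this ARN with Fn::Join (or Stack.formatArn) as well so the stack stays deployable in other partitions. More important for scope: an S3 bucket ARN carries no account id, so the "aws-net-sdk-*" wildcard lets the role GetObject/PutObject/DeleteObject/DeleteObjectVersion on any reachable bucket whose name starts with that prefix, not only buckets this account owns. If the .NET tests need throw-away buckets, use a prefix specific to this stack and add an "s3:ResourceAccount" condition so the statement cannot be pointed at a same-named bucket elsewhere.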
            @@ -38,9 +40,16 @@
            [ ]   ]
            [ ] },
            [ ] {
            [-]   "Action": "s3:ListBucket",
            [+]   "Action": [
            [+]     "s3:CreateBucket",
            [+]     "s3:DeleteBucket",
            [+]     "s3:GetBucketAcl",
            [+]     "s3:ListBucket",
            [+]     "s3:ListBucketVersions"
            [+]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": [
            [+]     "arn:aws:s3:::aws-net-sdk-*",
            [ ]     {
            [ ]       "Fn::GetAtt": [
            [ ]         "S3ECGithubTestS3Bucket36A6F2D0",
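Review bot: s3:CreateBucket and s3:DeleteBucket are granted in one statement whose Resource list contains both "arn:aws:s3:::aws-net-sdk-*" and the CDK-managed S3ECGithubTestS3Bucket, so a CI run (or anyone presenting a token the trust policy accepts) can delete the bucket this stack owns and leave the stack drifted. Split the statement: CreateBucket/DeleteBucket only on the aws-net-sdk-* test buckets, and ListBucket/ListBucketVersions/GetBucketAcl on the stack's own bucket. The hard-coded "arn:aws:" partition in "arn:aws:s3:::aws-net-sdk-*" has the same portability issue as the object-level ARN in the statement above.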
[~] AWS::IAM::Role s3-github-test-role s3githubtestrole80B9D269
 └─ [~] AssumeRolePolicyDocument
     └─ [~] .Statement:
         └─ @@ -6,12 +6,26 @@
            [ ]         "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
            [ ]       },
            [ ]       "StringLike": {
            [-]         "token.actions.githubusercontent.com:sub": "repo:aws/amazon-s3-encryption-client-python:*"
            [+]         "token.actions.githubusercontent.com:sub": [
            [+]           "repo:aws/amazon-s3-encryption-client-python:*",
            [+]           "repo:aws/private-amazon-s3-encryption-client-dotnet-staging:*"
            [+]         ]
            [ ]       }
            [ ]     },
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [-]       "Federated": "arn:aws:iam::370957321024:oidc-provider/token.actions.githubusercontent.com"
            [+]       "Federated": {
            [+]         "Fn::Join": [
            [+]           "",
            [+]           [
            [+]             "arn:aws:iam::",
            [+]             {
            [+]               "Ref": "AWS::AccountId"
            [+]             },
            [+]             ":oidc-provider/token.actions.githubusercontent.com"
            [+]           ]
            [+]         ]
            [+]       }
            [ ]     }
            [ ]   }
            [ ] ]
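Review bot: both "sub" patterns end in ":*", so the role is assumable from any branch, tag, pull_request run or environment of either repository, and the managed-policy hunk above now attaches CreateBucket/DeleteBucket to that same role. For the new .NET repo at least, pin the subject to the refs that actually run this CI (for example "repo:aws/private-amazon-s3-encryption-client-dotnet-staging:ref:refs/heads/main") or to a named environment, and keep the "aud" StringEquals as it is. Separately, the Federated principal is now built from AWS::AccountId but still hard-codes "arn:aws:iam::", whereas the KMS key principals in this diff use ${AWS::Partition}; use { "Ref": "AWS::Partition" } in the same Fn::Join.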



✨  Number of stacks with differences: 1

Tested the infrastructure by deploying it in a personal account; see https://github.com/aws/private-amazon-s3-encryption-client-dotnet-staging/pull/6/files#diff-faff1af3d8ff408964a57b2e475f69a6b7c7b71c9978cccc8f471798caac2c88R1-R45

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
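The trust-policy Condition from the cdk diff above, evaluated with IAM's StringEquals/StringLike semantics against constructed GitHub OIDC subjects, shows concretely what the "repo:...:*" wildcard admits. This is an added example written for this page, not code from the PR or from the S3EC project; the MAIN_ONLY_CONDITION alternative, the sample subjects and all helper names are assumptions made here.

```python
"""Evaluate an IAM trust-policy Condition against GitHub OIDC claims.

Hypothetical helper written for this page; not project code. IAM semantics
reproduced: operators and keys are ANDed, the values listed under one key are
ORed, StringLike is case-sensitive with '*' (any run) and '?' (one char), and
a key absent from the request context fails a non-...IfExists test.
"""
import re

ISSUER = "token.actions.githubusercontent.com"

# Condition block as it reads in the post-change AssumeRolePolicyDocument.
PR_CONDITION = {
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {
        f"{ISSUER}:sub": [
            "repo:aws/amazon-s3-encryption-client-python:*",
            "repo:aws/private-amazon-s3-encryption-client-dotnet-staging:*",
        ]
    },
}

# Tighter alternative (assumption: CI that needs this role runs from main).
MAIN_ONLY_CONDITION = {
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {
        f"{ISSUER}:sub": [
            "repo:aws/amazon-s3-encryption-client-python:ref:refs/heads/main",
            "repo:aws/private-amazon-s3-encryption-client-dotnet-staging:ref:refs/heads/main",
        ]
    },
}


def _like(pattern: str) -> re.Pattern:
    """Compile an IAM StringLike pattern; only '*' and '?' are special."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def _string_equals(value: str, patterns: list) -> bool:
    return value in patterns


def _string_like(value: str, patterns: list) -> bool:
    return any(_like(p).match(value) for p in patterns)


OPERATORS = {"StringEquals": _string_equals, "StringLike": _string_like}


def condition_allows(condition: dict, claims: dict) -> bool:
    """True only if every operator/key pair matches at least one listed value."""
    for operator, keys in condition.items():
        test = OPERATORS[operator]
        for key, patterns in keys.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            value = claims.get(key)
            if value is None or not test(value, patterns):
                return False
    return True


def github_claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Request-context keys STS derives from a GitHub Actions OIDC token."""
    return {f"{ISSUER}:sub": sub, f"{ISSUER}:aud": aud}


# Constructed sample subjects in the shapes GitHub Actions actually issues.
SAMPLE_SUBJECTS = [
    "repo:aws/private-amazon-s3-encryption-client-dotnet-staging:ref:refs/heads/main",
    "repo:aws/private-amazon-s3-encryption-client-dotnet-staging:ref:refs/heads/feature-x",
    "repo:aws/private-amazon-s3-encryption-client-dotnet-staging:pull_request",
    "repo:aws/private-amazon-s3-encryption-client-dotnet-staging:environment:prod",
    "repo:aws/amazon-s3-encryption-client-python:ref:refs/tags/v1.0.0",
    "repo:someone-else/private-amazon-s3-encryption-client-dotnet-staging:ref:refs/heads/main",
]


def admitted(condition: dict, subjects=SAMPLE_SUBJECTS) -> list:
    """Subjects (with the correct aud) that the condition lets assume the role."""
    return [s for s in subjects if condition_allows(condition, github_claims(s))]


if __name__ == "__main__":
    for name, cond in (("PR condition", PR_CONDITION), ("main-only", MAIN_ONLY_CONDITION)):
        print(name)
        for s in admitted(cond):
            print("  admits", s)
```

Under the PR's condition every subject from the two aws/ repositories is admitted, including feature branches, pull_request runs and every environment; the fork-style subject is rejected because the pattern is anchored at "repo:aws/", and a token with a different aud is rejected by the StringEquals check. The main-only variant admits a single subject from the sample set.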

@rishav-karanjit rishav-karanjit marked this pull request as ready for review September 23, 2025 21:19
build/s3ec-server:
brew install libmicrohttpd nlohmann-json ossp-uuid
git clone --recurse-submodules https://github.com/aws/aws-sdk-cpp.git
cd aws-sdk-cpp && git checkout --track remotes/origin/ajewell/ec-for-get-object

rishav-karanjit (Member Author) commented:

Background: Andy previously had a PR from this branch in aws-sdk-cpp. Now this branch does not exist, and we don't need to switch to any other branch as the PR is merged.

@rishav-karanjit rishav-karanjit changed the title chore: add .net CDK chore: update CDK for S3EC-net Sep 23, 2025
@rishav-karanjit rishav-karanjit merged commit a693390 into fireegg-test-servers Sep 23, 2025
2 checks passed
@rishav-karanjit rishav-karanjit deleted the dotnet/cdk branch September 23, 2025 22:18