chore: fix release cfn and codebuild (#380)

Author: kessplas

cfn/release.yml

@@ -95,9 +95,7 @@ Resources:
         - !Ref SecretsManagerPolicyRelease
         - !Ref ParameterStorePolicy
         - !Ref S3ECReleaseTestKMSKeyPolicy
-        - !Ref S3ECReleaseTestKMSKeyPolicyTestVectors
         - !Ref S3ECReleaseS3BucketPolicy
-        - !Ref S3ECReleaseS3BucketPolicyTestVectors
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
 
@@ -297,29 +295,6 @@ Resources:
       AliasName: alias/S3EC-Release-Testing-KMS-Key
       TargetKeyId: !Ref S3ECReleaseTestingKMSKeyID
 
-  S3ECReleaseKMSKeyPolicyTestVectors:
-    Type: 'AWS::IAM::ManagedPolicy'
-    Properties:
-      PolicyDocument: !Sub |
-        {
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Resource": [
-                "arn:aws:kms:*:${AWS::AccountId}:key/${S3ECReleaseKMSKeyIDTestVectors}",
-                "arn:aws:kms:*:${AWS::AccountId}:${S3ECReleaseKMSKeyAliasTestVectors}"
-              ],
-              "Action": [
-                "kms:Decrypt",
-                "kms:GenerateDataKey",
-                "kms:GenerateDataKeyPair"
-              ]
-            }
-          ]
-        }
-      ManagedPolicyName: S3EC-Release-KMS-Key-Policy-TestVectors
-
   S3ECReleaseTestS3BucketTestVectors:
     Type: 'AWS::S3::Bucket'
     Properties:
@@ -330,26 +305,6 @@ Resources:
         IgnorePublicAcls: false
         RestrictPublicBuckets: false
 
-  S3ECReleaseS3BucketPolicyTestVectors:
-    Type: 'AWS::IAM::ManagedPolicy'
-    Properties:
-      ManagedPolicyName: S3EC-Release-S3-Bucket-Policy-testvectors
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Action:
-              - 's3:ListBucket'
-            Resource:
-              - !GetAtt S3ECReleaseTestS3BucketTestVectors.Arn
-          - Effect: Allow
-            Action:
-              - 's3:PutObject'
-              - 's3:GetObject'
-              - 's3:DeleteObject'
-            Resource:
-              - !Join [ "", [ !GetAtt S3ECReleaseTestS3BucketTestVectors.Arn, '/*'] ]
-
   S3ECReleaseTestS3Bucket:
     Type: 'AWS::S3::Bucket'
     Properties:
@@ -379,6 +334,12 @@ Resources:
               - 's3:DeleteObject'
             Resource:
               - !Join [ "", [ !GetAtt S3ECReleaseTestS3Bucket.Arn, '/*' ] ]
+              - !Join [ "", [ !GetAtt S3ECReleaseTestS3BucketTestVectors.Arn, '/*'] ]
+          - Effect: Allow
+            Action:
+              - 's3:ListBucket'
+            Resource:
+              - !GetAtt S3ECReleaseTestS3BucketTestVectors.Arn
 
   S3ECReleaseTestS3BucketAlternate:
     Type: 'AWS::S3::Bucket'
@@ -433,6 +394,14 @@ Resources:
           - Effect: Allow
             Action: sts:AssumeRole
             Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/service-role/S3EC-Release-test-role-alternate"
+          - Effect: Allow
+            Action:
+              - "kms:Decrypt"
+              - "kms:GenerateDataKey"
+              - "kms:GenerateDataKeyPair"
+            Resource:
+              - !Sub "arn:aws:kms:*:${AWS::AccountId}:key/${S3ECReleaseKMSKeyIDTestVectors}"
+              - !Sub "arn:aws:kms:*:${AWS::AccountId}:${S3ECReleaseKMSKeyAliasTestVectors}"
 
   S3ECReleaseKMSKeyPolicyAlternate:
     Type: 'AWS::IAM::ManagedPolicy'

codebuild/release/release-prod.yml

@@ -24,8 +24,10 @@ phases:
       - export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-Release-test-role-alternate
       - export AWS_S3EC_TEST_BUCKET=s3ec-release-test-bucket
       - export AWS_S3EC_TEST_ALT_BUCKET=s3ec-release-test-bucket-alternate
+      - export AWS_S3EC_TEST_TESTVECTORS_BUCKET=s3ec-release-test-bucket-testvectors
       - export AWS_S3EC_TEST_KMS_KEY_ID=arn:aws:kms:us-west-2:${ACCOUNT}:key/af4ce40a-05ab-4f7c-b3fa-97bd0c9b7fb1
       - export AWS_S3EC_TEST_KMS_KEY_ALIAS=arn:aws:kms:us-west-2:${ACCOUNT}:alias/S3EC-Release-Testing-KMS-Key
+      - export AWS_S3EC_TEST_TESTVECTORS_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/38d132d7-c8ad-4699-a653-87caa9a4c13a
       - export AWS_REGION=us-west-2
       - git checkout $BRANCH
       - export SETTINGS_FILE=$(pwd)/codebuild/release/settings.xml

codebuild/release/release-staging.yml

@@ -30,8 +30,10 @@ phases:
       - export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-Release-test-role-alternate
       - export AWS_S3EC_TEST_BUCKET=s3ec-release-test-bucket
       - export AWS_S3EC_TEST_ALT_BUCKET=s3ec-release-test-bucket-alternate
+      - export AWS_S3EC_TEST_TESTVECTORS_BUCKET=s3ec-release-test-bucket-testvectors
       - export AWS_S3EC_TEST_KMS_KEY_ID=arn:aws:kms:us-west-2:${ACCOUNT}:key/af4ce40a-05ab-4f7c-b3fa-97bd0c9b7fb1
       - export AWS_S3EC_TEST_KMS_KEY_ALIAS=arn:aws:kms:us-west-2:${ACCOUNT}:alias/S3EC-Release-Testing-KMS-Key
+      - export AWS_S3EC_TEST_TESTVECTORS_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/38d132d7-c8ad-4699-a653-87caa9a4c13a
       - export AWS_REGION=us-west-2
   build:
     commands:

codebuild/release/validate-staging.yml

@@ -27,8 +27,10 @@ phases:
       - export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${ACCOUNT}:role/service-role/S3EC-Release-test-role-alternate
       - export AWS_S3EC_TEST_BUCKET=s3ec-release-test-bucket
       - export AWS_S3EC_TEST_ALT_BUCKET=s3ec-release-test-bucket-alternate
+      - export AWS_S3EC_TEST_TESTVECTORS_BUCKET=s3ec-release-test-bucket-testvectors
       - export AWS_S3EC_TEST_KMS_KEY_ID=arn:aws:kms:us-west-2:${ACCOUNT}:key/af4ce40a-05ab-4f7c-b3fa-97bd0c9b7fb1
       - export AWS_S3EC_TEST_KMS_KEY_ALIAS=arn:aws:kms:us-west-2:${ACCOUNT}:alias/S3EC-Release-Testing-KMS-Key
+      - export AWS_S3EC_TEST_TESTVECTORS_KMS_KEY_ARN=arn:aws:kms:us-west-2:${ACCOUNT}:key/38d132d7-c8ad-4699-a653-87caa9a4c13a
       - export AWS_REGION=us-west-2
   build:
     commands: