aws
diff --git a/‎tests/ci/cdk/README.md
+20 b/‎tests/ci/cdk/README.md
+20
diff --git a/‎tests/ci/cdk/app.py
+6-2 b/‎tests/ci/cdk/app.py
+6-2
diff --git a/‎tests/ci/cdk/cdk/aws_lc_analytics_stack.py
+17-5 b/‎tests/ci/cdk/cdk/aws_lc_analytics_stack.py
+17-5
diff --git a/‎tests/ci/cdk/cdk/aws_lc_android_ci_stack.py
+15-5 b/‎tests/ci/cdk/cdk/aws_lc_android_ci_stack.py
+15-5
diff --git a/‎tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py
+24-13 b/‎tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py
+24-13
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_ci_stack.py
+31-8 b/‎tests/ci/cdk/cdk/aws_lc_github_ci_stack.py
+31-8
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_ci_x509_stack.py
+16-5 b/‎tests/ci/cdk/cdk/aws_lc_github_ci_x509_stack.py
+16-5
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_fuzz_ci_stack.py
+16-5 b/‎tests/ci/cdk/cdk/aws_lc_github_fuzz_ci_stack.py
+16-5
@@ -63,6 +63,26 @@ To setup or update the CI in your account you will need the following IAM permis
   * secretsmanager:DeleteSecret
   * secretsmanager:GetSecretValue
 
+### Pipeline Commands
+Bootstrap pipeline account
+```
+AWS_ACCOUNT_ID=183295444613
+PIPELINE_ACCOUNT_ID=774305600158
+cdk bootstrap aws://${PIPELINE_ACCOUNT_ID}/us-west-2
+```
+
+Give pipeline account administrator access to deployment account's CloudFormation
+```
+cdk bootstrap aws://${AWS_ACCOUNT_ID}/us-west-2 --trust ${PIPELINE_ACCOUNT_ID} --trust-for-lookup ${PIPELINE_ACCOUNT_ID} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
+```
+
+Deploy pipeline
+```
+GITHUB_REPO_OWNER=nhatnghiho
+GITHUB_SOURCE_VERSION=ci-pipeline
+./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --aws-account ${AWS_ACCOUNT_ID} --action invoke --command "cdk deploy AwsLcCiPipeline --require-approval never"
+```
+
 ### Commands
 
 These commands are run from `aws-lc/tests/ci/cdk`. \
 
@@ -12,17 +12,21 @@
 from cdk.aws_lc_github_fuzz_ci_stack import  AwsLcGitHubFuzzCIStack
 from cdk.aws_lc_ec2_test_framework_ci_stack import AwsLcEC2TestingCIStack
 from cdk.linux_docker_image_batch_build_stack import LinuxDockerImageBatchBuildStack
+from pipeline.pipeline_stack import AwsLcCiPipeline
 from cdk.windows_docker_image_build_stack import WindowsDockerImageBuildStack
 from cdk.aws_lc_github_ci_x509_stack import AwsLcGitHubX509CIStack
 from cdk.ecr_stack import EcrStack
-from util.metadata import AWS_ACCOUNT, AWS_REGION, LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO
+from util.metadata import AWS_ACCOUNT, AWS_REGION, LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO, \
+    PIPELINE_ACCOUNT, PIPELINE_REGION
 
 # Initialize app.
 app = App()
 
 # Initialize env.
 env = Environment(account=AWS_ACCOUNT, region=AWS_REGION)
 
+AwsLcCiPipeline(app, "AwsLcCiPipeline", env=Environment(account=PIPELINE_ACCOUNT, region=PIPELINE_REGION))
+
 # Define AWS ECR stacks.
 # ECR holds the docker images, which are pre-built to accelerate the code builds/tests of git pull requests.
 EcrStack(app, "aws-lc-ecr-linux-x86", LINUX_X86_ECR_REPO, env=env)
@@ -55,6 +59,6 @@
 AwsLcEC2TestingCIStack(app, "aws-lc-ci-ec2-test-framework", ec2_test_framework_build_spec_file, env=env)
 android_build_spec_file = "cdk/codebuild/github_ci_android_omnibus.yaml"
 AwsLcAndroidCIStack(app, "aws-lc-ci-devicefarm-android", android_build_spec_file, env=env)
-AwsLcGitHubX509CIStack(app, "aws-lc-ci-x509")
+AwsLcGitHubX509CIStack(app, "aws-lc-ci-x509", env=env)
 
 app.synth()
@@ -1,12 +1,15 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
+import typing
 
-from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2, aws_efs as efs
+from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2, aws_efs as efs, \
+    Environment
 from constructs import Construct
 
 from cdk.components import PruneStaleGitHubBuilds
 from util.iam_policies import code_build_publish_metrics_in_json
-from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME
+from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME, PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_OWNER, \
+    STAGING_GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
 
 
@@ -17,13 +20,22 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
+                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
                  **kwargs) -> None:
-        super().__init__(scope, id, **kwargs)
+        super().__init__(scope, id, env=env, **kwargs)
+
+        # Define CodeBuild resource.
+        github_repo_owner = GITHUB_REPO_OWNER
+        github_repo_name = GITHUB_REPO_NAME
+
+        if env.account == PRE_PROD_ACCOUNT:
+            github_repo_owner = STAGING_GITHUB_REPO_OWNER
+            github_repo_name = STAGING_GITHUB_REPO_NAME
 
         # Define CodeBuild resource.
         git_hub_source = codebuild.Source.git_hub(
-            owner=GITHUB_REPO_OWNER,
-            repo=GITHUB_REPO_NAME,
+            owner=github_repo_owner,
+            repo=github_repo_name,
             webhook=True,
             webhook_filters=[
                 codebuild.FilterGroup.in_event_of(codebuild.EventAction.PUSH)
 
@@ -1,12 +1,14 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
+import typing
 
-from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam
+from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, Environment
 from constructs import Construct
 
 from cdk.components import PruneStaleGitHubBuilds
 from util.iam_policies import code_build_batch_policy_in_json, device_farm_access_policy_in_json
-from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME, GITHUB_PUSH_CI_BRANCH_TARGETS
+from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME, GITHUB_PUSH_CI_BRANCH_TARGETS, PRE_PROD_ACCOUNT, \
+    STAGING_GITHUB_REPO_OWNER, STAGING_GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
 
 
@@ -20,13 +22,21 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
+                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
                  **kwargs) -> None:
-        super().__init__(scope, id, **kwargs)
+        super().__init__(scope, id, env=env, **kwargs)
+
+        github_repo_owner = GITHUB_REPO_OWNER
+        github_repo_name = GITHUB_REPO_NAME
+
+        if env.account == PRE_PROD_ACCOUNT:
+            github_repo_owner = STAGING_GITHUB_REPO_OWNER
+            github_repo_name = STAGING_GITHUB_REPO_NAME
 
         # Define CodeBuild resource.
         git_hub_source = codebuild.Source.git_hub(
-            owner=GITHUB_REPO_OWNER,
-            repo=GITHUB_REPO_NAME,
+            owner=github_repo_owner,
+            repo=github_repo_name,
             webhook=True,
             webhook_filters=[
                 codebuild.FilterGroup.in_event_of(
 
@@ -2,15 +2,19 @@
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
 import subprocess
+import typing
+
 import boto3
 
 from botocore.exceptions import ClientError
-from aws_cdk import CfnTag, Duration, Stack, Tags, aws_ec2 as ec2, aws_codebuild as codebuild, aws_iam as iam, aws_s3 as s3, aws_logs as logs
+from aws_cdk import CfnTag, Duration, Stack, Tags, aws_ec2 as ec2, aws_codebuild as codebuild, aws_iam as iam, \
+    aws_s3 as s3, aws_logs as logs, Environment
 from constructs import Construct
 
 from cdk.components import PruneStaleGitHubBuilds
-from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, LINUX_AARCH_ECR_REPO, \
-    LINUX_X86_ECR_REPO
+from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, \
+    LINUX_AARCH_ECR_REPO, \
+    LINUX_X86_ECR_REPO, PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_OWNER, STAGING_GITHUB_REPO_NAME
 from util.iam_policies import code_build_batch_policy_in_json, ec2_policies_in_json, ssm_policies_in_json, s3_read_write_policy_in_json, ecr_power_user_policy_in_json
 from util.build_spec_loader import BuildSpecLoader
 
@@ -23,13 +27,21 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
+                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
                  **kwargs) -> None:
-        super().__init__(scope, id, **kwargs)
+        super().__init__(scope, id, env=env, **kwargs)
+
+        github_repo_owner = GITHUB_REPO_OWNER
+        github_repo_name = GITHUB_REPO_NAME
+
+        if env.account == PRE_PROD_ACCOUNT:
+            github_repo_owner = STAGING_GITHUB_REPO_OWNER
+            github_repo_name = STAGING_GITHUB_REPO_NAME
 
         # Define CodeBuild resource.
         git_hub_source = codebuild.Source.git_hub(
-            owner=GITHUB_REPO_OWNER,
-            repo=GITHUB_REPO_NAME,
+            owner=github_repo_owner,
+            repo=github_repo_name,
             webhook=True,
             webhook_filters=[
                 codebuild.FilterGroup.in_event_of(
@@ -62,15 +74,14 @@ def __init__(self,
         selected_subnets = vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)
 
         # create security group with default rules
-        security_group = ec2.SecurityGroup(self, id="{}-ec2-sg".format(id),
-                          allow_all_outbound=True,
-                          vpc=vpc,
-                          security_group_name='codebuild_ec2_sg')
-
+        # security_group = ec2.SecurityGroup(self, id="{}-ec2-sg".format(id),
+        #                   allow_all_outbound=True,
+        #                   vpc=vpc,
+        #                   security_group_name='codebuild_ec2_sg')
 
         # Define a IAM role for this stack.
         code_build_batch_policy = iam.PolicyDocument.from_json(code_build_batch_policy_in_json([id]))
-        ec2_policy = iam.PolicyDocument.from_json(ec2_policies_in_json(ec2_role.role_name, security_group.security_group_id, selected_subnets.subnets[0].subnet_id, vpc.vpc_id))
+        ec2_policy = iam.PolicyDocument.from_json(ec2_policies_in_json(ec2_role.role_name, vpc.vpc_default_security_group, selected_subnets.subnets[0].subnet_id, vpc.vpc_id))
         ssm_policy = iam.PolicyDocument.from_json(ssm_policies_in_json())
         codebuild_inline_policies = {"code_build_batch_policy": code_build_batch_policy,
                                      "ec2_policy": ec2_policy,
@@ -97,7 +108,7 @@ def __init__(self,
             build_spec=BuildSpecLoader.load(spec_file_path),
             environment_variables= {
                 "EC2_SECURITY_GROUP_ID": codebuild.BuildEnvironmentVariable(
-                    value=security_group.security_group_id
+                    value=vpc.vpc_default_security_group
                 ),
                 "EC2_SUBNET_ID": codebuild.BuildEnvironmentVariable(
                     value=selected_subnets.subnets[0].subnet_id
 
@@ -1,12 +1,16 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
+import typing
 
-from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_s3_assets, aws_logs as logs
+from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_s3_assets, aws_logs as logs, \
+    Environment
 from constructs import Construct
 
 from cdk.components import PruneStaleGitHubBuilds
-from util.iam_policies import code_build_batch_policy_in_json, code_build_publish_metrics_in_json, code_build_cloudwatch_logs_policy_in_json
-from util.metadata import CAN_AUTOLOAD, GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME
+from util.iam_policies import code_build_batch_policy_in_json, code_build_publish_metrics_in_json, \
+    code_build_cloudwatch_logs_policy_in_json, s3_read_policy_in_json
+from util.metadata import CAN_AUTOLOAD, GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, \
+    PIPELINE_ACCOUNT, PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_OWNER, STAGING_GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
 
 
@@ -17,13 +21,21 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
+                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
                  **kwargs) -> None:
-        super().__init__(scope, id, **kwargs)
+        super().__init__(scope, id, env=env, **kwargs)
+
+        github_repo_owner = GITHUB_REPO_OWNER
+        github_repo_name = GITHUB_REPO_NAME
+
+        if env.account == PRE_PROD_ACCOUNT:
+            github_repo_owner = STAGING_GITHUB_REPO_OWNER
+            github_repo_name = STAGING_GITHUB_REPO_NAME
 
         # Define CodeBuild resource.
         git_hub_source = codebuild.Source.git_hub(
-            owner=GITHUB_REPO_OWNER,
-            repo=GITHUB_REPO_NAME,
+            owner=github_repo_owner,
+            repo=github_repo_name,
             webhook=True,
             webhook_filters=[
                 codebuild.FilterGroup.in_event_of(
@@ -40,18 +52,24 @@ def __init__(self,
         code_build_cloudwatch_logs_policy = iam.PolicyDocument.from_json(
             code_build_cloudwatch_logs_policy_in_json([log_group])
         )
+        s3_assets_policy = iam.PolicyDocument.from_json(s3_read_policy_in_json())
         resource_access_role = iam.Role(scope=self,
                                         id="{}-resource-role".format(id),
-                                        assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
+                                        assumed_by=iam.CompositePrincipal(
+                                            iam.ServicePrincipal("codebuild.amazonaws.com"),
+                                            iam.ArnPrincipal(f'arn:aws:iam::{PIPELINE_ACCOUNT}:role/CrossAccountCodeBuildRole')
+                                        ),
                                         inline_policies={
-                                            "code_build_cloudwatch_logs_policy": code_build_cloudwatch_logs_policy
+                                            "code_build_cloudwatch_logs_policy": code_build_cloudwatch_logs_policy,
+                                            "s3_assets_policy": s3_assets_policy
                                         })
 
         # Define a IAM role for this stack.
         code_build_batch_policy = iam.PolicyDocument.from_json(
             code_build_batch_policy_in_json([id])
         )
         metrics_policy = iam.PolicyDocument.from_json(code_build_publish_metrics_in_json())
+
         inline_policies = {"code_build_batch_policy": code_build_batch_policy,
                            "metrics_policy": metrics_policy,
                            }
@@ -66,6 +84,11 @@ def __init__(self,
             )
         )
 
+        # test = iam.Role(scope=self,
+        #                 id="test",
+        #                 assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
+        #                 inline_policies=inline_policies)
+
         # Define CodeBuild.
         project = codebuild.Project(
             scope=self,
 
@@ -1,10 +1,12 @@
-from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_s3 as s3
+import typing
+
+from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_s3 as s3, Environment
 from constructs import Construct
 from util.build_spec_loader import BuildSpecLoader
 from util.metadata import (
     GITHUB_PUSH_CI_BRANCH_TARGETS,
     GITHUB_REPO_NAME,
-    GITHUB_REPO_OWNER,
+    GITHUB_REPO_OWNER, PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_OWNER, STAGING_GITHUB_REPO_NAME,
 )
 
 
@@ -13,13 +15,22 @@ def __init__(
         self,
         scope: Construct,
         id: str,
+        env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
         **kwargs,
     ) -> None:
-        super().__init__(scope, id, **kwargs)
+        super().__init__(scope, id, env=env, **kwargs)
+
+        github_repo_owner = GITHUB_REPO_OWNER
+        github_repo_name = GITHUB_REPO_NAME
+
+        if env.account == PRE_PROD_ACCOUNT:
+            github_repo_owner = STAGING_GITHUB_REPO_OWNER
+            github_repo_name = STAGING_GITHUB_REPO_NAME
 
+        # Define CodeBuild resource.
         git_hub_source = codebuild.Source.git_hub(
-            owner=GITHUB_REPO_OWNER,
-            repo=GITHUB_REPO_NAME,
+            owner=github_repo_owner,
+            repo=github_repo_name,
             webhook=True,
             webhook_filters=[
                 codebuild.FilterGroup.in_event_of(
 
@@ -1,14 +1,17 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
+import typing
 
-from aws_cdk import Duration, Size, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2, aws_efs as efs
+from aws_cdk import Duration, Size, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2, aws_efs as efs, \
+    Environment
 from constructs import Construct
 
 from cdk.components import PruneStaleGitHubBuilds
 from util.ecr_util import ecr_arn
 from util.iam_policies import code_build_batch_policy_in_json, \
     code_build_publish_metrics_in_json
-from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME
+from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, \
+    PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_OWNER, STAGING_GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
 
 
@@ -19,13 +22,21 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
+                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
                  **kwargs) -> None:
-        super().__init__(scope, id, **kwargs)
+        super().__init__(scope, id, env=env, **kwargs)
+
+        github_repo_owner = GITHUB_REPO_OWNER
+        github_repo_name = GITHUB_REPO_NAME
+
+        if env.account == PRE_PROD_ACCOUNT:
+            github_repo_owner = STAGING_GITHUB_REPO_OWNER
+            github_repo_name = STAGING_GITHUB_REPO_NAME
 
         # Define CodeBuild resource.
         git_hub_source = codebuild.Source.git_hub(
-            owner=GITHUB_REPO_OWNER,
-            repo=GITHUB_REPO_NAME,
+            owner=github_repo_owner,
+            repo=github_repo_name,
             webhook=True,
             webhook_filters=[
                 codebuild.FilterGroup.in_event_of(