Add signing parameters to cfn template

packer/linux/conf/bin/bk-install-elastic-stack.sh

@@ -254,6 +254,7 @@ else
   BUILDKITE_AGENT_TIMESTAMPS_LINES="false"
   BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS="false"
 fi
+
 echo Setting \$BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS to \$BUILDKITE_AGENT_TIMESTAMP_LINES
 echo "BUILDKITE_AGENT_TIMESTAMP_LINES is $BUILDKITE_AGENT_TIMESTAMPS_LINES"
 echo "BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS is $BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS"
@@ -292,6 +293,48 @@ tracing-backend=${BUILDKITE_AGENT_TRACING_BACKEND}
 cancel-grace-period=${BUILDKITE_AGENT_CANCEL_GRACE_PERIOD}
 EOF
 
+if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_PATH" ]]; then
+  echo "Fetching signing key from ssm: $BUILDKITE_AGENT_SIGNING_KEY_PATH..."
+
+  keyfile=/etc/buildkite-agent/signing-key.json
+
+  aws ssm get-parameter \
+    --name "$BUILDKITE_AGENT_SIGNING_KEY_PATH" \
+    --with-decryption \
+    --query Parameter.Value \
+    --output text >"$keyfile"
+
+  echo "Setting ownership of $keyfile to buildkite-agent..."
+  chown buildkite-agent: "$keyfile"
+
+  echo "signing-jwks-file=$keyfile" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
+if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_ID" ]]; then
+  echo "signing-jwks-key-id=$BUILDKITE_AGENT_SIGNING_KEY_ID" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
+if [[ -n "$BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR" ]]; then
+  echo "verification-failure-behavior=$BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
+if [[ -n "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" ]]; then
+  echo "Fetching signing key from ssm: $BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
+
+  keyfile=/etc/buildkite-agent/verification-key.json
+
+  aws ssm get-parameter \
+    --name "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" \
+    --with-decryption \
+    --query Parameter.Value \
+    --output text >"$keyfile"
+
+  echo "Setting ownership of $keyfile to buildkite-agent..."
+  chown buildkite-agent: "$keyfile"
+
+  echo "verification-jwks-file=$keyfile" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
 if [[ "${BUILDKITE_ENV_FILE_URL}" != "" ]]; then
   echo "Fetching env file from ${BUILDKITE_ENV_FILE_URL}..."
   /usr/local/bin/bk-fetch.sh "${BUILDKITE_ENV_FILE_URL}" /var/lib/buildkite-agent/env

packer/windows/conf/bin/bk-install-elastic-stack.ps1

@@ -150,6 +150,42 @@ tracing-backend=${Env:BUILDKITE_AGENT_TRACING_BACKEND}
 "@
 $OFS=" "
 
+If (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_SIGNING_KEY_PATH)) {
+  Write-Output "Fetching signing key from ssm: $Env:BUILDKITE_AGENT_SIGNING_KEY_PATH..."
+
+  $keyfile=C:\buildkite-agent\signing-key.json
+
+  aws ssm get-parameter `
+    --name "$Env:BUILDKITE_AGENT_SIGNING_KEY_PATH" `
+    --with-decryption `
+    --query Parameter.Value `
+    --output text >"$keyfile"
+
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-file=$keyfile"
+}
+
+if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_SIGNING_KEY_ID)) {
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-key-id=$Env:BUILDKITE_AGENT_SIGNING_KEY_ID"
+}
+
+if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR)) {
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "verification-failure-behavior=$Env:BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR"
+}
+
+if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH)) {
+  Write-Output "Fetching verification key from ssm: $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
+
+  $keyfile=C:\buildkite-agent\verification-key.json
+
+  aws ssm get-parameter `
+    --name "$Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH" `
+    --with-decryption `
+    --query Parameter.Value `
+    --output text >"$keyfile"
+
+  Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "verification-jwks-file=$keyfile"
+}
+
 nssm set lifecycled AppEnvironmentExtra +AWS_REGION=$Env:AWS_REGION
 nssm set lifecycled AppEnvironmentExtra +LIFECYCLED_HANDLER="C:\buildkite-agent\bin\stop-agent-gracefully.ps1"
 Restart-Service lifecycled

templates/aws-stack.yml

@@ -50,6 +50,10 @@ Metadata:
         - BuildkiteAgentScalerServerlessARN
         - BuildkiteAgentScalerVersion
         - LogRetentionDays
+        - BuildkiteAgentSigningKeySSMParameter
+        - BuildkiteAgentSigningKeyID
+        - BuildkiteAgentVerificationKeySSMParameter
+        - BuildkiteAgentVerificationFailureBehavior
 
       - Label:
           default: Network Configuration
@@ -202,6 +206,34 @@ Parameters:
       - "opentelemetry"
     Default: ""
 
+  BuildkiteAgentSigningKeySSMParameter:
+    Description: Existing SSM Parameter Store path to the to a JSON Web Key Set (JWKS) containing a key to sign jobs with.
+    Type: String
+    Default: ""
+    AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
+    ConstraintDescription: "Expects a leading forward slash"
+
+  BuildkiteAgentSigningKeyID:
+    Description: The ID of the key in the JWKS to use for signing jobs. If not specified, and the JWKS contains only one key, that key will be used.
+    Type: String
+    Default: ""
+
+  BuildkiteAgentVerificationKeySSMParameter:
+    Description: Existing SSM Parameter Store path to the to a JSON Web Key Set (JWKS) containing keys with which to verify jobs.
+    Type: String
+    Default: ""
+    AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
+    ConstraintDescription: "Expects a leading forward slash"
+
+  BuildkiteAgentVerificationFailureBehavior:
+    Description: "How the agent should respond when a job signature fails verification"
+    Type: String
+    AllowedValues:
+      - "block"
+      - "warn"
+      - ""
+    Default: ""
+
   BuildkiteAgentCancelGracePeriod:
     Description: The number of seconds a canceled or timed out job is given to gracefully terminate and upload its artifacts.
     Type: Number
@@ -1218,6 +1250,10 @@ Resources:
                   $Env:BUILDKITE_AGENT_TIMESTAMP_LINES="${BuildkiteAgentTimestampLines}"
                   $Env:BUILDKITE_AGENT_EXPERIMENTS="${BuildkiteAgentExperiments}"
                   $Env:BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}"
+                  $Env:BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}"
+                  $Env:BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}"
+                  $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}"
+                  $Env:BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR="${BuildkiteAgentVerificationFailureBehavior}"
                   $Env:BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}"
                   $Env:BUILDKITE_QUEUE="${BuildkiteQueue}"
                   $Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}"
@@ -1276,6 +1312,10 @@ Resources:
                   BUILDKITE_AGENT_TIMESTAMP_LINES="${BuildkiteAgentTimestampLines}" \
                   BUILDKITE_AGENT_EXPERIMENTS="${BuildkiteAgentExperiments}" \
                   BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}" \
+                  BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}" \
+                  BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}" \
+                  BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}" \
+                  BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR="${BuildkiteAgentVerificationFailureBehavior}" \
                   BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \
                   BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \
                   BUILDKITE_QUEUE="${BuildkiteQueue}" \