Merge branch 'main' into signing-params

mcncl · web-flow · commit ff9a5305df7e · 2025-10-08T09:36:00.000+11:00
diff --git a/.buildkite/docker-compose.yml b/.buildkite/docker-compose.yml
@@ -2,7 +2,7 @@ version: '3'
 
 services:
   fixperms-tests:
-    image: golang:1.24
+    image: golang:1.25
     working_dir: /code
     environment:
       CGO_ENABLED: 0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,25 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 
+## [v6.42.0](https://github.com/buildkite/elastic-ci-stack-for-aws/compare/v6.41.6...v6.42.0) (2025-10-07)
+
+### Changed
+
+- Cleanup base AMI build logic by @scadu in https://github.com/buildkite/elastic-ci-stack-for-aws/pull/1597
+- Fix missing refresh_authorized_keys.timer by @scadu in https://github.com/buildkite/elastic-ci-stack-for-aws/pull/1604
+- Allow ECR Credential Helper to be disabled by @petetomasik in https://github.com/buildkite/elastic-ci-stack-for-aws/pull/1600
+- Support cross-account SSM Parameter Store paths by @petetomasik in https://github.com/buildkite/elastic-ci-stack-for-aws/pull/1605
+- Allow configurable Docker default bridge networks by @petetomasik in https://github.com/buildkite/elastic-ci-stack-for-aws/pull/1608
+- Support arm64 arch for Lambda functions by @petetomasik in https://github.com/buildkite/elastic-ci-stack-for-aws/pull/1606
+
+### Internal
+
+- Update golang Docker tag to v1.25 by @renovate[bot] in https://github.com/buildkite/elastic-ci-stack-for-aws/pull/1610
+- Updates to clarify `BootstrapScriptUrl` and `AgentEnvFileUrl` Stack params by @petetomasik in https://github.com/buildkite/elastic-ci-stack-for-aws/pull/1611
+- Update changelog for v6.41.6 release [#1602](https://github.com/buildkite/elastic-ci-stack-for-aws/pull/1602) ([scadu](https://github.com/scadu))
+
+[Full Changelog](https://github.com/buildkite/elastic-ci-stack-for-aws/compare/v6.41.6...v6.42.0)
+
 ## [v6.41.6](https://github.com/buildkite/elastic-ci-stack-for-aws/compare/v6.41.5...v6.41.6) (2025-09-24)
 
 ### Changed
diff --git a/packer/linux/stack/conf/bin/bk-configure-docker.sh b/packer/linux/stack/conf/bin/bk-configure-docker.sh
@@ -71,14 +71,26 @@ elif [[ "${DOCKER_NETWORKING_PROTOCOL}" == "dualstack" ]]; then
       --arg pool1 "${DOCKER_IPV4_ADDRESS_POOL_1:-172.17.0.0/12}" \
       --arg pool2 "${DOCKER_IPV4_ADDRESS_POOL_2:-192.168.0.0/16}" \
       --arg pool6 "${DOCKER_IPV6_ADDRESS_POOL:-2001:db8:2::/104}" \
-      '.ipv6=true | ."fixed-cidr-v6"="2001:db8:1::/64" | .ip6tables=true | ."default-address-pools"=[{"base":$pool1,"size":20},{"base":$pool2,"size":24},{"base":$pool6,"size":112}]' \
+      --arg cidrv6 "${DOCKER_FIXED_CIDR_V6:-2001:db8:1::/64}" \
+      '.ipv6=true | ."fixed-cidr-v6"=$cidrv6 | .ip6tables=true | ."default-address-pools"=[{"base":$pool1,"size":20},{"base":$pool2,"size":24},{"base":$pool6,"size":112}]' \
       /etc/docker/daemon.json
   )" >/etc/docker/daemon.json
 else
   # docker 25.0 doesn't support ipv6 only, so we don't support it either
   true
 fi
 
+# Configure fixed-cidr for IPv4 if provided (applies to both ipv4 and dualstack modes)
+if [[ -n "${DOCKER_FIXED_CIDR_V4:-}" ]]; then
+  echo "Configuring Docker fixed-cidr (IPv4): ${DOCKER_FIXED_CIDR_V4}"
+  cat <<<"$(
+    jq \
+      --arg cidr "${DOCKER_FIXED_CIDR_V4}" \
+      '."fixed-cidr"=$cidr' \
+      /etc/docker/daemon.json
+  )" >/etc/docker/daemon.json
+fi
+
 if [[ "${DOCKER_EXPERIMENTAL:-false}" == "true" ]]; then
   echo Configuring experiment flag for docker daemon...
   cat <<<"$(jq '.experimental=true' /etc/docker/daemon.json)" >/etc/docker/daemon.json
diff --git a/packer/linux/stack/conf/bin/bk-fetch.sh b/packer/linux/stack/conf/bin/bk-fetch.sh
@@ -21,13 +21,9 @@ fetch_ssm_parameters() {
   # trim off ssm: prefix
   ssm_path="${ssm_path//ssm:/}"
 
-  #
-  # NOTE: The maximum number of parameters that can be retrieved is 25 to avoid throttling
-  # in the case of misconfigured SSM path with a large number of child parameters
   aws ssm get-parameters-by-path \
     --path "${ssm_path}" \
     --recursive \
-    --max-items 25 \
     --with-decryption \
     --query 'Parameters[*].{Name: Name, Value: Value}' --output json \
     | jq -r '.[] | [(.Name | split("/")[-1] | ascii_upcase), (["\"", .Value, "\""] | join(""))] | join("=")' \
@@ -37,14 +33,23 @@ fetch_ssm_parameters() {
 FROM="$1"
 TO="$2"
 
+# Fetch content from various URI schemes:
+# - s3://bucket/key: S3 object URI (uses AWS S3 API)
+# - ssm:/path/to/param: SSM parameter path (uses AWS SSM API)
+# - https://example.com/file: HTTPS URL (uses curl)
+# - file:///path/to/file: Local file path (uses curl)
+# - http://example.com/file: HTTP URL (uses curl)
 case "$FROM" in
 s3://*)
+  # S3 object URI - use AWS CLI to fetch
   exec aws s3 cp "$FROM" "$TO"
   ;;
 ssm:*)
+  # SSM parameter path - fetch parameters recursively
   fetch_ssm_parameters "${FROM}" "${TO}"
   ;;
 *)
+  # All other URIs (HTTPS, HTTP, file://) - use curl
   exec curl -Lfs -o "$TO" "$FROM"
   ;;
 esac
diff --git a/packer/windows/stack/conf/bin/bk-fetch.ps1 b/packer/windows/stack/conf/bin/bk-fetch.ps1
@@ -3,10 +3,43 @@ param ([parameter(Mandatory=$true)][string]$From, [parameter(Mandatory=$true)][s
 # Stop script execution when a non-terminating error occurs
 $ErrorActionPreference = "Stop"
 
+# Fetch content from various URI schemes:
+# - s3://bucket/key: S3 object URI (uses AWS CLI)
+# - ssm:/path/to/param: SSM parameter path (uses AWS CLI)
+# - https://example.com/file: HTTPS URL (uses Invoke-WebRequest)
+# - file:///path/to/file: Local file path (uses Invoke-WebRequest)
+# - http://example.com/file: HTTP URL (uses Invoke-WebRequest)
+
 If ($From -Like "s3://*") {
+  # S3 object URI - use AWS CLI to fetch
   aws s3 cp $From $To
   If ($lastexitcode -ne 0) { Exit $lastexitcode }
 }
+ElseIf ($From -Like "ssm:*") {
+  # SSM parameter path - fetch parameters recursively
+  $SsmPath = $From -replace "^ssm:", ""
+
+  # Get parameters from SSM
+  $AwsOutput = aws ssm get-parameters-by-path `
+    --path $SsmPath `
+    --recursive `
+    --with-decryption `
+    --query 'Parameters[*].{Name: Name, Value: Value}' `
+    --output json
+
+  If ($lastexitcode -ne 0) { Exit $lastexitcode }
+
+  $Parameters = $AwsOutput | ConvertFrom-Json
+
+  # Format as environment variables: KEY="value"
+  $Parameters | ForEach-Object {
+    $Name = ($_.Name -split "/")[-1].ToUpper()
+    # Escape backslashes first, then quotes (order matters!)
+    $Value = $_.Value -replace '\\', '\\' -replace '"', '\"'
+    "$Name=`"$Value`""
+  } | Out-File -FilePath $To -Encoding UTF8
+}
 Else {
+  # All other URIs (HTTPS, HTTP, file://) - use Invoke-WebRequest
   Invoke-WebRequest -Uri $From -OutFile $To
 }
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
@@ -67,6 +67,7 @@ Metadata:
         - EC2LogRetentionDays
         - LogRetentionDays
         - BuildkiteAgentEnableGracefulShutdown
+        - LambdaArchitecture
 
       - Label:
           default: Network Configuration
@@ -153,6 +154,16 @@ Metadata:
         - EnableDockerUserNamespaceRemap
         - EnableDockerExperimental
 
+      - Label:
+          default: Docker Networking Configuration
+        Parameters:
+        - DockerNetworkingProtocol
+        - DockerIPv4AddressPool1
+        - DockerIPv4AddressPool2
+        - DockerIPv6AddressPool
+        - DockerFixedCidrV4
+        - DockerFixedCidrV6
+
       - Label:
           default: Docker Registry Configuration
         Parameters:
@@ -566,13 +577,18 @@ Parameters:
     Default: "private"
 
   BootstrapScriptUrl:
-    Description: Optional - HTTPS or S3 URL for a script to run on each instance during boot.
+    Description: >
+      Optional - URI for a script to run on each instance during boot.
+      Supported URI schemes: S3 object URI (s3://bucket/key),
+      HTTPS URL (https://example.com/script.sh), or local file path (file:///path/to/script).
     Type: String
     Default: ""
 
   AgentEnvFileUrl:
     Description: >
-        Optional - HTTPS or S3 URL containing environment variables for the Buildkite agent process itself (not for builds).
+        Optional - URI containing environment variables for the Buildkite agent process itself (not for builds).
+        Supported URI schemes: S3 object URI (s3://bucket/key), SSM parameter path (ssm:/path/to/param),
+        HTTPS URL (https://example.com/script.sh), or local file path (file:///path/to/script).
         These variables configure agent behavior like proxy settings or debugging options.
         For build environment variables, use pipeline 'env' configuration instead.
     Type: String
@@ -847,16 +863,41 @@ Parameters:
     Type: String
     Description: Primary IPv4 CIDR block for Docker default address pools. Must not conflict with host network or VPC CIDR. Only applies to Linux instances, not Windows.
     Default: "172.17.0.0/12"
+    AllowedPattern: "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\/(?:[0-9]|[12][0-9]|3[0-2])$"
+    ConstraintDescription: "Must be a valid IPv4 CIDR block (e.g., 172.17.0.0/12)"
 
   DockerIPv4AddressPool2:
     Type: String
     Description: Secondary IPv4 CIDR block for Docker default address pools. Only applies to Linux instances, not Windows.
     Default: "192.168.0.0/16"
+    AllowedPattern: "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\/(?:[0-9]|[12][0-9]|3[0-2])$"
+    ConstraintDescription: "Must be a valid IPv4 CIDR block (e.g., 192.168.0.0/16)"
 
   DockerIPv6AddressPool:
     Type: String
     Description: IPv6 CIDR block for Docker default address pools in dualstack mode. Only applies to Linux instances, not Windows.
     Default: "2001:db8:2::/104"
+    AllowedPattern: "^(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:))\\/(?:[0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$"
+    ConstraintDescription: "Must be a valid IPv6 CIDR block (e.g., 2001:db8:2::/104)"
+
+  DockerFixedCidrV4:
+    Type: String
+    Description: >
+      Optional IPv4 CIDR block for Docker's fixed-cidr option. Restricts the IP range Docker uses for container networking on the default bridge.
+      Must be a subset of the first pool in DockerIPv4AddressPool1 (Docker allocates docker0 from the first pool).
+      Leave empty to disable. Useful to prevent conflicts with external services like databases. Only applies to Linux instances, not Windows.
+    Default: ""
+    AllowedPattern: "^$|^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\/(?:[0-9]|[12][0-9]|3[0-2])$"
+    ConstraintDescription: "Must be empty or a valid IPv4 CIDR block (e.g., 172.17.1.0/24)"
+
+  DockerFixedCidrV6:
+    Type: String
+    Description: >
+      IPv6 CIDR block for Docker's fixed-cidr-v6 option in dualstack mode. Restricts the IP range Docker uses for IPv6 container networking.
+      Only applies to Linux instances in dualstack mode, not Windows.
+    Default: "2001:db8:1::/64"
+    AllowedPattern: "^(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:))\\/(?:[0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$"
+    ConstraintDescription: "Must be a valid IPv6 CIDR block (e.g., 2001:db8:1::/64)"
 
   EnableSecretsPlugin:
     Type: String
@@ -996,6 +1037,14 @@ Parameters:
       - "warn"
     Default: "block"
 
+  LambdaArchitecture:
+    Type: String
+    Description: CPU architecture for Lambda functions (x86_64 or arm64). arm64 provides better price-performance but requires compatible dependencies.
+    AllowedValues:
+      - "x86_64"
+      - "arm64"
+    Default: "x86_64"
+
 Rules:
   HasToken:
     Assertions:
@@ -1967,6 +2016,8 @@ Resources:
                   DOCKER_IPV4_ADDRESS_POOL_1=${DockerIPv4AddressPool1} \
                   DOCKER_IPV4_ADDRESS_POOL_2=${DockerIPv4AddressPool2} \
                   DOCKER_IPV6_ADDRESS_POOL=${DockerIPv6AddressPool} \
+                  DOCKER_FIXED_CIDR_V4="${DockerFixedCidrV4}" \
+                  DOCKER_FIXED_CIDR_V6="${DockerFixedCidrV6}" \
                   BUILDKITE_ENABLE_INSTANCE_STORAGE="${EnableInstanceStorage}" \
                     /usr/local/bin/bk-configure-docker.sh
                   --==BOUNDARY==
@@ -2257,6 +2308,8 @@ Resources:
       Handler: index.handler
       Role: !GetAtt AsgProcessSuspenderRole.Arn
       Runtime: 'python3.13'
+      Architectures:
+        - !Ref LambdaArchitecture
 
   AzRebalancingSuspender:
     Type: AWS::CloudFormation::CustomResource
@@ -2396,7 +2449,9 @@ Resources:
               logger.info(f"SSM command response: {response}")
       Handler: index.handler
       Role: !GetAtt StopBuildkiteAgentsRole.Arn
-      Runtime: "python3.12"
+      Runtime: "python3.13"
+      Architectures:
+        - !Ref LambdaArchitecture
 
   StopBuildkiteAgents:
     Type: AWS::CloudFormation::CustomResource
