diff --git a/packer/linux/conf/bin/bk-install-elastic-stack.sh b/packer/linux/conf/bin/bk-install-elastic-stack.sh
index a499f77eb..0af54428a 100755
--- a/packer/linux/conf/bin/bk-install-elastic-stack.sh
+++ b/packer/linux/conf/bin/bk-install-elastic-stack.sh
@@ -314,6 +314,10 @@ if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_ID" ]]; then
 echo "signing-jwks-key-id=$BUILDKITE_AGENT_SIGNING_KEY_ID" >>/etc/buildkite-agent/buildkite-agent.cfg
 fi
+if [[ -n "$BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR" ]]; then
+ echo "verification-failure-behavior=$BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
 if [[ -n "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" ]]; then
 echo "Fetching signing key from ssm: $BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
diff --git a/packer/windows/conf/bin/bk-install-elastic-stack.ps1 b/packer/windows/conf/bin/bk-install-elastic-stack.ps1
index 3beed2ec0..828791308 100644
--- a/packer/windows/conf/bin/bk-install-elastic-stack.ps1
+++ b/packer/windows/conf/bin/bk-install-elastic-stack.ps1
@@ -168,6 +168,10 @@ if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_SIGNING_KEY_ID)) {
 Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-key-id=$Env:BUILDKITE_AGENT_SIGNING_KEY_ID"
 }
+if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR)) {
+ Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "verification-failure-behavior=$Env:BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR"
+}
+
 if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH)) {
 Write-Output "Fetching verification key from ssm: $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
index ca4979277..a93efb17e 100644
--- a/templates/aws-stack.yml
+++ b/templates/aws-stack.yml
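Review bot: The added `if` block appends `verification-failure-behavior=$BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR` to buildkite-agent.cfg without checking the value, even though this setting decides whether a job whose signature fails verification is rejected or only warned about; the template's AllowedValues guard covers launches through CloudFormation, not anyone running the script with the variable set by hand. I would reject anything other than the two values the template accepts before writing the line, e.g. `case "$BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR" in block|warn) ;; *) echo "Unsupported BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR: $BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR" >&2; exit 1 ;; esac`, and add a comment above the block such as `# 'warn' lets a job continue after a failed signature check; leave unset to keep the agent's own default`. The same unvalidated write appears in the PowerShell hunk of bk-install-elastic-stack.ps1, where a `-notin @('block','warn')` check before the Add-Content would do the same job. The enclosing script continues outside both hunks.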
@@ -53,6 +53,7 @@ Metadata:
 - BuildkiteAgentSigningKeySSMParameter
 - BuildkiteAgentSigningKeyID
 - BuildkiteAgentVerificationKeySSMParameter
+ - BuildkiteAgentVerificationFailureBehavior
 - Label:
 default: Network Configuration
@@ -224,6 +225,15 @@ Parameters:
 AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
 ConstraintDescription: "Expects a leading forward slash"
+ BuildkiteAgentVerificationFailureBehavior:
+ Description: "How the agent should respond when a job signature fails verification"
+ Type: String
+ AllowedValues:
+ - "block"
+ - "warn"
+ - ""
+ Default: ""
+
 BuildkiteAgentCancelGracePeriod:
 Description: The number of seconds a canceled or timed out job is given to gracefully terminate and upload its artifacts.
 Type: Number
@@ -1243,6 +1253,7 @@ Resources:
 $Env:BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}"
 $Env:BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}"
 $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}"
+ $Env:BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR="${BuildkiteAgentVerificationFailureBehavior}"
 $Env:BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}"
 $Env:BUILDKITE_QUEUE="${BuildkiteQueue}"
 $Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}"
@@ -1304,6 +1315,7 @@ Resources:
 BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}" \
 BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}" \
 BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}" \
+ BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR="${BuildkiteAgentVerificationFailureBehavior}" \
 BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \
 BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \
 BUILDKITE_QUEUE="${BuildkiteQueue}" \
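Review bot: The new `BuildkiteAgentVerificationFailureBehavior` parameter's Description in the Parameters hunk does not say what `block` and `warn` mean or what the empty default does, and because `warn` relaxes enforcement of job signatures an operator should see that before picking it. I would expand it to something like `Description: "What the agent does when a job signature fails verification: block rejects the job, warn logs a warning and lets it proceed; leave empty to keep the agent's default"`, with the `block`/`warn` semantics confirmed against the agent documentation for the release the stack installs. The closed AllowedValues list is also what keeps the interpolated `BUILDKITE_AGENT_VERIFICATION_FAILURE_BEHAVIOR="${BuildkiteAgentVerificationFailureBehavior}" \` line in the Linux UserData hunk free of shell metacharacters, so a comment such as `# keep AllowedValues a closed list: the value is interpolated into the UserData shell command` next to the list would protect that property if someone later relaxes it to free text.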