Upgrade enclave dependency versions (#115)

jplock · web-flow · commit 5756cd38e3fa · 2024-12-20T16:38:46.000-05:00
diff --git a/.github/workflows/docker-bake.yml b/.github/workflows/docker-bake.yml
@@ -0,0 +1,33 @@
+name: docker bake
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+env:
+  RUST_BACKTRACE: 1
+  CARGO_TERM_COLOR: never
+
+jobs:
+  docker:
+    if: github.repository_owner == 'aws-samples'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up Docker buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+      - name: Build
+        uses: docker/bake-action@3fc70e1131fee40a422dd8dd0ff22014ae20a1f3 # v5.11.0
+        env:
+          SOURCE_DATE_EPOCH: 0
+        with:
+          push: false
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -1,4 +1,4 @@
-name: Rust
+name: rust tests
 
 on:
   push:
@@ -14,15 +14,17 @@ concurrency:
 
 env:
   RUST_BACKTRACE: 1
-  CARGO_TERM_COLOR: always
+  CARGO_TERM_COLOR: never
 
 jobs:
   test:
     if: github.repository_owner == 'aws-samples'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Cache
+        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
       - name: Format
         run: cargo fmt --all -- --check --verbose
       - name: Build
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/api/dependencies/requirements.txt b/api/dependencies/requirements.txt
@@ -1,4 +1,4 @@
-aws-lambda-powertools[tracer,parser]==3.3.0
+aws-lambda-powertools[tracer,parser]==3.4.0
 cryptography==43.0.3
 hpke==0.3.2
 pksuid==1.1.2
diff --git a/api/requirements-dev.txt b/api/requirements-dev.txt
@@ -1,3 +1,3 @@
 black==24.10.0
-aws-lambda-powertools[all,aws-sdk]==3.3.0
-boto3-stubs[dynamodb,kms]==1.35.81
+aws-lambda-powertools[all,aws-sdk]==3.4.0
+boto3-stubs[dynamodb,kms]
diff --git a/canary/dependencies/requirements.txt b/canary/dependencies/requirements.txt
@@ -1 +1 @@
-aws-lambda-powertools==3.3.0
+aws-lambda-powertools==3.4.0
diff --git a/canary/requirements-dev.txt b/canary/requirements-dev.txt
@@ -1,3 +1,3 @@
 black==24.10.0
-aws-lambda-powertools[all,aws-sdk]==3.3.0
-boto3-stubs[dynamodb,kms]==1.35.81
+aws-lambda-powertools[all,aws-sdk]==3.4.0
+boto3-stubs[dynamodb,kms]
diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -0,0 +1,25 @@
+group "default" {
+    targets = ["parent", "enclave"]
+}
+
+target "parent" {
+    context = "./parent"
+    dockerfile = "Dockerfile"
+    args = {
+        TARGETPLATFORM = "x86_64-unknown-linux-gnu"
+    }
+    tags = ["parent-vault:latest"]
+    cache-to = ["type=gha,ignore-error=true,mode=max,scope=parent"]
+    cache-from = ["type=gha,scope=parent"]
+}
+
+target "enclave" {
+    context = "./enclave"
+    dockerfile = "Dockerfile"
+    args = {
+        TARGETPLATFORM = "x86_64-unknown-linux-musl"
+    }
+    tags = ["enclave-vault:latest"]
+    cache-to = ["type=gha,ignore-error=true,mode=max,scope=enclave"]
+    cache-from = ["type=gha,scope=enclave"]
+}
diff --git a/enclave/Dockerfile b/enclave/Dockerfile
@@ -6,7 +6,7 @@
 ##
 ## based on https://github.com/aws/aws-nitro-enclaves-acm/blob/main/env/enclave/Dockerfile
 ####################################################################################################
-FROM public.ecr.aws/docker/library/rust:alpine as kmstool
+FROM public.ecr.aws/docker/library/rust:alpine AS kmstool
 
 ARG TARGETPLATFORM
 ENV RUSTFLAGS="-C target-feature=-crt-static"
@@ -32,7 +32,7 @@ RUN ln -s /usr/lib /usr/lib64
 WORKDIR /tmp/crt-builder
 
 # Build AWS libcrypto
-RUN git clone --depth 1 -b v1.12.0 https://github.com/awslabs/aws-lc.git
+RUN git clone --depth 1 -b v1.41.1 https://github.com/awslabs/aws-lc.git
 RUN cmake \
     -DCMAKE_PREFIX_PATH=/usr \
     -DCMAKE_INSTALL_PREFIX=/usr \
@@ -123,7 +123,7 @@ RUN cmake \
 RUN cmake --build aws-c-auth/build --parallel $(nproc) --target install
 
 # JSON-C library
-RUN git clone --depth 1 -b json-c-0.16-20220414 https://github.com/json-c/json-c.git
+RUN git clone --depth 1 -b json-c-0.18-20240915 https://github.com/json-c/json-c.git
 RUN cmake \
     -DCMAKE_PREFIX_PATH=/usr \
     -DCMAKE_INSTALL_PREFIX=/usr \
@@ -134,6 +134,7 @@ RUN cmake --build json-c/build --parallel $(nproc) --target install
 
 # NSM LIB
 RUN git clone --depth 1 -b v0.4.0 "https://github.com/aws/aws-nitro-enclaves-nsm-api"
+RUN rustup target add $TARGETPLATFORM
 RUN cd aws-nitro-enclaves-nsm-api \
     && PATH="$PATH:/root/.cargo/bin" cargo build --release --target $TARGETPLATFORM --jobs $(nproc) -p nsm-lib \
     && mv target/$TARGETPLATFORM/release/libnsm.so /usr/lib/ \
@@ -152,22 +153,25 @@ RUN cmake --build aws-nitro-enclaves-sdk-c/build --parallel $(nproc) --target in
 ####################################################################################################
 ## Chef image
 ####################################################################################################
-FROM public.ecr.aws/docker/library/rust:alpine as chef
+FROM public.ecr.aws/docker/library/rust:alpine AS chef
+ARG TARGETPLATFORM
+
 WORKDIR /app
 RUN apk add --no-cache build-base
+RUN rustup target add $TARGETPLATFORM
 RUN cargo install cargo-chef --locked
 
 ####################################################################################################
 ## Planner image
 ####################################################################################################
-FROM chef as planner
+FROM chef AS planner
 COPY . .
 RUN cargo chef prepare --recipe-path recipe.json
 
 ####################################################################################################
 ## Builder image
 ####################################################################################################
-FROM chef as builder
+FROM chef AS builder
 ARG TARGETPLATFORM
 
 COPY --from=planner /app/recipe.json recipe.json
diff --git a/parent/Dockerfile b/parent/Dockerfile
@@ -4,7 +4,7 @@
 ####################################################################################################
 ## Chef image
 ####################################################################################################
-FROM public.ecr.aws/docker/library/rust:latest as chef
+FROM public.ecr.aws/docker/library/rust:latest AS chef
 ARG TARGETPLATFORM
 
 WORKDIR /app
@@ -15,14 +15,14 @@ RUN cargo install cargo-chef --locked
 ####################################################################################################
 ## Planner image
 ####################################################################################################
-FROM chef as planner
+FROM chef AS planner
 COPY . .
 RUN cargo chef prepare  --recipe-path recipe.json
 
 ####################################################################################################
 ## Builder image
 ####################################################################################################
-FROM chef as builder
+FROM chef AS builder
 ARG TARGETPLATFORM
 
 COPY --from=planner /app/recipe.json recipe.json

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-aws-lambda-powertools[tracer,parser]==3.3.0`
	`1`	`+aws-lambda-powertools[tracer,parser]==3.4.0`
`2`	`2`	`cryptography==43.0.3`
`3`	`3`	`hpke==0.3.2`
`4`	`4`	`pksuid==1.1.2`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-aws-lambda-powertools==3.3.0`
	`1`	`+aws-lambda-powertools==3.4.0`