[feat] Graviton support (#194)

jplock · web-flow · commit 7d8e0d612070 · 2025-06-11T11:18:49.000-04:00
diff --git a/.github/workflows/docker-bake.yml b/.github/workflows/docker-bake.yml
@@ -20,7 +20,7 @@ env:
 jobs:
   docker:
     if: github.repository_owner == 'aws-samples'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -20,7 +20,7 @@ env:
 jobs:
   test:
     if: github.repository_owner == 'aws-samples'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
@@ -8,7 +8,7 @@ on:
       - '**/Cargo.lock'
 jobs:
   security_audit:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
     if: github.repository_owner == 'aws-samples'
     permissions:
       issues: write
diff --git a/ci_template.yml b/ci_template.yml
@@ -431,7 +431,7 @@ Resources:
     Properties:
       BaseCapacity: 1
       ComputeType: BUILD_GENERAL1_SMALL
-      EnvironmentType: LINUX_CONTAINER
+      EnvironmentType: ARM_CONTAINER
 
   rPermissionsBoundary:
     Type: "AWS::IAM::ManagedPolicy"
@@ -1121,9 +1121,6 @@ Resources:
       Environment:
         ComputeType: BUILD_GENERAL1_SMALL
         EnvironmentVariables:
-          - Name: ARCH
-            Type: PLAINTEXT
-            Value: x86_64
           - Name: INSTANCE_ROLE_ARN
             Type: PLAINTEXT
             Value: !GetAtt rInstanceRole.Arn
@@ -1140,10 +1137,10 @@ Resources:
           - cUseCodeBuildFleet
           - FleetArn: !Ref rCodeBuildFleet
           - !Ref "AWS::NoValue"
-        Image: aws/codebuild/amazonlinux-x86_64-standard:5.0
+        Image: aws/codebuild/amazonlinux-aarch64-standard:3.0
         ImagePullCredentialsType: CODEBUILD
         PrivilegedMode: true
-        Type: LINUX_CONTAINER
+        Type: ARM_CONTAINER
       LogsConfig:
         CloudWatchLogs:
           Status: ENABLED
diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -6,9 +6,9 @@ target "parent" {
     context = "./parent"
     dockerfile = "Dockerfile"
     args = {
-        TARGETPLATFORM = "x86_64-unknown-linux-gnu"
+        TARGETPLATFORM = "aarch64-unknown-linux-gnu"
     }
-    platforms = ["linux/amd64"]
+    platforms = ["linux/arm64"]
     tags = ["parent-vault:latest"]
     cache-to = ["type=gha,ignore-error=true,mode=max,scope=parent"]
     cache-from = ["type=gha,scope=parent"]
@@ -18,9 +18,9 @@ target "enclave" {
     context = "./enclave"
     dockerfile = "Dockerfile"
     args = {
-        TARGETPLATFORM = "x86_64-unknown-linux-musl"
+        TARGETPLATFORM = "aarch64-unknown-linux-musl"
     }
-    platforms = ["linux/amd64"]
+    platforms = ["linux/arm64"]
     tags = ["enclave-vault:latest"]
     cache-to = ["type=gha,ignore-error=true,mode=max,scope=enclave"]
     cache-from = ["type=gha,scope=enclave"]
diff --git a/enclave/Makefile b/enclave/Makefile
@@ -1,7 +1,7 @@
 .PHONY: build build-docker build-enclave run-enclave create-private-key clean
 
-ARCH := x86_64
-# ARCH := aarch64
+# ARCH := x86_64
+ARCH := aarch64
 
 RUST_DIR := $(shell readlink -m $(shell dirname $(firstword $(MAKEFILE_LIST))))
 
diff --git a/parent/Makefile b/parent/Makefile
@@ -1,7 +1,7 @@
 .PHONY: build build-docker clean
 
-ARCH := x86_64
-# ARCH := aarch64
+# ARCH := x86_64
+ARCH := aarch64
 
 RUST_DIR := $(shell readlink -m $(shell dirname $(firstword $(MAKEFILE_LIST))))
 
diff --git a/parent/src/constants.rs b/parent/src/constants.rs
@@ -7,9 +7,9 @@ pub const ENCLAVE_PREFIX: &str = "enclave-vault";
 pub const ENCLAVE_PORT: u32 = 5050;
 /// https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html#nitro-enclave-considerations
 /// one enclave is consumed for the Nitro ACM service
-pub const MAX_ENCLAVES_PER_INSTANCE: usize = 3;
+pub const MAX_ENCLAVES_PER_INSTANCE: usize = 2;
 pub const RUN_ENCLAVE_EIF_PATH: &str = "/home/ec2-user/enclave-vault.eif";
-pub const RUN_ENCLAVE_CPU_COUNT: &str = "2";
+pub const RUN_ENCLAVE_CPU_COUNT: &str = "1";
 pub const RUN_ENCLAVE_MEMORY_SIZE: &str = "512";
 pub const REFRESH_ENCLAVES_INTERVAL: Duration = Duration::from_secs(10);
 pub const IMDS_TOKEN_TTL: Duration = Duration::from_secs(300); // 5 minutes
diff --git a/vault_template.yml b/vault_template.yml
@@ -239,7 +239,7 @@ Resources:
                 memory_mib: 4096
                 #
                 # How many CPUs to reserve for enclaves.
-                cpu_count: 6
+                cpu_count: 3
                 #
                 # Alternatively, the exact CPUs to be reserved for the enclave can be explicitly
                 # configured by using `cpu_pool` (like below), instead of `cpu_count`.
@@ -629,8 +629,7 @@ Resources:
           BareMetal: excluded
           BurstablePerformance: excluded
           CpuManufacturers:
-            - intel
-            - amd
+            - amazon-web-services
           ExcludedInstanceTypes:
             - "a1*"
             - "c6g*"
@@ -648,10 +647,10 @@ Resources:
           InstanceGenerations:
             - current
           MemoryMiB:
-            Min: 8192
+            Min: 4096
           VCpuCount:
-            Min: 8
-        ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-6.12-x86_64}}"
+            Min: 4
+        ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-6.12-arm64}}"
         MetadataOptions:
           HttpEndpoint: enabled
           HttpPutResponseHopLimit: 1
