diff --git a/.github/workflows/docker-bake.yml b/.github/workflows/docker-bake.yml
index 87ecf07..54f54e0 100644
--- a/.github/workflows/docker-bake.yml
+++ b/.github/workflows/docker-bake.yml
@@ -20,7 +20,7 @@ env:
 jobs:
 docker:
 if: github.repository_owner == 'aws-samples'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04-arm
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 25b0dc8..c290f49 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -20,7 +20,7 @@ env:
 jobs:
 test:
 if: github.repository_owner == 'aws-samples'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04-arm
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
index 163e05c..215e2f6 100644
--- a/.github/workflows/security_audit.yml
+++ b/.github/workflows/security_audit.yml
@@ -8,7 +8,7 @@ on:
 - '**/Cargo.lock'
 jobs:
 security_audit:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04-arm
 if: github.repository_owner == 'aws-samples'
 permissions:
 issues: write
diff --git a/ci_template.yml b/ci_template.yml
index a1203ef..86be82e 100644
--- a/ci_template.yml
+++ b/ci_template.yml
@@ -431,7 +431,7 @@ Resources:
 Properties:
 BaseCapacity: 1
 ComputeType: BUILD_GENERAL1_SMALL
- EnvironmentType: LINUX_CONTAINER
+ EnvironmentType: ARM_CONTAINER
 rPermissionsBoundary:
 Type: "AWS::IAM::ManagedPolicy"
@@ -1121,9 +1121,6 @@ Resources:
 Environment:
 ComputeType: BUILD_GENERAL1_SMALL
 EnvironmentVariables:
- - Name: ARCH
- Type: PLAINTEXT
- Value: x86_64
 - Name: INSTANCE_ROLE_ARN
 Type: PLAINTEXT
 Value: !GetAtt rInstanceRole.Arn
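Review bot: The `ARCH` entry removed from EnvironmentVariables in the ci_template.yml -1121 hunk has no matching buildspec change in this diff, so if a buildspec still expands `$ARCH` (for a target triple, an image name or an EIF path) it now expands to an empty string instead of failing loudly; that the buildspec read it is inferred, since the buildspec is not shown. The enclave/Makefile and parent/Makefile hunks hardcode `ARCH := aarch64`, so `make` invocations are covered, but anything outside make that consumed the variable is not. Either keep the entry as `- Name: ARCH` / `Type: PLAINTEXT` / `Value: aarch64` or confirm that no buildspec references it. The enclosing CodeBuild project resource begins before this hunk, and its Image/Type change follows in the next hunk.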
@@ -1140,10 +1137,10 @@ Resources:
 - cUseCodeBuildFleet
 - FleetArn: !Ref rCodeBuildFleet
 - !Ref "AWS::NoValue"
- Image: aws/codebuild/amazonlinux-x86_64-standard:5.0
+ Image: aws/codebuild/amazonlinux-aarch64-standard:3.0
 ImagePullCredentialsType: CODEBUILD
 PrivilegedMode: true
- Type: LINUX_CONTAINER
+ Type: ARM_CONTAINER
 LogsConfig:
 CloudWatchLogs:
 Status: ENABLED
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 766ecac..7b12988 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -6,9 +6,9 @@ target "parent" {
 context = "./parent"
 dockerfile = "Dockerfile"
 args = {
- TARGETPLATFORM = "x86_64-unknown-linux-gnu"
+ TARGETPLATFORM = "aarch64-unknown-linux-gnu"
 }
- platforms = ["linux/amd64"]
+ platforms = ["linux/arm64"]
 tags = ["parent-vault:latest"]
 cache-to = ["type=gha,ignore-error=true,mode=max,scope=parent"]
 cache-from = ["type=gha,scope=parent"]
@@ -18,9 +18,9 @@ target "enclave" {
 context = "./enclave"
 dockerfile = "Dockerfile"
 args = {
- TARGETPLATFORM = "x86_64-unknown-linux-musl"
+ TARGETPLATFORM = "aarch64-unknown-linux-musl"
 }
- platforms = ["linux/amd64"]
+ platforms = ["linux/arm64"]
 tags = ["enclave-vault:latest"]
 cache-to = ["type=gha,ignore-error=true,mode=max,scope=enclave"]
 cache-from = ["type=gha,scope=enclave"]
diff --git a/enclave/Makefile b/enclave/Makefile
index d988a1d..71d10c0 100644
--- a/enclave/Makefile
+++ b/enclave/Makefile
@@ -1,7 +1,7 @@
 .PHONY: build build-docker build-enclave run-enclave create-private-key clean
-ARCH := x86_64
-# ARCH := aarch64
+# ARCH := x86_64
+ARCH := aarch64
 RUST_DIR := $(shell readlink -m $(shell dirname $(firstword $(MAKEFILE_LIST))))
diff --git a/parent/Makefile b/parent/Makefile
index 9fe10b8..efca583 100644
--- a/parent/Makefile
+++ b/parent/Makefile
@@ -1,7 +1,7 @@
 .PHONY: build build-docker clean
-ARCH := x86_64
-# ARCH := aarch64
+# ARCH := x86_64
+ARCH := aarch64
 RUST_DIR := $(shell readlink -m $(shell dirname $(firstword $(MAKEFILE_LIST))))
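Review bot: The Image at -1140 changes generation as well as architecture, from `amazonlinux-x86_64-standard:5.0` to `amazonlinux-aarch64-standard:3.0`, so the tool versions preinstalled in the container (Docker, Rust toolchain, build dependencies) may differ from what the buildspec was written against; the buildspec is not in the diff, so this is inferred rather than observed. Because `PrivilegedMode: true` is retained and the project also switches to `ARM_CONTAINER`, a short comment above Image recording why this tag was chosen, e.g. `# ARM (aarch64) curated image; confirm its base OS and toolchain match what the buildspec expects`, would capture the decision for the next upgrade. The `EnvironmentType: ARM_CONTAINER` in the -431 hunk, presumably the rCodeBuildFleet referenced here, is consistent with this change.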
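Review bot: The enclave/Makefile hunk (and the identical parent/Makefile hunk) still selects the architecture by commenting out one `ARCH :=` line and uncommenting the other, which is exactly the edit this commit had to make and will have to be reverted by hand for an x86_64 build. A conditional assignment, `ARCH ?= aarch64`, keeps aarch64 as the default while letting `make ARCH=x86_64` or an `ARCH` environment variable override it without touching the file, which matters now that ci_template.yml no longer injects `ARCH` into the CodeBuild environment. A comment above it such as `# Target architecture; override with make ARCH=x86_64 for an x86_64 build` documents the switch that the two commented lines currently only imply. The rest of both Makefiles, including whatever consumes ARCH, is outside the hunk.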
diff --git a/parent/src/constants.rs b/parent/src/constants.rs
index cb9c2e4..3f36376 100644
--- a/parent/src/constants.rs
+++ b/parent/src/constants.rs
@@ -7,9 +7,9 @@ pub const ENCLAVE_PREFIX: &str = "enclave-vault";
 pub const ENCLAVE_PORT: u32 = 5050;
 /// https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html#nitro-enclave-considerations
 /// one enclave is consumed for the Nitro ACM service
-pub const MAX_ENCLAVES_PER_INSTANCE: usize = 3;
+pub const MAX_ENCLAVES_PER_INSTANCE: usize = 2;
 pub const RUN_ENCLAVE_EIF_PATH: &str = "/home/ec2-user/enclave-vault.eif";
-pub const RUN_ENCLAVE_CPU_COUNT: &str = "2";
+pub const RUN_ENCLAVE_CPU_COUNT: &str = "1";
 pub const RUN_ENCLAVE_MEMORY_SIZE: &str = "512";
 pub const REFRESH_ENCLAVES_INTERVAL: Duration = Duration::from_secs(10);
 pub const IMDS_TOKEN_TTL: Duration = Duration::from_secs(300); // 5 minutes
diff --git a/vault_template.yml b/vault_template.yml
index ce7831f..cec3a70 100644
--- a/vault_template.yml
+++ b/vault_template.yml
@@ -239,7 +239,7 @@ Resources:
 memory_mib: 4096
 #
 # How many CPUs to reserve for enclaves.
- cpu_count: 6
+ cpu_count: 3
 #
 # Alternatively, the exact CPUs to be reserved for the enclave can be explicitly
 # configured by using `cpu_pool` (like below), instead of `cpu_count`.
@@ -629,8 +629,7 @@ Resources:
 BareMetal: excluded
 BurstablePerformance: excluded
 CpuManufacturers:
- intel
- amd
+ - amazon-web-services
 ExcludedInstanceTypes:
 - "a1*"
 - "c6g*"
@@ -648,10 +647,10 @@ Resources:
 InstanceGenerations:
 - current
 MemoryMiB:
- Min: 8192
+ Min: 4096
 VCpuCount:
- Min: 8
- ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-6.12-x86_64}}"
+ Min: 4
+ ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-6.12-arm64}}"
 MetadataOptions:
 HttpEndpoint: enabled
 HttpPutResponseHopLimit: 1
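Review bot: `RUN_ENCLAVE_CPU_COUNT` becomes "1" and `MAX_ENCLAVES_PER_INSTANCE` becomes 2 in the -7 hunk, but nothing in the hunk says why these values are now valid or how they relate to the `cpu_count: 3` reserved in vault_template.yml in the same commit; a one-vCPU enclave is only possible where one vCPU is a whole core, which holds on Graviton but not on x86, and that dependency is inferred from the ARM switch elsewhere in the commit rather than stated here. Suggest extending the existing doc comment with the sizing rule, e.g. `/// Sized for Graviton (1 vCPU = 1 core); cpu_count in vault_template.yml must cover the ACM enclave plus MAX_ENCLAVES_PER_INSTANCE * RUN_ENCLAVE_CPU_COUNT vCPUs`. If the x86_64 path left in the Makefiles is meant to stay buildable, these constants are now architecture-dependent and a `#[cfg(target_arch = "aarch64")]` / `#[cfg(not(target_arch = "aarch64"))]` pair would make that explicit instead of silently launching undersized enclaves on x86.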
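Review bot: `Min: 4096` under MemoryMiB in the -648 hunk admits an instance with exactly 4096 MiB, yet the allocator config in the -239 hunk still reserves `memory_mib: 4096` for enclaves, which would leave no memory for the parent OS and the vault process and make the Nitro Enclaves allocator fail on the smallest instance the requirements can select; similarly `VCpuCount` `Min: 4` with `cpu_count: 3` leaves a single vCPU for the parent. The memory floor should stay above the enclave reservation (keeping `Min: 8192`, or lowering `memory_mib` together with it), and a comment beside MemoryMiB/VCpuCount tying them to `memory_mib`/`cpu_count` would stop the two from drifting again. `CpuManufacturers: amazon-web-services` and the arm64 AMI in ImageId are consistent with each other; `- "c6g*"` remaining under ExcludedInstanceTypes is pre-existing but, being a Graviton family, is worth re-checking now that only Graviton instances are eligible.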