Description: > CICD for a custom codebuild container using CodeCommit, Codepipeline and Codebuild. - this custom container does maven build and docker push to ECR Parameters: CodeCommitRepo: Type: String CodeCommitBranch: Type: String Default: master ECRRepositoryName: Type: String Resources: #### ECR Repositories ECRRepository: Type: AWS::ECR::Repository Properties: RepositoryName: !Ref ECRRepositoryName RepositoryPolicyText: Version: "2012-10-17" Statement: - Sid: CodeBuildAccess Effect: Allow Principal: Service: - "codebuild.amazonaws.com" Action: - "ecr:GetDownloadUrlForLayer" - "ecr:BatchGetImage" - "ecr:BatchCheckLayerAvailability" # DeletionPolicy: Retain DeletionPolicy: Delete ### IAM Permissions CodeBuildServiceRole: Type: AWS::IAM::Role DeletionPolicy: Delete Properties: Path: / AssumeRolePolicyDocument: | { "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "codebuild.amazonaws.com" ]}, "Action": [ "sts:AssumeRole" ] }] } Policies: - PolicyName: root PolicyDocument: Version: 2012-10-17 Statement: - Resource: "*" Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - ecr:GetAuthorizationToken - Resource: !Sub arn:aws:s3:::${ArtifactBucket}/* Effect: Allow Action: - s3:GetObject - s3:PutObject - s3:GetObjectVersion - Resource: - !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${ECRRepository}" Effect: Allow Action: - ecr:GetDownloadUrlForLayer - ecr:BatchGetImage - ecr:BatchCheckLayerAvailability - ecr:PutImage - ecr:InitiateLayerUpload - ecr:UploadLayerPart - ecr:CompleteLayerUpload CodePipelineServiceRole: Type: AWS::IAM::Role DeletionPolicy: Delete Properties: Path: / AssumeRolePolicyDocument: | { "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "codepipeline.amazonaws.com" ]}, "Action": [ "sts:AssumeRole" ] }] } Policies: - PolicyName: root PolicyDocument: Version: 2012-10-17 Statement: - Resource: - !Sub arn:aws:s3:::${ArtifactBucket}/* # - !Sub arn:aws:s3:::${CfnTemplateBucket} # - !Sub arn:aws:s3:::${CfnTemplateBucket}/* Effect: Allow Action: - s3:PutObject - s3:GetObject - s3:GetObjectVersion - s3:GetBucketVersioning - Resource: "*" Effect: Allow Action: - codebuild:StartBuild - codebuild:BatchGetBuilds - cloudformation:* - iam:PassRole - codecommit:CancelUploadArchive - codecommit:GetBranch - codecommit:GetCommit - codecommit:GetUploadArchiveStatus - codecommit:UploadArchive ### CodePipeline & Codebuild ArtifactBucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub "${CodeCommitRepo}-${AWS::AccountId}-codepipeline-artifacts" # Tags: DeletionPolicy: Retain # ref: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html # CODEBUILD_RESOLVED_SOURCE_VERSION : Commit ID CodeBuildProject: Type: AWS::CodeBuild::Project DependsOn: [ CodeBuildServiceRole, ECRRepository] Properties: Name: !Sub "${CodeCommitRepo}-Build" Artifacts: Type: "CODEPIPELINE" Source: Type: "CODEPIPELINE" BuildSpec: | version: 0.2 phases: pre_build: commands: - echo Logging in to Amazon ECR... - $(aws ecr get-login --region $AWS_DEFAULT_REGION) build: commands: - echo Build started on `date` - echo Building the Docker image... - docker build -t $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG . post_build: commands: - echo Build completed on `date` - echo Pushing the Docker image... - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG # artifacts: # files: # - build.json Environment: ComputeType: BUILD_GENERAL1_SMALL #BUILD_GENERAL1_LARGE Image: "aws/codebuild/docker:1.12.1" Type: "LINUX_CONTAINER" PrivilegedMode: "true" EnvironmentVariables: - Name: AWS_ACCOUNT_ID Value: !Ref AWS::AccountId - Name: IMAGE_TAG Value: "latest" - Name: AWS_DEFAULT_REGION Value: !Ref AWS::Region - Name: IMAGE_REPO_NAME Value: !Ref ECRRepository ServiceRole: !Ref CodeBuildServiceRole Pipeline: Type: AWS::CodePipeline::Pipeline DependsOn: [ CodePipelineServiceRole, CodeBuildProject ] Properties: RoleArn: !GetAtt CodePipelineServiceRole.Arn RestartExecutionOnUpdate: False ArtifactStore: Type: S3 Location: !Ref ArtifactBucket Name: !Sub "${CodeCommitRepo}-Pipeline" # DisableInboundStageTransitions: # - Reason: "Do not build when create or update this CFN" # StageName: "Build" Stages: - Name: Source Actions: - Name: App ActionTypeId: Category: Source Owner: AWS Version: 1 Provider: CodeCommit Configuration: RepositoryName: !Ref CodeCommitRepo BranchName: !Ref CodeCommitBranch OutputArtifacts: - Name: App RunOrder: 1 - Name: Build Actions: - Name: Build ActionTypeId: Category: Build Owner: AWS Version: 1 Provider: CodeBuild Configuration: ProjectName: !Ref CodeBuildProject InputArtifacts: - Name: App OutputArtifacts: - Name: BuildOutput RunOrder: 1 # - Name: Approval # ActionTypeId: # Category: Approval # Owner: AWS # Version: 1 # Provider: "Manual" # RunOrder: 2 Outputs: PipelineUrl: Value: !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline} CustomCodebuildECR: Value: !Ref ECRRepository