AWSTemplateFormatVersion: 2010-09-09
Description: aws-cli-workshop

Parameters:
  CodeCommitRepo:
    Type: String
    Default: aws-cli-workshop
    Description: Enter name of the new CodeCommit repository.

  CodeBuildProjectName:
    Type: String
    Default: aws-cli-workshop
    Description: Enter name of the new CodeBuild project.

Outputs:
  SourceCodeRepoHttpUrl:
    Description: CodeCommit Repository Http Url
    Value: !GetAtt SourceCodeRepo.CloneUrlHttp

  ECRRepoUri:
    Description: Uri to ECR repository
    Value: !GetAtt ECRRepo.RepositoryUri

Resources:
  SourceCodeRepo:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: !Ref CodeCommitRepo

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref CodeBuildProjectName
      Description: Build project for us to create the docker image containing several scripts
      ServiceRole: !Ref CodeBuildRole
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:5.0 # Ubuntu 20.04
        EnvironmentVariables:
          - Name: ECR_REPO_URI
            Type: PLAINTEXT
            Value: !GetAtt ECRRepo.RepositoryUri
          - Name: DOCKER_BUILDKIT
            Type: PLAINTEXT
            Value: '1'
        PrivilegedMode: true
      Source:
        Location: !GetAtt SourceCodeRepo.CloneUrlHttp
        Type: CODECOMMIT
      TimeoutInMinutes: 60

  ECRRepo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: aws-cli/workshop

  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AWSCLIWorkshop-PushImage
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: CloudWatchLogs
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: '*'
              - Sid: CodeCommit
                Effect: Allow
                Action:
                  - codecommit:GitPull
                Resource: !GetAtt SourceCodeRepo.Arn
              - Sid: ECRPushPull
                Effect: Allow
                Action:
                  - "ecr:GetAuthorizationToken"
                  - "ecr:GetDownloadUrlForLayer"
                  - "ecr:BatchGetImage"
                  - "ecr:BatchCheckLayerAvailability"
                  - "ecr:PutImage"
                  - "ecr:InitiateLayerUpload"
                  - "ecr:UploadLayerPart"
                  - "ecr:CompleteLayerUpload"
                  - "ecr:DescribeImages"
                Resource: '*'
              - Sid: SSMAgentDebug
                Effect: Allow
                Action:
                  - "ssmmessages:CreateControlChannel"
                  - "ssmmessages:CreateDataChannel"
                  - "ssmmessages:OpenControlChannel"
                  - "ssmmessages:OpenDataChannel"
                Resource: '*'

  StartCodeBuildPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: AWSCLIWorkshop-StartBuild
      Description: !Sub "Policy for starting CodeBuild project: ${CodeBuildProject.Arn}"
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: StartCodeBuild
            Effect: Allow
            Action: codebuild:StartBuild
            Resource: !GetAtt CodeBuildProject.Arn