# --------------------------------------------------------------------------------------------- ## Template 1 of 3 - AWS CodePipeline with Build Stages that provisions PCI Remediation Conformance Pack # # # 1- Creates a Code Pipeline that is triggered via code checkin in a Git repo # - Pre-req - Git repo contains source templates ( PCI Remediation Conformance Packs) # 2- CodePipeline (CodeCommit) uploads source templates to a CodePipeline Artifact repository S3 # 3- CodePipeline (CodeBuild) copies source templates to a staging S3 bucket # 4- CodePipeline (CodeBuild) uses Conformance Pack CLI (PutConformancePack) to deploy PCI Remediation Conformance Pack # ## @author kmmahaj ## ## License: ## This code is made available under the MIT-0 license. See the LICENSE file. # ------------------------------------------------------------............................................... AWSTemplateFormatVersion: 2010-09-09 Description: Uses AWS CodePipeline for CI/CD deployment of PCI Remediation Conformance Pack (qs-1t0eilb5g) ## Parameters Parameters: RepositoryName: Description: CodeCommit Repository for PCI Remediation Conformance Pack templates Type: String Default: PCIDevSecOps BranchName: Description: Branch in the CodeCommit Repsitory for PCI Remediation CloudFormation templates Type: String Default: master ConformancePackStagingBucket: Description: Conformance Pack Staging Bucket Type: String Default: s3-pciautohealconfpack-- ## Resources Resources: # ------------------------------------------------------------------------------------------------------------------------------------------------------- # # Uses AWS CodeCommit for event driven code checkins from a local Git repo. # Uses AWS CodeBuild to deploy PCI Remediation Conformance Packs # # ------------------------------------------------------------------------------------------------------------------------------------------------------- # Bucket that stores source templates - PCI Remediation Conformance Pack Templates # Bucket gets populated during pipeline execution (CodeCommit). Triggered via Git checkin. CodePipelineArtifactStoreBucket: Type: 'AWS::S3::Bucket' Properties: BucketName: !Sub "s3-artifactbucket-${AWS::AccountId}-${AWS::Region}" BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 CodePipelineArtifactStoreBucketPolicy: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: !Ref CodePipelineArtifactStoreBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: DenyUnEncryptedObjectUploads Effect: Deny Principal: '*' Action: 's3:PutObject' Resource: !Join - '' - - !GetAtt - CodePipelineArtifactStoreBucket - Arn - /* Condition: StringNotEquals: 's3:x-amz-server-side-encryption': 'aws:kms' - Sid: DenyInsecureConnections Effect: Deny Principal: '*' Action: 's3:*' Resource: !Join - '' - - !GetAtt - CodePipelineArtifactStoreBucket - Arn - /* Condition: Bool: 'aws:SecureTransport': false AmazonCloudWatchEventRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - events.amazonaws.com Action: 'sts:AssumeRole' Path: / Policies: - PolicyName: cwe-pipeline-execution PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: 'codepipeline:StartPipelineExecution' Resource: !Join - '' - - 'arn:aws:codepipeline:' - !Ref 'AWS::Region' - ':' - !Ref 'AWS::AccountId' - ':' - !Ref PCIAutohealConformancePackPipeline # Git checkin triggers CodePipeline execution AmazonCloudWatchEventRule: Type: 'AWS::Events::Rule' Properties: EventPattern: source: - aws.codecommit detail-type: - CodeCommit Repository State Change resources: - !Join - '' - - 'arn:aws:codecommit:' - !Ref 'AWS::Region' - ':' - !Ref 'AWS::AccountId' - ':' - !Ref RepositoryName detail: event: - referenceCreated - referenceUpdated referenceType: - branch referenceName: - master Targets: - Arn: !Join - '' - - 'arn:aws:codepipeline:' - !Ref 'AWS::Region' - ':' - !Ref 'AWS::AccountId' - ':' - !Ref PCIAutohealConformancePackPipeline RoleArn: !GetAtt - AmazonCloudWatchEventRole - Arn Id: pciconfpack-pipeline #Pipeline PCIAutohealConformancePackPipeline: Type: 'AWS::CodePipeline::Pipeline' Properties: Name: pciconfpack-pipeline RoleArn: !GetAtt - CodePipelineServiceRole - Arn Stages: - Name: Source Actions: - Name: PCIConfPackSource ActionTypeId: Category: Source Owner: AWS Version: 1 Provider: CodeCommit OutputArtifacts: - Name: SourceOutput Configuration: BranchName: !Ref BranchName RepositoryName: !Ref RepositoryName PollForSourceChanges: false RunOrder: 1 - Name: Build Actions: - Name: PCIConfPackBuild InputArtifacts: - Name: SourceOutput ActionTypeId: Category: Build Owner: AWS Version: 1 Provider: CodeBuild Configuration: ProjectName: !Ref CodeBuildProject ArtifactStore: Type: S3 Location: !Ref CodePipelineArtifactStoreBucket CodePipelineServiceRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - codebuild.amazonaws.com - codepipeline.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: Codepipeline-base-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 's3:GetObject' - 's3:PutObject' - 's3:GetObjectVersion' - 's3:GetBucketVersioning' - 's3:GetBucketAcl' - 's3:GetBucketLocation' - 's3:ListBucket' - 's3:CreateBucket' - 's3:DeleteBucket' - 's3:DeleteBucketPolicy' - 's3:GetBucketPolicy' - 's3:GetBucketPolicyStatus' - 's3:PutBucketPolicy' - 's3:DeleteObject' Resource: '*' - Effect: Allow Action: - 'cloudformation:DescribeStackResource' - 'cloudformation:DescribeStackResources' - 'cloudformation:GetTemplate' - 'cloudformation:ListStackSets' - 'cloudformation:DescribeStackEvents' - 'cloudformation:DescribeStacks' - 'cloudformation:DescribeStackSet' - 'cloudformation:CreateStack' - 'cloudformation:DeleteStack' - 'cloudformation:UpdateStack' - 'cloudformation:UpdateStackSet' - 'cloudformation:CreateStackInstances' - 'cloudformation:UpdateStackInstances' - 'cloudformation:DescribeStackEvents' - 'cloudformation:ListStacks' - 'cloudformation:ValidateTemplate' - 'cloudformation:SetStackPolicy' - 'cloudformation:CreateStackSet' Resource: '*' - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: '*' - Effect: Allow Action: - 'codecommit:CancelUploadArchive' - 'codecommit:GetBranch' - 'codecommit:GetCommit' - 'codecommit:GetUploadArchiveStatus' - 'codecommit:UploadArchive' Resource: '*' - Effect: Allow Action: - 'codedeploy:CreateDeployment' - 'codedeploy:GetApplicationRevision' - 'codedeploy:GetDeployment' - 'codedeploy:GetDeploymentConfig' - 'codedeploy:RegisterApplicationRevision' Resource: '*' - Effect: Allow Action: - 'codebuild:BatchGetBuilds' - 'codebuild:StartBuild' - 'codebuild:StopBuild' - 'codebuild:BatchGetProjects' - 'codebuild:BatchGetBuilds' - 'codebuild:ListBuildsForProject' - 'codebuild:ListBuilds' - 'codebuild:ListProjects' - 'codebuild:ListCuratedEnvironmentImages' - 'codebuild:ListSourceCredentials' - 'codecommit:GetBranch' - 'codecommit:GetCommit' - 'codecommit:UploadArchive' - 'codecommit:GetUploadArchiveStatus' - 'codecommit:CancelUploadArchive' Resource: '*' - Effect: Allow Action: - 'lambda:InvokeFunction' - 'lambda:ListFunctions' Resource: '*' - Effect: Allow Action: - 'sts:GetCallerIdentity' - 'kms:Decrypt' - 'kms:GenerateDataKey' Resource: '*' PCIConfPackLogGroup: Type: AWS::Logs::LogGroup Properties: LogGroupName: !Sub /codepipeline/pci-autoheal-confpack-${AWS::StackName} CodeBuildProject: Type: 'AWS::CodeBuild::Project' Properties: Artifacts: Type: CODEPIPELINE Environment: ComputeType: BUILD_GENERAL1_SMALL EnvironmentVariables: - Name: AWS_ACCOUNT_ID Type: PLAINTEXT Value: !Ref 'AWS::AccountId' - Name: AWS_DEFAULT_REGION Type: PLAINTEXT Value: !Ref 'AWS::Region' - Name: STAGING_BUCKET Type: PLAINTEXT Value: !Ref ConformancePackStagingBucket - Name: PIPELINE_NAME Type: PLAINTEXT Value: !Ref 'AWS::StackName' Image: 'aws/codebuild/amazonlinux2-x86_64-standard:3.0' PrivilegedMode: true # required to build Docker images Type: LINUX_CONTAINER LogsConfig: CloudWatchLogs: GroupName: !Ref PCIConfPackLogGroup Status: ENABLED ServiceRole: !GetAtt CodePipelineServiceRole.Arn Source: BuildSpec: 'buildspec.yml' Type: CODEPIPELINE TimeoutInMinutes: 10