# Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved. # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with # the License. A copy of the License is located at # http://aws.amazon.com/apache2.0/ # or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and # limitations under the License. AWSTemplateFormatVersion: '2010-09-09' Description: CodePipeline for the Sample Lambda Function Parameters: ProjectName: Description: Name of the Project Type: String S3Bucket: Description: S3 Bucket, which will hold the artifacts Type: String WebUIBucket: Description: S3 Bucket, which will hold the website file Type: String CMKARN: Description: ARN of the KMS CMK created in Tools account Type: String NonProdCloudFormationServiceRole: Type: String Description: ARN of the Non Prod CloudFormationServiceRole NonProdCodePipelineActionServiceRole: Type: String Description: ARN of the Non Prod CodePipelineActionServiceRole WebProject: Type: String AllowedValues: - "True" - "False" Default: "False" Description: Pipeline for Web Project (True or False) Conditions: IsLambdaProject: !Equals [ !Ref "WebProject", "False" ] IsWebProject: !Equals [ !Ref "WebProject", "True" ] Resources: BuildProjectRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${ProjectName}-CodeBuildRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - codebuild.amazonaws.com Action: - sts:AssumeRole Path: / BuildProjectPolicy: Type: AWS::IAM::Policy DependsOn: S3BucketPolicy Properties: PolicyName: !Sub ${ProjectName}-CodeBuildPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - s3:PutObject - s3:GetBucketPolicy - s3:GetObject - s3:ListBucket Resource: - !Join ['',['arn:aws:s3:::',!Ref S3Bucket, '/*']] - !Join ['',['arn:aws:s3:::',!Ref S3Bucket]] - Effect: Allow Action: - s3:PutObject - s3:DeleteObject - s3:GetObjectAcl - s3:PutObjectAcl - s3:GetObject - s3:ListBucket Resource: - !Join ['',['arn:aws:s3:::',!Ref WebUIBucket, '/*']] - !Join ['',['arn:aws:s3:::',!Ref WebUIBucket]] - Effect: Allow Action: - kms:* Resource: !Ref CMKARN - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: arn:aws:logs:*:*:* Roles: - !Ref BuildProjectRole BuildProject: Type: AWS::CodeBuild::Project Properties: Name: !Ref ProjectName Description: !Ref ProjectName EncryptionKey: !Ref CMKARN ServiceRole: !GetAtt BuildProjectRole.Arn Artifacts: Type: CODEPIPELINE Source: Type: CODEPIPELINE Environment: Type: linuxContainer ComputeType: BUILD_GENERAL1_SMALL Image: aws/codebuild/nodejs:7.0.0 EnvironmentVariables: - Name: S3Bucket Value: !Ref S3Bucket TimeoutInMinutes: 10 Tags: - Key: Name Value: !Ref ProjectName PipelineRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${ProjectName}-codepipeline-role AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - codepipeline.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AWSCodeCommitFullAccess' - 'arn:aws:iam::aws:policy/AmazonS3FullAccess' - 'arn:aws:iam::aws:policy/AdministratorAccess' Path: / PipelinePolicy: Type: AWS::IAM::Policy DependsOn: S3BucketPolicy Properties: PolicyName: !Sub ${ProjectName}-codepipeline-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - codepipeline:* - iam:ListRoles - cloudformation:Describe* - cloudFormation:List* - codecommit:List* - codecommit:Get* - codecommit:GitPull - codecommit:UploadArchive - codecommit:CancelUploadArchive - codebuild:BatchGetBuilds - codebuild:StartBuild - cloudformation:CreateStack - cloudformation:DeleteStack - cloudformation:DescribeStacks - cloudformation:UpdateStack - cloudformation:CreateChangeSet - cloudformation:DeleteChangeSet - cloudformation:DescribeChangeSet - cloudformation:ExecuteChangeSet - cloudformation:SetStackPolicy - cloudformation:ValidateTemplate - iam:PassRole - s3:ListAllMyBuckets - s3:GetBucketLocation Resource: - "*" - Effect: Allow Action: - kms:Decrypt Resource: !Ref CMKARN - Effect: Allow Action: - s3:PutObject - s3:GetBucketPolicy - s3:GetObject - s3:ListBucket Resource: - !Join ['',['arn:aws:s3:::',!Ref S3Bucket, '/*']] - !Join ['',['arn:aws:s3:::',!Ref S3Bucket]] - Effect: Allow Action: - sts:AssumeRole Resource: - !Ref NonProdCodePipelineActionServiceRole Roles: - !Ref PipelineRole CodeRepository: Type: AWS::CodeCommit::Repository Properties: RepositoryName: !Sub "${ProjectName}-CodeRepo" RepositoryDescription: 'Source Code Repository for application' LambdaPipeline: Condition: "IsLambdaProject" Type: AWS::CodePipeline::Pipeline Properties: RoleArn: !GetAtt PipelineRole.Arn Name: !Ref AWS::StackName Stages: - Name: Source Actions: - Name: App ActionTypeId: Category: Source Owner: AWS Version: 1 Provider: CodeCommit Configuration: RepositoryName: !GetAtt CodeRepository.Name BranchName: master OutputArtifacts: - Name: SCCheckoutArtifact RunOrder: 1 - Name: Build Actions: - Name: Build ActionTypeId: Category: Build Owner: AWS Version: 1 Provider: CodeBuild Configuration: ProjectName: !Ref BuildProject RunOrder: 1 InputArtifacts: - Name: SCCheckoutArtifact OutputArtifacts: - Name: BuildOutput - Name: DeployToTest Actions: - Name: CreateChangeSetTest ActionTypeId: Category: Deploy Owner: AWS Version: 1 Provider: CloudFormation Configuration: ChangeSetName: !Join ['-',[!Ref ProjectName, 'lambda', 'CS']] ActionMode: CHANGE_SET_REPLACE StackName: !Join ['-',[!Ref ProjectName, 'lambda']] Capabilities: CAPABILITY_NAMED_IAM TemplatePath: BuildOutput::output-sam-template.yaml TemplateConfiguration: BuildOutput::sam-config.json RoleArn: !Ref NonProdCloudFormationServiceRole InputArtifacts: - Name: BuildOutput RunOrder: 1 RoleArn: !Ref NonProdCodePipelineActionServiceRole - Name: DeployChangeSetTest ActionTypeId: Category: Deploy Owner: AWS Version: 1 Provider: CloudFormation Configuration: ChangeSetName: !Join ['-',[!Ref ProjectName, 'lambda', 'CS']] ActionMode: CHANGE_SET_EXECUTE StackName: !Join ['-',[!Ref ProjectName, 'lambda']] InputArtifacts: - Name: BuildOutput RunOrder: 2 RoleArn: !Ref NonProdCodePipelineActionServiceRole ArtifactStore: Type: S3 Location: !Ref S3Bucket EncryptionKey: Id: !Ref CMKARN Type: KMS WebProjectPipeline: Condition: "IsWebProject" Type: AWS::CodePipeline::Pipeline Properties: RoleArn: !GetAtt PipelineRole.Arn Name: !Ref AWS::StackName Stages: - Name: Source Actions: - Name: App ActionTypeId: Category: Source Owner: AWS Version: 1 Provider: CodeCommit Configuration: RepositoryName: !GetAtt CodeRepository.Name BranchName: master OutputArtifacts: - Name: SCCheckoutArtifact RunOrder: 1 - Name: DeployWebsiteBucket Actions: - Name: CreateChangeSetTest ActionTypeId: Category: Deploy Owner: AWS Version: 1 Provider: CloudFormation Configuration: ChangeSetName: !Join ['-',[!Ref ProjectName, 'CS']] ActionMode: CHANGE_SET_REPLACE StackName: !Join ['-',[!Ref ProjectName, "s3-website-bucket"]] Capabilities: CAPABILITY_NAMED_IAM TemplatePath: SCCheckoutArtifact::S3-Bucket.template TemplateConfiguration: SCCheckoutArtifact::S3-Bucket-config.json RoleArn: !Ref NonProdCloudFormationServiceRole InputArtifacts: - Name: SCCheckoutArtifact RoleArn: !Ref NonProdCodePipelineActionServiceRole - Name: DeployChangeSetTest ActionTypeId: Category: Deploy Owner: AWS Version: 1 Provider: CloudFormation Configuration: ChangeSetName: !Join ['-',[!Ref ProjectName, 'CS']] ActionMode: CHANGE_SET_EXECUTE StackName: !Join ['-',[!Ref ProjectName, 's3-website-bucket']] InputArtifacts: - Name: SCCheckoutArtifact RunOrder: 2 RoleArn: !Ref NonProdCodePipelineActionServiceRole - Name: Build Actions: - Name: Build ActionTypeId: Category: Build Owner: AWS Version: 1 Provider: CodeBuild Configuration: ProjectName: !Ref BuildProject RunOrder: 3 InputArtifacts: - Name: SCCheckoutArtifact ArtifactStore: Type: S3 Location: !Ref S3Bucket EncryptionKey: Id: !Ref CMKARN Type: KMS S3BucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref S3Bucket PolicyDocument: Statement: - Action: - s3:* Effect: Allow Resource: - !Sub arn:aws:s3:::${S3Bucket} - !Sub arn:aws:s3:::${S3Bucket}/* Principal: AWS: - !Ref NonProdCloudFormationServiceRole - !Ref NonProdCodePipelineActionServiceRole Outputs: PipelineUrl: Description: The URL for the CodePipeline AWS Management Console. Value: Fn::If: - "IsLambdaProject" - !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${LambdaPipeline} - !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${WebProjectPipeline}] SourceCodeCommitCloneUrlHttp: Description: The URL for the source code CodeCommit repo. Value: !GetAtt CodeRepository.CloneUrlHttp