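#!/usr/bin/env python
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# CI/CD pipeline for the Elastic Beanstalk Service Catalog product:
# a push to the configured CodeCommit branch fires an EventBridge rule,
# which starts a CodePipeline that runs CodeBuild (CICD/buildspec.yml).
# Build artifacts live in an SSE-KMS encrypted S3 bucket.
---
Parameters:
  BranchName:
    Description: CodeCommit branch name
    Type: String
    Default: main
  RepositoryName:
    Description: CodeCommit repository name
    Type: String
    Default: elasticbeanstalk-sc-product
  CodeBuildProjectName:
    Description: Name for CodeBuildProject
    Type: String
    Default: elasticbeanstalk-sc-product
  StackName:
    Description: Name of the CloudFormation stack deploying the Service Catalog Portfolio
    Type: String
    Default: elasticbeanstalk-sc-portfolio

Resources:
  # Source repository. Retained on stack deletion so history is not lost.
  CodeCommitRepository:
    DeletionPolicy: Retain
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryDescription: Elasticbeanstalk SC Product code
      RepositoryName: !Ref RepositoryName

  # Artifact store shared by CodePipeline and CodeBuild. Default encryption
  # (SSE-KMS with the AWS managed S3 key) covers every upload, so no explicit
  # "deny unencrypted PutObject" statement is needed in the bucket policy.
  # Public access is blocked because only the pipeline/build roles read it.
  CodePipelineArtifactStoreBucket:
    DeletionPolicy: Retain
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              KMSMasterKeyID: "alias/aws/s3"
              SSEAlgorithm: "aws:kms"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Reject any request to the artifact bucket that does not use TLS.
  # The deny covers both the bucket ARN (ListBucket etc.) and its objects;
  # denying only "<bucket-arn>/*" would still allow plaintext bucket-level calls.
  CodePipelineArtifactStoreBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref CodePipelineArtifactStoreBucket
      PolicyDocument:
        # Quoted: an unquoted 2012-10-17 is parsed as a date by YAML 1.1 loaders.
        Version: '2012-10-17'
        Statement:
          - Sid: DenyInsecureConnections
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !GetAtt CodePipelineArtifactStoreBucket.Arn
              - !Sub '${CodePipelineArtifactStoreBucket.Arn}/*'
            Condition:
              Bool:
                # IAM condition values are strings; quote so no loader turns it into a bool.
                'aws:SecureTransport': 'false'

  # Role assumed by EventBridge to start the pipeline. Scoped to this
  # pipeline's ARN only.
  AmazonCloudWatchEventRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: cwe-pipeline-execution
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 'codepipeline:StartPipelineExecution'
                Resource: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${AppPipeline}'

  # Triggers the pipeline on pushes to the branch named by BranchName.
  # The branch filter must match the source action below; a hard-coded
  # "master" here with a "main" default would never fire.
  AmazonCloudWatchEventRule:
    Type: 'AWS::Events::Rule'
    Properties:
      EventPattern:
        source:
          - aws.codecommit
        detail-type:
          - CodeCommit Repository State Change
        resources:
          - !GetAtt CodeCommitRepository.Arn
        detail:
          event:
            - referenceCreated
            - referenceUpdated
          referenceType:
            - branch
          referenceName:
            - !Ref BranchName
      Targets:
        - Arn: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${AppPipeline}'
          RoleArn: !GetAtt AmazonCloudWatchEventRole.Arn
          Id: codepipeline-AppPipeline

  # Two stages: pull the source from CodeCommit, then run the CodeBuild
  # project that tests and deploys the Service Catalog product.
  AppPipeline:
    Type: 'AWS::CodePipeline::Pipeline'
    Properties:
      Name: codecommit-events-pipeline
      RoleArn: !GetAtt CodePipelineServiceRole.Arn
      Stages:
        - Name: Source
          Actions:
            - Name: SourceAction
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: "1"
                Provider: CodeCommit
              OutputArtifacts:
                - Name: SourceOutput
              Configuration:
                BranchName: !Ref BranchName
                RepositoryName: !Ref RepositoryName
                # The EventBridge rule above starts the pipeline; polling as
                # well would trigger duplicate executions for one push.
                PollForSourceChanges: false
              RunOrder: 1
        - Name: TestAndDeploy
          Actions:
            - Name: TestAndDeployAction
              InputArtifacts:
                - Name: SourceOutput
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: "1"
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref CodeBuildProject
                # Passed to the buildspec as STACKNAME / ARTIFACT_BUCKET_NAME.
                EnvironmentVariables: !Sub '[{"name": "STACKNAME","value": "${StackName}"},{"name": "ARTIFACT_BUCKET_NAME","value": "${CodePipelineArtifactStoreBucket}"}]'
              RunOrder: 1
      ArtifactStore:
        Type: S3
        Location: !Ref CodePipelineArtifactStoreBucket

  # Build project driven entirely by CodePipeline (source and artifacts are
  # both CODEPIPELINE); the build steps live in CICD/buildspec.yml.
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        EncryptionDisabled: false
        Type: "CODEPIPELINE"
      EncryptionKey: "alias/aws/s3"
      Environment:
        ComputeType: "BUILD_GENERAL1_SMALL"
        Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
        Type: LINUX_CONTAINER
      LogsConfig:
        CloudWatchLogs:
          Status: ENABLED
      Name: !Ref CodeBuildProjectName
      ServiceRole: !Ref CodeBuildServiceRole
      Source:
        BuildSpec: "CICD/buildspec.yml"
        Type: "CODEPIPELINE"

  # Role the build runs under. NOTE(review): this grants wildcard actions
  # (including iam:*, sts:* and kms:*) on Resource '*', which lets the build
  # create or modify any principal in the account. Scope the IAM/STS/KMS
  # statements to the portfolio stack's resources before production use.
  CodeBuildServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: AWS-CodePipeline-Service-3
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'elasticbeanstalk:*'
                  - 'cloudwatch:*'
                  - 'logs:*'
                  - 's3:*'
                  - 'codecommit:*'
                  - 'cloudformation:*'
                  - 'sts:*'
                  - 'iam:*'
                  - 'lambda:*'
                  - 'kms:*'
                  - 'servicecatalog:*'
                Resource: '*'

  # Role for the pipeline itself. This is the stock CodePipeline service
  # policy; only the codecommit, codebuild and s3 statements are exercised
  # by the two stages above. NOTE(review): iam:PassRole on '*' should be
  # limited to the roles the pipeline actually passes.
  CodePipelineServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: AWS-CodePipeline-Service-3
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'codecommit:CancelUploadArchive'
                  - 'codecommit:GetBranch'
                  - 'codecommit:GetCommit'
                  - 'codecommit:GetUploadArchiveStatus'
                  - 'codecommit:UploadArchive'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'codedeploy:CreateDeployment'
                  - 'codedeploy:GetApplicationRevision'
                  - 'codedeploy:GetDeployment'
                  - 'codedeploy:GetDeploymentConfig'
                  - 'codedeploy:RegisterApplicationRevision'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'codebuild:BatchGetBuilds'
                  - 'codebuild:StartBuild'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'devicefarm:ListProjects'
                  - 'devicefarm:ListDevicePools'
                  - 'devicefarm:GetRun'
                  - 'devicefarm:GetUpload'
                  - 'devicefarm:CreateUpload'
                  - 'devicefarm:ScheduleRun'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'lambda:InvokeFunction'
                  - 'lambda:ListFunctions'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'iam:PassRole'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'elasticbeanstalk:*'
                  - 'ec2:*'
                  - 'elasticloadbalancing:*'
                  - 'autoscaling:*'
                  - 'cloudwatch:*'
                  - 's3:*'
                  - 'sns:*'
                  - 'cloudformation:*'
                  - 'rds:*'
                  - 'sqs:*'
                  - 'ecs:*'
                Resource: '*'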