AWSTemplateFormatVersion: "2010-09-09" Description: > AWS CloudFormation Sample Template Continuous Delievery: This template builds an AWS CodePipeline pipeline that implements a continuous delivery release process for AWS CloudFormation stacks. Submit a CloudFormation source artifact to an Amazon S3 location before building the pipeline. The pipeline uses the artifact to automatically create stacks and change sets. Parameters: PipelineName: Default: iac-network-tester-sample-pipeline Description: Pipeline Name Type: String SourceS3Key: Default: iacnetworktestersamplestack.zip Description: The file name of the source artifact, such as myfolder/myartifact.zip Type: String TemplateFileName: Default: sample-stack-multi-vpc.yml Description: The file name of the network deployment Type: String TestStackName: Default: Test-IaCNetworkTesterSampleInfra Description: A name for the test env Type: String ProdStackName: Default: Prod-IaCNetworkTesterSampleInfra Description: A name for the production env Type: String ChangeSetName: Default: UpdatePreview-IaCNetworkTesterChangeSet Description: A name for the production stack change set Type: String Email: Description: The email address where CodePipeline sends pipeline notifications Type: String IaCNetworkTesterStateMachineArn: Description: Network test state machine Step Functions ARN Type: String IaCNetworkTesterRouteToTestOuputKey: Default: NetworkReachabilityTestPaths Description: The output key of the CloudFormation stack that contains the JSON formatted string for the route to test Type: String IaCNetworkTesterAnalysisDuration: Default: 15 Description: The duration in seconds which specifies the time to wait for the VPC Reachability Analysis to run after initiating the analysis Type: Number IaCNetworkTesterAnalysisWaitCount: Default: 3 Description: The number of times to wait for the analysis to run if after the “analysisDuration“ the test is still running. Each wait is the duration specified in “analysisDuration”. Type: Number Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "CodePipeline Settings" Parameters: - PipelineName - SourceS3Key - Email - Label: default: "Test Stack Settings" Parameters: - TestStackName - TemplateFileName - Label: default: "Production Stack Settings" Parameters: - ChangeSetName - ProdStackName - Label: default: "IaC Network Tester Settings" Parameters: - IaCNetworkTesterStateMachineArn - IaCNetworkTesterRouteToTestOuputKey - IaCNetworkTesterAnalysisDuration - IaCNetworkTesterAnalysisWaitCount Resources: ArtifactStoreBucket: Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled SourceBucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub - ${AccountID}-iac-nt-bucket - AccountID: !Ref AWS::AccountId VersioningConfiguration: Status: Enabled CodePipelineSNSTopic: Type: AWS::SNS::Topic Properties: Subscription: - Endpoint: !Ref Email Protocol: email Pipeline: Type: AWS::CodePipeline::Pipeline Properties: ArtifactStore: Location: !Ref "ArtifactStoreBucket" Type: S3 DisableInboundStageTransitions: [] Name: !Ref "PipelineName" RoleArn: !GetAtt [PipelineRole, Arn] Stages: - Name: S3Source Actions: - Name: TemplateSource ActionTypeId: Category: Source Owner: AWS Provider: S3 Version: "1" Configuration: S3Bucket: !Ref "SourceBucket" S3ObjectKey: !Ref "SourceS3Key" OutputArtifacts: - Name: TemplateSource RunOrder: "1" - Name: TestStage Actions: - Name: CreateStack ActionTypeId: Category: Deploy Owner: AWS Provider: CloudFormation Version: "1" InputArtifacts: - Name: TemplateSource Configuration: ActionMode: REPLACE_ON_FAILURE RoleArn: !GetAtt [CFNRole, Arn] StackName: !Ref TestStackName TemplatePath: !Sub "TemplateSource::${TemplateFileName}" RunOrder: "1" - Name: ExecuteNetworkTest ActionTypeId: Category: Invoke Owner: AWS Provider: StepFunctions Version: 1 Configuration: StateMachineArn: !Ref IaCNetworkTesterStateMachineArn ExecutionNamePrefix: iac-network-tester Input: !Join - "" - - '{"stackName":"' - !Ref TestStackName - '",' - '"routeToTestOutputKey": "' - !Ref IaCNetworkTesterRouteToTestOuputKey - '",' - '"analysisDuration": ' - !Ref IaCNetworkTesterAnalysisDuration - "," - '"analysisWaitCount": ' - !Ref IaCNetworkTesterAnalysisWaitCount - "}" OutputArtifacts: - Name: networkTestOutput RunOrder: "2" - Name: ApproveTestStack ActionTypeId: Category: Approval Owner: AWS Provider: Manual Version: "1" Configuration: NotificationArn: !Ref CodePipelineSNSTopic CustomData: !Sub "Do you want to create a change set against the production stack and delete the ${TestStackName} stack?" RunOrder: "3" - Name: DeleteTestStack ActionTypeId: Category: Deploy Owner: AWS Provider: CloudFormation Version: "1" Configuration: ActionMode: DELETE_ONLY RoleArn: !GetAtt [CFNRole, Arn] StackName: !Ref TestStackName RunOrder: "4" - Name: ProdStage Actions: - Name: CreateChangeSet ActionTypeId: Category: Deploy Owner: AWS Provider: CloudFormation Version: "1" InputArtifacts: - Name: TemplateSource Configuration: ActionMode: CHANGE_SET_REPLACE RoleArn: !GetAtt [CFNRole, Arn] StackName: !Ref ProdStackName ChangeSetName: !Ref ChangeSetName TemplatePath: !Sub "TemplateSource::${TemplateFileName}" RunOrder: "1" - Name: ApproveChangeSet ActionTypeId: Category: Approval Owner: AWS Provider: Manual Version: "1" Configuration: NotificationArn: !Ref CodePipelineSNSTopic CustomData: !Sub "A new change set was created for the ${ProdStackName} stack. Do you want to implement the changes?" RunOrder: "2" - Name: ExecuteChangeSet ActionTypeId: Category: Deploy Owner: AWS Provider: CloudFormation Version: "1" Configuration: ActionMode: CHANGE_SET_EXECUTE ChangeSetName: !Ref ChangeSetName RoleArn: !GetAtt [CFNRole, Arn] StackName: !Ref ProdStackName RunOrder: "3" CFNRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: ["sts:AssumeRole"] Effect: Allow Principal: Service: [cloudformation.amazonaws.com] Version: "2012-10-17" Path: / Policies: - PolicyName: CloudFormationRole PolicyDocument: Version: "2012-10-17" Statement: - Action: - "ec2:*" - "ssm:*" Effect: Allow Resource: "*" PipelineRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: ["sts:AssumeRole"] Effect: Allow Principal: Service: [codepipeline.amazonaws.com] Version: "2012-10-17" Path: / Policies: - PolicyName: NetworkTestStepFunctionAccess PolicyDocument: Version: "2012-10-17" Statement: - Action: - "states:DescribeExecution" - "states:StartExecution" - "states:DescribeStateMachine" - "states:ListExecutions" Effect: Allow Resource: "*" - PolicyName: CodePipelineAccess PolicyDocument: Version: "2012-10-17" Statement: - Action: - "s3:*" - "cloudformation:CreateStack" - "cloudformation:DescribeStacks" - "cloudformation:DeleteStack" - "cloudformation:UpdateStack" - "cloudformation:CreateChangeSet" - "cloudformation:ExecuteChangeSet" - "cloudformation:DeleteChangeSet" - "cloudformation:DescribeChangeSet" - "cloudformation:SetStackPolicy" - "iam:PassRole" - "sns:Publish" Effect: Allow Resource: "*"