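---
# CI/CD pipeline: CodeCommit push -> CodeBuild (docker build, push to ECR) ->
# Lambda (updates a Kubernetes Deployment from the build artifact).
# !Ref / !Sub / !GetAtt are CloudFormation short-form tags; a generic YAML
# loader needs custom constructors for them.
Description: This template deploys a CI/CD pipeline to deploy to a kubernetes cluster

Parameters:
  Name:
    Type: String
    Default: code-service-demo
  TemplateBucket:
    Type: String
    Default: code-service-demo-public
  # Branch that both the Source action and the CloudWatch Events trigger watch.
  BranchName:
    Type: String
    Default: master
  DeploymentName:
    Type: String
    Default: code-service-demo
  ClusterEndpoint:
    Type: String
  LocalBucket:
    Type: String
    Description: This is created from the lambda-copy clouformation and passed to this template

Resources:
  # Pipeline artifact store. Public access is blocked and objects are encrypted
  # at rest; CodePipeline, CodeBuild and the Lambda reach it via their roles.
  ArtifactBucket:
    Type: AWS::S3::Bucket
    # DeletionPolicy: Retain
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  Repository:
    Type: AWS::ECR::Repository
    # DeletionPolicy: Retain
    Properties:
      # Scan every pushed image for known CVEs.
      ImageScanningConfiguration:
        ScanOnPush: true

  # Starts the pipeline on every push to the configured branch.
  CWEventTrigger:
    Type: AWS::Events::Rule
    Properties:
      Description: InvokePipeline
      EventPattern:
        source:
          - "aws.codecommit"
        detail-type:
          - "CodeCommit Repository State Change"
        resources:
          # The event's resources field carries the repository ARN; !Ref on an
          # AWS::CodeCommit::Repository returns the repository ID, so it would
          # never match.
          - !GetAtt CodeCommitRepo.Arn
        detail:
          referenceType:
            - branch
          referenceName:
            # Was hard-coded to master; must match the Source action's branch.
            - !Ref BranchName
      Targets:
        - Arn: !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${Pipeline}'
          Id: Id345
          RoleArn: !GetAtt CodePipelineEventsRole.Arn

  # Events only needs to start this one pipeline, not codepipeline:* on *.
  PermissionForEventsToInvokePipeline:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: EventsRolePolicy
      Roles:
        - !Ref CodePipelineEventsRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - codepipeline:StartPipelineExecution
            Resource: !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${Pipeline}'

  CodePipelineEventsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /

  CodeCommitRepo:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: !Ref Name

  # Permissions for the deployment Lambda (kube-lambda.lambda_handler).
  LambdaCodePipelineExecutionPolicy:
    Type: AWS::IAM::Policy
    DependsOn:
      - CodePipelineLambdaRole
    Properties:
      PolicyName: LambdaRolePolicy
      Roles:
        - !Ref CodePipelineLambdaRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # NOTE(review): which SSM parameters and KMS keys the handler reads is
          # not visible in this template; narrow these two resources once known.
          - Effect: Allow
            Action:
              - ssm:Describe*
              - ssm:Get*
            Resource:
              - '*'
          - Effect: Allow
            Action:
              - kms:Decrypt
            Resource:
              - '*'
          # Only the three actions Lambda needs to write its own log stream,
          # and only in this account/region (was logs:* on arn:aws:logs:*:*:*).
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource:
              - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
          # These two actions do not support resource-level scoping.
          - Effect: Allow
            Action:
              - codepipeline:PutJobSuccessResult
              - codepipeline:PutJobFailureResult
            Resource:
              - '*'
          - Effect: Allow
            Action:
              - s3:GetObject
            Resource:
              - !Sub arn:aws:s3:::${TemplateBucket}/*
              - !Sub arn:aws:s3:::${ArtifactBucket}/*
              - !Sub arn:aws:s3:::${LocalBucket}/*

  CodePipelineLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /

  # Deploy-stage action: reads build.json from the build artifact and updates
  # the Kubernetes Deployment. Code is uploaded to LocalBucket out of band.
  LambdaKubernetesDeployment:
    Type: AWS::Lambda::Function
    DependsOn:
      - CodePipelineLambdaRole
      - LambdaCodePipelineExecutionPolicy
    Properties:
      Code:
        S3Bucket: !Ref LocalBucket
        S3Key: Archive.zip
      Role: !GetAtt 'CodePipelineLambdaRole.Arn'
      Description: Update Kubernetes Deployment
      Timeout: 20
      Handler: kube-lambda.lambda_handler
      # NOTE(review): python3.6 is end-of-life on Lambda; confirm the handler
      # runs on a supported runtime before bumping this.
      Runtime: python3.6
      MemorySize: 128

  # Role assumed by CodePipeline itself. Scoped to the resources defined in
  # this template; no stage uses CloudFormation or passes a role, so the former
  # cloudformation:* and iam:PassRole grants were dropped.
  CodePipelineServiceRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Resource:
                  - !Sub arn:aws:s3:::${ArtifactBucket}/*
                  - !Sub arn:aws:s3:::${TemplateBucket}
                  - !Sub arn:aws:s3:::${TemplateBucket}/*
                Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
              - Resource: !GetAtt CodeBuildProject.Arn
                Effect: Allow
                Action:
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuilds
              # What the CodeCommit source action needs on its one repository.
              - Resource: !GetAtt CodeCommitRepo.Arn
                Effect: Allow
                Action:
                  - codecommit:GetBranch
                  - codecommit:GetCommit
                  - codecommit:UploadArchive
                  - codecommit:GetUploadArchiveStatus
                  - codecommit:CancelUploadArchive
              # The Invoke action calls only the deployment function;
              # ListFunctions is needed for the console and does not support
              # resource-level scoping.
              - Resource: !GetAtt LambdaKubernetesDeployment.Arn
                Effect: Allow
                Action:
                  - lambda:InvokeFunction
              - Resource: "*"
                Effect: Allow
                Action:
                  - lambda:ListFunctions

  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # The project is named after the stack, so its log group is
              # /aws/codebuild/<stack name>.
              - Resource:
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${AWS::StackName}
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${AWS::StackName}:*
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              # GetAuthorizationToken does not support resource-level scoping.
              - Resource: "*"
                Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
              - Resource: !Sub arn:aws:s3:::${ArtifactBucket}/*
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:GetObjectVersion
              - Resource: !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${Repository}
                Effect: Allow
                Action:
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                  - ecr:BatchCheckLayerAvailability
                  - ecr:PutImage
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload

  # Builds the image, tags it with the first 8 chars of the commit SHA, pushes
  # it and emits build.json for the deploy Lambda.
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Location: !Ref ArtifactBucket
        Type: "S3"
      Source:
        Location: !Sub ${ArtifactBucket}/source.zip
        Type: "S3"
        # NOTE(review): `aws ecr get-login` exists only in AWS CLI v1 and the
        # curated docker:1.12.1 image is retired; both need revisiting when the
        # build image is updated.
        BuildSpec: |
          version: 0.2
          phases:
            pre_build:
              commands:
                - $(aws ecr get-login)
                - TAG="$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | head -c 8)"
            build:
              commands:
                - docker build --tag "${REPOSITORY_URI}:${TAG}" .
            post_build:
              commands:
                - docker push "${REPOSITORY_URI}:${TAG}"
                - printf '{"tag":"%s","repository-uri":"%s","template-bucket":"%s","deployment-name":"%s","cluster-endpoint":"%s"}' $TAG $REPOSITORY_URI $TEMPLATE_BUCKET $DEPLOYMENT_NAME $CLUSTER_ENDPOINT > build.json
          artifacts:
            files: build.json
      Environment:
        ComputeType: "BUILD_GENERAL1_SMALL"
        Image: "aws/codebuild/docker:1.12.1"
        Type: "LINUX_CONTAINER"
        EnvironmentVariables:
          - Name: AWS_DEFAULT_REGION
            Value: !Ref AWS::Region
          - Name: REPOSITORY_URI
            Value: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${Repository}
          - Name: TEMPLATE_BUCKET
            Value: !Ref TemplateBucket
          - Name: DEPLOYMENT_NAME
            Value: !Ref DeploymentName
          - Name: CLUSTER_ENDPOINT
            Value: !Ref ClusterEndpoint
      Name: !Ref AWS::StackName
      ServiceRole: !Ref CodeBuildServiceRole

  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      RoleArn: !GetAtt CodePipelineServiceRole.Arn
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket
      Stages:
        - Name: Source
          Actions:
            - Name: App
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: "1"
                Provider: CodeCommit
              Configuration:
                RepositoryName: !GetAtt CodeCommitRepo.Name
                BranchName: !Ref BranchName
              OutputArtifacts:
                - Name: App
              RunOrder: 1
        - Name: Build
          Actions:
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: "1"
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref CodeBuildProject
              InputArtifacts:
                - Name: App
              OutputArtifacts:
                - Name: BuildOutput
              RunOrder: 1
        - Name: Deploy
          Actions:
            - Name: UpdateDeployment
              ActionTypeId:
                Category: Invoke
                Owner: AWS
                Version: "1"
                Provider: Lambda
              Configuration:
                FunctionName: !Ref LambdaKubernetesDeployment
              InputArtifacts:
                - Name: BuildOutput
              RunOrder: 1

Outputs:
  CodeCommitRepo:
    Value: !GetAtt CodeCommitRepo.CloneUrlHttp
    Description: http url for codecommit repository
  PipelineUrl:
    Value: !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline}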