Parameters: AppStackName: Type: String Description: "The name of the CloudFormation stack you have deployed your application to." Default: railsconf2019 PipelineName: Type: String Description: "Name of the CodePipeline to create." SourceBucketName: Type: String Description: "S3 bucket name to use for the source code." SourceZipKey: Type: String Description: "S3 key in the Source Bucket where source code is stored." Default: railsconf-source.zip Resources: SourceCodeBucket: Type: AWS::S3::Bucket Properties: BucketName: !Ref SourceBucketName VersioningConfiguration: Status: Enabled DeletionPolicy: Retain LambdaPipelineArtifactsBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain LambdaPipelineRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: codepipeline.amazonaws.com Version: "2012-10-17" LambdaPipelineRoleDefaultPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:DeleteObject* - s3:PutObject* - s3:Abort* Effect: Allow Resource: - Fn::GetAtt: - LambdaPipelineArtifactsBucket - Arn - Fn::Join: - "" - - Fn::GetAtt: - LambdaPipelineArtifactsBucket - Arn - /* - Action: - s3:GetObject* - s3:GetBucket* - s3:List* Effect: Allow Resource: - Fn::GetAtt: - SourceCodeBucket - Arn - Fn::Join: - "" - - Fn::GetAtt: - SourceCodeBucket - Arn - /* - Action: - codebuild:BatchGetBuilds - codebuild:StartBuild - codebuild:StopBuild Effect: Allow Resource: Fn::GetAtt: - BuildProject - Arn - Action: iam:PassRole Effect: Allow Resource: Fn::GetAtt: - CloudFormationDeploymentRole - Arn - Action: - cloudformation:CreateStack - cloudformation:DescribeStack* - cloudformation:GetStackPolicy - cloudformation:GetTemplate* - cloudformation:SetStackPolicy - cloudformation:UpdateStack - cloudformation:ValidateTemplate Effect: Allow Resource: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":cloudformation:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - ":stack/" - Ref: AppStackName - "/*" Version: "2012-10-17" PolicyName: LambdaPipelineRoleDefaultPolicy Roles: - Ref: LambdaPipelineRole LambdaPipeline: Type: AWS::CodePipeline::Pipeline Properties: RoleArn: Fn::GetAtt: - LambdaPipelineRole - Arn Stages: - Actions: - ActionTypeId: Category: Source Owner: AWS Provider: S3 Version: "1" Configuration: S3Bucket: Ref: SourceCodeBucket S3ObjectKey: !Ref SourceZipKey PollForSourceChanges: true InputArtifacts: [] Name: S3Source OutputArtifacts: - Name: Artifact_InfrastructureStackS3Source RunOrder: 1 Name: Source - Actions: - ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: "1" Configuration: ProjectName: Ref: BuildProject InputArtifacts: - Name: Artifact_InfrastructureStackS3Source Name: BuildAction OutputArtifacts: - Name: Artifact_InfrastructureStackBuildAction RunOrder: 1 Name: Build - Actions: - ActionTypeId: Category: Deploy Owner: AWS Provider: CloudFormation Version: "1" Configuration: StackName: !Ref AppStackName ActionMode: CREATE_UPDATE TemplatePath: Artifact_InfrastructureStackBuildAction::packaged.yaml Capabilities: CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND RoleArn: Fn::GetAtt: - CloudFormationDeploymentRole - Arn InputArtifacts: - Name: Artifact_InfrastructureStackBuildAction Name: CloudFrontDeployment OutputArtifacts: [] RunOrder: 1 Name: Deploy ArtifactStore: Location: Ref: LambdaPipelineArtifactsBucket Type: S3 Name: !Ref PipelineName DependsOn: - LambdaPipelineRole - LambdaPipelineRoleDefaultPolicy BuildProjectRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: codebuild.amazonaws.com Version: "2012-10-17" BuildProjectRoleDefaultPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":logs:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - :log-group:/aws/codebuild/ - Ref: BuildProject - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":logs:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - :log-group:/aws/codebuild/ - Ref: BuildProject - :* - Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:DeleteObject* - s3:PutObject* - s3:Abort* Effect: Allow Resource: - Fn::GetAtt: - LambdaPipelineArtifactsBucket - Arn - Fn::Join: - "" - - Fn::GetAtt: - LambdaPipelineArtifactsBucket - Arn - /* - Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:DeleteObject* - s3:PutObject* - s3:Abort* Effect: Allow Resource: - Fn::GetAtt: - SourceCodeBucket - Arn - Fn::Join: - "" - - Fn::GetAtt: - SourceCodeBucket - Arn - /* Version: "2012-10-17" PolicyName: BuildProjectRoleDefaultPolicy Roles: - Ref: BuildProjectRole BuildProject: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: CODEPIPELINE Environment: ComputeType: BUILD_GENERAL1_SMALL Image: aws/codebuild/ruby:2.5.3 PrivilegedMode: false Type: LINUX_CONTAINER EnvironmentVariables: - Name: SOURCE_BUCKET_NAME Value: !Ref SourceBucketName ServiceRole: Fn::GetAtt: - BuildProjectRole - Arn Source: BuildSpec: buildspec.yml Type: CODEPIPELINE CloudFormationDeploymentRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: cloudformation.amazonaws.com Version: "2012-10-17" CloudFormationDeploymentRoleDefaultPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: "*" Effect: Allow Resource: "*" Version: "2012-10-17" PolicyName: CloudFormationDeploymentRoleDefaultPolicy Roles: - Ref: CloudFormationDeploymentRole