AWSTemplateFormatVersion: "2010-09-09"
Description: This template will launch the Modernization Workshop CI/CD Pipeline.

# It should only be necessary to update the parameters
# run this stack as below but sub for {WORKSHOP NAME} with the workshop/company name and set the value
# of CloudFrontDistroId resulting from the S3 + CloudFront CloudFormation template.

# aws cloudformation create-stack --stack-name {WORKSHOP NAME}-Website-Pipeline --template-body file://pipeline.yaml --capabilities CAPABILITY_NAMED_IAM

Parameters:
  ProjectName:
    Type: String
    Description: Project Name
    Default: jfrog
  WebsiteBucket:
    Type: String
    Description: Website S3 bucket name
    Default: jfrog.awsworkshop.io
  CloudFrontDistroId:
    Type: String
    Description: CloudFront distribution ID 
    Default: E3LE4WC0QATFUK
  GitHubRepo:
    Type: String
    Description: repo name
    Default: aws-modernization-with-jfrog
  FullRepoURL:
    Type: String
    Description: The full url to the repo
    Default: https://github.com/aws-samples/aws-modernization-with-jfrog.git  
  GitHubOwner:
    Type: String
    Description: GitHub owner name
    Default: aws-samples  
  
Resources:
  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Resource: "*"
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              - Resource: !Sub arn:aws:s3:::${ArtifactBucket}/*
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:GetObjectVersion
              - Resource: 
                - !Sub arn:aws:s3:::${WebsiteBucket}/*
                - !Sub arn:aws:s3:::${WebsiteBucket}
                Effect: Allow
                Action:
                  - s3:*
              - Effect: Allow
                Action:
                  - cloudfront:CreateInvalidation
                Resource: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistroId}

  CodePipelineServiceRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Resource:
                  - !Sub arn:aws:s3:::${ArtifactBucket}/*
                Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
              - Resource: "*"
                Effect: Allow
                Action:
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuilds
                  - iam:PassRole

  ArtifactBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: CODEPIPELINE
      Source:
        Type: CODEPIPELINE
        BuildSpec: webspec.yml
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:2.0
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: AWS_DEFAULT_REGION
            Value: !Ref AWS::Region
          - Name: FULL_REPO_URL
            Value: !Ref FullRepoURL
          - Name: WEB_SITE_BUCKET
            Value: !Ref WebsiteBucket
          - Name: CLOUDFRONT_DISTRO_ID
            Value: !Ref CloudFrontDistroId
        PrivilegedMode: true
      Name: !Join ['', [!Ref 'ProjectName', '-Workshop-website']]
      ServiceRole: !Ref CodeBuildServiceRole
                     
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      RoleArn: !GetAtt CodePipelineServiceRole.Arn
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket
      Stages:
        - Name: Source
          Actions:
            - Name: Source
              ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Version: '1'
                Provider: GitHub
              Configuration:
                Owner: !Ref GitHubOwner
                Repo: !Ref GitHubRepo
                Branch: main
                PollForSourceChanges: false
                OAuthToken: '{{resolve:secretsmanager:GitHub/WorkshopOwnerToken:SecretString:OwnerToken}}'
              OutputArtifacts:
                - Name: SourceCode
              RunOrder: 1
        - Name: Build
          Actions:
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref CodeBuildProject
              InputArtifacts:
                - Name: SourceCode
              OutputArtifacts:
                - Name: BuildOutput
              RunOrder: 1
    
  GithubWebhook:
    Type: 'AWS::CodePipeline::Webhook'
    Properties:
      Authentication: GITHUB_HMAC
      AuthenticationConfiguration:
        SecretToken: '{{resolve:secretsmanager:GitHub/WorkshopOwnerToken:SecretString:OwnerToken}}'
      RegisterWithThirdParty: true
      Filters:
      - JsonPath: "$.ref"
        MatchEquals: refs/heads/{Branch}
      TargetPipeline: !Ref Pipeline
      TargetAction: Source
      TargetPipelineVersion: !GetAtt Pipeline.Version

Outputs:
  PipelineUrl:
    Value: !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline}