# Copyright 2022 Amazon.com and its affiliates; all rights reserved. This file is Amazon Web Services Content and may not be duplicated or distributed without permission. AWSTemplateFormatVersion: "2010-09-09" Description: "CodePipeline for Mend Workshop" Parameters: #default names and locations StaticAssetsBucket: Default: "mend-aws-workshop" Description: Bucket for demo app source code Type: String AppZipSourceKey: Default: "easybuggy.zip" Description: S3 key for the zip file containing the buildspec.yml and source code Type: String AppRepositoryName: Default: easybuggy Type: String RenovateZipSourceKey: Default: "mend-renovate.zip" Description: S3 key for the zip file containing the buildspec.yml Type: String RenovateRepositoryName: Default: mend-renovate Type: String SecretsManagerName: Default: Mend Type: String AppCodeBuildProjectName: Default: CI-easybuggy Type: String RenovateCodeBuildProjectName: Default: SC-mend-renovate Type: String RenovateEventBridgeRuleName: Default: sched-mend-renovate Type: String RenovateScheduleExpression: Default: cron(55 * * * ? *) Type: String #mandatory input parameters WSAPIKEY: Type: String WSUSERKEY: Type: String Resources: CodePipelineArtifactBucket: Type: AWS::S3::Bucket DeletionPolicy: Delete AppImage: Type: AWS::ECR::Repository AppRepo: Type: AWS::CodeCommit::Repository Properties: RepositoryName: !Ref AppRepositoryName RepositoryDescription: AWS Mend workshop demo project Code: S3: Bucket: !Ref StaticAssetsBucket Key: !Join - '' - - !Ref AppZipSourceKey RenovateRepo: Type: AWS::CodeCommit::Repository Properties: RepositoryName: !Ref RenovateRepositoryName RepositoryDescription: Mend Renovate for CodeCommit Code: S3: Bucket: !Ref StaticAssetsBucket Key: !Join - '' - - !Ref RenovateZipSourceKey RenovateCodeBuildProject: Type: AWS::CodeBuild::Project Properties: Name: !Ref AppCodeBuildProjectName Artifacts: Type: NO_ARTIFACTS Source: Type: "CODECOMMIT" Location: !Sub - "https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${RepoName}" - RepoName: !Ref RenovateRepositoryName BuildSpec: "buildspec.yml" Environment: ComputeType: "BUILD_GENERAL1_SMALL" Image: "aws/codebuild/standard:5.0" Type: "LINUX_CONTAINER" Name: !Ref RenovateCodeBuildProjectName ServiceRole: !Ref RenovateCodeBuildServiceRole ScheduledEvent: Type: AWS::Events::Rule Properties: Name: !Ref RenovateEventBridgeRuleName ScheduleExpression: !Ref RenovateScheduleExpression State: ENABLED Targets: - Arn: !GetAtt - RenovateCodeBuildProject - Arn Id: RenovateCodeBuildProjectTarget RoleArn: !GetAtt - EventBridgeIAMrole - Arn EventBridgeIAMrole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - "events.amazonaws.com" Action: 'sts:AssumeRole' Path: / Policies: - PolicyName: root PolicyDocument: Version: 2012-10-17 Statement: - Resource: "*" Effect: Allow Action: - codebuild:StartBuild AppCodeBuildProject: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: "CODEPIPELINE" Source: Type: "CODEPIPELINE" BuildSpec: "buildspec.yml" Environment: PrivilegedMode: true ComputeType: "BUILD_GENERAL1_SMALL" Image: "aws/codebuild/standard:5.0" Type: "LINUX_CONTAINER" EnvironmentVariables: - Name: AWS_ACCOUNT_ID Value: !Ref AWS::AccountId Type: PLAINTEXT - Name: REPOSITORY_URI Value: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${AppImage} Type: PLAINTEXT Name: !Ref AppCodeBuildProjectName ServiceRole: !Ref CodePipelineServiceRole AppPipeline: Type: AWS::CodePipeline::Pipeline Properties: ArtifactStore: Type: S3 Location: !Ref CodePipelineArtifactBucket Name: !Sub ${AWS::StackName} RoleArn: !GetAtt CodePipelineServiceRole.Arn Stages: - Name: 'Source' Actions: - Name: 'Source' ActionTypeId: Category: 'Source' Owner: 'AWS' Version: '1' Provider: CodeCommit OutputArtifacts: - Name: SourceArtifact Configuration: BranchName: main RepositoryName: !Ref AppRepositoryName RunOrder: 1 - Name: 'Build_App_Container' Actions: - Name: CodeBuild ActionTypeId: Category: Build Owner: AWS Version: 1 Provider: CodeBuild InputArtifacts: - Name: SourceArtifact OutputArtifacts: - Name: BuildArtifact Configuration: ProjectName: !Ref AppCodeBuildProject RunOrder: 1 WorkshopSecret: Type: AWS::SecretsManager::Secret Properties: Description: Mend Access Keys Name: !Ref SecretsManagerName SecretString: !Sub - '{"WS_APIKEY": "${APIKEY}","WS_USERKEY": "${USERKEY}"}' - APIKEY: !Ref WSAPIKEY USERKEY: !Ref WSUSERKEY # CodePipeline does not automatically create this for you as part of # creation, but this role is for the CWE Hook to trigger CodePipeline once # there's an update in CodeCommit. Otherwise, we have to have CodePipeline # poll for changes, which is slower. PipelineCloudWatchEventRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - events.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: cwe-pipeline-execution PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: codepipeline:StartPipelineExecution Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${AppPipeline} RenovateCodeBuildServiceRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - "cloudformation.amazonaws.com" - "codedeploy.amazonaws.com" - "codebuild.amazonaws.com" Action: - "sts:AssumeRole" Policies: - PolicyName: root PolicyDocument: Version: 2012-10-17 Statement: - Resource: "*" Effect: Allow Action: - codebuild:StartBuild - codebuild:BatchGetBuilds - iam:PassRole - iam:CreateRole - iam:DetachRolePolicy - iam:AttachRolePolicy - iam:PutRolePolicy - cloudwatch:* - logs:* - PolicyName: RenovateForCodeCommit PolicyDocument: Version: 2012-10-17 Statement: - Resource: "*" Effect: Allow Action: # https://docs.renovatebot.com/modules/platform/codecommit/#permissions - codecommit:DeleteCommentContent - codecommit:UpdatePullRequestDescription - codecommit:GitPull - codecommit:ListPullRequests - codecommit:GetCommentsForPullRequest - codecommit:ListRepositories - codecommit:UpdatePullRequestTitle - codecommit:GetFile - codecommit:UpdateComment - codecommit:GetRepository - codecommit:CreatePullRequest - codecommit:CreatePullRequestApprovalRule - codecommit:GitPush - codecommit:UpdatePullRequestStatus - codecommit:GetPullRequest - secretsmanager:GetSecretValue - secretsmanager:DescribeSecret # This role is used by CodePipeline to trigger deployments CodePipelineServiceRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - "codepipeline.amazonaws.com" - "cloudformation.amazonaws.com" - "codedeploy.amazonaws.com" - "codebuild.amazonaws.com" Action: - "sts:AssumeRole" Policies: - PolicyName: root PolicyDocument: Version: 2012-10-17 Statement: - Resource: "*" Effect: Allow Action: - s3:GetObject - s3:GetObjectVersion - s3:GetBucketVersioning - Resource: "arn:aws:s3:::*" Effect: Allow Action: - s3:PutObject # - Resource: "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" - Resource: "*" Effect: Allow Action: - secretsmanager:GetSecretValue - secretsmanager:DescribeSecret - Resource: "*" Effect: Allow Action: - codecommit:* - codebuild:StartBuild - codebuild:BatchGetBuilds - iam:PassRole - iam:CreateRole - iam:DetachRolePolicy - iam:AttachRolePolicy - iam:PassRole - iam:PutRolePolicy - cloudwatch:* - Resource: "*" Effect: Allow Action: - ecs:* - Resource: "*" Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - ecr:GetAuthorizationToken - Resource: !Sub arn:aws:s3:::${CodePipelineArtifactBucket}/* Effect: Allow Action: - s3:GetObject - s3:PutObject - s3:GetObjectVersion - Resource: - !Sub arn:aws:s3:::codepipeline-${AWS::Region}-* Effect: Allow Action: - s3:PutObject - s3:GetObject - s3:GetObjectVersion - Effect: Allow Action: - ecr:* Resource: - !GetAtt AppImage.Arn - Effect: Allow Action: - lambda:InvokeFunction Resource: "*"