--- AWSTemplateFormatVersion: 2010-09-09 Parameters: Name: Type: String ParentDomain: Type: String FullyQualifiedDomainName: Type: String CodeCommitRepoName: Type: String SecretsManagerSigningARN: Type: String SecretsManagerBackchannelARN: Type: String SecretsManagerEncryptionARN: Type: String SecretsManagerLDAPSettingsARN: Type: String SecretsManagerSealerKeyARN: Type: String RepoSourceBucket: Type: String Default: aws-shibboleth-reference-architecture Description: > The S3 bucket from which to fetch the templates used by this stack. RepoSourceFolder: Type: String Default: '' Cluster: Type: String Service: Type: String Resources: CodeCommitRepo: Type: AWS::CodeCommit::Repository Properties: RepositoryDescription: Main code repository for holding the Docker build files for the Shibboleth reference architecture RepositoryName: !Ref CodeCommitRepoName Code: BranchName: main S3: Bucket: !Ref RepoSourceBucket Key: !Sub '${RepoSourceFolder}repo/code.zip' ECRRepo: Type: AWS::ECR::Repository Properties: RepositoryName: !Ref CodeCommitRepoName CodeBuildServiceRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: codebuild.amazonaws.com Action: sts:AssumeRole CodeBuildServiceRolePolicy: Type: AWS::IAM::Policy Properties: PolicyName: !Sub ${Name}-CodeBuildServiceRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Resource: !GetAtt CodeBuildServiceRole.Arn Effect: Allow Action: - sts:AssumeRole - Resource: "*" Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - ecr:GetAuthorizationToken - Resource: !Sub arn:aws:s3:::${ArtifactBucket}/* Effect: Allow Action: - s3:GetObject - s3:PutObject - s3:GetObjectVersion - Resource: !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${ECRRepo} Effect: Allow Action: - ecr:GetDownloadUrlForLayer - ecr:BatchGetImage - ecr:BatchCheckLayerAvailability - ecr:PutImage - ecr:InitiateLayerUpload - ecr:UploadLayerPart - ecr:CompleteLayerUpload - Resource: - !Ref SecretsManagerSigningARN - !Ref SecretsManagerBackchannelARN - !Ref SecretsManagerEncryptionARN - !Ref SecretsManagerLDAPSettingsARN Effect: Allow Action: - secretsmanager:GetResourcePolicy - secretsmanager:GetSecretValue - secretsmanager:PutSecretValue - secretsmanager:DescribeSecret - secretsmanager:ListSecretVersionIds Roles: - !Ref CodeBuildServiceRole CodePipelineServiceRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: codepipeline.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: root PolicyDocument: Version: 2012-10-17 Statement: - Resource: - !Sub arn:aws:s3:::${ArtifactBucket}/* Effect: Allow Action: - s3:PutObject - s3:GetObject - s3:GetObjectVersion - s3:GetBucketVersioning - Resource: !GetAtt CodeCommitRepo.Arn Effect: Allow Action: - codecommit:GetCommit - codecommit:GetUploadArchiveStatus - codecommit:GetBranch - codecommit:UploadArchive - Resource: "*" Effect: Allow Action: - ecs:DescribeServices - ecs:DescribeTaskDefinition - ecs:DescribeTasks - ecs:ListTasks - ecs:RegisterTaskDefinition - ecs:UpdateService - codebuild:StartBuild - codebuild:BatchGetBuilds - iam:PassRole AmazonCloudWatchEventRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - events.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: cwe-pipeline-execution PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: codepipeline:StartPipelineExecution Resource: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref Pipeline ] ] AmazonCloudWatchEventRule: Type: AWS::Events::Rule Properties: EventPattern: source: - aws.codecommit detail-type: - 'CodeCommit Repository State Change' resources: - !Join [ '', [ 'arn:aws:codecommit:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref CodeCommitRepoName ] ] detail: event: - referenceCreated - referenceUpdated referenceType: - branch referenceName: - main Targets: - Arn: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref Pipeline ] ] RoleArn: !GetAtt AmazonCloudWatchEventRole.Arn Id: codepipeline-AppPipeline ArtifactBucket: Type: AWS::S3::Bucket CodeBuildProject: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: CODEPIPELINE Source: Type: CODEPIPELINE BuildSpec: | version: 0.2 phases: install: runtime-versions: nodejs: 12 commands: - TEMP_ROLE=`aws sts assume-role --role-arn $CODE_BUILD_SERVICE_ROLE_ARN --role-session-name test` - export TEMP_ROLE - echo $TEMP_ROLE - export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId') - export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') - export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken') - echo $AWS_ACCESS_KEY_ID - echo $AWS_SECRET_ACCESS_KEY - echo $AWS_SESSION_TOKEN - echo $PARENT_DOMAIN - echo $FULLY_QUALIFIED_DOMAIN_NAME pre_build: commands: - $(aws ecr get-login --no-include-email) - TAG="$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | head -c 8)" - IMAGE_URI="${REPOSITORY_URI}:${TAG}" build: commands: - docker build --build-arg AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION --build-arg AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID --build-arg AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY --build-arg AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN --build-arg PARENT_DOMAIN=$PARENT_DOMAIN --build-arg FULLY_QUALIFIED_DOMAIN_NAME=$FULLY_QUALIFIED_DOMAIN_NAME --build-arg SECRETS_MANAGER_SIGNING_ARN=$SECRETS_MANAGER_SIGNING_ARN --build-arg SECRETS_MANAGER_BACKCHANNEL_ARN=$SECRETS_MANAGER_BACKCHANNEL_ARN --build-arg SECRETS_MANAGER_ENCRYPTION_ARN=$SECRETS_MANAGER_ENCRYPTION_ARN --build-arg SECRETS_MANAGER_LDAP_SETTINGS_ARN=$SECRETS_MANAGER_LDAP_SETTINGS_ARN --build-arg SECRETS_MANAGER_SEALER_KEY_ARN=$SECRETS_MANAGER_SEALER_KEY_ARN --tag "$IMAGE_URI" ./ post_build: commands: - docker push "$IMAGE_URI" - printf '[{"name":"shibboleth-idp","imageUri":"%s"}]' "$IMAGE_URI" > images.json artifacts: files: images.json Environment: ComputeType: BUILD_GENERAL1_SMALL Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 Type: LINUX_CONTAINER PrivilegedMode: true EnvironmentVariables: - Name: AWS_DEFAULT_REGION Value: !Ref AWS::Region - Name: CODE_BUILD_SERVICE_ROLE_ARN Value: !GetAtt CodeBuildServiceRole.Arn - Name: PARENT_DOMAIN Value: !Ref ParentDomain - Name: FULLY_QUALIFIED_DOMAIN_NAME Value: !Ref FullyQualifiedDomainName - Name: REPOSITORY_URI Value: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ECRRepo} - Name: SECRETS_MANAGER_SIGNING_ARN Value: !Ref SecretsManagerSigningARN - Name: SECRETS_MANAGER_BACKCHANNEL_ARN Value: !Ref SecretsManagerBackchannelARN - Name: SECRETS_MANAGER_ENCRYPTION_ARN Value: !Ref SecretsManagerEncryptionARN - Name: SECRETS_MANAGER_LDAP_SETTINGS_ARN Value: !Ref SecretsManagerLDAPSettingsARN - Name: SECRETS_MANAGER_SEALER_KEY_ARN Value: !Ref SecretsManagerSealerKeyARN Name: !Ref Name ServiceRole: !Ref CodeBuildServiceRole Pipeline: Type: AWS::CodePipeline::Pipeline Properties: RoleArn: !GetAtt CodePipelineServiceRole.Arn ArtifactStore: Type: S3 Location: !Ref ArtifactBucket Stages: - Name: Source Actions: - Name: ShibbolethIdP ActionTypeId: Category: Source Owner: AWS Provider: CodeCommit Version: 1 Configuration: BranchName: main PollForSourceChanges: false RepositoryName: !Ref 'CodeCommitRepoName' InputArtifacts: [] Name: ApplicationSource OutputArtifacts: - Name: ShibbolethIdPSource RunOrder: 1 - Name: Build Actions: - Name: Build ActionTypeId: Category: Build Owner: AWS Version: 1 Provider: CodeBuild Configuration: ProjectName: !Ref CodeBuildProject InputArtifacts: - Name: ShibbolethIdPSource OutputArtifacts: - Name: ShibbolethIdPBuild RunOrder: 1 - Name: Deploy Actions: - Name: Deploy ActionTypeId: Category: Deploy Owner: AWS Version: 1 Provider: ECS Configuration: ClusterName: !Ref Cluster ServiceName: !Ref Service FileName: images.json InputArtifacts: - Name: ShibbolethIdPBuild RunOrder: 1 Outputs: PipelineUrl: Value: !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline}