AWSTemplateFormatVersion: '2010-09-09'
Description: "CodeBuild project to validate CloudFormation templates and policies for Backup & Recovery with AWS Backup solution"

Parameters:
  # Customer Specific Tags - Example
  BusinessUnit:
    Description: Business Unit Name
    Type: String
    MinLength: '1'
    MaxLength: '255'
    AllowedValues:
      - Marketing
      - Engineering
      - R&D
    ConstraintDescription: Must be a valid business unit
    Default: Engineering
  CostCenter:
    Description: Cost Center for AWS Services
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: '00000'
  Environment:
    Description: Environment
    Type: String
    AllowedValues:
      - Development
      - QA
      - Production
    ConstraintDescription: Must be a valid environment.
    Default: Development
  ApplicationOwner:
    Description: Email address of application owner
    Type: String
    Default: someone@example.com
  Application:
    Description: Application Name
    Type: String
    Default: Backup and Recovery with AWS Backup

Resources:
  CodeBuildValidateTemplates:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: AWSBackup-ValidateTemplates
      Description: Validate CloudFormation templates with cfn_nag
      ServiceRole:
        Fn::GetAtt:
          - CodeBuildRole
          - Arn
      Artifacts:
        Type: CODEPIPELINE
      # Build artifacts are encrypted with the pipeline's customer-managed KMS key
      # (exported by the pipeline stack) instead of the default CodeBuild key.
      EncryptionKey:
        Fn::ImportValue: "aws-backup-codepipeline-kms-arn"
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
      Source:
        Type: CODEPIPELINE
        BuildSpec: codebuild/ValidateTemplates/buildspec-cfnnag.yml
      TimeoutInMinutes: 10
      Tags:
        - Key: Application
          Value: !Ref Application
        - Key: BusinessUnit
          Value: !Ref BusinessUnit
        - Key: CostCenter
          Value: !Ref CostCenter
        - Key: Environment
          Value: !Ref Environment
        - Key: ApplicationOwner
          Value: !Ref ApplicationOwner

  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      Description: CodeBuild service role for static analysis of templates.
      # Trust policy: only the CodeBuild service may assume this role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CodeBuildManageS3Artifacts
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read and write pipeline artifacts in the solution's artifact bucket
              # and in buckets created by taskcat test runs (prefix wildcard).
              # s3:PutObjectAcl is only required if the artifact bucket insists on
              # object ACLs such as bucket-owner-full-control; drop it otherwise.
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:PutObjectAcl
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
                Resource:
                  - Fn::ImportValue: "aws-backup-s3-bucket-arn"
                  - Fn::Sub:
                      - "${bucketarn}/*"
                      - bucketarn:
                          Fn::ImportValue: "aws-backup-s3-bucket-arn"
                  - Fn::Sub: arn:aws:s3:::taskcat-*
              # Build logs. The wildcard covers every CodeBuild log group in the
              # account; it can be narrowed to this project's own group
              # (/aws/codebuild/AWSBackup-ValidateTemplates*) if desired.
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                Resource:
                  - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*
              # Encrypt and decrypt artifacts with the pipeline's KMS key only.
              - Effect: Allow
                Action:
                  - 'kms:Encrypt'
                  - 'kms:Decrypt'
                  - 'kms:ReEncrypt*'
                  - 'kms:GenerateDataKey*'
                  - 'kms:DescribeKey'
                Resource:
                  Fn::ImportValue: "aws-backup-codepipeline-kms-arn"
      Tags:
        - Key: Application
          Value: !Ref Application
        - Key: BusinessUnit
          Value: !Ref BusinessUnit
        - Key: CostCenter
          Value: !Ref CostCenter
        - Key: Environment
          Value: !Ref Environment
        - Key: ApplicationOwner
          Value: !Ref ApplicationOwner
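The project above exists to run static analysis (cfn_nag) over templates before they are deployed. As an added example, not code from the solution or from cfn_nag, the following Python applies a few least-privilege rules of the same kind to the IAM roles of a template that has already been loaded into a dict: it fails on wildcard principals, actions or resources, and warns on prefix-wildcard ARNs and on actions such as `s3:PutObjectAcl` that a build rarely needs. The rule set, the `SENSITIVE_ACTIONS` list and `SAMPLE_TEMPLATE` are assumptions made for the example; the sample mirrors the `CodeBuildRole` in this template plus a deliberately over-broad role so both outcomes are visible. Only the standard library is used, so it runs offline.

```python
"""Least-privilege checks over AWS::IAM::Role resources in a CloudFormation
template loaded as a dict. Added example, not part of the Backup & Recovery
with AWS Backup solution and not cfn_nag itself."""
from typing import Any, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (resource name, severity, message)

# Assumption for this example: actions a template-validation build should not
# need even when their Resource is scoped.
SENSITIVE_ACTIONS = {"s3:PutObjectAcl", "s3:PutBucketPolicy", "iam:PassRole"}


def as_list(value: Any) -> list:
    """IAM accepts Statement/Action/Resource/Principal as a scalar or a list
    (this template's trust policy uses a bare object); normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def resource_string(resource: Any) -> Optional[str]:
    """Literal ARN pattern for a string or a single-string Fn::Sub; None for
    anything (Fn::ImportValue, Ref, list-form Fn::Sub) resolved only at deploy time."""
    if isinstance(resource, str):
        return resource
    if isinstance(resource, dict) and isinstance(resource.get("Fn::Sub"), str):
        return resource["Fn::Sub"]
    return None


def check_trust_policy(name: str, doc: dict) -> List[Finding]:
    """Fail if any Allow statement lets an anonymous or any-account principal assume the role."""
    findings: List[Finding] = []
    for stmt in as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))):
            findings.append((name, "FAIL", "trust policy allows any principal to assume the role"))
    return findings


def check_policy(name: str, policy_name: str, doc: dict) -> List[Finding]:
    """Flag wildcard actions/resources and sensitive actions in an inline policy."""
    findings: List[Finding] = []
    for stmt in as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((name, "FAIL", f"{policy_name}: wildcard action {action!r}"))
            elif action in SENSITIVE_ACTIONS:
                findings.append((name, "WARN", f"{policy_name}: {action} is broader than artifact read/write needs"))
        for resource in as_list(stmt.get("Resource")):
            arn = resource_string(resource)
            if arn is None:
                continue  # value is resolved at deploy time; nothing to judge statically
            if arn == "*":
                findings.append((name, "FAIL", f"{policy_name}: Resource '*'"))
            elif "*" in arn:
                findings.append((name, "WARN", f"{policy_name}: wildcard resource {arn!r}"))
    return findings


def audit_template(template: dict) -> List[Finding]:
    """Run both checks over every AWS::IAM::Role in the template."""
    findings: List[Finding] = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        findings += check_trust_policy(name, props.get("AssumeRolePolicyDocument", {}))
        for policy in as_list(props.get("Policies")):
            findings += check_policy(name, policy.get("PolicyName", "?"), policy.get("PolicyDocument", {}))
    return findings


# Constructed sample input: the CodeBuildRole from this template (abridged)
# and a deliberately over-privileged role, so both WARN and FAIL show up.
SAMPLE_TEMPLATE = {
    "Resources": {
        "CodeBuildRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": {"Effect": "Allow",
                                  "Principal": {"Service": "codebuild.amazonaws.com"},
                                  "Action": "sts:AssumeRole"},
                },
                "Policies": [{
                    "PolicyName": "CodeBuildManageS3Artifacts",
                    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                        {"Effect": "Allow",
                         "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
                         "Resource": [{"Fn::ImportValue": "aws-backup-s3-bucket-arn"},
                                      {"Fn::Sub": "arn:aws:s3:::taskcat-*"}]},
                        {"Effect": "Allow",
                         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                         "Resource": {"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*"}},
                    ]},
                }],
            },
        },
        "TooBroadRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]},
                "Policies": [{"PolicyName": "Admin", "PolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
            },
        },
    }
}

if __name__ == "__main__":
    for role, severity, message in audit_template(SAMPLE_TEMPLATE):
        print(f"{severity:4} {role}: {message}")
```

Against the sample, `CodeBuildRole` produces warnings only (the `taskcat-*` bucket prefix, the account-wide CodeBuild log-group wildcard, and `s3:PutObjectAcl`), while `TooBroadRole` fails on its principal, action and resource. Wiring a check like this into the buildspec with a non-zero exit on any FAIL is the same pattern the project uses with cfn_nag: the pipeline stops before the role is ever created.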