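---
# CI/CD pipeline for an ECS service: a CodeCommit repository, an EventBridge
# rule that starts the pipeline on pushes to the configured branch, and a
# single-stage CodePipeline that deploys `service-template.yaml` from the
# repository through a CloudFormation action.
#
# Changes from the original layout:
#   - version/date-like scalars are quoted so generic YAML parsers do not
#     retype them (`"2012-10-17"`, `"1"`);
#   - the artifact bucket blocks public access and is encrypted at rest;
#   - the pipeline role may only pass CloudFormationExecutionRole and may only
#     read the one CodeCommit repository this stack creates;
#   - the remaining wildcard grants are left in place and commented — the
#     deployed service template is not part of this file, so its exact needs
#     cannot be derived here.
AWSTemplateFormatVersion: "2010-09-09"
Description: CICD pipeline for ECS service.

Parameters:
  EnvironmentName:
    Type: String
  SourceRepoName:
    Type: String
  SourceRepoBranch:
    Type: String
    Default: master

Outputs:
  SourceRepoCloneUrlHttp:
    Value: !GetAtt CodeCommitRepository.CloneUrlHttp
  PipelineUrl:
    Value: !Sub "https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline}"
  ArtifactBucket:
    Value: !Ref ArtifactBucket

Resources:
  # Code Commit repo
  CodeCommitRepository:
    Type: AWS::CodeCommit::Repository
    DeletionPolicy: Delete
    Properties:
      RepositoryName: !Ref SourceRepoName

  # Role assumed by EventBridge to start the pipeline. It is scoped to the one
  # pipeline in this stack; it cannot start anything else.
  TriggerRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [events.amazonaws.com]
            Action: ['sts:AssumeRole']
      Policies:
        - PolicyName: !Sub "start-pipeline-execution-${AWS::Region}-${SourceRepoName}"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: "codepipeline:StartPipelineExecution"
                Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${Pipeline}"

  # Event rule to trigger pipeline. Only branch create/update events for
  # SourceRepoBranch on this stack's repository match; PollForSourceChanges is
  # disabled on the Source action so this rule is the only trigger.
  CodeCommitRepoTrigger:
    Type: AWS::Events::Rule
    Properties:
      Description: Trigger the pipeline on change to repo/branch
      EventPattern:
        source:
          - "aws.codecommit"
        detail-type:
          - "CodeCommit Repository State Change"
        resources:
          - !GetAtt CodeCommitRepository.Arn
        detail:
          event:
            - "referenceCreated"
            - "referenceUpdated"
          referenceType:
            - "branch"
          referenceName:
            - !Ref SourceRepoBranch
      RoleArn: !GetAtt TriggerRole.Arn
      State: ENABLED
      Targets:
        - Arn: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${Pipeline}"
          Id: !Sub "codepipeline-${SourceRepoName}-pipeline"
          RoleArn: !GetAtt TriggerRole.Arn

  ### IAM Permissions

  # Role CloudFormation assumes to create the service stack. NOTE(review):
  # `iam:*`, `ecs:*`, `ecr:*` and `logs:*` on `Resource: "*"` let any template
  # pushed to the branch create or modify arbitrary roles and policies in the
  # account; once the resources that `service-template.yaml` actually creates
  # are known, narrow the IAM grant to those role/policy ARNs (and consider a
  # permissions boundary on roles it creates).
  CloudFormationExecutionRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [cloudformation.amazonaws.com]
            Action: ['sts:AssumeRole']
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Resource: "*"
                Action:
                  - ecs:*
                  - ecr:*
                  - iam:*  # TODO(review): scope to the roles/policies the service template creates
                  - logs:*
                  - elasticloadbalancing:CreateTargetGroup
                  - elasticloadbalancing:DeleteTargetGroup
                  - elasticloadbalancing:CreateRule
                  - elasticloadbalancing:DeleteRule
                  - elasticloadbalancing:DescribeRules
                  - elasticloadbalancing:DescribeTargetHealth
                  - elasticloadbalancing:DescribeTargetGroups
                  - elasticloadbalancing:DescribeTargetGroupAttributes
                  - elasticloadbalancing:ModifyRule
                  - elasticloadbalancing:ModifyTargetGroup
                  - elasticloadbalancing:ModifyTargetGroupAttributes
                  - elasticloadbalancing:SetRulePriorities
                  - elasticloadbalancing:AddTags
                  - elasticloadbalancing:RemoveTags
                  - servicediscovery:CreateService
                  - servicediscovery:GetService
                  - servicediscovery:UpdateService
                  - servicediscovery:DeleteService
                  - servicediscovery:TagResource
                  - cloudwatch:GetDashboard
                  - cloudwatch:PutDashboard
                  - cloudwatch:PutMetricData
                  - cloudwatch:DeleteDashboards

  # Role CodePipeline runs as. Artifact access is limited to this stack's
  # bucket, source access to this stack's repository, and PassRole to the
  # single execution role handed to the Deploy action.
  CodePipelineServiceRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [codepipeline.amazonaws.com]
            Action: ['sts:AssumeRole']
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Artifact store: objects in the pipeline's own bucket only.
              - Effect: Allow
                Resource:
                  - !Sub "arn:aws:s3:::${ArtifactBucket}/*"
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
              # Only the execution role used by the Deploy action may be
              # passed on, and only to CloudFormation.
              - Effect: Allow
                Resource: !GetAtt CloudFormationExecutionRole.Arn
                Action:
                  - iam:PassRole
                Condition:
                  StringEquals:
                    iam:PassedToService: cloudformation.amazonaws.com
              # Source action: read this stack's repository only.
              - Effect: Allow
                Resource: !GetAtt CodeCommitRepository.Arn
                Action:
                  - codecommit:CancelUploadArchive
                  - codecommit:GetBranch
                  - codecommit:GetCommit
                  - codecommit:GetUploadArchiveStatus
                  - codecommit:UploadArchive
              # NOTE(review): `cloudformation:*` on `*` is wider than the one
              # stack the Deploy action manages; ValidateTemplate has no
              # resource-level scoping, but the stack-mutating actions could be
              # limited to that stack's ARN. No CodeBuild action exists in this
              # pipeline yet; the codebuild grants are kept for the build stage
              # the "Codebuild" section header anticipates.
              - Effect: Allow
                Resource: "*"
                Action:
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuilds
                  - cloudformation:*

  ### CodePipeline & Codebuild

  # Pipeline artifact store. Retained on stack deletion so build history is
  # not lost. Public access is blocked and objects are encrypted at rest;
  # both are transparent to CodePipeline.
  ArtifactBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      # BucketName intentionally omitted (a generated name avoids collisions);
      # the earlier commented-out name referenced an undeclared
      # ${MicroServiceName} parameter.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled

  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    DependsOn: [CodePipelineServiceRole]
    Properties:
      Name: !Sub "${EnvironmentName}-${SourceRepoName}-Pipeline"
      RoleArn: !GetAtt CodePipelineServiceRole.Arn
      RestartExecutionOnUpdate: false
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket
      Stages:
        - Name: Source
          Actions:
            - Name: Config
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: "1"
                Provider: CodeCommit
              Configuration:
                RepositoryName: !Ref SourceRepoName
                BranchName: !Ref SourceRepoBranch
                # Event-driven via CodeCommitRepoTrigger; no polling.
                PollForSourceChanges: false
              OutputArtifacts:
                - Name: SourceOutput
              RunOrder: 1
        - Name: Deploy
          Actions:
            - Name: Deploy
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: "1"
                Provider: CloudFormation
              Configuration:
                ActionMode: CREATE_UPDATE
                StackName: !Sub "${EnvironmentName}-lab4-${SourceRepoName}"
                # CAPABILITY_NAMED_IAM: the service template may create named
                # IAM resources; combined with the broad execution role above,
                # anyone who can push to SourceRepoBranch can change IAM.
                Capabilities: CAPABILITY_NAMED_IAM
                TemplatePath: SourceOutput::service-template.yaml
                TemplateConfiguration: SourceOutput::template-config.json
                RoleArn: !GetAtt CloudFormationExecutionRole.Arn
              InputArtifacts:
                - Name: SourceOutput
              RunOrder: 1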