# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 AWSTemplateFormatVersion: '2010-09-09' Description: "CodeBuild project to validate CloudFormation templates and policies for drs-plan-automation" Parameters: Application: Description: Application Name Type: String Default: drs-plan-automation Resources: CodeBuildValidateTemplates: Type: AWS::CodeBuild::Project Properties: Name: ValidateTemplates Description: Validate Cloudformation Templates with cfnnag ServiceRole: Fn::GetAtt: - CodeBuildRole - Arn Artifacts: Type: CODEPIPELINE EncryptionKey: Fn::ImportValue: "drs-kms-key-arn" Environment: Type: LINUX_CONTAINER ComputeType: BUILD_GENERAL1_SMALL Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 Source: Type: CODEPIPELINE BuildSpec: cfn/codebuild/ValidateTemplates/buildspec-cfnnag.yml TimeoutInMinutes: 10 Tags: - Key: Application Value: !Ref Application CodeBuildRole: Type: AWS::IAM::Role Properties: Description: CodePipeline role for static analysis of templates. AssumeRolePolicyDocument: Version: '2012-10-17' Statement: Effect: Allow Principal: Service: codebuild.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: CodeBuildManageS3Artifacts PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl - s3:GetObjectVersion - s3:GetBucketAcl - s3:GetBucketLocation Resource: - Fn::ImportValue: "drs-s3-bucket-arn" - Fn::Sub: - "${bucketarn}/*" - bucketarn: Fn::ImportValue: "drs-s3-bucket-arn" - Fn::Sub: arn:aws:s3:::taskcat-* - Effect: Allow Action: - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogStreams - logs:CreateLogGroup Resource: - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/* - Action: - 'kms:Encrypt' - 'kms:Decrypt' - 'kms:ReEncrypt*' - 'kms:GenerateDataKey*' - 'kms:DescribeKey' Resource: Fn::ImportValue: "drs-kms-key-arn" Effect: Allow Tags: - Key: Application Value: !Ref Application