AWSTemplateFormatVersion: 2010-09-09 Description: Temporary Elevated Access Management (TEAM) Application stack Parameters: Source: Type: String Description: Email notification source Login: Type: String Description: IAM IDC Login URL teamAdminGroup: Type: String Description: TEAM application Admin group teamAuditGroup: Type: String Description: TEAM application Auditor group tags: Type: String Description: TEAM application tags Default: "" Resources: TriggerAmplifyBuild: Type: Custom::TriggerAmplifyBuild Properties: ServiceToken: !GetAtt 'TriggerBuildLambda.Arn' appId: !GetAtt AmplifyApp.AppId branchName: main branch: !GetAtt AmplifyBranch.Arn AmplifyRole: Type: AWS::IAM::Role Metadata: cfn_nag: rules_to_suppress: - id: W9 reason: "This is the main Amplify service role." Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - amplify.amazonaws.com Action: - sts:AssumeRole Path: / ManagedPolicyArns: - "arn:aws:iam::aws:policy/AdministratorAccess" AmplifyApp: Type: "AWS::Amplify::App" Properties: Name: TEAM-IDC-APP Repository: !Sub https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/team-idc-app Description: Temporary Elevated Access Management Application CustomRules: - Source: /<*> Status: 404 Target: /index.html - Source: Status: 200 Target: /index.html EnvironmentVariables: - Name: AMPLIFY_DESTRUCTIVE_UPDATES Value: true BuildSpec: |- version: 1 backend: phases: preBuild: commands: - npm i -g @aws-amplify/cli@10.7.3 - '# Update deployment parameters with helper script' - node parameters.js build: commands: - npm i -S graphql-ttl-transformer - '# Execute Amplify CLI with the helper script' - update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.9 11 - /usr/local/bin/pip3.9 install --user pipenv==2023.6.12 - amplifyPush --simple --allow-destructive-graphql-schema-update frontend: phases: preBuild: commands: - npm ci build: commands: - npm run build artifacts: baseDirectory: build files: - '**/*' cache: paths: - node_modules/**/* Tags: - Key: Name Value: TEAM IAMServiceRole: !GetAtt AmplifyRole.Arn AmplifyBranch: Type: AWS::Amplify::Branch Properties: BranchName: main AppId: !GetAtt AmplifyApp.AppId EnableAutoBuild: true EnvironmentVariables: - Name: EMAIL_SOURCE Value: !Ref Source - Name: SSO_LOGIN Value: !Ref Login - Name: TEAM_ADMIN_GROUP Value: !Ref teamAdminGroup - Name: TEAM_AUDITOR_GROUP Value: !Ref teamAuditGroup - Name: TAGS Value: !Ref tags Tags: - Key: Branch Value: main TriggerBuildLambda: Type: AWS::Lambda::Function Properties: Handler: index.handler Runtime: python3.9 Role: !GetAtt AmplifyLambdaRole.Arn Timeout: 120 Code: ZipFile: | import json import cfnresponse import boto3 import logging from botocore.exceptions import ClientError client = boto3.client('amplify') logger = logging.getLogger() logger.setLevel(logging.INFO) def handler(event, context): logger.info("Received event: %s" % json.dumps(event)) appId = event['ResourceProperties']['appId'] branchName = event['ResourceProperties']['branchName'] result = cfnresponse.SUCCESS try: if event['RequestType'] == 'Create' or event['RequestType'] == 'Update': response = client.start_job( appId = appId, branchName = branchName, jobType='RELEASE' ) elif event['RequestType'] == 'Delete': pass except ClientError as e: logger.error('Error: %s', e) result = cfnresponse.FAILED cfnresponse.send(event, context, result, {}) AmplifyLambdaRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: AmplifyLambdaPolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowLogging Effect: Allow Action: - "logs:CreateLogGroup" - "logs:CreateLogStream" - "logs:PutLogEvents" Resource: "*" - Sid: startBuild Effect: Allow Action: - "amplify:StartJob" Resource: "*" Outputs: DefaultDomain: Value: !GetAtt AmplifyApp.DefaultDomain