# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 Parameters: UploadBucketName: Type: String Description: The name of the Amazon S3 bucket where files are uploaded. Resources: # repository - no dependency clamavECRRepo: Type: AWS::ECR::Repository Properties: RepositoryName: Fn::Join: - "" - - "clamav-scan-file" - Fn::Select: - 2 - Fn::Split: - "/" - Ref: AWS::StackId ImageScanningConfiguration: ScanOnPush: true Metadata: aws:cdk:path: VirusScan/avcodebuild/AVScanRepo # codebuild role codebuildIAMRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: codebuild.amazonaws.com Version: "2012-10-17" Metadata: aws:cdk:path: VirusScan/avcodebuild/AVScanUpdateDefinitions/Role/Resource # code build policy statement - assigned to the above created role codebuildPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - s3:GetObject Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":s3:::" - Ref: UploadBucketName - /scan-file.zip - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":s3:::" - Ref: UploadBucketName - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":logs:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - :log-group:/aws/codebuild/ - Ref: codebuildProject - :* - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":logs:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - :log-group:/aws/codebuild/ - Ref: codebuildProject - Action: - codebuild:BatchPutCodeCoverages - codebuild:BatchPutTestCases - codebuild:CreateReport - codebuild:CreateReportGroup - codebuild:UpdateReport Effect: Allow Resource: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":codebuild:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - :report-group/ - Ref: codebuildProject - -* - Action: ecr:GetAuthorizationToken Effect: Allow Resource: "*" - Action: - ecr:BatchCheckLayerAvailability - ecr:CompleteLayerUpload - ecr:InitiateLayerUpload - ecr:PutImage - ecr:UploadLayerPart Effect: Allow Resource: Fn::GetAtt: - clamavECRRepo - Arn Version: "2012-10-17" PolicyName: codebuildPolicy Roles: - Ref: codebuildIAMRole Metadata: aws:cdk:path: VirusScan/avcodebuild/AVScanUpdateDefinitions/Role/DefaultPolicy/Resource # codebuild project - depends on the role and policy above codebuildProject: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: NO_ARTIFACTS Environment: ComputeType: BUILD_GENERAL1_SMALL EnvironmentVariables: - Name: REPO_URI Type: PLAINTEXT Value: Fn::GetAtt: - clamavECRRepo - RepositoryUri - Name: AWS_DEFAULT_REGION Type: PLAINTEXT Value: Ref: AWS::Region - Name: AWS_ACCOUNT_ID Type: PLAINTEXT Value: Ref: AWS::AccountId Image: aws/codebuild/standard:6.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: true Type: LINUX_CONTAINER ServiceRole: Fn::GetAtt: - codebuildIAMRole - Arn Source: Location: Fn::Join: - "" - - Ref: UploadBucketName - /scan-file.zip Type: S3 Cache: Type: NO_CACHE EncryptionKey: alias/aws/s3 Metadata: aws:cdk:path: VirusScan/avcodebuild/AVScanUpdateDefinitions/Resource #role for cron rule cronEventIAMRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: events.amazonaws.com Version: "2012-10-17" Metadata: aws:cdk:path: VirusScan/avcodebuild/AVScanUpdateDefinitions/EventsRole/Resource #policy for cron rule role cronEventPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: codebuild:StartBuild Effect: Allow Resource: Fn::GetAtt: - codebuildProject - Arn Version: "2012-10-17" PolicyName: cronEventPolicy Roles: - Ref: cronEventIAMRole Metadata: aws:cdk:path: VirusScan/avcodebuild/AVScanUpdateDefinitions/EventsRole/DefaultPolicy/Resource # Cron rule - only dependency on codebuild cronEventRule: Type: AWS::Events::Rule Properties: ScheduleExpression: cron(0 5 * * ? *) State: ENABLED Targets: - Arn: Fn::GetAtt: - codebuildProject - Arn Id: Target0 RoleArn: Fn::GetAtt: - cronEventIAMRole - Arn Metadata: aws:cdk:path: VirusScan/avcodebuild/AV-updates-rule/Resource Outputs: ecrRepoArn: Value: Fn::GetAtt: - clamavECRRepo - Arn Export: Name: 'Fn::Sub': '${AWS::StackName}-repoArn' ecrRepoUri: Value: Fn::GetAtt: - clamavECRRepo - RepositoryUri Export: Name: 'Fn::Sub': '${AWS::StackName}-repoUri' codeBuildResource: Value: Ref: codebuildProject Export: Name: 'Fn::Sub': '${AWS::StackName}-projectName'