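# CloudFormation template: build projects, IAM roles/policies, buckets and the
# pipeline role for the community registry extensions CI/CD pipeline.
#
# Review changes versus the previous revision:
# - SSMDocumentEBSVolumeModuleBuildProjectRole and IotAnalyticsPipelineModuleBuildProjectRole
#   carried permission statements (Action/Resource, no Principal) inside their
#   AssumeRolePolicyDocument. A trust policy grants no permissions to the role and
#   IAM rejects a Resource element there, so those statements are moved into
#   dedicated AWS::IAM::Policy resources attached to the same roles.
# - ArtifactBucketPolicy used an unquoted PolicyDocument Version (2012-10-17), which
#   YAML 1.1 parsers read as a date; it is now quoted like every other policy here.
# - Copy-pasted PolicyName values (three Time* policies named
#   delete-bucket-contents-build-project-policy, ResourceIamPasswordPolicyPolicy
#   named cloudfront-webacl-association-build-project-policy) are given
#   names matching their role.
# - CloudFrontLoggingEnabledBuildProject's HOOK_PATH placeholder matched the resource
#   placeholder text; it now matches the other hook projects.
AWSTemplateFormatVersion: "2010-09-09"
Description: Infrastructure for the community registry extensions CICD pipeline

Parameters:
  Env:
    Type: String
    Description: The environment, alpha, beta, or prod. In a sandbox these are all in one account, but the actual deployment is to three different accounts.
    AllowedValues: ["alpha", "beta", "prod"]
  PrefixLower:
    Type: String
    Description: The extension prefix lowercase, for example, awscommunity. It's either this or depend on a macro, or put more stars in policies.
  BetaAccountId:
    Type: String
    Description: AccountId for the beta account, which pushes builds to the prod source bucket
    # Account IDs are exactly 12 digits; reject anything else at stack-create time
    # rather than inside an IAM principal ARN.
    AllowedPattern: "^[0-9]{12}$"
    ConstraintDescription: Must be a 12-digit AWS account ID
  ProdAccountId:
    Type: String
    Description: Account ID for prod, required to share the KMS key so beta can deploy builds to the prod source bucket
    AllowedPattern: "^[0-9]{12}$"
    ConstraintDescription: Must be a 12-digit AWS account ID
  NotificationEmail:
    Type: String
    Description: Email address for pipeline notifications

Conditions:
  # IsAlpha, IsProd and IsNotProd are not referenced in this part of the template;
  # they are presumably used further down.
  IsAlpha: !Equals
    - !Ref Env
    - alpha
  IsBeta: !Equals
    - !Ref Env
    - beta
  IsProd: !Equals
    - !Ref Env
    - prod
  IsNotProd: !Not
    - !Equals
      - !Ref Env
      - prod

Resources:
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Metadata:
      Comment: CodePipeline artifacts
    # NOTE(review): no explicit BucketEncryption or PublicAccessBlockConfiguration;
    # the account/S3 defaults decide both. Consider making them explicit.
    Properties:
      BucketName: !Sub "cep-${Env}-${AWS::AccountId}-artifacts"

  ArtifactBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: IsBeta
    Metadata:
      Comment: Allows the beta account to use an assumed role in the prod account to drop builds into the prod account
    Properties:
      Bucket: !Ref ArtifactBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: BetaProdCrossAccount
            Effect: Allow
            # The account root principal delegates to every IAM identity in the prod
            # account whose own identity policy allows these S3 actions; narrowing
            # this to the specific prod role would limit the blast radius.
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${ProdAccountId}:root"
            Action:
              - s3:Put*
              - s3:Get*
              - s3:List*
            # Same bucket as before; taken from the resource instead of rebuilding
            # the ARN by hand so the name cannot drift from BucketName.
            Resource:
              - !GetAtt ArtifactBucket.Arn
              - !Sub "${ArtifactBucket.Arn}/*"

  # --- Build project roles -----------------------------------------------------
  # Each role trusts only CodeBuild and inherits the shared build-project policy
  # exported by the common stack; per-resource permissions are attached below
  # as AWS::IAM::Policy resources.

  S3BucketVersioningEnabledBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  S3PublicAccessControlsRestrictedBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  KMSEncryptionSettingsBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  HookEC2SecurityGroupRestrictedSSHBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  CloudFrontLoggingEnabledBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  S3BucketNotificationBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  S3DeleteBucketContentsBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  ResourceLookupBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  DynamoDBItemBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  TimeStaticBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  TimeSleepBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  TimeOffsetBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  CloudFrontWebAclAssociationBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  S3BucketModuleBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  SSMDocumentEBSVolumeModuleBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy only; the ssm:* permissions that used to sit in here are now
      # in SSMDocumentEBSVolumeModuleBuildProjectPolicy.
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  SSMDocumentEBSVolumeModuleBuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          # Moved unchanged from the role's trust policy, where it granted nothing.
          - Action:
              - ssm:ListDocuments
              - ssm:ListDocumentVersions
              - ssm:DescribeDocument
              - ssm:DeleteDocument
              - ssm:GetDocument
            Effect: Allow
            Resource: "*"
        Version: '2012-10-17'
      PolicyName: ssm-document-ebsvolume-module-build-project-policy
      Roles:
        - !Ref SSMDocumentEBSVolumeModuleBuildProjectRole

  IotAnalyticsPipelineModuleBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy only; the iot/iotanalytics permissions that used to sit in
      # here are now in IotAnalyticsPipelineModuleBuildProjectPolicy.
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  IotAnalyticsPipelineModuleBuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          # Moved unchanged from the role's trust policy, where it granted nothing.
          - Action:
              - iotanalytics:*
              - iot:CreateTopicRule
              - iot:DeleteTopicRule
              - iot:ReplaceTopicRule
              - iot:ListTopicRules
              - iot:GetTopicRule
              - iot:EnableTopicRule
              - iot:DisableTopicRule
              - iot:CreateTopicRuleDestination
              - iot:DeleteTopicRuleDestination
              - iot:UpdateTopicRuleDestination
              - iot:GetTopicRuleDestination
              - iot:ConfirmTopicRuleDestination
              - iot:ListTopicRuleDestinations
            Effect: Allow
            Resource: "*"
        Version: '2012-10-17'
      PolicyName: iot-analytics-pipeline-module-build-project-policy
      Roles:
        - !Ref IotAnalyticsPipelineModuleBuildProjectRole

  CloudFrontS3WebsiteModuleBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  ResourceIamPasswordPolicyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  ApplicationAutoscalingScheduledActionBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  # --- Build project policies --------------------------------------------------

  S3BucketNotificationBuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - iam:CreateRole
              - iam:DeleteRole
              - iam:GetRole
              - lambda:AddPermission
              - lambda:RemovePermission
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:GetBucketNotification
              - s3:PutBucketNotification
              - sns:AddPermission
              - sns:ConfirmSubscription
              - sns:CreateTopic
              - sns:DeleteTopic
              - sns:GetTopicAttributes
              - sns:RemovePermission
              - sns:SetTopicAttributes
              - sqs:CreateQueue
              - sqs:DeleteQueue
              - sqs:AddPermission
              - sqs:GetQueueAttributes
              - sqs:GetQueueUrl
              - sqs:SetQueueAttributes
            Effect: Allow
            Resource: "*"
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt S3BucketNotificationBuildProject.Arn
        Version: '2012-10-17'
      PolicyName: bucket-notification-build-project-policy
      Roles:
        - !Ref S3BucketNotificationBuildProjectRole

  S3DeleteBucketContentsBuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - iam:CreateRole
              - iam:DeleteRole
              - iam:GetRole
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:ListBucket
              - s3:GetBucketNotification
              - s3:PutBucketNotification
              - s3:GetBucketTagging
              - s3:PutBucketTagging
              - s3:ListObjectVersions
              - s3:DeleteObject
              - s3:ListBucketVersions
            Effect: Allow
            Resource: "*"
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt S3DeleteBucketContentsBuildProject.Arn
        Version: '2012-10-17'
      PolicyName: delete-bucket-contents-build-project-policy
      Roles:
        - !Ref S3DeleteBucketContentsBuildProjectRole

  ResourceLookupBuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            # NOTE(review): iam:PassRole on "*" lets this build hand any role in the
            # account to a service; scoping it to the awscommunity-resource-lookup-*
            # roles used by the next statement would be tighter.
            Action:
              - cloudformation:GetResource
              - cloudformation:ListResources
              - cloudformation:ListExports
              - iam:PassRole
              - ssm:AddTagsToResource
              - ssm:DeleteParameter
              - ssm:DescribeParameters
              - ssm:GetParameter
              - ssm:GetParameters
              - ssm:ListTagsForResource
              - ssm:PutParameter
              - ssm:RemoveTagsFromResource
            Resource: "*"
          - Effect: Allow
            Action:
              - iam:AttachRolePolicy
              - iam:CreateRole
              - iam:DeleteRole
              - iam:DetachRolePolicy
              - iam:GetPolicy
              - iam:GetPolicyVersion
              - iam:GetRole
              - iam:ListAttachedRolePolicies
              - iam:ListEntitiesForPolicy
              - iam:ListPolicies
              - iam:ListPolicyTags
              - iam:ListPolicyVersions
              - iam:ListRolePolicies
              - iam:ListRoleTags
              - iam:ListRoles
              - iam:TagRole
              - iam:UntagRole
              - iam:UpdateRole
              - iam:UpdateRoleDescription
            Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/awscommunity-resource-lookup-*-*-*'
          - Effect: Allow
            Action:
              - ec2:AssociateVpcCidrBlock
              - ec2:CreateTags
              - ec2:CreateVpc
              - ec2:DeleteTags
              - ec2:DeleteVpc
              - ec2:DescribeVpcAttribute
              - ec2:DescribeVpcs
              - ec2:DisassociateVpcCidrBlock
              - ec2:ModifyVpcAttribute
              - ec2:ModifyVpcTenancy
            Resource: "*"
        Version: '2012-10-17'
      PolicyName: resource-lookup-build-project-policy
      Roles:
        - !Ref ResourceLookupBuildProjectRole

  DynamoDBItemBuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - iam:CreateRole
              - iam:DeleteRole
              - iam:GetRole
              - dynamodb:*
            Effect: Allow
            Resource: "*"
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt DynamoDBItemBuildProject.Arn
        Version: '2012-10-17'
      PolicyName: dynamodb-item-build-project-policy
      Roles:
        - !Ref DynamoDBItemBuildProjectRole

  CloudFrontS3WebsiteBuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        # NOTE(review): four full-service wildcards on "*"; s3:* in particular also
        # covers the pipeline's own artifact and source buckets.
        Statement:
          - Action: cloudfront:*
            Effect: Allow
            Resource: "*"
          - Action: acm:*
            Effect: Allow
            Resource: "*"
          - Action: s3:*
            Effect: Allow
            Resource: "*"
          - Action: route53:*
            Effect: Allow
            Resource: "*"
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt CloudFrontS3WebsiteModuleBuildProject.Arn
        Version: '2012-10-17'
      PolicyName: cloudfront-s3-website-build-project-policy
      Roles:
        - !Ref CloudFrontS3WebsiteModuleBuildProjectRole

  TimeStaticBuildProjectRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          # NOTE(review): dynamodb:* appears to be carried over from the DynamoDB
          # policy; confirm the time-static tests actually need it.
          - Action:
              - iam:CreateRole
              - iam:DeleteRole
              - iam:GetRole
              - dynamodb:*
            Effect: Allow
            Resource: "*"
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt TimeStaticBuildProject.Arn
          - Action:
              - ssm:DeleteParameter
              - ssm:GetParameter
              - ssm:PutParameter
            Effect: Allow
            Resource: "*"
        Version: '2012-10-17'
      # Was delete-bucket-contents-build-project-policy (copy-paste).
      PolicyName: time-static-build-project-policy
      Roles:
        - !Ref TimeStaticBuildProjectRole

  TimeSleepBuildProjectRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - iam:CreateRole
              - iam:DeleteRole
              - iam:GetRole
              - dynamodb:*
            Effect: Allow
            Resource: "*"
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt TimeSleepBuildProject.Arn
          - Action:
              - ssm:DeleteParameter
              - ssm:GetParameter
              - ssm:PutParameter
            Effect: Allow
            Resource: "*"
        Version: '2012-10-17'
      # Was delete-bucket-contents-build-project-policy (copy-paste).
      PolicyName: time-sleep-build-project-policy
      Roles:
        - !Ref TimeSleepBuildProjectRole

  TimeOffsetBuildProjectRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - iam:CreateRole
              - iam:DeleteRole
              - iam:GetRole
              - dynamodb:*
            Effect: Allow
            Resource: "*"
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt TimeOffsetBuildProject.Arn
          - Action:
              - ssm:DeleteParameter
              - ssm:GetParameter
              - ssm:PutParameter
            Effect: Allow
            Resource: "*"
        Version: '2012-10-17'
      # Was delete-bucket-contents-build-project-policy (copy-paste).
      PolicyName: time-offset-build-project-policy
      Roles:
        - !Ref TimeOffsetBuildProjectRole

  CloudFrontWebAclAssociationBuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - iam:GetRole
              - iam:CreateRole
              - iam:DeleteRole
              - wafv2:ListTagsForResource
              - wafv2:GetWebACL
              - wafv2:CreateWebACL
              - wafv2:DeleteWebACL
              - cloudfront:ListCloudFrontOriginAccessIdentities
              - cloudfront:TagResource
              - cloudfront:CreateDistribution
              - cloudfront:GetDistribution
              - cloudfront:CreateCloudFrontOriginAccessIdentity
              - cloudfront:ListDistributions
              - cloudfront:GetCloudFrontOriginAccessIdentity
              - cloudfront:DeleteDistribution
              - cloudfront:UpdateDistribution
              - cloudfront:DeleteCloudFrontOriginAccessIdentity
              - s3:PutObject
              - s3:GetObject
              - s3:PutBucketWebsite
              - s3:GetEncryptionConfiguration
              - s3:ListAllMyBuckets
              - s3:PutBucketPolicy
              - s3:GetBucketLocation
              - s3:DeleteBucket
              - s3:CreateBucket
              - s3:ListBucket
              - s3:GetBucketPolicy
              - s3:PutBucketCORS
              - s3:DeleteBucketPolicy
            Effect: Allow
            Resource: "*"
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt CloudFrontWebAclAssociationBuildProject.Arn
        Version: '2012-10-17'
      PolicyName: cloudfront-webacl-association-build-project-policy
      Roles:
        - !Ref CloudFrontWebAclAssociationBuildProjectRole

  ResourceIamPasswordPolicyPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          # NOTE(review): this statement is the S3 subset of the CloudFront WebACL
          # policy and contains no account password-policy actions; verify whether
          # the imported common policy covers what the iam-passwordpolicy tests need.
          - Action:
              - iam:GetRole
              - iam:CreateRole
              - iam:DeleteRole
              - s3:PutObject
              - s3:GetObject
              - s3:PutBucketWebsite
              - s3:GetEncryptionConfiguration
              - s3:ListAllMyBuckets
              - s3:PutBucketPolicy
              - s3:GetBucketLocation
              - s3:DeleteBucket
              - s3:CreateBucket
              - s3:ListBucket
              - s3:GetBucketPolicy
              - s3:PutBucketCORS
              - s3:DeleteBucketPolicy
            Effect: Allow
            Resource: "*"
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt IamPasswordPolicyBuildProject.Arn
        Version: '2012-10-17'
      # Was cloudfront-webacl-association-build-project-policy (copy-paste).
      PolicyName: iam-passwordpolicy-build-project-policy
      Roles:
        - !Ref ResourceIamPasswordPolicyRole

  HookEC2SecurityGroupRestrictedSSHBuildProjectRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          # Pattern wildcards match every VPC and security-group action on every
          # resource in the account; consider an explicit action list.
          - Action:
              - ec2:*VPC*
              - ec2:*SecurityGroup*
            Effect: Allow
            Resource: "*"
        Version: '2012-10-17'
      PolicyName: SecurityGroupPermissions
      Roles:
        - !Ref HookEC2SecurityGroupRestrictedSSHBuildProjectRole

  KMSEncryptionSettingsBuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - ec2:DescribeImages
              - ec2:DescribeInstances
              - ec2:GetEbsEncryptionByDefault
            Resource: "*"
          # In beta the broad kms:* grant below is carved out so the integration
          # tests cannot alter or schedule deletion of the pipeline's own key
          # (PipelineKey only exists when IsBeta).
          - !If
            - IsBeta
            - Effect: Deny
              Action:
                - kms:*CustomKeyStore
                - kms:CancelKeyDeletion
                - kms:CreateAlias
                - kms:Delete*
                - kms:DeleteAlias
                - kms:DisableKey*
                - kms:Put*
                - kms:ScheduleKeyDeletion
                - kms:Update*
              Resource: !GetAtt PipelineKey.Arn
            - !Ref AWS::NoValue
          - Effect: Allow
            Action:
              - kms:CancelKeyDeletion
              - kms:Create*
              - kms:CreateKey
              - kms:Decrypt
              - kms:Delete*
              - kms:Describe*
              - kms:Disable*
              - kms:Enable*
              - kms:Encrypt
              - kms:GenerateDataKey*
              - kms:Get*
              - kms:List*
              - kms:Put*
              - kms:ReEncrypt*
              - kms:Revoke*
              - kms:ScheduleKeyDeletion
              - kms:TagResource
              - kms:UntagResource
              - kms:Update*
            Resource: "*"
          - Effect: Allow
            Action:
              - application-autoscaling:*
              - autoscaling:*
              - dynamodb:*
              - ec2:*Instance*
              - ec2:*LaunchTemplate*
              - ec2:*SecurityGroup*
              - ec2:*Tags
              - ec2:*Volume*
              - ec2:Describe*
              - ec2:GetEbsDefaultKmsKeyId
              - elasticfilesystem:*
              - kinesis:*
              - lambda:*
              - rds:*
              - redshift:*
              - s3:*
              - secretsmanager:GetRandomPassword
              - sns:*
              - sqs:*
              - ssm:GetParameters
            Resource: "*"
          - Effect: Allow
            Action:
              - logs:*
            Resource:
              - !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:*CloudTrailTrailEmptyIntegS3PrefixCleanup:*'
              - !Sub 'arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:*integ-*-awscommunity-kms-encryptionsettings*:*'
          - Effect: Allow
            Action:
              - secretsmanager:*
            Resource: !Sub 'arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:*Secret-integ-*-awscommunity-kms-encryptionsettings*'
          - Effect: Allow
            Action:
              - secretsmanager:*
            Resource: "*"
            Condition:
              StringLike:
                secretsmanager:Name: '*Secret-integ-*-awscommunity-kms-encryptionsettings*'
          - Effect: Allow
            Action:
              - cloudtrail:*
            Resource: !Sub 'arn:${AWS::Partition}:cloudtrail:*:${AWS::AccountId}:trail/Trail-integ-*-awscommunity-kms-encryptionsettings-*'
          - Effect: Allow
            Action:
              - iam:AttachRolePolicy
              - iam:CreateRole
              - iam:DeleteRole
              - iam:DetachRolePolicy
              - iam:GetPolicy
              - iam:GetPolicyVersion
              - iam:GetRole
              - iam:ListAttachedRolePolicies
              - iam:ListEntitiesForPolicy
              - iam:ListPolicies
              - iam:ListPolicyTags
              - iam:ListPolicyVersions
              - iam:ListRolePolicies
              - iam:ListRoleTags
              - iam:ListRoles
              - iam:TagRole
              - iam:UntagRole
              - iam:UpdateRole
              - iam:UpdateRoleDescription
            Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/TrailS3Cleanup-integ-*-awscommunity-kms-encryptionsettings'
          - Effect: Allow
            Action:
              - iam:CreateServiceLinkedRole
              - iam:DeleteServiceLinkedRole
              - iam:GetServiceLinkedRoleDeletionStatus
            Resource: "*"
        Version: '2012-10-17'
      PolicyName: kms-encryptionsettings-build-project-policy
      Roles:
        - !Ref KMSEncryptionSettingsBuildProjectRole

  ApplicationAutoscalingScheduledActionBuildProjectRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt ApplicationAutoscalingScheduledActionBuildProject.Arn
          - Action:
              - application-autoscaling:*
            Effect: Allow
            Resource: "*"
          - Action:
              - dynamodb:*
            Effect: Allow
            Resource: !Sub "arn:aws:dynamodb:*:${AWS::AccountId}:table/awscommunityscheduledactiontesttable"
          - Action:
              - iam:CreateServiceLinkedRole
            Effect: Allow
            Resource: "*"
        Version: '2012-10-17'
      PolicyName: application-autoscaling-scheduledaction-build-project-policy
      Roles:
        - !Ref ApplicationAutoscalingScheduledActionBuildProjectRole

  # --- CodeBuild projects ------------------------------------------------------
  # All projects run the cep-cicd image from this account's ECR with
  # PrivilegedMode enabled (container builds need it); the *_PATH placeholder
  # environment variables are presumably overridden per pipeline action.

  S3BucketNotificationBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-s3-bucketnotification"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt S3BucketNotificationBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  IamPasswordPolicyBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-iam-passwordpolicy"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt ResourceIamPasswordPolicyRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  CloudFrontWebAclAssociationBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-cloudfront-webaclassociation"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt CloudFrontWebAclAssociationBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  S3DeleteBucketContentsBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-s3-delete-bucket-contents"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt S3DeleteBucketContentsBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  ResourceLookupBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-resource-lookup"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt ResourceLookupBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-java.yml"
      TimeoutInMinutes: 480

  DynamoDBItemBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-dynamodb-item"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt DynamoDBItemBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  TimeStaticBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-time-static"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt TimeStaticBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-go.yml"
      TimeoutInMinutes: 480

  TimeSleepBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-time-sleep"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt TimeSleepBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-go.yml"
      TimeoutInMinutes: 480

  TimeOffsetBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-time-offset"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt TimeOffsetBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-go.yml"
      TimeoutInMinutes: 480

  S3BucketVersioningEnabledBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-s3-bucketversioningenabled"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: HOOK_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-hook"
      ServiceRole: !GetAtt S3BucketVersioningEnabledBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "hooks/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  S3PublicAccessControlsRestrictedBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-s3-publicaccesscontrolsrestricted"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: HOOK_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-hook"
      ServiceRole: !GetAtt S3PublicAccessControlsRestrictedBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "hooks/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  HookEC2SecurityGroupRestrictedSSHBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-ec2-securitygrouprestrictedssh"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: HOOK_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-hook"
      ServiceRole: !GetAtt HookEC2SecurityGroupRestrictedSSHBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "hooks/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  CloudFrontLoggingEnabledBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-cloudfront-loggingenabled"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: HOOK_PATH
            Type: PLAINTEXT
            # Was "placeholder-for-path-to-resource"; aligned with the other hooks.
            Value: "placeholder-for-path-to-hook"
      ServiceRole: !GetAtt CloudFrontLoggingEnabledBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "hooks/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  S3BucketModuleBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-s3-bucket-module"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: MODULE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-module"
      ServiceRole: !GetAtt S3BucketModuleBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "modules/${Env}-buildspec.yml"
      TimeoutInMinutes: 480

  CloudFrontS3WebsiteModuleBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-cloudfront-s3-module"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: MODULE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-module"
          # The three values below are SSM Parameter Store names, resolved at
          # build time; the role needs ssm:GetParameters on them (the imported
          # common policy presumably grants it).
          - Name: ACM_CERTIFICATE_ARN
            Type: PARAMETER_STORE
            Value: "cep-acm-certificate-arn"
          - Name: HOSTED_ZONE_ID
            Type: PARAMETER_STORE
            Value: "cep-hosted-zone-id"
          - Name: ALIAS
            Type: PARAMETER_STORE
            Value: "cep-cloudfront-s3-alias"
      ServiceRole: !GetAtt CloudFrontS3WebsiteModuleBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "modules/${Env}-buildspec.yml"
      TimeoutInMinutes: 480

  SSMDocumentEBSVolumeModuleBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-ssm-document-ebsvolume-module"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: MODULE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-module"
      ServiceRole: !GetAtt SSMDocumentEBSVolumeModuleBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "modules/${Env}-buildspec.yml"
      TimeoutInMinutes: 480

  IotAnalyticsPipelineModuleBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-iot-analytics-pipeline-module"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: MODULE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-module"
      ServiceRole: !GetAtt IotAnalyticsPipelineModuleBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "modules/${Env}-buildspec.yml"
      TimeoutInMinutes: 480

  AlternateContactBuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::ImportValue: !Sub "cep-${Env}-common-build-project-policy"

  AlternateContactBuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - account:GetAlternateContact
              - account:PutAlternateContact
              - account:DeleteAlternateContact
            Effect: Allow
            Resource: "*"
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt AlternateContactBuildProject.Arn
        Version: '2012-10-17'
      PolicyName: alternate-contact-build-project-policy
      Roles:
        - !Ref AlternateContactBuildProjectRole

  AlternateContactBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-alternate-contact"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt AlternateContactBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  KMSEncryptionSettingsBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-kms-encryptionsettings"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: HOOK_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-hook"
      ServiceRole: !GetAtt KMSEncryptionSettingsBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "hooks/${Env}-buildspec-java.yml"
      TimeoutInMinutes: 480

  ApplicationAutoscalingScheduledActionBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${PrefixLower}-${Env}-app-autosc-sched"
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_LARGE
        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/cep-cicd:latest"
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: true
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: RESOURCE_PATH
            Type: PLAINTEXT
            Value: "placeholder-for-path-to-resource"
      ServiceRole: !GetAtt ApplicationAutoscalingScheduledActionBuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Sub "resources/${Env}-buildspec-python.yml"
      TimeoutInMinutes: 480

  # --- Pipeline plumbing -------------------------------------------------------

  SourceBucket:
    Type: AWS::S3::Bucket
    Metadata:
      Comment: The name is important here since it gets constructed by the webhook handler and CodeBuild job to drop the build into the correct bucket. We only use a one webhook for AwsCommunity and 3rd parties like Okta.
    # NOTE(review): as with ArtifactBucket, encryption and public-access blocking
    # are left to account defaults; versioning is on so overwritten builds are kept.
    Properties:
      BucketName: !Sub "cep-source-${AWS::AccountId}-${Env}-${PrefixLower}"
      VersioningConfiguration:
        Status: Enabled

  PipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "cep-${Env}-pipeline-role"
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
        Version: '2012-10-17'

  PipelinePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: extension-pipeline-policy
      Roles:
        - !Ref PipelineRole
      PolicyDocument:
        Statement:
          # Cross-account hop used to publish from beta into prod.
          - Action: "sts:AssumeRole"
            Effect: Allow
            Resource:
              - !Sub "arn:aws:iam::${ProdAccountId}:role/community-registry-extensions-publish-role"
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
              - s3:DeleteObject*
              - s3:PutObject*
              - s3:Abort*
            Effect: Allow
            Resource:
              - !GetAtt ArtifactBucket.Arn
              - !Join
                - ''
                - - !GetAtt ArtifactBucket.Arn
                  - /*
              - !GetAtt SourceBucket.Arn
              - !Join
                - ''
                - - !GetAtt SourceBucket.Arn
                  - /*
          # One entry per build project; add new projects here as well as above.
          - Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
              - codebuild:StopBuild
              - codebuild:RetryBuild
              - codebuild:StartBuildBatch
              - codebuild:RetryBuildBatch
              - codebuild:StopBuildBatch
            Effect: Allow
            Resource:
              - !GetAtt HookEC2SecurityGroupRestrictedSSHBuildProject.Arn
              - !GetAtt S3BucketNotificationBuildProject.Arn
              - !GetAtt S3DeleteBucketContentsBuildProject.Arn
              - !GetAtt ResourceLookupBuildProject.Arn
              - !GetAtt DynamoDBItemBuildProject.Arn
              - !GetAtt S3BucketVersioningEnabledBuildProject.Arn
              - !GetAtt S3PublicAccessControlsRestrictedBuildProject.Arn
              - !GetAtt TimeStaticBuildProject.Arn
              - !GetAtt TimeSleepBuildProject.Arn
              - !GetAtt TimeOffsetBuildProject.Arn
              - !GetAtt CloudFrontLoggingEnabledBuildProject.Arn
              - !GetAtt CloudFrontWebAclAssociationBuildProject.Arn
              - !GetAtt S3BucketModuleBuildProject.Arn
              - !GetAtt CloudFrontS3WebsiteModuleBuildProject.Arn
              - !GetAtt SSMDocumentEBSVolumeModuleBuildProject.Arn
              - !GetAtt IotAnalyticsPipelineModuleBuildProject.Arn
              - !GetAtt AlternateContactBuildProject.Arn
              - !GetAtt KMSEncryptionSettingsBuildProject.Arn
              - !GetAtt ApplicationAutoscalingScheduledActionBuildProject.Arn
          # NOTE(review): kms:* on every key in the account is far wider than the
          # artifact-encryption use; the key policy below already names
          # PipelineRole for the Encrypt/Decrypt/GenerateDataKey it needs.
          - Action:
              - kms:*
            Effect: Allow
            Resource: "*"
          - Action:
              - sns:Publish
            Effect: Allow
            Resource: !Sub "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${PrefixLower}-${Env}-pipeline-topic"

  # PipelineKey continues beyond this part of the template; its key policy is
  # reproduced only as far as it is visible here.
  PipelineKey:
    Type: AWS::KMS::Key
    Metadata:
      Comment: Required for cross account deployment from beta CodePipeline to the prod bucket
    Condition: IsBeta
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      Description: This key is used by the CEP beta build process to deploy builds to the prod bucket
      KeyPolicy:
        Statement:
          # Key administration: the prod account root and this account's Admin role.
          - Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
              - kms:GenerateDataKey
              - kms:TagResource
              - kms:UntagResource
            Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${ProdAccountId}:root"
                - !Sub "arn:aws:iam::${AWS::AccountId}:role/Admin"
            Resource: "*"
          # Key usage: the pipeline role, the prod account, and the build roles.
          - Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Effect: Allow
            Principal:
              AWS:
                - !GetAtt PipelineRole.Arn
                - !Sub "arn:aws:iam::${ProdAccountId}:root"
                - !GetAtt HookEC2SecurityGroupRestrictedSSHBuildProjectRole.Arn
                - !GetAtt S3BucketNotificationBuildProjectRole.Arn
                - !GetAtt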
S3DeleteBucketContentsBuildProjectRole.Arn - !GetAtt ResourceLookupBuildProjectRole.Arn - !GetAtt DynamoDBItemBuildProjectRole.Arn - !GetAtt S3BucketVersioningEnabledBuildProjectRole.Arn - !GetAtt S3PublicAccessControlsRestrictedBuildProjectRole.Arn - !GetAtt TimeStaticBuildProjectRole.Arn - !GetAtt TimeSleepBuildProjectRole.Arn - !GetAtt TimeOffsetBuildProjectRole.Arn - !GetAtt AlternateContactBuildProjectRole.Arn - !GetAtt CloudFrontLoggingEnabledBuildProjectRole.Arn - !GetAtt CloudFrontWebAclAssociationBuildProjectRole.Arn - !GetAtt S3BucketModuleBuildProjectRole.Arn - !GetAtt CloudFrontS3WebsiteModuleBuildProjectRole.Arn - !GetAtt SSMDocumentEBSVolumeModuleBuildProjectRole.Arn - !GetAtt IotAnalyticsPipelineModuleBuildProjectRole.Arn - !GetAtt KMSEncryptionSettingsBuildProjectRole.Arn - !GetAtt ApplicationAutoscalingScheduledActionBuildProjectRole.Arn Resource: "*" MultiRegion: true PipelineKeyAlias: Type: AWS::KMS::Alias Condition: IsBeta Properties: AliasName: alias/cep-pipeline-publish-key TargetKeyId: !Ref PipelineKey Pipeline: Type: AWS::CodePipeline::Pipeline Metadata: Comment: This pipeline runs integ tests on all extensions, then drops the build into the prod account for publishing DependsOn: WaitForPipelinePolicy Properties: Name: !Sub "cep-${Env}-${PrefixLower}" RoleArn: !GetAtt PipelineRole.Arn ArtifactStore: !If - IsBeta - Type: S3 Location: !Ref ArtifactBucket EncryptionKey: Id: !Ref PipelineKey Type: KMS - Type: S3 Location: !Ref ArtifactBucket EncryptionKey: !Ref AWS::NoValue Stages: - Name: Source Actions: - Name: S3Source ActionTypeId: Category: Source Owner: AWS Provider: S3 Version: 1 Configuration: S3Bucket: !Ref SourceBucket S3ObjectKey: "source.zip" PollForSourceChanges: true OutputArtifacts: - Name: extensions-source - Name: Build Actions: - !If - IsNotProd - Name: BucketNotification InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref 
S3BucketNotificationBuildProject EnvironmentVariables: |- [ { "name": "RESOURCE_PATH", "type": "PLAINTEXT", "value": "resources/S3_BucketNotification" } ] RunOrder: 2 - !Ref AWS::NoValue # - Name: CloudFrontWebAclAssociation # InputArtifacts: # - Name: extensions-source # ActionTypeId: # Category: Build # Owner: AWS # Provider: CodeBuild # Version: 1 # Configuration: # ProjectName: !Ref CloudFrontWebAclAssociationBuildProject # EnvironmentVariables: |- # [ # { # "name": "RESOURCE_PATH", # "type": "PLAINTEXT", # "value": "resources/CloudFront_WebACLAssociation" # } # ] # RunOrder: 2 - Name: S3DeleteBucketContents InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref S3DeleteBucketContentsBuildProject EnvironmentVariables: |- [ { "name": "RESOURCE_PATH", "type": "PLAINTEXT", "value": "resources/S3_DeleteBucketContents" } ] RunOrder: 2 - Name: ResourceLookup InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref ResourceLookupBuildProject EnvironmentVariables: |- [ { "name": "RESOURCE_PATH", "type": "PLAINTEXT", "value": "resources/Resource_Lookup" } ] RunOrder: 2 - Name: DynamoDBItem InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref DynamoDBItemBuildProject # BatchEnabled: # !If # - IsProd # - true # - false EnvironmentVariables: |- [ { "name": "RESOURCE_PATH", "type": "PLAINTEXT", "value": "resources/DynamoDB_Item" } ] RunOrder: 2 - Name: TimeStatic InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref TimeStaticBuildProject # BatchEnabled: # !If # - IsProd # - true # - false EnvironmentVariables: |- [ { "name": "RESOURCE_PATH", "type": "PLAINTEXT", "value": "resources/Time_Static" } ] RunOrder: 2 
- Name: TimeSleep InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref TimeSleepBuildProject # BatchEnabled: # !If # - IsProd # - true # - false EnvironmentVariables: |- [ { "name": "RESOURCE_PATH", "type": "PLAINTEXT", "value": "resources/Time_Sleep" } ] RunOrder: 2 - Name: TimeOffset InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref TimeOffsetBuildProject # BatchEnabled: # !If # - IsProd # - true # - false EnvironmentVariables: |- [ { "name": "RESOURCE_PATH", "type": "PLAINTEXT", "value": "resources/Time_Offset" } ] RunOrder: 2 - Name: Account_AlternateContact InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref AlternateContactBuildProject EnvironmentVariables: |- [ { "name": "RESOURCE_PATH", "type": "PLAINTEXT", "value": "resources/Account_AlternateContact" } ] RunOrder: 2 - Name: S3BucketModule InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref S3BucketModuleBuildProject EnvironmentVariables: |- [ { "name": "MODULE_PATH", "type": "PLAINTEXT", "value": "modules/S3_Bucket" } ] RunOrder: 2 - Name: CloudFrontS3Website InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref CloudFrontS3WebsiteModuleBuildProject EnvironmentVariables: |- [ { "name": "MODULE_PATH", "type": "PLAINTEXT", "value": "modules/CloudFront_S3Website" } ] RunOrder: 2 - Name: SSMDocumentEBSVolumeModule InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref SSMDocumentEBSVolumeModuleBuildProject EnvironmentVariables: |- [ { "name": 
"MODULE_PATH", "type": "PLAINTEXT", "value": "modules/SSM_Document_ResizeVolume" } ] RunOrder: 2 - Name: IotAnalyticsPipelineModule InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref IotAnalyticsPipelineModuleBuildProject EnvironmentVariables: |- [ { "name": "MODULE_PATH", "type": "PLAINTEXT", "value": "modules/IOT_ANALYTICS_PIPELINE" } ] RunOrder: 2 - Name: S3BucketVersioningEnabled InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref S3BucketVersioningEnabledBuildProject EnvironmentVariables: |- [ { "name": "HOOK_PATH", "type": "PLAINTEXT", "value": "hooks/S3_BucketVersioningEnabled" } ] RunOrder: 3 - Name: HookEC2SecurityGroupRestrictedSSH InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref HookEC2SecurityGroupRestrictedSSHBuildProject EnvironmentVariables: |- [ { "name": "HOOK_PATH", "type": "PLAINTEXT", "value": "hooks/EC2_SecurityGroupRestrictedSSH" } ] RunOrder: 3 - Name: HookS3PublicAccessControlsRestricted InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref S3PublicAccessControlsRestrictedBuildProject EnvironmentVariables: |- [ { "name": "HOOK_PATH", "type": "PLAINTEXT", "value": "hooks/S3_PublicAccessControlsRestricted" } ] RunOrder: 4 - Name: KMSEncryptionSettings InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref KMSEncryptionSettingsBuildProject EnvironmentVariables: |- [ { "name": "HOOK_PATH", "type": "PLAINTEXT", "value": "hooks/KMS_EncryptionSettings" } ] RunOrder: 4 - Name: ApplicationAutoscalingScheduledAction InputArtifacts: - Name: extensions-source ActionTypeId: Category: Build 
Owner: AWS Provider: CodeBuild Version: 1 Configuration: ProjectName: !Ref ApplicationAutoscalingScheduledActionBuildProject EnvironmentVariables: |- [ { "name": "RESOURCE_PATH", "type": "PLAINTEXT", "value": "resources/ApplicationAutoscaling_ScheduledAction" } ] RunOrder: 1 - !If - IsBeta - Name: CopyBuildToProd Actions: - Name: Copy RoleArn: !Sub "arn:aws:iam::${ProdAccountId}:role/community-registry-extensions-publish-role" InputArtifacts: - Name: extensions-source ActionTypeId: Category: Deploy Owner: AWS Provider: S3 Version: 1 Configuration: BucketName: !Sub "cep-source-${ProdAccountId}-prod-${PrefixLower}" Extract: false ObjectKey: source.zip KMSEncryptionKeyARN: !GetAtt PipelineKey.Arn - !Ref AWS::NoValue # - Name: CloudFrontLoggingEnabled # InputArtifacts: # - Name: extensions-source # ActionTypeId: # Category: Build # Owner: AWS # Provider: CodeBuild # Version: 1 # Configuration: # ProjectName: !Ref CloudFrontLoggingEnabledBuildProject # BatchEnabled: true # EnvironmentVariables: |- # [ # { # "name": "HOOK_PATH", # "type": "PLAINTEXT", # "value": "hooks/CloudFront_LoggingEnabled" # } # ] # RunOrder: 2 PublishBuildBucketRole: Type: AWS::IAM::Role Condition: IsBeta Metadata: Comment: Allows the beta account to put builds into the prod bucket Properties: RoleName: cep-publish-role AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - s3.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: put-builds PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: s3:PutObject Resource: - !Sub "arn:aws:s3:::cep-source-${ProdAccountId}-prod-${PrefixLower}" - !Sub "arn:aws:s3:::cep-source-${ProdAccountId}-prod-${PrefixLower}/*" PipelineTopic: Type: AWS::SNS::Topic Metadata: Comment: Topic for pipeline notifications DependsOn: Pipeline Properties: TopicName: !Sub "${PrefixLower}-${Env}-pipeline-topic" Subscription: - Endpoint: !Ref NotificationEmail Protocol: email WaitForPipelinePolicy: Type: 
Custom::Delay DependsOn: - PipelinePolicy Properties: ServiceToken: !GetAtt DelayFunction.Arn SecondsToSleep: 20 WaitForPipeline: Type: Custom::Delay DependsOn: - Pipeline Properties: ServiceToken: !GetAtt DelayFunction.Arn SecondsToSleep: 10 WaitForTopic: Type: Custom::Delay DependsOn: - PipelineTopic - PipelineTopicPolicy Properties: ServiceToken: !GetAtt DelayFunction.Arn SecondsToSleep: 10 PipelineTopicPolicy: Type: AWS::SNS::TopicPolicy Properties: PolicyDocument: Id: MyTopicPolicy Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - events.amazonaws.com Action: sns:Publish Resource: !Ref PipelineTopic Topics: - !Ref PipelineTopic PipelineEventRole: Type: AWS::IAM::Role Metadata: Comment: Allows the event rule to push to the topic Properties: RoleName: !Sub "cep-${Env}-${PrefixLower}-pipeline-event-role" AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - events.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: put-events PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: sns:Publish Resource: !Ref PipelineTopic PipelineEventRule: Type: AWS::Events::Rule DependsOn: WaitForTopic Properties: Description: Watch for pipeline success and failure EventPattern: source: - aws.codepipeline detail-type: - CodePipeline Pipeline Execution State Change detail: pipeline: - !Ref Pipeline state: - SUCCEEDED - FAILED Name: !Sub "cep-${PrefixLower}-${Env}-pipelines" Targets: - Arn: !Sub "arn:aws:sns:us-east-1:${AWS::AccountId}:${PrefixLower}-${Env}-pipeline-topic" Id: pipeline-topic-target InputTransformer: InputTemplate: '"The pipeline from account has at ."' InputPathsMap: pipeline: "$.detail.pipeline" state: "$.detail.state" at: "$.time" account: "$.account" # Prod account resources PublishBuildBucketPolicy: Type: AWS::S3::BucketPolicy Condition: IsProd Metadata: Comment: Allows the beta account to drop builds into the prod account. 
Properties: Bucket: !Ref SourceBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: BetaAccountPut Effect: Allow Principal: AWS: - !Sub "arn:aws:iam::${BetaAccountId}:root" - !GetAtt PublishCrossAccountRole.Arn Action: s3:PutObject Resource: - !Sub "arn:aws:s3:::cep-source-${ProdAccountId}-prod-${PrefixLower}" - !Sub "arn:aws:s3:::cep-source-${ProdAccountId}-prod-${PrefixLower}/*" StackSetAdministrationRole: Type: AWS::IAM::Role Condition: IsProd Properties: RoleName: AWSCloudFormationStackSetAdministrationRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: cloudformation.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: AssumeRole-AWSCloudFormationStackSetExecutionRole PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - sts:AssumeRole Resource: - !Sub "arn:aws:iam::${AWS::AccountId}:role/AWSCloudFormationStackSetExecutionRole" StackSetExecutionRole: Type: AWS::IAM::Role Condition: IsProd Metadata: Comment: We can limit this role to this account, since we are using stack sets to deploy across all regions, but not to multiple accounts Properties: RoleName: AWSCloudFormationStackSetExecutionRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: !Sub "${AWS::AccountId}" Action: - sts:AssumeRole Path: / StackSetExecutionPolicy: Type: AWS::IAM::Policy Condition: IsProd Properties: Roles: - !Ref StackSetExecutionRole PolicyName: cep-stack-set-execution PolicyDocument: Statement: - Action: - iam:CreateRole - iam:DeleteRole - iam:GetRole - iam:PutRolePolicy - iam:DeleteRolePolicy - iam:GetRolePolicy - iam:PassRole Effect: Allow Resource: "*" - Action: - codebuild:* Effect: Allow Resource: "*" - Action: - codepipeline:* Effect: Allow Resource: "*" - Action: - s3:* Effect: Allow Resource: "*" - Action: - events:* Effect: Allow Resource: "*" - Action: - cloudformation:* Effect: Allow Resource: "*" - Action: - sns:* Effect: Allow Resource: "*" 
- Action: - codestar-notifications:* Effect: Allow Resource: "*" PublishCrossAccountRole: Type: AWS::IAM::Role Condition: IsProd Metadata: Comment: Assumed by codepipeline in the beta account to access the prod source bucket Properties: RoleName: community-registry-extensions-publish-role AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: - !Sub "arn:aws:iam::${BetaAccountId}:root" Action: sts:AssumeRole Path: / Policies: - PolicyName: cross-account-pipeline-deploy PolicyDocument: Version: 2012-10-17 Statement: - Action: - s3:Get* - s3:List* - s3:Put* Effect: Allow Resource: - !Sub "arn:aws:s3:::cep-source-${ProdAccountId}-prod-${PrefixLower}" - !Sub "arn:aws:s3:::cep-source-${ProdAccountId}-prod-${PrefixLower}/*" - !Sub "arn:aws:s3:::cep-beta-${BetaAccountId}-artifacts" - !Sub "arn:aws:s3:::cep-beta-${BetaAccountId}-artifacts/*" - Action: - kms:Encrypt - kms:Decrypt - kms:ReEncrypt - kms:GenerateDataKey* - kms:DescribeKey Effect: Allow Resource: - !Sub "arn:aws:kms:${AWS::Region}:${BetaAccountId}:key/*" # Delay Function to solve race conditions where the resource is not actually ready DelayFunctionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: "lambda-logs" PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: - "arn:aws:logs:*:*:*" DelayFunction: Type: AWS::Lambda::Function Properties: Handler: delay.handler Timeout: 120 Role: !GetAtt DelayFunctionRole.Arn Runtime: python3.7 Code: !Rain::S3 Path: ../delay.py Zip: true BucketProperty: S3Bucket KeyProperty: S3Key MemorySize: 1024