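# CloudFormation template: IAM service roles for a CodePipeline/CodeBuild pipeline.
#
# Changes versus the previous revision (all within the template's own stated scope):
#   * Version fields are quoted so YAML parsers do not coerce them to dates.
#   * CodeBuild's S3 grant is scoped to the two buckets this template takes as
#     parameters, matching the CodePipeline role, instead of every bucket in the
#     account ('arn:aws:s3:::*').
#   * iam:PassRole is limited with iam:PassedToService to the services this
#     pipeline policy already integrates with (review note: the visible pipeline
#     actions do not appear to require PassRole at all; remove the statement if a
#     test deployment confirms it is unused).
#   * Both trust policies carry an aws:SourceAccount condition so only resources
#     in this account can assume the roles (cross-service confused-deputy guard).
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates IAM roles for pipeline.

Parameters:
  ArtifactBucket:
    Type: String
    Description: S3 bucket name used to store build artifacts.
    AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
    ConstraintDescription: >-
      Quick Start bucket name can include numbers, lowercase letters,
      uppercase letters, and hyphens (-). It cannot start or end with a
      hyphen (-).
  WebsiteBucket:
    Type: String
    Description: S3 bucket name used to host website content.
    AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
    ConstraintDescription: >-
      Website bucket name can include numbers, lowercase letters,
      uppercase letters, and hyphens (-). It cannot start or end with a
      hyphen (-).

Resources:
  # Role assumed by CodeBuild projects: CloudWatch Logs, the two pipeline
  # buckets, and test-report publishing.
  CodeBuildServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: 'sts:AssumeRole'
            # Only CodeBuild resources in this account may assume the role.
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref 'AWS::AccountId'
      Path: /
      Policies:
        - PolicyName: !Sub 'CICD-CodeBuildService-${AWS::Region}'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Build logs under the CodeBuild log-group prefix only.
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource:
                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*'
                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*:*'
              # Pipeline artifacts and website content. Scoped to the buckets
              # declared in Parameters; add further bucket ARNs here if a build
              # legitimately needs them rather than widening back to '*'.
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketAcl'
                  - 's3:GetBucketLocation'
                Resource:
                  - !Sub 'arn:aws:s3:::${ArtifactBucket}'
                  - !Sub 'arn:aws:s3:::${ArtifactBucket}/*'
                  - !Sub 'arn:aws:s3:::${WebsiteBucket}'
                  - !Sub 'arn:aws:s3:::${WebsiteBucket}/*'
              # Test-report publishing for report groups in this account/region.
              - Effect: Allow
                Action:
                  - 'codebuild:CreateReportGroup'
                  - 'codebuild:CreateReport'
                  - 'codebuild:UpdateReport'
                  - 'codebuild:BatchPutTestCases'
                Resource: !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*'

  # Role assumed by the pipeline itself to orchestrate source, build and deploy
  # actions.
  CodePipelineServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: 'sts:AssumeRole'
            # Only pipelines in this account may assume the role.
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref 'AWS::AccountId'
      Path: /
      Policies:
        - PolicyName: !Sub 'CICD-CodePipelineService-${AWS::Region}'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Artifact store and website bucket (read/write, versioned).
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketVersioning'
                  - 's3:PutObject'
                Resource:
                  - !Sub 'arn:aws:s3:::${ArtifactBucket}'
                  - !Sub 'arn:aws:s3:::${ArtifactBucket}/*'
                  - !Sub 'arn:aws:s3:::${WebsiteBucket}'
                  - !Sub 'arn:aws:s3:::${WebsiteBucket}/*'
              # PassRole on '*' without a condition would let the pipeline hand
              # any role in the account to any service; restrict the receiving
              # service to the ones this policy already grants actions for.
              - Effect: Allow
                Action: 'iam:PassRole'
                Resource: '*'
                Condition:
                  StringEqualsIfExists:
                    'iam:PassedToService':
                      - codebuild.amazonaws.com
                      - codedeploy.amazonaws.com
              # Build stage.
              - Effect: Allow
                Action:
                  - 'codebuild:BatchGetBuilds'
                  - 'codebuild:StartBuild'
                Resource: '*'
              # Deploy stage.
              - Effect: Allow
                Action:
                  - 'codedeploy:CreateDeployment'
                  - 'codedeploy:GetApplication'
                  - 'codedeploy:GetApplicationRevision'
                  - 'codedeploy:GetDeployment'
                  - 'codedeploy:GetDeploymentConfig'
                  - 'codedeploy:RegisterApplicationRevision'
                Resource: '*'
              # Source stage (CodeCommit).
              - Effect: Allow
                Action:
                  - 'codecommit:CancelUploadArchive'
                  - 'codecommit:GetBranch'
                  - 'codecommit:GetCommit'
                  - 'codecommit:GetUploadArchiveStatus'
                  - 'codecommit:UploadArchive'
                Resource: '*'

Outputs:
  CodePipelineRoleArn:
    Description: Code Pipeline service role arn
    Value: !GetAtt CodePipelineServiceRole.Arn
  CodeBuildRoleArn:
    Description: Code Build service role arn
    Value: !GetAtt CodeBuildServiceRole.Arn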