---
AWSTemplateFormatVersion: '2010-09-09'
Description: A template that brings up a code pipeline that builds and signs artifacts

Parameters:
  BuildAndSignCodePipelineName:
    Type: String
    Description: The name of the code pipeline
    Default: artifact-build-sign-pipeline
  BuildspecsExtractCodeBuildProjectName:
    Type: String
    Description: The name of the buildspec extractor project
    Default: buildspec-extractor
  AmdBuildCodeBuildProjectName:
    Type: String
    Description: The name of the AMD build project
    Default: amd-artifact-build
  ArmBuildCodeBuildProjectName:
    Type: String
    Description: The name of the ARM build project
    Default: arm-artifact-build
  UbuntuAmdBuildCodeBuildProjectName:
    Type: String
    Description: The name of the Ubuntu AMD build project (builds .deb)
    Default: ubuntu-amd-artifact-build
  UbuntuArmBuildCodeBuildProjectName:
    Type: String
    Description: The name of the Ubuntu ARM build project (builds .deb)
    Default: ubuntu-arm-artifact-build
  SigningCodeBuildProjectName:
    Type: String
    Description: The name of the signing project
    Default: artifact-sign
  SigningCodeBuildProjectCustomImageUri:
    Type: String
    Description: A custom ECR image to use with the signing project; can be left blank to use the default CodeBuild image
    Default: ''
  SigningCodeBuildProjectCustomImageRepositoryArn:
    Type: String
    Description: The ARN of the ECR repository where the custom image is stored; ignored if SigningCodeBuildProjectCustomImageUri is blank
    Default: ''
  CopyCodeBuildProjectName:
    Type: String
    Description: The name of the copy project
    Default: artifact-copy
  LogsPullerCodeBuildProjectName:
    Type: String
    Description: The name of the logs puller project
    Default: log-puller
  MakeJSONCodeBuildProjectName:
    Type: String
    Description: The name of the release config builder project
    Default: make-json
  CodeBuildLogGroupName:
    Type: String
    Description: The name of the log group to push build logs to
    Default: build-and-sign-logs
  LogGroupRetentionPeriodInDays:
    Type: Number
    Description: The number of days to retain CloudWatch logs; the allowed values exist because CloudWatch Logs only accepts certain day values
    Default: 180
    AllowedValues:
      - 1
      - 3
      - 5
      - 7
      - 14
      - 30
      - 60
      - 90
      - 120
      - 150
      - 180
      - 365
      - 400
      - 545
      - 731
      - 1827
      - 3653
  ReleaseArtifactsBucketName:
    Type: String
    Description: The name of the bucket where things land at the end; this is assumed to already exist
  ReleaseArtifactsBucketArn:
    Type: String
    Description: The ARN of the bucket where things land at the end; this is assumed to already exist
  ReleaseArtifactsBucketS3Uri:
    Type: String
    Description: The URI of the bucket where things land at the end; this is assumed to already exist (e.g. s3://artifacts)
  CodeStarConnectionArn:
    Type: String
    Description: The ARN of the connection to use to connect to GitHub
  GithubFullRepoName:
    Type: String
    Description: The name of the repository that we want to use (e.g. aws/amazon-ecs-agent)
  GithubBranchName:
    Type: String
    Description: The name of the branch to use to build (e.g. mainline, dev)
  GithubSourceBranchName:
    Type: String
    Description: The name of the source branch (e.g. dev, featureBranch)
  SecretKeyArn:
    Type: String
    Description: The ARN of the secret key
  PassphraseArn:
    Type: String
    Description: The ARN of the passphrase

Conditions:
  UseCustomSigningImage: !Not [!Equals [!Ref 'SigningCodeBuildProjectCustomImageUri', '']]

Resources:
  CodeBuildLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Ref CodeBuildLogGroupName
      RetentionInDays: !Ref LogGroupRetentionPeriodInDays

  # Pipeline artifact store: encrypted at rest, versioned, and closed to public access
  BuildAndSignCodePipelineArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'codepipeline-${AWS::Region}-${AWS::AccountId}-artifacts'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Buildspec extraction
  BuildspecsExtractCodeBuildProjectServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'buildspecs-extract-codebuild-project-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: codebuild-buildspec-extract-base-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CloudWatchLogsAccess
                Effect: Allow
                Resource:
                  - !GetAtt CodeBuildLogGroup.Arn
                  - !Sub '${CodeBuildLogGroup.Arn}:*'
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              - Sid: ArtifactBucketAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*'
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
              - Sid: CodeBuildCodeStarConnectionAccess
                Effect: Allow
                Resource:
                  - !Ref CodeStarConnectionArn
                Action:
                  - codestar-connections:UseConnection
              - Sid: CodeBuildCreateReportAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${BuildspecsExtractCodeBuildProjectName}-*'
                Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages

  BuildspecsExtractCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: CODEPIPELINE
      ConcurrentBuildLimit: 10
      Description: CodeBuild project to extract buildspecs from the source repo
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      LogsConfig:
        CloudWatchLogs:
          GroupName: !Ref CodeBuildLogGroupName
          Status: ENABLED
          StreamName: !Ref BuildspecsExtractCodeBuildProjectName
      Name: !Ref BuildspecsExtractCodeBuildProjectName
      QueuedTimeoutInMinutes: 60
      ServiceRole: !Ref BuildspecsExtractCodeBuildProjectServiceRole
      Source:
        BuildSpec: buildspecs/extract.yml
        Type: CODEPIPELINE
      TimeoutInMinutes: 60

  # AMD build (Docker image tarball and RPM)
  AmdBuildCodeBuildProjectServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'amd-build-codebuild-project-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: amd-codebuild-build-base-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CloudWatchLogsAccess
                Effect: Allow
                Resource:
                  - !GetAtt CodeBuildLogGroup.Arn
                  - !Sub '${CodeBuildLogGroup.Arn}:*'
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              - Sid: ArtifactBucketAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*'
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
              - Sid: CodeBuildCodeStarConnectionAccess
                Effect: Allow
                Resource:
                  - !Ref CodeStarConnectionArn
                Action:
                  - codestar-connections:UseConnection
              - Sid: CodeBuildCreateReportAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${AmdBuildCodeBuildProjectName}-*'
                Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages

  AmdBuildCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: CODEPIPELINE
      ConcurrentBuildLimit: 10
      Description: CodeBuild project to build the ECS Agent Docker image tarball and RPM
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      LogsConfig:
        CloudWatchLogs:
          GroupName: !Ref CodeBuildLogGroupName
          Status: ENABLED
          StreamName: !Ref AmdBuildCodeBuildProjectName
      Name: !Ref AmdBuildCodeBuildProjectName
      QueuedTimeoutInMinutes: 60
      ServiceRole: !Ref AmdBuildCodeBuildProjectServiceRole
      Source:
        BuildSpec: buildspecs/merge-build.yml
        Type: CODEPIPELINE
      TimeoutInMinutes: 60

  # Ubuntu AMD build (.deb packages)
  UbuntuAmdBuildCodeBuildProjectServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'ubuntu-amd-build-codebuild-project-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: ubuntu-codebuild-build-base-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CloudWatchLogsAccess
                Effect: Allow
                Resource:
                  - !GetAtt CodeBuildLogGroup.Arn
                  - !Sub '${CodeBuildLogGroup.Arn}:*'
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              - Sid: ArtifactBucketAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*'
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
              - Sid: CodeBuildCodeStarConnectionAccess
                Effect: Allow
                Resource:
                  - !Ref CodeStarConnectionArn
                Action:
                  - codestar-connections:UseConnection
              - Sid: CodeBuildCreateReportAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${UbuntuAmdBuildCodeBuildProjectName}-*'
                Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages

  UbuntuAmdBuildCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: CODEPIPELINE
      ConcurrentBuildLimit: 10
      Description: CodeBuild project running an Ubuntu docker image to build the ECS Agent deb packages
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: 'public.ecr.aws/lts/ubuntu:20.04'
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      LogsConfig:
        CloudWatchLogs:
          GroupName: !Ref CodeBuildLogGroupName
          Status: ENABLED
          StreamName: !Ref UbuntuAmdBuildCodeBuildProjectName
      Name: !Ref UbuntuAmdBuildCodeBuildProjectName
      QueuedTimeoutInMinutes: 60
      ServiceRole: !Ref UbuntuAmdBuildCodeBuildProjectServiceRole
      Source:
        BuildSpec: buildspecs/merge-build-ubuntu.yml
        Type: CODEPIPELINE
      TimeoutInMinutes: 60

  # ARM build (Docker image tarball)
  ArmBuildCodeBuildProjectServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'arm-build-codebuild-project-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: arm-codebuild-build-base-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CloudWatchLogsAccess
                Effect: Allow
                Resource:
                  - !GetAtt CodeBuildLogGroup.Arn
                  - !Sub '${CodeBuildLogGroup.Arn}:*'
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              - Sid: ArtifactBucketAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*'
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
              - Sid: CodeBuildCodeStarConnectionAccess
                Effect: Allow
                Resource:
                  - !Ref CodeStarConnectionArn
                Action:
                  - codestar-connections:UseConnection
              - Sid: CodeBuildCreateReportAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ArmBuildCodeBuildProjectName}-*'
                Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages

  ArmBuildCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: CODEPIPELINE
      ConcurrentBuildLimit: 10
      Description: CodeBuild project to build the ECS Agent Docker image tarball
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/amazonlinux2-aarch64-standard:2.0
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: ARM_CONTAINER
      LogsConfig:
        CloudWatchLogs:
          GroupName: !Ref CodeBuildLogGroupName
          Status: ENABLED
          StreamName: !Ref ArmBuildCodeBuildProjectName
      Name: !Ref ArmBuildCodeBuildProjectName
      QueuedTimeoutInMinutes: 60
      ServiceRole: !Ref ArmBuildCodeBuildProjectServiceRole
      Source:
        BuildSpec: buildspecs/merge-build.yml
        Type: CODEPIPELINE
      TimeoutInMinutes: 60

  # Ubuntu ARM build (.deb packages)
  UbuntuArmBuildCodeBuildProjectServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'ubuntu-arm-build-codebuild-project-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: ubuntu-codebuild-build-base-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CloudWatchLogsAccess
                Effect: Allow
                Resource:
                  - !GetAtt CodeBuildLogGroup.Arn
                  - !Sub '${CodeBuildLogGroup.Arn}:*'
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              - Sid: ArtifactBucketAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*'
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
              - Sid: CodeBuildCodeStarConnectionAccess
                Effect: Allow
                Resource:
                  - !Ref CodeStarConnectionArn
                Action:
                  - codestar-connections:UseConnection
              - Sid: CodeBuildCreateReportAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${UbuntuArmBuildCodeBuildProjectName}-*'
                Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages

  UbuntuArmBuildCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: CODEPIPELINE
      ConcurrentBuildLimit: 10
      Description: CodeBuild project running an Ubuntu docker image to build the ECS Agent deb packages
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: 'public.ecr.aws/lts/ubuntu:20.04'
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: ARM_CONTAINER
      LogsConfig:
        CloudWatchLogs:
          GroupName: !Ref CodeBuildLogGroupName
          Status: ENABLED
          StreamName: !Ref UbuntuArmBuildCodeBuildProjectName
      Name: !Ref UbuntuArmBuildCodeBuildProjectName
      QueuedTimeoutInMinutes: 60
      ServiceRole: !Ref UbuntuArmBuildCodeBuildProjectServiceRole
      Source:
        BuildSpec: buildspecs/merge-build-ubuntu.yml
        Type: CODEPIPELINE
      TimeoutInMinutes: 60

  # Signing
  SigningCodeBuildProjectServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'signing-codebuild-project-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: codebuild-signing-base-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CloudWatchLogsAccess
                Effect: Allow
                Resource:
                  - !GetAtt CodeBuildLogGroup.Arn
                  - !Sub '${CodeBuildLogGroup.Arn}:*'
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              - Sid: ArtifactBucketAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*'
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
              - Sid: CodeBuildCreateReportAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${SigningCodeBuildProjectName}-*'
                Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages
        # Only the signing role may read the signing key and passphrase, and only those two secrets
        - PolicyName: codebuild-secretsmanager-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: SecretsManagerAccess
                Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource:
                  - !Ref SecretKeyArn
                  - !Ref PassphraseArn
        # Attached only when a custom signing image is configured.
        # Pulling an image needs GetAuthorizationToken plus the three read actions
        # (BatchCheckLayerAvailability, GetDownloadUrlForLayer, BatchGetImage);
        # the push actions below are broader than image pull requires.
        - !If
          - UseCustomSigningImage
          - PolicyName: codebuild-custom-ecr-image-policy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Sid: EcrGetAuthTokenAccess
                  Effect: Allow
                  Action:
                    - ecr:GetAuthorizationToken
                  Resource: '*'
                - Sid: EcrImageAccess
                  Effect: Allow
                  Action:
                    - ecr:BatchCheckLayerAvailability
                    - ecr:GetDownloadUrlForLayer
                    - ecr:BatchGetImage
                    - ecr:PutImage
                    - ecr:InitiateLayerUpload
                    - ecr:UploadLayerPart
                    - ecr:CompleteLayerUpload
                  Resource:
                    - !Ref SigningCodeBuildProjectCustomImageRepositoryArn
          - !Ref AWS::NoValue

  SigningCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref SigningCodeBuildProjectName
      Description: A CodeBuild project that signs artifacts that were built earlier
      ConcurrentBuildLimit: 10
      ServiceRole: !GetAtt SigningCodeBuildProjectServiceRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        ImagePullCredentialsType: !If
          - UseCustomSigningImage
          - SERVICE_ROLE
          - CODEBUILD
        Image: !If
          - UseCustomSigningImage
          - !Ref SigningCodeBuildProjectCustomImageUri
          - aws/codebuild/amazonlinux2-x86_64-standard:3.0
        EnvironmentVariables:
          # The passphrase is resolved from Secrets Manager at build time and never stored in the template;
          # only the ARN of the private key is passed in plaintext, the key itself is fetched by the buildspec
          - Name: PASSPHRASE
            Type: SECRETS_MANAGER
            Value: !Ref PassphraseArn
          - Name: PRIVATE_KEY_ARN
            Type: PLAINTEXT
            Value: !Ref SecretKeyArn
      Source:
        BuildSpec: buildspecs/signing.yml
        Type: CODEPIPELINE
      TimeoutInMinutes: 60
      QueuedTimeoutInMinutes: 480
      LogsConfig:
        CloudWatchLogs:
          GroupName: !Ref CodeBuildLogGroupName
          Status: ENABLED
          StreamName: !Ref SigningCodeBuildProjectName

  # Release config JSON
  MakeJSONCodeBuildProjectServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'make-json-codebuild-project-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: codebuild-copy-base-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CloudWatchLogsAccess
                Effect: Allow
                Resource:
                  - !GetAtt CodeBuildLogGroup.Arn
                  - !Sub '${CodeBuildLogGroup.Arn}:*'
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              - Sid: ArtifactBucketAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*'
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
              - Sid: ResultsBucketAccess
                Effect: Allow
                Resource:
                  - !Ref ReleaseArtifactsBucketArn
                  - !Sub '${ReleaseArtifactsBucketArn}/*'
                Action: s3:*
              - Sid: CodeBuildCreateReportAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${MakeJSONCodeBuildProjectName}-*'
                Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages

  MakeJSONCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref MakeJSONCodeBuildProjectName
      Description: A CodeBuild project that prepares a release config JSON file
      ConcurrentBuildLimit: 10
      ServiceRole: !GetAtt MakeJSONCodeBuildProjectServiceRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        ImagePullCredentialsType: CODEBUILD
        Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
        EnvironmentVariables:
          - Name: RESULTS_BUCKET_URI
            Type: PLAINTEXT
            Value: !Ref ReleaseArtifactsBucketS3Uri
          - Name: GITHUB_SOURCE_BRANCH_NAME
            Type: PLAINTEXT
            Value: !Ref GithubSourceBranchName
      Source:
        BuildSpec: buildspecs/release-config.yml
        Type: CODEPIPELINE
      TimeoutInMinutes: 60
      QueuedTimeoutInMinutes: 480
      LogsConfig:
        CloudWatchLogs:
          GroupName: !Ref CodeBuildLogGroupName
          Status: ENABLED
          StreamName: !Ref MakeJSONCodeBuildProjectName

  # Copy to the release bucket
  CopyCodeBuildProjectServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'copy-codebuild-project-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: codebuild-copy-base-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CloudWatchLogsAccess
                Effect: Allow
                Resource:
                  - !GetAtt CodeBuildLogGroup.Arn
                  - !Sub '${CodeBuildLogGroup.Arn}:*'
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              - Sid: ArtifactBucketAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*'
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
              - Sid: ResultsBucketAccess
                Effect: Allow
                Resource:
                  - !Ref ReleaseArtifactsBucketArn
                  - !Sub '${ReleaseArtifactsBucketArn}/*'
                Action: s3:*
              - Sid: CodeBuildCreateReportAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${CopyCodeBuildProjectName}-*'
                Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages

  CopyCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref CopyCodeBuildProjectName
      Description: A CodeBuild project that copies provided input artifacts to S3
      ConcurrentBuildLimit: 10
      ServiceRole: !GetAtt CopyCodeBuildProjectServiceRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        ImagePullCredentialsType: CODEBUILD
        Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
        EnvironmentVariables:
          - Name: RESULTS_BUCKET_URI
            Type: PLAINTEXT
            Value: !Ref ReleaseArtifactsBucketS3Uri
          - Name: GITHUB_SOURCE_BRANCH_NAME
            Type: PLAINTEXT
            Value: !Ref GithubSourceBranchName
      Source:
        BuildSpec: buildspecs/copy.yml
        Type: CODEPIPELINE
      TimeoutInMinutes: 60
      QueuedTimeoutInMinutes: 480
      LogsConfig:
        CloudWatchLogs:
          GroupName: !Ref CodeBuildLogGroupName
          Status: ENABLED
          StreamName: !Ref CopyCodeBuildProjectName

  # Export build logs to the release bucket
  LogsPullerCodeBuildProjectServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'logs-puller-codebuild-project-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: codebuild-logs-puller-base-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CloudWatchLogsAccess
                Effect: Allow
                Resource:
                  - !GetAtt CodeBuildLogGroup.Arn
                  - !Sub '${CodeBuildLogGroup.Arn}:*'
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              # Export tasks are account-level operations, hence the '*' resource
              - Sid: CloudWatchLogsExportAccess
                Effect: Allow
                Resource: '*'
                Action:
                  - logs:CreateExportTask
                  - logs:DescribeExportTasks
              - Sid: ArtifactBucketAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*'
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
              - Sid: ResultsBucketAccess
                Effect: Allow
                Resource:
                  - !Ref ReleaseArtifactsBucketArn
                  - !Sub '${ReleaseArtifactsBucketArn}/*'
                Action: s3:*
              - Sid: CodeBuildCreateReportAccess
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${LogsPullerCodeBuildProjectName}-*'
                Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages

  LogsPullerCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref LogsPullerCodeBuildProjectName
      Description: A CodeBuild project that pulls logs from CloudWatch Logs and moves them to S3
      ConcurrentBuildLimit: 10
      ServiceRole: !GetAtt LogsPullerCodeBuildProjectServiceRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        ImagePullCredentialsType: CODEBUILD
        Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
        EnvironmentVariables:
          - Name: RELEASE_BUCKET_NAME
            Type: PLAINTEXT
            Value: !Ref ReleaseArtifactsBucketName
          - Name: SOURCE_LOG_GROUP_NAME
            Type: PLAINTEXT
            Value: !Ref CodeBuildLogGroupName
      Source:
        BuildSpec: buildspecs/pull-logs.yml
        Type: CODEPIPELINE
      TimeoutInMinutes: 60
      QueuedTimeoutInMinutes: 480
      LogsConfig:
        CloudWatchLogs:
          GroupName: !Ref CodeBuildLogGroupName
          Status: ENABLED
          # Stream name matches this project's own name so its logs are not mixed into the copy project's stream
          StreamName: !Ref LogsPullerCodeBuildProjectName

  # Pipeline
  BuildAndSignCodePipelineServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'build-and-sign-codepipeline-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codepipeline.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: build-and-sign-codepipeline-base-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # PassRole is limited by condition to the listed services only
              - Sid: CodePipelinePassRoleAccess
                Effect: Allow
                Resource: '*'
                Action:
                  - iam:PassRole
                Condition:
                  StringEqualsIfExists:
                    iam:PassedToService:
                      - cloudformation.amazonaws.com
                      - elasticbeanstalk.amazonaws.com
                      - ec2.amazonaws.com
                      - ecs-tasks.amazonaws.com
              - Sid: CodePipelineGithubConnectionsAccess
                Effect: Allow
                Resource: '*'
                Action:
                  - codestar-connections:UseConnection
              # s3:* on every bucket is broader than the pipeline needs; it can be scoped
              # to the artifact store and the release bucket
              - Sid: CodePipelineReadAndWriteToS3Access
                Effect: Allow
                Resource: '*'
                Action:
                  - s3:*
              - Sid: CodePipelineCodeBuildAccess
                Effect: Allow
                Resource: '*'
                Action:
                  - codebuild:BatchGetBuilds
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuildBatches
                  - codebuild:StartBuildBatch

  BuildAndSignCodePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Ref BuildAndSignCodePipelineName
      RoleArn: !GetAtt BuildAndSignCodePipelineServiceRole.Arn
      ArtifactStore:
        Type: S3
        Location: !Sub 'codepipeline-${AWS::Region}-${AWS::AccountId}-artifacts'
      Stages:
        - Name: Source
          Actions:
            - Name: Github
              InputArtifacts: []
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: '1'
                Provider: CodeStarSourceConnection
              Configuration:
                ConnectionArn: !Ref CodeStarConnectionArn
                FullRepositoryId: !Ref GithubFullRepoName
                BranchName: !Ref GithubBranchName
                OutputArtifactFormat: CODEBUILD_CLONE_REF
              OutputArtifacts:
                - Name: SourceArtifact
              RunOrder: 1
              Namespace: SourceVariables
        - Name: Extract
          Actions:
            - Name: Buildspecs
              InputArtifacts:
                - Name: SourceArtifact
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref BuildspecsExtractCodeBuildProject
              OutputArtifacts:
                - Name: Buildspecs
              RunOrder: 1
              Namespace: BuildspecsExtractVariables
        - Name: Build
          Actions:
            - Name: MakeAmd
              InputArtifacts:
                - Name: SourceArtifact
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref AmdBuildCodeBuildProject
                EnvironmentVariables: '[{"name":"GIT_COMMIT_SHA","value":"#{SourceVariables.CommitId}","type":"PLAINTEXT"}]'
              OutputArtifacts:
                - Name: AmdBuildArtifact
              RunOrder: 1
              Namespace: AmdBuildVariables
            - Name: MakeUbuntuAmd
              InputArtifacts:
                - Name: SourceArtifact
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref UbuntuAmdBuildCodeBuildProject
                EnvironmentVariables: '[{"name":"GIT_COMMIT_SHA","value":"#{SourceVariables.CommitId}","type":"PLAINTEXT"}]'
              OutputArtifacts:
                - Name: UbuntuAmdBuildArtifact
              RunOrder: 1
              Namespace: UbuntuAmdBuildVariables
            - Name: MakeArm
              InputArtifacts:
                - Name: SourceArtifact
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref ArmBuildCodeBuildProject
                EnvironmentVariables: '[{"name":"GIT_COMMIT_SHA","value":"#{SourceVariables.CommitId}","type":"PLAINTEXT"}]'
              OutputArtifacts:
                - Name: ArmBuildArtifact
              RunOrder: 1
              Namespace: ArmBuildVariables
            - Name: MakeUbuntuArm
              InputArtifacts:
                - Name: SourceArtifact
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref UbuntuArmBuildCodeBuildProject
                EnvironmentVariables: '[{"name":"GIT_COMMIT_SHA","value":"#{SourceVariables.CommitId}","type":"PLAINTEXT"}]'
              OutputArtifacts:
                - Name: UbuntuArmBuildArtifact
              RunOrder: 1
              Namespace: UbuntuArmBuildVariables
        - Name: Sign
          Actions:
            - Name: GPG
              InputArtifacts:
                - Name: Buildspecs
                - Name: UbuntuAmdBuildArtifact
                - Name: UbuntuArmBuildArtifact
                - Name: AmdBuildArtifact
                - Name: ArmBuildArtifact
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref SigningCodeBuildProject
                PrimarySource: Buildspecs
                # Agent version and git short sha env variables to generate file names for signing
                EnvironmentVariables: '[{"name":"AGENT_VERSION","value":"#{AmdBuildVariables.AGENT_VERSION}","type":"PLAINTEXT"},{"name":"GIT_COMMIT_SHORT_SHA","value":"#{AmdBuildVariables.GIT_COMMIT_SHORT_SHA}","type":"PLAINTEXT"},{"name":"INIT_VERSION","value":"#{AmdBuildVariables.INIT_VERSION}","type":"PLAINTEXT"}]'
              OutputArtifacts:
                - Name: SignedArtifact
              RunOrder: 1
              Namespace: SigningVariables
        - Name: ReleaseConfig
          Actions:
            - Name: MakeJSON
              # SourceArtifact as input to access the github repository
              # To run git short sha command in buildspec
              InputArtifacts:
                - Name: Buildspecs
                - Name: SignedArtifact
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref MakeJSONCodeBuildProject
                PrimarySource: Buildspecs
                EnvironmentVariables: '[{"name":"GIT_COMMIT_SHA","value":"#{SourceVariables.CommitId}","type":"PLAINTEXT"},{"name":"AGENT_VERSION","value":"#{AmdBuildVariables.AGENT_VERSION}","type":"PLAINTEXT"},{"name":"GIT_COMMIT_SHORT_SHA","value":"#{AmdBuildVariables.GIT_COMMIT_SHORT_SHA}","type":"PLAINTEXT"}]'
              OutputArtifacts:
                - Name: JSONArtifact
              RunOrder: 1
              Namespace: JSONVariables
        - Name: Copy
          Actions:
            - Name: ToS3
              InputArtifacts:
                - Name: Buildspecs
                - Name: SignedArtifact
                - Name: JSONArtifact
                - Name: AmdBuildArtifact
                - Name: ArmBuildArtifact
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref CopyCodeBuildProject
                PrimarySource: Buildspecs
                EnvironmentVariables: '[{"name":"GIT_COMMIT_SHA","value":"#{SourceVariables.CommitId}","type":"PLAINTEXT"}]'
              RunOrder: 1
              Namespace: CopyVariables
        - Name: ExportLogs
          Actions:
            - Name: ToS3
              InputArtifacts:
                - Name: Buildspecs
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref LogsPullerCodeBuildProject
                # Build IDs of every earlier stage so their log streams can be exported alongside the release
                EnvironmentVariables: '[{"name":"GIT_COMMIT_SHA","value":"#{SourceVariables.CommitId}","type":"PLAINTEXT"},{"name":"EXTRACT_BUILD_ID","value":"#{BuildspecsExtractVariables.CODEBUILD_BUILD_ID}","type":"PLAINTEXT"},{"name":"AMD_BUILD_ID","value":"#{AmdBuildVariables.CODEBUILD_BUILD_ID}","type":"PLAINTEXT"},{"name":"ARM_BUILD_ID","value":"#{ArmBuildVariables.CODEBUILD_BUILD_ID}","type":"PLAINTEXT"},{"name":"SIGNING_BUILD_ID","value":"#{SigningVariables.CODEBUILD_BUILD_ID}","type":"PLAINTEXT"},{"name":"COPY_BUILD_ID","value":"#{CopyVariables.CODEBUILD_BUILD_ID}","type":"PLAINTEXT"}]'
              RunOrder: 1
              Namespace: LogsPullerVariables