BuildProjectRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - codebuild.amazonaws.com
          Action:
            - sts:AssumeRole
    Path: /
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess' # for env ls
      - 'arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess' # for service package
    {{- if .PermissionsBoundary}}
    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/{{.PermissionsBoundary}}'
    {{- end}}
    Policies:
      - PolicyName: assume-env-manager
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          {{- range $stage := .Stages}}
          - Effect: Allow
            Resource: 'arn:aws:iam::{{$stage.AccountID}}:role/{{$.AppName}}-{{$stage.Name}}-EnvManagerRole'
            Action:
              - sts:AssumeRole
          {{- end }}

BuildProjectPolicy:
  Type: AWS::IAM::Policy
  DependsOn: BuildProjectRole
  Properties:
    PolicyName: !Sub ${AWS::StackName}-CodeBuildPolicy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - codebuild:CreateReportGroup
            - codebuild:CreateReport
            - codebuild:UpdateReport
            - codebuild:BatchPutTestCases
            - codebuild:BatchPutCodeCoverages
          Resource: !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/pipeline-{{$.AppName}}-*
        - Effect: Allow
          Action:
            - s3:PutObject
            - s3:GetObject
            - s3:GetObjectVersion
          # TODO: This might not be necessary. We may only need the bucket
          # that is in the same region as the pipeline.
          # Loop through all the artifact buckets created in the stackset
          Resource:{{range .ArtifactBuckets}}
          - !Join ['', ['arn:aws:s3:::', '{{.BucketName}}']]
          - !Join ['', ['arn:aws:s3:::', '{{.BucketName}}', '/*']]{{end}}
        - Effect: Allow
          Action:
            # TODO: scope this down if possible
            - kms:*
          # TODO: This might not be necessary. We may only need the KMS key
          # that is in the same region as the pipeline.
          # Loop through all the KMS keys used to en/decrypt artifacts
          # across (cross-regional) pipeline stages, with each stage
          # backed by a (regional) S3 bucket.
          Resource:{{range .ArtifactBuckets}}
          - {{.KeyArn}}{{end}}
        - Effect: Allow
          Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
          Resource: arn:aws:logs:*:*:*
        - Effect: Allow
          Action:
            - ecr:GetAuthorizationToken
          Resource: '*'
        - Effect: Allow
          Action:
            - ecr:DescribeImageScanFindings
            - ecr:GetLifecyclePolicyPreview
            - ecr:GetDownloadUrlForLayer
            - ecr:BatchGetImage
            - ecr:DescribeImages
            - ecr:ListTagsForResource
            - ecr:BatchCheckLayerAvailability
            - ecr:GetLifecyclePolicy
            - ecr:GetRepositoryPolicy
            - ecr:PutImage
            - ecr:InitiateLayerUpload
            - ecr:UploadLayerPart
            - ecr:CompleteLayerUpload
          Resource: '*'
          Condition: {StringEquals: {'ecr:ResourceTag/copilot-application': {{$.AppName}}}}
        {{- if ne .Source.ProviderName "GitHubV1" }} {{- if eq .Source.OutputArtifactFormat "CODEBUILD_CLONE_REF" }}
        # Add the policy needed to use CODEBUILD_CLONE_REF.
        {{- if eq .Source.ProviderName "CodeCommit" }}
        - Effect: Allow
          Action:
            - codecommit:GitPull
          Resource: !Sub 'arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:{{.Source.Repository}}'
        {{- else if isCodeStarConnection .Source }}
        - Effect: Allow
          Action:
            - codestar-connections:UseConnection
          {{- if eq .Source.ConnectionARN ""}}
          Resource: !Ref SourceConnection
          {{- else}}
          Resource: {{$.Source.Connection}}
          {{- end }} {{/* endif eq .Source.ConnectionARN "" */}}
        {{- end }} {{/* if eq .Source.ProviderName "CodeCommit" */}}
        {{- end }} {{/* endif ne .Source.OutputArtifactFormat "" */}}{{- end }} {{/* endif ne .Source.ProviderName "GitHubV1" */}}
    Roles:
      - !Ref BuildProjectRole

{{- if .Build.AdditionalPolicyDocument }}
BuildProjectAdditionalPolicy:
  Type: 'AWS::IAM::Policy'
  Properties:
    PolicyName: !Sub ${AWS::StackName}-BuildProjectAdditionalPolicy
    PolicyDocument:
{{.Build.AdditionalPolicyDocument | indent 8}}
    Roles:
      - !Ref BuildProjectRole
{{- end}}

BuildProject:
  Type: AWS::CodeBuild::Project
  Properties:
    Name: !Sub ${AWS::StackName}-BuildProject
    Description: !Sub Build for ${AWS::StackName}
    # ArtifactKey is the KMS key ID or ARN that is used with the artifact bucket
    # created in the same region as this pipeline.
    EncryptionKey: !ImportValue {{$.AppName}}-ArtifactKey
    ServiceRole: !GetAtt BuildProjectRole.Arn
    Artifacts:
      Type: CODEPIPELINE
    {{- if or (eq .Build.EnvironmentType "LINUX_CONTAINER") (eq .Build.EnvironmentType "ARM_CONTAINER")}}
    Cache:
      Modes:
        - LOCAL_DOCKER_LAYER_CACHE
      Type: LOCAL
    {{- else }}
    Cache:
      Type: "NO_CACHE"
    {{- end }}
    Environment:
      Type: {{.Build.EnvironmentType}}
      ComputeType: BUILD_GENERAL1_SMALL
      PrivilegedMode: true
      Image: {{.Build.Image}}
      EnvironmentVariables:
        - Name: AWS_ACCOUNT_ID
          Value: !Sub '${AWS::AccountId}'
        - Name: PARTITION
          Value: !Ref AWS::Partition
    Source:
      Type: CODEPIPELINE
      BuildSpec: {{.Build.BuildspecPath}}
    TimeoutInMinutes: 60