# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
description:  |
  ### Document Name - ASR-ReplaceCodeBuildClearTextCredentials

  ## What does this document do?
  This document is used to replace environment variables containing clear text credentials in a CodeBuild project with Amazon EC2 Systems Manager Parameters.

  ## Input Parameters
  * ProjectName: (Required) Name of the CodeBuild project (not the ARN).
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.

  ## Output Parameters
  * CreateParameters.Parameters - results of the API calls to create SSM parameters
  * CreateParameters.Policy - result of the API call to create an IAM policy for the project to access the new parameters
  * CreateParameters.AttachResponse - result of the API call to attach the new IAM policy to the project service role
  * UpdateProject.Output - result of the API call to update the project environment with the new parameters
schemaVersion: "0.3"
assumeRole: "{{ AutomationAssumeRole }}"
outputs:
  - CreateParameters.Parameters
  - CreateParameters.Policy
  - CreateParameters.AttachResponse
  - UpdateProject.Output
parameters:
  ProjectName:
    type: String
    description: (Required) The project name (not the ARN).
    allowedPattern: ^[A-Za-z0-9][A-Za-z0-9\-_]{1,254}$
  AutomationAssumeRole:
    type: String
    description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'
mainSteps:
  - name: BatchGetProjects
    action: "aws:executeAwsApi"
    description: |
      ## BatchGetProjects
      Gets information about one or more build projects.
    inputs:
      Service: codebuild
      Api: BatchGetProjects
      names: [ "{{ ProjectName }}" ]
    isCritical: true
    maxAttempts: 2
    timeoutSeconds: 600
    outputs:
      - Name: ProjectInfo
        Selector: $.projects[0]
        Type: StringMap
  - name: CreateParameters
    action: "aws:executeScript"
    description: |
      ## CreateParameters
      Parses project environment variables for credentials.
      Creates SSM parameters.
      Returns new project environment variables and SSM parameter information (without values).
    timeoutSeconds: 600
    isCritical: true
    inputs:
      Runtime: python3.8
      Handler: replace_credentials
      InputPayload:
        ProjectInfo: "{{ BatchGetProjects.ProjectInfo }}"
      Script: |-
        %%SCRIPT=ReplaceCodeBuildClearTextCredentials.py%%
    outputs:
      - Name: UpdatedProjectEnv
        Selector: $.Payload.UpdatedProjectEnv
        Type: StringMap
      - Name: Parameters
        Selector: $.Payload.Parameters
        Type: MapList
      - Name: Policy
        Selector: $.Payload.Policy
        Type: StringMap
      - Name: AttachResponse
        Selector: $.Payload.AttachResponse
        Type: StringMap
  - name: UpdateProject
    action: "aws:executeAwsApi"
    description: |
      ## UpdateProject
      Changes the settings of a build project.
    isEnd: true
    inputs:
      Service: codebuild
      Api: UpdateProject
      name: "{{ ProjectName }}"
      environment: "{{ CreateParameters.UpdatedProjectEnv }}"
    isCritical: true
    maxAttempts: 2
    timeoutSeconds: 600
    outputs:
      - Name: Output
        Selector: $.Payload.output
        Type: StringMap