Transform: AWS::Serverless-2016-10-31
Resources:
  CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Statement:
          - Action: kms:*
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
            Resource: "*"
        Version: "2012-10-17"
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/ArtifactsBucketEncryptionKey/Resource
  CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKeyAliasB1396C5D:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/codepipeline-delivlibtestcodecommitpipelinebuildpipeline5be6878f
      TargetKeyId:
        Fn::GetAtt:
          - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
          - Arn
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/ArtifactsBucketEncryptionKeyAlias/Resource
  CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              KMSMasterKeyID:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                  - Arn
              SSEAlgorithm: aws:kms
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/ArtifactsBucket/Resource
  CodeCommitPipelineBuildPipelineArtifactsBucketPolicy97EF6204:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
      PolicyDocument:
        Statement:
          - Action: s3:*
            Condition:
              Bool:
                aws:SecureTransport: "false"
            Effect: Deny
            Principal:
              AWS: "*"
            Resource:
              - Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                        - Arn
                    - /*
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/ArtifactsBucket/Policy/Resource
  CodeCommitPipelineBuildPipelineRole1843599A:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Role/Resource
  CodeCommitPipelineBuildPipelineRoleDefaultPolicy94C30F44:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
              - s3:DeleteObject*
              - s3:PutObject
              - s3:PutObjectLegalHold
              - s3:PutObjectRetention
              - s3:PutObjectTagging
              - s3:PutObjectVersionTagging
              - s3:Abort*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                        - Arn
                    - /*
          - Action:
              - kms:Decrypt
              - kms:DescribeKey
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineBuildCodePipelineActionRoleF95CDA16
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineTestTestHelloLinuxCodePipelineActionRole8FAC0642
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineTestTestHelloWindowsCodePipelineActionRole9316936E
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineTestTestAssumeRoleCodePipelineActionRole8A7F2D7D
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineTestActionGenerateTwoArtifactsCodePipelineActionRoleD657FD04
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelinePublishNpmPublishCodePipelineActionRoleCAA948F0
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelinePublishNuGetPublishCodePipelineActionRole515B871C
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelinePublishMavenPublishCodePipelineActionRoleB41F452E
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelinePublishGitHubPublishCodePipelineActionRole17D6E0C9
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelinePublishGitHubPagesPublishCodePipelineActionRoleEEE32F4A
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelinePublishPyPIPublishCodePipelineActionRole05AF99D5
                - Arn
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelinePublishGolangPublishCodePipelineActionRole365FF3C7
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelineRoleDefaultPolicy94C30F44
      Roles:
        - Ref: CodeCommitPipelineBuildPipelineRole1843599A
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Role/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipeline656B8CCB:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      RoleArn:
        Fn::GetAtt:
          - CodeCommitPipelineBuildPipelineRole1843599A
          - Arn
      Stages:
        - Actions:
            - ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Provider: GitHub
                Version: "1"
              Configuration:
                Owner: awslabs
                Repo: aws-delivlib-sample
                Branch: master
                OAuthToken: "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:712950704752:secret:github-token-QDP6QX:SecretString:::}}"
                PollForSourceChanges: false
              Name: Pull
              OutputArtifacts:
                - Name: Source
              RunOrder: 1
          Name: Source
        - Actions:
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineBuildProject9F59E8AA
              InputArtifacts:
                - Name: Source
              Name: Build
              OutputArtifacts:
                - Name: Artifact_Build_Build
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineBuildCodePipelineActionRoleF95CDA16
                  - Arn
              RunOrder: 1
          Name: Build
        - Actions:
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineHelloLinuxCB82AB68
              InputArtifacts:
                - Name: Artifact_Build_Build
              Name: TestHelloLinux
              OutputArtifacts:
                - Name: Artifact_c883e6647f907b1eb255846397acb348c18b48b3a2
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineTestTestHelloLinuxCodePipelineActionRole8FAC0642
                  - Arn
              RunOrder: 1
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineHelloWindows61CA8F73
              InputArtifacts:
                - Name: Artifact_Build_Build
              Name: TestHelloWindows
              OutputArtifacts:
                - Name: Artifact_c841b1bdd02c8dd629e3593235a8c4b73d361a30be
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineTestTestHelloWindowsCodePipelineActionRole9316936E
                  - Arn
              RunOrder: 1
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineAssumeRole05A76F51
              InputArtifacts:
                - Name: Artifact_Build_Build
              Name: TestAssumeRole
              OutputArtifacts:
                - Name: Artifact_c8681ea53827139c363558663e59350c1c894a3e54
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineTestTestAssumeRoleCodePipelineActionRole8A7F2D7D
                  - Arn
              RunOrder: 1
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineGenerateTwoArtifactsA9DAD33B
              InputArtifacts:
                - Name: Artifact_Build_Build
              Name: ActionGenerateTwoArtifacts
              OutputArtifacts:
                - Name: Artifact_c8e859296b521c19119769864a1f8ff14746ebd0c1
                - Name: artifact2
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineTestActionGenerateTwoArtifactsCodePipelineActionRoleD657FD04
                  - Arn
              RunOrder: 1
          Name: Test
        - Actions:
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineNpm0D31AEFC
              InputArtifacts:
                - Name: Artifact_Build_Build
              Name: NpmPublish
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelinePublishNpmPublishCodePipelineActionRoleCAA948F0
                  - Arn
              RunOrder: 1
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineNuGet67CE1BA7
              InputArtifacts:
                - Name: Artifact_Build_Build
              Name: NuGetPublish
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelinePublishNuGetPublishCodePipelineActionRole515B871C
                  - Arn
              RunOrder: 1
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineMavenB7154296
              InputArtifacts:
                - Name: Artifact_Build_Build
              Name: MavenPublish
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelinePublishMavenPublishCodePipelineActionRoleB41F452E
                  - Arn
              RunOrder: 1
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineGitHub0797840C
                PrimarySource: Artifact_Build_Build
              InputArtifacts:
                - Name: Artifact_Build_Build
                - Name: Artifact_c8e859296b521c19119769864a1f8ff14746ebd0c1
                - Name: artifact2
              Name: GitHubPublish
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelinePublishGitHubPublishCodePipelineActionRole17D6E0C9
                  - Arn
              RunOrder: 1
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineGitHubPages53B77CF6
              InputArtifacts:
                - Name: Artifact_Build_Build
              Name: GitHubPagesPublish
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelinePublishGitHubPagesPublishCodePipelineActionRoleEEE32F4A
                  - Arn
              RunOrder: 1
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelinePyPI2C59CE7B
              InputArtifacts:
                - Name: Artifact_Build_Build
              Name: PyPIPublish
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelinePublishPyPIPublishCodePipelineActionRole05AF99D5
                  - Arn
              RunOrder: 1
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName:
                  Ref: CodeCommitPipelineGolangBDFA17A1
              InputArtifacts:
                - Name: Artifact_Build_Build
              Name: GolangPublish
              RoleArn:
                Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelinePublishGolangPublishCodePipelineActionRole365FF3C7
                  - Arn
              RunOrder: 1
          Name: Publish
      ArtifactStore:
        EncryptionKey:
          Id:
            Fn::GetAtt:
              - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
              - Arn
          Type: KMS
        Location:
          Ref: CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
        Type: S3
      RestartExecutionOnUpdate: true
    DependsOn:
      - CodeCommitPipelineBuildPipelineRoleDefaultPolicy94C30F44
      - CodeCommitPipelineBuildPipelineRole1843599A
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Resource
  CodeCommitPipelineBuildPipelineSourcePullWebhookResource0898F523:
    Type: AWS::CodePipeline::Webhook
    Properties:
      Authentication: GITHUB_HMAC
      AuthenticationConfiguration:
        SecretToken: "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:712950704752:secret:github-token-QDP6QX:SecretString:::}}"
      Filters:
        - JsonPath: $.ref
          MatchEquals: refs/heads/{Branch}
      TargetAction: Pull
      TargetPipeline:
        Ref: CodeCommitPipelineBuildPipeline656B8CCB
      TargetPipelineVersion: 1
      RegisterWithThirdParty: true
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Source/Pull/WebhookResource
  CodeCommitPipelineBuildPipelineBuildCodePipelineActionRoleF95CDA16:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Build/Build/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelineBuildCodePipelineActionRoleDefaultPolicy7735849D:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildProject9F59E8AA
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelineBuildCodePipelineActionRoleDefaultPolicy7735849D
      Roles:
        - Ref: CodeCommitPipelineBuildPipelineBuildCodePipelineActionRoleF95CDA16
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Build/Build/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelineTestTestHelloLinuxCodePipelineActionRole8FAC0642:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Test/TestHelloLinux/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelineTestTestHelloLinuxCodePipelineActionRoleDefaultPolicyDD449768:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineHelloLinuxCB82AB68
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelineTestTestHelloLinuxCodePipelineActionRoleDefaultPolicyDD449768
      Roles:
        - Ref: CodeCommitPipelineBuildPipelineTestTestHelloLinuxCodePipelineActionRole8FAC0642
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Test/TestHelloLinux/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelineTestTestHelloWindowsCodePipelineActionRole9316936E:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Test/TestHelloWindows/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelineTestTestHelloWindowsCodePipelineActionRoleDefaultPolicyFC7988F8:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineHelloWindows61CA8F73
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelineTestTestHelloWindowsCodePipelineActionRoleDefaultPolicyFC7988F8
      Roles:
        - Ref: CodeCommitPipelineBuildPipelineTestTestHelloWindowsCodePipelineActionRole9316936E
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Test/TestHelloWindows/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelineTestTestAssumeRoleCodePipelineActionRole8A7F2D7D:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Test/TestAssumeRole/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelineTestTestAssumeRoleCodePipelineActionRoleDefaultPolicy22EE0A3D:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineAssumeRole05A76F51
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelineTestTestAssumeRoleCodePipelineActionRoleDefaultPolicy22EE0A3D
      Roles:
        - Ref: CodeCommitPipelineBuildPipelineTestTestAssumeRoleCodePipelineActionRole8A7F2D7D
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Test/TestAssumeRole/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelineTestActionGenerateTwoArtifactsCodePipelineActionRoleD657FD04:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Test/ActionGenerateTwoArtifacts/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelineTestActionGenerateTwoArtifactsCodePipelineActionRoleDefaultPolicy23313445:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineGenerateTwoArtifactsA9DAD33B
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelineTestActionGenerateTwoArtifactsCodePipelineActionRoleDefaultPolicy23313445
      Roles:
        - Ref: CodeCommitPipelineBuildPipelineTestActionGenerateTwoArtifactsCodePipelineActionRoleD657FD04
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Test/ActionGenerateTwoArtifacts/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelinePublishNpmPublishCodePipelineActionRoleCAA948F0:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/NpmPublish/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelinePublishNpmPublishCodePipelineActionRoleDefaultPolicyA1E1E060:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineNpm0D31AEFC
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelinePublishNpmPublishCodePipelineActionRoleDefaultPolicyA1E1E060
      Roles:
        - Ref: CodeCommitPipelineBuildPipelinePublishNpmPublishCodePipelineActionRoleCAA948F0
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/NpmPublish/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelinePublishNuGetPublishCodePipelineActionRole515B871C:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/NuGetPublish/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelinePublishNuGetPublishCodePipelineActionRoleDefaultPolicy5224BD0C:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineNuGet67CE1BA7
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelinePublishNuGetPublishCodePipelineActionRoleDefaultPolicy5224BD0C
      Roles:
        - Ref: CodeCommitPipelineBuildPipelinePublishNuGetPublishCodePipelineActionRole515B871C
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/NuGetPublish/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelinePublishMavenPublishCodePipelineActionRoleB41F452E:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/MavenPublish/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelinePublishMavenPublishCodePipelineActionRoleDefaultPolicy07DE5816:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineMavenB7154296
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelinePublishMavenPublishCodePipelineActionRoleDefaultPolicy07DE5816
      Roles:
        - Ref: CodeCommitPipelineBuildPipelinePublishMavenPublishCodePipelineActionRoleB41F452E
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/MavenPublish/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelinePublishGitHubPublishCodePipelineActionRole17D6E0C9:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/GitHubPublish/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelinePublishGitHubPublishCodePipelineActionRoleDefaultPolicyF10F860F:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineGitHub0797840C
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelinePublishGitHubPublishCodePipelineActionRoleDefaultPolicyF10F860F
      Roles:
        - Ref: CodeCommitPipelineBuildPipelinePublishGitHubPublishCodePipelineActionRole17D6E0C9
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/GitHubPublish/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelinePublishGitHubPagesPublishCodePipelineActionRoleEEE32F4A:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/GitHubPagesPublish/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelinePublishGitHubPagesPublishCodePipelineActionRoleDefaultPolicyDE4085C1:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineGitHubPages53B77CF6
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelinePublishGitHubPagesPublishCodePipelineActionRoleDefaultPolicyDE4085C1
      Roles:
        - Ref: CodeCommitPipelineBuildPipelinePublishGitHubPagesPublishCodePipelineActionRoleEEE32F4A
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/GitHubPagesPublish/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelinePublishPyPIPublishCodePipelineActionRole05AF99D5:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/PyPIPublish/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelinePublishPyPIPublishCodePipelineActionRoleDefaultPolicyB6A54068:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelinePyPI2C59CE7B
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelinePublishPyPIPublishCodePipelineActionRoleDefaultPolicyB6A54068
      Roles:
        - Ref: CodeCommitPipelineBuildPipelinePublishPyPIPublishCodePipelineActionRole05AF99D5
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/PyPIPublish/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildPipelinePublishGolangPublishCodePipelineActionRole365FF3C7:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::712950704752:root
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/GolangPublish/CodePipelineActionRole/Resource
  CodeCommitPipelineBuildPipelinePublishGolangPublishCodePipelineActionRoleDefaultPolicyED342278:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - codebuild:StopBuild
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineGolangBDFA17A1
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildPipelinePublishGolangPublishCodePipelineActionRoleDefaultPolicyED342278
      Roles:
        - Ref: CodeCommitPipelineBuildPipelinePublishGolangPublishCodePipelineActionRole365FF3C7
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildPipeline/Publish/GolangPublish/CodePipelineActionRole/DefaultPolicy/Resource
  CodeCommitPipelineBuildProjectRoleC6347B6E:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildProject/Role/Resource
  CodeCommitPipelineBuildProjectRoleDefaultPolicy1184486E:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineBuildProject9F59E8AA
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineBuildProject9F59E8AA
                    - :*
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :codebuild:us-east-1:712950704752:report-group/
                  - Ref: CodeCommitPipelineBuildProject9F59E8AA
                  - -*
          - Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - logs:DescribeLogGroups
              - logs:CreateLogStream
              - logs:PutLogEvents
              - s3:GetEncryptionConfiguration
              - s3:PutObject
            Effect: Allow
            Resource: "*"
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
              - s3:DeleteObject*
              - s3:PutObject
              - s3:PutObjectLegalHold
              - s3:PutObjectRetention
              - s3:PutObjectTagging
              - s3:PutObjectVersionTagging
              - s3:Abort*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                        - Arn
                    - /*
          - Action:
              - kms:Decrypt
              - kms:DescribeKey
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineBuildProjectRoleDefaultPolicy1184486E
      Roles:
        - Ref: CodeCommitPipelineBuildProjectRoleC6347B6E
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildProject/Role/DefaultPolicy/Resource
  CodeCommitPipelineBuildProject9F59E8AA:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        EnvironmentVariables:
          - Name: DELIVLIB_ENV_TEST
            Type: PLAINTEXT
            Value: MAGIC_1924
        Image: public.ecr.aws/jsii/superchain:1-buster-slim-node18
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - CodeCommitPipelineBuildProjectRoleC6347B6E
          - Arn
      Source:
        Type: CODEPIPELINE
      Cache:
        Type: NO_CACHE
      EncryptionKey:
        Fn::GetAtt:
          - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
          - Arn
      TimeoutInMinutes: 480
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildProject/Resource
  CodeCommitPipelineBuildProjectOnBuildFailed2A08058D:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.codebuild
        detail:
          project-name:
            - Ref: CodeCommitPipelineBuildProject9F59E8AA
          build-status:
            - FAILED
        detail-type:
          - CodeBuild Build State Change
      State: ENABLED
      Targets:
        - Arn:
            Ref: CodeCommitPipelineNotificationsTopic36C2D667
          Id: Target0
          Input: '"aws-delivlib test pipeline build failed"'
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/BuildProject/OnBuildFailed/Resource
  CodeCommitPipelineNotificationsTopic36C2D667:
    Type: AWS::SNS::Topic
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/NotificationsTopic/Resource
  CodeCommitPipelineNotificationsTopicawscdkdevdelivlibtestamazoncom7F5014D8:
    Type: AWS::SNS::Subscription
    Properties:
      Protocol: email
      TopicArn:
        Ref: CodeCommitPipelineNotificationsTopic36C2D667
      Endpoint: aws-cdk-dev+delivlib-test@amazon.com
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/NotificationsTopic/aws-cdk-dev+delivlib-test@amazon.com/Resource
  CodeCommitPipelineNotificationsTopicPolicyBBE90C33:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action: sns:Publish
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Resource:
              Ref: CodeCommitPipelineNotificationsTopic36C2D667
            Sid: "0"
        Version: "2012-10-17"
      Topics:
        - Ref: CodeCommitPipelineNotificationsTopic36C2D667
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/NotificationsTopic/Policy/Resource
  CodeCommitPipelinePipelineWatcherPollerServiceRole0A1D8005:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/PipelineWatcher/Poller/ServiceRole/Resource
  CodeCommitPipelinePipelineWatcherPollerServiceRoleDefaultPolicyE2104AD1:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: cloudwatch:PutMetricData
            Condition:
              StringEquals:
                cloudwatch:namespace: CDK/Delivlib
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelinePipelineWatcherPollerServiceRoleDefaultPolicyE2104AD1
      Roles:
        - Ref: CodeCommitPipelinePipelineWatcherPollerServiceRole0A1D8005
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/PipelineWatcher/Poller/ServiceRole/DefaultPolicy/Resource
  CodeCommitPipelinePipelineWatcherPoller5C65ACDE:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: cdk-hnb659fds-assets-712950704752-us-east-1
        S3Key: 724c32a4245b8249d4f1c1f94df218273cc0e3bee1755fa7db527a9a8fcbe495.zip
      Role:
        Fn::GetAtt:
          - CodeCommitPipelinePipelineWatcherPollerServiceRole0A1D8005
          - Arn
      Environment:
        Variables:
          METRIC_NAMESPACE: CDK/Delivlib
          METRIC_NAME: Failures
      Handler: watcher-handler.handler
      Runtime: nodejs14.x
    DependsOn:
      - CodeCommitPipelinePipelineWatcherPollerServiceRoleDefaultPolicyE2104AD1
      - CodeCommitPipelinePipelineWatcherPollerServiceRole0A1D8005
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/PipelineWatcher/Poller/Resource
  CodeCommitPipelinePipelineWatcherTriggerA38A4AD0:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.codepipeline
        resources:
          - Fn::Join:
              - ""
              - - "arn:"
                - Ref: AWS::Partition
                - ":codepipeline:us-east-1:712950704752:"
                - Ref: CodeCommitPipelineBuildPipeline656B8CCB
        detail-type:
          - CodePipeline Action Execution State Change
          - CodePipeline Pipeline Execution State Change
        detail:
          state:
            - FAILED
            - SUCCEEDED
      State: ENABLED
      Targets:
        - Arn:
            Fn::GetAtt:
              - CodeCommitPipelinePipelineWatcherPoller5C65ACDE
              - Arn
          Id: Target0
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/PipelineWatcher/Trigger/Resource
  CodeCommitPipelinePipelineWatcherTriggerAllowEventRuledelivlibtestCodeCommitPipelinePipelineWatcherPoller7862623143029B4E:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
          - CodeCommitPipelinePipelineWatcherPoller5C65ACDE
          - Arn
      Principal: events.amazonaws.com
      SourceArn:
        Fn::GetAtt:
          - CodeCommitPipelinePipelineWatcherTriggerA38A4AD0
          - Arn
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/PipelineWatcher/Trigger/AllowEventRuledelivlibtestCodeCommitPipelinePipelineWatcherPoller78626231
  CodeCommitPipelinePipelineWatcherAlarm73779F48:
    Type: AWS::CloudWatch::Alarm
    Properties:
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: 1
      AlarmDescription: Pipeline aws-delivlib test pipeline has failed stages
      Dimensions:
        - Name: Pipeline
          Value:
            Ref: CodeCommitPipelineBuildPipeline656B8CCB
      MetricName: Failures
      Namespace: CDK/Delivlib
      Period: 300
      Statistic: Maximum
      Threshold: 1
      TreatMissingData: ignore
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/PipelineWatcher/Alarm/Resource
  CodeCommitPipelineHelloLinuxRole97734933:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/HelloLinux/Resource/Role/Resource
  CodeCommitPipelineHelloLinuxRoleDefaultPolicy234DABC6:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineHelloLinuxCB82AB68
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineHelloLinuxCB82AB68
                    - :*
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :codebuild:us-east-1:712950704752:report-group/
                  - Ref: CodeCommitPipelineHelloLinuxCB82AB68
                  - -*
          - Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - logs:DescribeLogGroups
              - logs:CreateLogStream
              - logs:PutLogEvents
              - s3:GetEncryptionConfiguration
              - s3:PutObject
            Effect: Allow
            Resource: "*"
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/*
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
              - s3:DeleteObject*
              - s3:PutObject
              - s3:PutObjectLegalHold
              - s3:PutObjectRetention
              - s3:PutObjectTagging
              - s3:PutObjectVersionTagging
              - s3:Abort*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                        - Arn
                    - /*
          - Action:
              - kms:Decrypt
              - kms:DescribeKey
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineHelloLinuxRoleDefaultPolicy234DABC6
      Roles:
        - Ref: CodeCommitPipelineHelloLinuxRole97734933
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/HelloLinux/Resource/Role/DefaultPolicy/Resource
  CodeCommitPipelineHelloLinuxCB82AB68:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        ComputeType: BUILD_GENERAL1_MEDIUM
        EnvironmentVariables:
          - Name: SCRIPT_S3_BUCKET
            Type: PLAINTEXT
            Value: cdk-hnb659fds-assets-712950704752-us-east-1
          - Name: SCRIPT_S3_KEY
            Type: PLAINTEXT
            Value: 3d34b07ba871989d030649c646b3096ba7c78ca531897bcdb0670774d2f9d3e4.zip
        Image: aws/codebuild/standard:4.0
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - CodeCommitPipelineHelloLinuxRole97734933
          - Arn
      Source:
        BuildSpec: |-
          {
            "version": "0.2",
            "phases": {
              "pre_build": {
                "commands": [
                  "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"",
                  "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp",
                  "mkdir -p /tmp/scriptdir",
                  "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir"
                ]
              },
              "build": {
                "commands": [
                  "export SCRIPT_DIR=/tmp/scriptdir",
                  "echo \"Running test.sh\"",
                  "/bin/bash /tmp/scriptdir/test.sh"
                ]
              }
            }
          }
        Type: NO_SOURCE
      Cache:
        Type: NO_CACHE
      EncryptionKey:
        Fn::GetAtt:
          - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
          - Arn
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/HelloLinux/Resource/Resource
  CodeCommitPipelineHelloLinuxOnBuildFailedD96AF043:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.codebuild
        detail:
          project-name:
            - Ref: CodeCommitPipelineHelloLinuxCB82AB68
          build-status:
            - FAILED
        detail-type:
          - CodeBuild Build State Change
      State: ENABLED
      Targets:
        - Arn:
            Ref: CodeCommitPipelineNotificationsTopic36C2D667
          Id: Target0
          Input: '"Test HelloLinux failed"'
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/HelloLinux/Resource/OnBuildFailed/Resource
  CodeCommitPipelineHelloLinuxAlarmE81F4D20:
    Type: AWS::CloudWatch::Alarm
    Properties:
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: 1
      Dimensions:
        - Name: ProjectName
          Value:
            Ref: CodeCommitPipelineHelloLinuxCB82AB68
      MetricName: FailedBuilds
      Namespace: AWS/CodeBuild
      Period: 300
      Statistic: Sum
      Threshold: 1
      TreatMissingData: ignore
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/HelloLinux/Alarm/Resource
  CodeCommitPipelineHelloWindowsRole769C073E:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/HelloWindows/Resource/Role/Resource CodeCommitPipelineHelloWindowsRoleDefaultPolicyA240EEEE: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :logs:us-east-1:712950704752:log-group:/aws/codebuild/ - Ref: CodeCommitPipelineHelloWindows61CA8F73 - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :logs:us-east-1:712950704752:log-group:/aws/codebuild/ - Ref: CodeCommitPipelineHelloWindows61CA8F73 - :* - Action: - codebuild:CreateReportGroup - codebuild:CreateReport - codebuild:UpdateReport - codebuild:BatchPutTestCases - codebuild:BatchPutCodeCoverages Effect: Allow Resource: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :codebuild:us-east-1:712950704752:report-group/ - Ref: CodeCommitPipelineHelloWindows61CA8F73 - -* - Action: - ssmmessages:CreateControlChannel - ssmmessages:CreateDataChannel - ssmmessages:OpenControlChannel - ssmmessages:OpenDataChannel - logs:DescribeLogGroups - logs:CreateLogStream - logs:PutLogEvents - s3:GetEncryptionConfiguration - s3:PutObject Effect: Allow Resource: "*" - Action: - s3:GetObject* - s3:GetBucket* - s3:List* Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1 - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/* - Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:DeleteObject* - s3:PutObject - s3:PutObjectLegalHold - s3:PutObjectRetention - s3:PutObjectTagging - s3:PutObjectVersionTagging - s3:Abort* Effect: Allow Resource: - Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3 - Arn - Fn::Join: - "" - - Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3 - Arn - /* - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - 
kms:GenerateDataKey* Effect: Allow Resource: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn - Action: - kms:Decrypt - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Resource: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn Version: "2012-10-17" PolicyName: CodeCommitPipelineHelloWindowsRoleDefaultPolicyA240EEEE Roles: - Ref: CodeCommitPipelineHelloWindowsRole769C073E Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/HelloWindows/Resource/Role/DefaultPolicy/Resource CodeCommitPipelineHelloWindows61CA8F73: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: NO_ARTIFACTS Environment: ComputeType: BUILD_GENERAL1_MEDIUM EnvironmentVariables: - Name: SCRIPT_S3_BUCKET Type: PLAINTEXT Value: cdk-hnb659fds-assets-712950704752-us-east-1 - Name: SCRIPT_S3_KEY Type: PLAINTEXT Value: 36b33307c18c06726950e481637d4439c34e56a89ae6e2f1725e2718095e0985.zip Image: aws/codebuild/windows-base:2019-1.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: false Type: WINDOWS_SERVER_2019_CONTAINER ServiceRole: Fn::GetAtt: - CodeCommitPipelineHelloWindowsRole769C073E - Arn Source: BuildSpec: |- { "version": "0.2", "phases": { "install": { "commands": [ "Import-Module \"C:\\ProgramData\\chocolatey\\helpers\\chocolateyProfile.psm1\"", "C:\\ProgramData\\chocolatey\\bin\\choco.exe upgrade nodejs-lts -y" ] }, "pre_build": { "commands": [] }, "build": { "commands": [ "Set-Variable -Name TEMPDIR -Value (New-TemporaryFile).DirectoryName", "aws s3 cp s3://$env:SCRIPT_S3_BUCKET/$env:SCRIPT_S3_KEY $TEMPDIR\\scripts.zip", "New-Item -ItemType Directory -Path $TEMPDIR\\scriptdir", "Expand-Archive -Path $TEMPDIR/scripts.zip -DestinationPath $TEMPDIR\\scriptdir", "$env:SCRIPT_DIR = \"$TEMPDIR\\scriptdir\"", "& $TEMPDIR\\scriptdir\\test.ps1" ] } } } Type: NO_SOURCE Cache: Type: NO_CACHE EncryptionKey: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn 
Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/HelloWindows/Resource/Resource CodeCommitPipelineHelloWindowsOnBuildFailed25F55C59: Type: AWS::Events::Rule Properties: EventPattern: source: - aws.codebuild detail: project-name: - Ref: CodeCommitPipelineHelloWindows61CA8F73 build-status: - FAILED detail-type: - CodeBuild Build State Change State: ENABLED Targets: - Arn: Ref: CodeCommitPipelineNotificationsTopic36C2D667 Id: Target0 Input: '"Test HelloWindows failed"' Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/HelloWindows/Resource/OnBuildFailed/Resource CodeCommitPipelineHelloWindowsAlarmB6D353FA: Type: AWS::CloudWatch::Alarm Properties: ComparisonOperator: GreaterThanOrEqualToThreshold EvaluationPeriods: 1 Dimensions: - Name: ProjectName Value: Ref: CodeCommitPipelineHelloWindows61CA8F73 MetricName: FailedBuilds Namespace: AWS/CodeBuild Period: 300 Statistic: Sum Threshold: 1 TreatMissingData: ignore Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/HelloWindows/Alarm/Resource CodeCommitPipelineAssumeRoleRole1186B781: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: codebuild.amazonaws.com Version: "2012-10-17" Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/AssumeRole/Resource/Role/Resource CodeCommitPipelineAssumeRoleRoleDefaultPolicy438D80DD: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :logs:us-east-1:712950704752:log-group:/aws/codebuild/ - Ref: CodeCommitPipelineAssumeRole05A76F51 - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :logs:us-east-1:712950704752:log-group:/aws/codebuild/ - Ref: CodeCommitPipelineAssumeRole05A76F51 - :* - Action: - codebuild:CreateReportGroup - codebuild:CreateReport - codebuild:UpdateReport - codebuild:BatchPutTestCases - 
codebuild:BatchPutCodeCoverages Effect: Allow Resource: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :codebuild:us-east-1:712950704752:report-group/ - Ref: CodeCommitPipelineAssumeRole05A76F51 - -* - Action: - ssmmessages:CreateControlChannel - ssmmessages:CreateDataChannel - ssmmessages:OpenControlChannel - ssmmessages:OpenDataChannel - logs:DescribeLogGroups - logs:CreateLogStream - logs:PutLogEvents - s3:GetEncryptionConfiguration - s3:PutObject Effect: Allow Resource: "*" - Action: - s3:GetObject* - s3:GetBucket* - s3:List* Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1 - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/* - Action: sts:AssumeRole Effect: Allow Resource: Fn::GetAtt: - AssumeMe924099BB - Arn - Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:DeleteObject* - s3:PutObject - s3:PutObjectLegalHold - s3:PutObjectRetention - s3:PutObjectTagging - s3:PutObjectVersionTagging - s3:Abort* Effect: Allow Resource: - Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3 - Arn - Fn::Join: - "" - - Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3 - Arn - /* - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Resource: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn - Action: - kms:Decrypt - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Resource: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn Version: "2012-10-17" PolicyName: CodeCommitPipelineAssumeRoleRoleDefaultPolicy438D80DD Roles: - Ref: CodeCommitPipelineAssumeRoleRole1186B781 Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/AssumeRole/Resource/Role/DefaultPolicy/Resource CodeCommitPipelineAssumeRole05A76F51: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: 
NO_ARTIFACTS Environment: ComputeType: BUILD_GENERAL1_MEDIUM EnvironmentVariables: - Name: SCRIPT_S3_BUCKET Type: PLAINTEXT Value: cdk-hnb659fds-assets-712950704752-us-east-1 - Name: SCRIPT_S3_KEY Type: PLAINTEXT Value: fa3b8e01a3815c9af6c66b1e4c986e8743a43f68fb763464198c94900c0c96da.zip - Name: EXPECTED_ROLE_NAME Type: PLAINTEXT Value: Ref: AssumeMe924099BB Image: aws/codebuild/standard:4.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: false Type: LINUX_CONTAINER ServiceRole: Fn::GetAtt: - CodeCommitPipelineAssumeRoleRole1186B781 - Arn Source: BuildSpec: Fn::Join: - "" - - |- { "version": "0.2", "phases": { "pre_build": { "commands": [ "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"", "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp", "mkdir -p /tmp/scriptdir", "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir", "creds=$(mktemp -d)/creds.json", "AWS_STS_REGIONAL_ENDPOINTS=legacy aws sts assume-role --role-arn \" - Fn::GetAtt: - AssumeMe924099BB - Arn - |- \" --role-session-name \"assume-role-test\" --external-id \"require-me-please\" > $creds", "export AWS_ACCESS_KEY_ID=\"$(cat ${creds} | grep \"AccessKeyId\" | cut -d'\"' -f 4)\"", "export AWS_SECRET_ACCESS_KEY=\"$(cat ${creds} | grep \"SecretAccessKey\" | cut -d'\"' -f 4)\"", "export AWS_SESSION_TOKEN=\"$(cat ${creds} | grep \"SessionToken\" | cut -d'\"' -f 4)\"" ] }, "build": { "commands": [ "export SCRIPT_DIR=/tmp/scriptdir", "echo \"Running test.sh\"", "/bin/bash /tmp/scriptdir/test.sh" ] } } } Type: NO_SOURCE Cache: Type: NO_CACHE EncryptionKey: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/AssumeRole/Resource/Resource CodeCommitPipelineAssumeRoleOnBuildFailed494CD87B: Type: AWS::Events::Rule Properties: EventPattern: source: - aws.codebuild detail: project-name: - Ref: CodeCommitPipelineAssumeRole05A76F51 build-status: - FAILED detail-type: - CodeBuild Build 
State Change State: ENABLED Targets: - Arn: Ref: CodeCommitPipelineNotificationsTopic36C2D667 Id: Target0 Input: '"Test AssumeRole failed"' Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/AssumeRole/Resource/OnBuildFailed/Resource CodeCommitPipelineAssumeRoleAlarm6D09484D: Type: AWS::CloudWatch::Alarm Properties: ComparisonOperator: GreaterThanOrEqualToThreshold EvaluationPeriods: 1 Dimensions: - Name: ProjectName Value: Ref: CodeCommitPipelineAssumeRole05A76F51 MetricName: FailedBuilds Namespace: AWS/CodeBuild Period: 300 Statistic: Sum Threshold: 1 TreatMissingData: ignore Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/AssumeRole/Alarm/Resource CodeCommitPipelineGenerateTwoArtifactsRole91D2CDCA: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: codebuild.amazonaws.com Version: "2012-10-17" Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/GenerateTwoArtifacts/Resource/Role/Resource CodeCommitPipelineGenerateTwoArtifactsRoleDefaultPolicy770BE7EA: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :logs:us-east-1:712950704752:log-group:/aws/codebuild/ - Ref: CodeCommitPipelineGenerateTwoArtifactsA9DAD33B - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :logs:us-east-1:712950704752:log-group:/aws/codebuild/ - Ref: CodeCommitPipelineGenerateTwoArtifactsA9DAD33B - :* - Action: - codebuild:CreateReportGroup - codebuild:CreateReport - codebuild:UpdateReport - codebuild:BatchPutTestCases - codebuild:BatchPutCodeCoverages Effect: Allow Resource: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :codebuild:us-east-1:712950704752:report-group/ - Ref: CodeCommitPipelineGenerateTwoArtifactsA9DAD33B - -* - Action: - ssmmessages:CreateControlChannel - ssmmessages:CreateDataChannel - ssmmessages:OpenControlChannel 
- ssmmessages:OpenDataChannel - logs:DescribeLogGroups - logs:CreateLogStream - logs:PutLogEvents - s3:GetEncryptionConfiguration - s3:PutObject Effect: Allow Resource: "*" - Action: - s3:GetObject* - s3:GetBucket* - s3:List* Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1 - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/* - Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:DeleteObject* - s3:PutObject - s3:PutObjectLegalHold - s3:PutObjectRetention - s3:PutObjectTagging - s3:PutObjectVersionTagging - s3:Abort* Effect: Allow Resource: - Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3 - Arn - Fn::Join: - "" - - Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3 - Arn - /* - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Resource: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn - Action: - kms:Decrypt - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Resource: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn Version: "2012-10-17" PolicyName: CodeCommitPipelineGenerateTwoArtifactsRoleDefaultPolicy770BE7EA Roles: - Ref: CodeCommitPipelineGenerateTwoArtifactsRole91D2CDCA Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/GenerateTwoArtifacts/Resource/Role/DefaultPolicy/Resource CodeCommitPipelineGenerateTwoArtifactsA9DAD33B: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: NO_ARTIFACTS Environment: ComputeType: BUILD_GENERAL1_MEDIUM EnvironmentVariables: - Name: SCRIPT_S3_BUCKET Type: PLAINTEXT Value: cdk-hnb659fds-assets-712950704752-us-east-1 - Name: SCRIPT_S3_KEY Type: PLAINTEXT Value: 3d34b07ba871989d030649c646b3096ba7c78ca531897bcdb0670774d2f9d3e4.zip Image: aws/codebuild/standard:4.0 ImagePullCredentialsType: CODEBUILD 
PrivilegedMode: false Type: LINUX_CONTAINER ServiceRole: Fn::GetAtt: - CodeCommitPipelineGenerateTwoArtifactsRole91D2CDCA - Arn Source: BuildSpec: |- { "version": "0.2", "phases": { "pre_build": { "commands": [ "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"", "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp", "mkdir -p /tmp/scriptdir", "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir" ] }, "build": { "commands": [ "export SCRIPT_DIR=/tmp/scriptdir", "echo \"Running void.sh\"", "/bin/bash /tmp/scriptdir/void.sh", "mkdir -p output1 output2", "echo '{\"name\": \"output1\", \"version\": \"1.2.3\", \"commit\": \"abcdef\"}' > output1/build.json", "echo '{\"name\": \"output2\", \"version\": \"1.2.3\", \"commit\": \"abcdef\"}' > output2/build.json" ] } }, "artifacts": { "secondary-artifacts": { "artifact2": { "base-directory": "output2", "files": [ "**/*" ] }, "Artifact_c8e859296b521c19119769864a1f8ff14746ebd0c1": { "base-directory": "output1", "files": [ "**/*" ] } } } } Type: NO_SOURCE Cache: Type: NO_CACHE EncryptionKey: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/GenerateTwoArtifacts/Resource/Resource CodeCommitPipelineGenerateTwoArtifactsAlarm4299580B: Type: AWS::CloudWatch::Alarm Properties: ComparisonOperator: GreaterThanOrEqualToThreshold EvaluationPeriods: 1 Dimensions: - Name: ProjectName Value: Ref: CodeCommitPipelineGenerateTwoArtifactsA9DAD33B MetricName: FailedBuilds Namespace: AWS/CodeBuild Period: 300 Statistic: Sum Threshold: 1 TreatMissingData: ignore Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/GenerateTwoArtifacts/Alarm/Resource CodeCommitPipelineCanaryHelloCanaryShellableRole65D634EB: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: codebuild.amazonaws.com Version: "2012-10-17" Metadata: aws:cdk:path: 
delivlib-test/CodeCommitPipeline/CanaryHelloCanary/Shellable/Resource/Role/Resource CodeCommitPipelineCanaryHelloCanaryShellableRoleDefaultPolicyD466B3CA: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :logs:us-east-1:712950704752:log-group:/aws/codebuild/ - Ref: CodeCommitPipelineCanaryHelloCanaryShellableC8458471 - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :logs:us-east-1:712950704752:log-group:/aws/codebuild/ - Ref: CodeCommitPipelineCanaryHelloCanaryShellableC8458471 - :* - Action: - codebuild:CreateReportGroup - codebuild:CreateReport - codebuild:UpdateReport - codebuild:BatchPutTestCases - codebuild:BatchPutCodeCoverages Effect: Allow Resource: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :codebuild:us-east-1:712950704752:report-group/ - Ref: CodeCommitPipelineCanaryHelloCanaryShellableC8458471 - -* - Action: - ssmmessages:CreateControlChannel - ssmmessages:CreateDataChannel - ssmmessages:OpenControlChannel - ssmmessages:OpenDataChannel - logs:DescribeLogGroups - logs:CreateLogStream - logs:PutLogEvents - s3:GetEncryptionConfiguration - s3:PutObject Effect: Allow Resource: "*" - Action: - s3:GetObject* - s3:GetBucket* - s3:List* Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1 - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/* Version: "2012-10-17" PolicyName: CodeCommitPipelineCanaryHelloCanaryShellableRoleDefaultPolicyD466B3CA Roles: - Ref: CodeCommitPipelineCanaryHelloCanaryShellableRole65D634EB Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/CanaryHelloCanary/Shellable/Resource/Role/DefaultPolicy/Resource CodeCommitPipelineCanaryHelloCanaryShellableC8458471: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: NO_ARTIFACTS Environment: 
ComputeType: BUILD_GENERAL1_MEDIUM EnvironmentVariables: - Name: SCRIPT_S3_BUCKET Type: PLAINTEXT Value: cdk-hnb659fds-assets-712950704752-us-east-1 - Name: SCRIPT_S3_KEY Type: PLAINTEXT Value: 3d34b07ba871989d030649c646b3096ba7c78ca531897bcdb0670774d2f9d3e4.zip - Name: IS_CANARY Type: PLAINTEXT Value: "true" Image: aws/codebuild/standard:4.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: false Type: LINUX_CONTAINER ServiceRole: Fn::GetAtt: - CodeCommitPipelineCanaryHelloCanaryShellableRole65D634EB - Arn Source: BuildSpec: |- { "version": "0.2", "phases": { "pre_build": { "commands": [ "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"", "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp", "mkdir -p /tmp/scriptdir", "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir" ] }, "build": { "commands": [ "export SCRIPT_DIR=/tmp/scriptdir", "echo \"Running test.sh\"", "/bin/bash /tmp/scriptdir/test.sh" ] } } } Type: NO_SOURCE Cache: Type: NO_CACHE EncryptionKey: alias/aws/s3 Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/CanaryHelloCanary/Shellable/Resource/Resource CodeCommitPipelineCanaryHelloCanaryShellableEventsRole0F756230: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: events.amazonaws.com Version: "2012-10-17" Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/CanaryHelloCanary/Shellable/Resource/EventsRole/Resource CodeCommitPipelineCanaryHelloCanaryShellableEventsRoleDefaultPolicy6CE0D6E4: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: codebuild:StartBuild Effect: Allow Resource: Fn::GetAtt: - CodeCommitPipelineCanaryHelloCanaryShellableC8458471 - Arn Version: "2012-10-17" PolicyName: CodeCommitPipelineCanaryHelloCanaryShellableEventsRoleDefaultPolicy6CE0D6E4 Roles: - Ref: CodeCommitPipelineCanaryHelloCanaryShellableEventsRole0F756230 Metadata: aws:cdk:path: 
delivlib-test/CodeCommitPipeline/CanaryHelloCanary/Shellable/Resource/EventsRole/DefaultPolicy/Resource CodeCommitPipelineCanaryHelloCanaryShellableAlarm049B43C4: Type: AWS::CloudWatch::Alarm Properties: ComparisonOperator: GreaterThanOrEqualToThreshold EvaluationPeriods: 1 Dimensions: - Name: ProjectName Value: Ref: CodeCommitPipelineCanaryHelloCanaryShellableC8458471 MetricName: FailedBuilds Namespace: AWS/CodeBuild Period: 300 Statistic: Sum Threshold: 1 TreatMissingData: ignore Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/CanaryHelloCanary/Shellable/Alarm/Resource CodeCommitPipelineCanaryHelloCanarySchedule6177762B: Type: AWS::Events::Rule Properties: ScheduleExpression: rate(1 minute) State: ENABLED Targets: - Arn: Fn::GetAtt: - CodeCommitPipelineCanaryHelloCanaryShellableC8458471 - Arn Id: Target0 RoleArn: Fn::GetAtt: - CodeCommitPipelineCanaryHelloCanaryShellableEventsRole0F756230 - Arn Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/CanaryHelloCanary/Schedule/Resource CodeCommitPipelineNpmRole219D5F49: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: codebuild.amazonaws.com Version: "2012-10-17" Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/Npm/Default/Resource/Role/Resource CodeCommitPipelineNpmRoleDefaultPolicy1AFB68F0: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :logs:us-east-1:712950704752:log-group:/aws/codebuild/ - Ref: CodeCommitPipelineNpm0D31AEFC - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :logs:us-east-1:712950704752:log-group:/aws/codebuild/ - Ref: CodeCommitPipelineNpm0D31AEFC - :* - Action: - codebuild:CreateReportGroup - codebuild:CreateReport - codebuild:UpdateReport - codebuild:BatchPutTestCases - codebuild:BatchPutCodeCoverages Effect: Allow Resource: 
Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :codebuild:us-east-1:712950704752:report-group/ - Ref: CodeCommitPipelineNpm0D31AEFC - -* - Action: - ssmmessages:CreateControlChannel - ssmmessages:CreateDataChannel - ssmmessages:OpenControlChannel - ssmmessages:OpenDataChannel - logs:DescribeLogGroups - logs:CreateLogStream - logs:PutLogEvents - s3:GetEncryptionConfiguration - s3:PutObject Effect: Allow Resource: "*" - Action: - s3:GetObject* - s3:GetBucket* - s3:List* Effect: Allow Resource: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1 - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/* - Action: - secretsmanager:ListSecrets - secretsmanager:DescribeSecret - secretsmanager:GetSecretValue Effect: Allow Resource: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/npm-MhaWgx - Action: - s3:GetObject* - s3:GetBucket* - s3:List* Effect: Allow Resource: - Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3 - Arn - Fn::Join: - "" - - Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3 - Arn - /* - Action: - kms:Decrypt - kms:DescribeKey Effect: Allow Resource: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn - Action: - kms:Decrypt - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Resource: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn Version: "2012-10-17" PolicyName: CodeCommitPipelineNpmRoleDefaultPolicy1AFB68F0 Roles: - Ref: CodeCommitPipelineNpmRole219D5F49 Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/Npm/Default/Resource/Role/DefaultPolicy/Resource CodeCommitPipelineNpm0D31AEFC: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: NO_ARTIFACTS Environment: ComputeType: BUILD_GENERAL1_MEDIUM EnvironmentVariables: - Name: SCRIPT_S3_BUCKET Type: PLAINTEXT Value: 
cdk-hnb659fds-assets-712950704752-us-east-1 - Name: SCRIPT_S3_KEY Type: PLAINTEXT Value: b47ae622aa5e233309182a77632e391df4af339a7313ef79b47c718d0d5e4a9d.zip - Name: FOR_REAL Type: PLAINTEXT Value: "false" - Name: NPM_TOKEN_SECRET Type: PLAINTEXT Value: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/npm-MhaWgx - Name: DISTTAG Type: PLAINTEXT Value: "" - Name: ACCESS Type: PLAINTEXT Value: restricted Image: aws/codebuild/standard:5.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: false Type: LINUX_CONTAINER ServiceRole: Fn::GetAtt: - CodeCommitPipelineNpmRole219D5F49 - Arn Source: BuildSpec: |- { "version": "0.2", "phases": { "pre_build": { "commands": [ "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"", "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp", "mkdir -p /tmp/scriptdir", "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir" ] }, "build": { "commands": [ "export SCRIPT_DIR=/tmp/scriptdir", "echo \"Running publish.sh\"", "/bin/bash /tmp/scriptdir/publish.sh" ] } } } Type: NO_SOURCE Cache: Type: NO_CACHE EncryptionKey: Fn::GetAtt: - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83 - Arn Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/Npm/Default/Resource/Resource CodeCommitPipelineNpmAlarm7A04F7A3: Type: AWS::CloudWatch::Alarm Properties: ComparisonOperator: GreaterThanOrEqualToThreshold EvaluationPeriods: 1 Dimensions: - Name: ProjectName Value: Ref: CodeCommitPipelineNpm0D31AEFC MetricName: FailedBuilds Namespace: AWS/CodeBuild Period: 300 Statistic: Sum Threshold: 1 TreatMissingData: ignore Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/Npm/Default/Alarm/Resource CodeCommitPipelineNuGetRole488DA302: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: codebuild.amazonaws.com Version: "2012-10-17" Metadata: aws:cdk:path: 
delivlib-test/CodeCommitPipeline/NuGet/Default/Resource/Role/Resource
  CodeCommitPipelineNuGetRoleDefaultPolicy9AF66D81:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineNuGet67CE1BA7
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineNuGet67CE1BA7
                    - :*
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :codebuild:us-east-1:712950704752:report-group/
                  - Ref: CodeCommitPipelineNuGet67CE1BA7
                  - -*
          - Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - logs:DescribeLogGroups
              - logs:CreateLogStream
              - logs:PutLogEvents
              - s3:GetEncryptionConfiguration
              - s3:PutObject
            Effect: Allow
            Resource: "*"
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/*
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261
                        - Arn
                    - /*
          - Action:
              - secretsmanager:ListSecrets
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/nuget-jDbgrN
          - Action:
              - secretsmanager:ListSecrets
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - X509CodeSigningKeyRSAPrivateKeyE5980A70
                - SecretArn
          - Action: ssm:GetParameter
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :ssm:us-east-1:712950704752:parameter
                  - Ref: X509CodeSigningKey8DE65BF8
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                        - Arn
                    - /*
          - Action:
              - kms:Decrypt
              - kms:DescribeKey
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineNuGetRoleDefaultPolicy9AF66D81
      Roles:
        - Ref: CodeCommitPipelineNuGetRole488DA302
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/NuGet/Default/Resource/Role/DefaultPolicy/Resource
  CodeCommitPipelineNuGet67CE1BA7:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        ComputeType: BUILD_GENERAL1_MEDIUM
        EnvironmentVariables:
          - Name: SCRIPT_S3_BUCKET
            Type: PLAINTEXT
            Value: cdk-hnb659fds-assets-712950704752-us-east-1
          - Name: SCRIPT_S3_KEY
            Type: PLAINTEXT
            Value: 66a63786c570ced320dd48c3922fc8e5fd9c9393e5959b984f3c7e1cb7ac5f14.zip
          - Name: FOR_REAL
            Type: PLAINTEXT
            Value: "false"
          - Name: NUGET_SECRET_REGION
            Type: PLAINTEXT
            Value: us-east-1
          - Name: NUGET_SECRET_ID
            Type: PLAINTEXT
            Value: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/nuget-jDbgrN
        Image: jsii/superchain:1-buster-slim
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - CodeCommitPipelineNuGetRole488DA302
          - Arn
      Source:
        BuildSpec: |-
          {
            "version": "0.2",
            "phases": {
              "pre_build": {
                "commands": [
                  "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"",
                  "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp",
                  "mkdir -p /tmp/scriptdir",
                  "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir"
                ]
              },
              "build": {
                "commands": [
                  "export SCRIPT_DIR=/tmp/scriptdir",
                  "echo \"Running publish.sh\"",
                  "/bin/bash /tmp/scriptdir/publish.sh"
                ]
              }
            }
          }
        Type: NO_SOURCE
      Cache:
        Type: NO_CACHE
      EncryptionKey:
        Fn::GetAtt:
          - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
          - Arn
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/NuGet/Default/Resource/Resource
  CodeCommitPipelineNuGetAlarm4F3CAC42:
    Type: AWS::CloudWatch::Alarm
    Properties:
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: 1
      Dimensions:
        - Name: ProjectName
          Value:
            Ref: CodeCommitPipelineNuGet67CE1BA7
      MetricName: FailedBuilds
      Namespace: AWS/CodeBuild
      Period: 300
      Statistic: Sum
      Threshold: 1
      TreatMissingData: ignore
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/NuGet/Default/Alarm/Resource
  CodeCommitPipelineMavenRoleC3A7769B:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/Maven/Default/Resource/Role/Resource
  CodeCommitPipelineMavenRoleDefaultPolicyBCD15357:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineMavenB7154296
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineMavenB7154296
                    - :*
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :codebuild:us-east-1:712950704752:report-group/
                  - Ref: CodeCommitPipelineMavenB7154296
                  - -*
          - Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - logs:DescribeLogGroups
              - logs:CreateLogStream
              - logs:PutLogEvents
              - s3:GetEncryptionConfiguration
              - s3:PutObject
            Effect: Allow
            Resource: "*"
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/*
          - Action:
              - secretsmanager:ListSecrets
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/maven-S4Q2y3
          - Action:
              - secretsmanager:ListSecrets
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeSign52FB6674
                - SecretArn
          - Action: kms:Decrypt
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeSignCMKC986BB89
                - Arn
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                        - Arn
                    - /*
          - Action:
              - kms:Decrypt
              - kms:DescribeKey
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineMavenRoleDefaultPolicyBCD15357
      Roles:
        - Ref: CodeCommitPipelineMavenRoleC3A7769B
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/Maven/Default/Resource/Role/DefaultPolicy/Resource
  CodeCommitPipelineMavenB7154296:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        ComputeType: BUILD_GENERAL1_MEDIUM
        EnvironmentVariables:
          - Name: SCRIPT_S3_BUCKET
            Type: PLAINTEXT
            Value: cdk-hnb659fds-assets-712950704752-us-east-1
          - Name: SCRIPT_S3_KEY
            Type: PLAINTEXT
            Value: 95e395880ca2de45ad4273f17cb4915be787585da0aa7b17a2cbbd860594ad9e.zip
          - Name: STAGING_PROFILE_ID
            Type: PLAINTEXT
            Value: 68a05363083174
          - Name: SIGNING_KEY_ARN
            Type: PLAINTEXT
            Value:
              Fn::GetAtt:
                - CodeSign52FB6674
                - SecretArn
          - Name: FOR_REAL
            Type: PLAINTEXT
            Value: "false"
          - Name: MAVEN_LOGIN_SECRET
            Type: PLAINTEXT
            Value: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/maven-S4Q2y3
          - Name: MAVEN_ENDPOINT
            Type: PLAINTEXT
            Value: https://aws.oss.sonatype.org:443/
        Image: jsii/superchain:1-buster-slim
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - CodeCommitPipelineMavenRoleC3A7769B
          - Arn
      Source:
        BuildSpec: |-
          {
            "version": "0.2",
            "phases": {
              "pre_build": {
                "commands": [
                  "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"",
                  "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp",
                  "mkdir -p /tmp/scriptdir",
                  "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir"
                ]
              },
              "build": {
                "commands": [
                  "export SCRIPT_DIR=/tmp/scriptdir",
                  "echo \"Running publish.sh\"",
                  "/bin/bash /tmp/scriptdir/publish.sh"
                ]
              }
            }
          }
        Type: NO_SOURCE
      Cache:
        Type: NO_CACHE
      EncryptionKey:
        Fn::GetAtt:
          - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
          - Arn
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/Maven/Default/Resource/Resource
  CodeCommitPipelineMavenAlarmC4A88DC3:
    Type: AWS::CloudWatch::Alarm
    Properties:
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: 1
      Dimensions:
        - Name: ProjectName
          Value:
            Ref: CodeCommitPipelineMavenB7154296
      MetricName: FailedBuilds
      Namespace: AWS/CodeBuild
      Period: 300
      Statistic: Sum
      Threshold: 1
      TreatMissingData: ignore
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/Maven/Default/Alarm/Resource
  CodeCommitPipelineGitHubRole77F2217D:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/GitHub/Default/Resource/Role/Resource
  CodeCommitPipelineGitHubRoleDefaultPolicy3FEA7E07:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: secretsmanager:GetSecretValue
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :secretsmanager:us-east-1:712950704752:secret:github-token-??????
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineGitHub0797840C
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineGitHub0797840C
                    - :*
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :codebuild:us-east-1:712950704752:report-group/
                  - Ref: CodeCommitPipelineGitHub0797840C
                  - -*
          - Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - logs:DescribeLogGroups
              - logs:CreateLogStream
              - logs:PutLogEvents
              - s3:GetEncryptionConfiguration
              - s3:PutObject
            Effect: Allow
            Resource: "*"
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/*
          - Action:
              - secretsmanager:GetSecretValue
              - secretsmanager:DescribeSecret
            Effect: Allow
            Resource: arn:aws:secretsmanager:us-east-1:712950704752:secret:github-token-QDP6QX
          - Action:
              - secretsmanager:ListSecrets
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeSign52FB6674
                - SecretArn
          - Action: kms:Decrypt
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeSignCMKC986BB89
                - Arn
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                        - Arn
                    - /*
          - Action:
              - kms:Decrypt
              - kms:DescribeKey
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineGitHubRoleDefaultPolicy3FEA7E07
      Roles:
        - Ref: CodeCommitPipelineGitHubRole77F2217D
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/GitHub/Default/Resource/Role/DefaultPolicy/Resource
  CodeCommitPipelineGitHub0797840C:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        ComputeType: BUILD_GENERAL1_MEDIUM
        EnvironmentVariables:
          - Name: SCRIPT_S3_BUCKET
            Type: PLAINTEXT
            Value: cdk-hnb659fds-assets-712950704752-us-east-1
          - Name: SCRIPT_S3_KEY
            Type: PLAINTEXT
            Value: e449ed654aa21e23a39b20237b24d1e7ee76956d00a908005ed695aea81397b1.zip
          - Name: BUILD_MANIFEST
            Type: PLAINTEXT
            Value: ./build.json
          - Name: CHANGELOG
            Type: PLAINTEXT
            Value: ./CHANGELOG.md
          - Name: RELEASE_NOTES
            Type: PLAINTEXT
            Value: ./RELEASE_NOTES.md
          - Name: SIGNING_KEY_ARN
            Type: PLAINTEXT
            Value:
              Fn::GetAtt:
                - CodeSign52FB6674
                - SecretArn
          - Name: GITHUB_OWNER
            Type: PLAINTEXT
            Value: awslabs
          - Name: GITHUB_REPO
            Type: PLAINTEXT
            Value: aws-delivlib-sample
          - Name: FOR_REAL
            Type: PLAINTEXT
            Value: "false"
          - Name: SECONDARY_SOURCE_NAMES
            Type: PLAINTEXT
            Value: Artifact_c8e859296b521c19119769864a1f8ff14746ebd0c1 artifact2
          - Name: SIGN_ADDITIONAL_ARTIFACTS
            Type: PLAINTEXT
            Value: "true"
          - Name: GITHUB_TOKEN
            Type: SECRETS_MANAGER
            Value: github-token
        Image: aws/codebuild/standard:5.0
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - CodeCommitPipelineGitHubRole77F2217D
          - Arn
      Source:
        BuildSpec: |-
          {
            "version": "0.2",
            "phases": {
              "pre_build": {
                "commands": [
                  "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"",
                  "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp",
                  "mkdir -p /tmp/scriptdir",
                  "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir"
                ]
              },
              "build": {
                "commands": [
                  "export SCRIPT_DIR=/tmp/scriptdir",
                  "echo \"Running publish.sh\"",
                  "/bin/bash /tmp/scriptdir/publish.sh"
                ]
              }
            }
          }
        Type: NO_SOURCE
      Cache:
        Type: NO_CACHE
      EncryptionKey:
        Fn::GetAtt:
          - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
          - Arn
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/GitHub/Default/Resource/Resource
  CodeCommitPipelineGitHubAlarmBD31FE64:
    Type: AWS::CloudWatch::Alarm
    Properties:
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: 1
      Dimensions:
        - Name: ProjectName
          Value:
            Ref: CodeCommitPipelineGitHub0797840C
      MetricName: FailedBuilds
      Namespace: AWS/CodeBuild
      Period: 300
      Statistic: Sum
      Threshold: 1
      TreatMissingData: ignore
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/GitHub/Default/Alarm/Resource
  CodeCommitPipelineGitHubPagesRole10784D1D:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/GitHubPages/Default/Resource/Role/Resource
  CodeCommitPipelineGitHubPagesRoleDefaultPolicy23292E7F:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineGitHubPages53B77CF6
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineGitHubPages53B77CF6
                    - :*
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :codebuild:us-east-1:712950704752:report-group/
                  - Ref: CodeCommitPipelineGitHubPages53B77CF6
                  - -*
          - Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - logs:DescribeLogGroups
              - logs:CreateLogStream
              - logs:PutLogEvents
              - s3:GetEncryptionConfiguration
              - s3:PutObject
            Effect: Allow
            Resource: "*"
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/*
          - Action:
              - secretsmanager:ListSecrets
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/github-ssh-okGazo
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                        - Arn
                    - /*
          - Action:
              - kms:Decrypt
              - kms:DescribeKey
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineGitHubPagesRoleDefaultPolicy23292E7F
      Roles:
        - Ref: CodeCommitPipelineGitHubPagesRole10784D1D
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/GitHubPages/Default/Resource/Role/DefaultPolicy/Resource
  CodeCommitPipelineGitHubPages53B77CF6:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        ComputeType: BUILD_GENERAL1_MEDIUM
        EnvironmentVariables:
          - Name: SCRIPT_S3_BUCKET
            Type: PLAINTEXT
            Value: cdk-hnb659fds-assets-712950704752-us-east-1
          - Name: SCRIPT_S3_KEY
            Type: PLAINTEXT
            Value: 3252e1539f1e33e68b94d8ee2a2a84ff6a7fdf4fbbdb7b77286f931145dfe3b3.zip
          - Name: GITHUB_REPO
            Type: PLAINTEXT
            Value: git@github.com:awslabs/aws-delivlib-sample.git
          - Name: GITHUB_PAGES_BRANCH
            Type: PLAINTEXT
            Value: gh-pages
          - Name: SSH_KEY_SECRET
            Type: PLAINTEXT
            Value: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/github-ssh-okGazo
          - Name: FOR_REAL
            Type: PLAINTEXT
            Value: "false"
          - Name: COMMIT_USERNAME
            Type: PLAINTEXT
            Value: foobar
          - Name: COMMIT_EMAIL
            Type: PLAINTEXT
            Value: foo@bar.com
          - Name: BUILD_MANIFEST
            Type: PLAINTEXT
            Value: ./build.json
        Image: aws/codebuild/standard:5.0
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - CodeCommitPipelineGitHubPagesRole10784D1D
          - Arn
      Source:
        BuildSpec: |-
          {
            "version": "0.2",
            "phases": {
              "pre_build": {
                "commands": [
                  "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"",
                  "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp",
                  "mkdir -p /tmp/scriptdir",
                  "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir"
                ]
              },
              "build": {
                "commands": [
                  "export SCRIPT_DIR=/tmp/scriptdir",
                  "echo \"Running publish.sh\"",
                  "/bin/bash /tmp/scriptdir/publish.sh"
                ]
              }
            }
          }
        Type: NO_SOURCE
      Cache:
        Type: NO_CACHE
      EncryptionKey:
        Fn::GetAtt:
          - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
          - Arn
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/GitHubPages/Default/Resource/Resource
  CodeCommitPipelineGitHubPagesAlarmC5B4BC57:
    Type: AWS::CloudWatch::Alarm
    Properties:
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: 1
      Dimensions:
        - Name: ProjectName
          Value:
            Ref: CodeCommitPipelineGitHubPages53B77CF6
      MetricName: FailedBuilds
      Namespace: AWS/CodeBuild
      Period: 300
      Statistic: Sum
      Threshold: 1
      TreatMissingData: ignore
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/GitHubPages/Default/Alarm/Resource
  CodeCommitPipelinePyPIRole30E20A9B:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/PyPI/Default/Resource/Role/Resource
  CodeCommitPipelinePyPIRoleDefaultPolicy5062B3BA:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelinePyPI2C59CE7B
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelinePyPI2C59CE7B
                    - :*
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :codebuild:us-east-1:712950704752:report-group/
                  - Ref: CodeCommitPipelinePyPI2C59CE7B
                  - -*
          - Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - logs:DescribeLogGroups
              - logs:CreateLogStream
              - logs:PutLogEvents
              - s3:GetEncryptionConfiguration
              - s3:PutObject
            Effect: Allow
            Resource: "*"
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/*
          - Action:
              - secretsmanager:ListSecrets
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/pypi-tp8M57
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                        - Arn
                    - /*
          - Action:
              - kms:Decrypt
              - kms:DescribeKey
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelinePyPIRoleDefaultPolicy5062B3BA
      Roles:
        - Ref: CodeCommitPipelinePyPIRole30E20A9B
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/PyPI/Default/Resource/Role/DefaultPolicy/Resource
  CodeCommitPipelinePyPI2C59CE7B:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        ComputeType: BUILD_GENERAL1_MEDIUM
        EnvironmentVariables:
          - Name: SCRIPT_S3_BUCKET
            Type: PLAINTEXT
            Value: cdk-hnb659fds-assets-712950704752-us-east-1
          - Name: SCRIPT_S3_KEY
            Type: PLAINTEXT
            Value: c17f8f9d719e9e4e72c47092e9d9a130a19c607b87d5f5a327b05f38c219c1ca.zip
          - Name: FOR_REAL
            Type: PLAINTEXT
            Value: "false"
          - Name: PYPI_CREDENTIALS_SECRET_ID
            Type: PLAINTEXT
            Value: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/pypi-tp8M57
        Image: aws/codebuild/standard:5.0
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - CodeCommitPipelinePyPIRole30E20A9B
          - Arn
      Source:
        BuildSpec: |-
          {
            "version": "0.2",
            "phases": {
              "pre_build": {
                "commands": [
                  "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"",
                  "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp",
                  "mkdir -p /tmp/scriptdir",
                  "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir"
                ]
              },
              "build": {
                "commands": [
                  "export SCRIPT_DIR=/tmp/scriptdir",
                  "echo \"Running publish.sh\"",
                  "/bin/bash /tmp/scriptdir/publish.sh"
                ]
              }
            }
          }
        Type: NO_SOURCE
      Cache:
        Type: NO_CACHE
      EncryptionKey:
        Fn::GetAtt:
          - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
          - Arn
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/PyPI/Default/Resource/Resource
  CodeCommitPipelinePyPIAlarmEA15EF14:
    Type: AWS::CloudWatch::Alarm
    Properties:
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: 1
      Dimensions:
        - Name: ProjectName
          Value:
            Ref: CodeCommitPipelinePyPI2C59CE7B
      MetricName: FailedBuilds
      Namespace: AWS/CodeBuild
      Period: 300
      Statistic: Sum
      Threshold: 1
      TreatMissingData: ignore
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/PyPI/Default/Alarm/Resource
  CodeCommitPipelineGolangRole46DA8D4C:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/Golang/Default/Resource/Role/Resource
  CodeCommitPipelineGolangRoleDefaultPolicy189AF9A0:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineGolangBDFA17A1
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineGolangBDFA17A1
                    - :*
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :codebuild:us-east-1:712950704752:report-group/
                  - Ref: CodeCommitPipelineGolangBDFA17A1
                  - -*
          - Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - logs:DescribeLogGroups
              - logs:CreateLogStream
              - logs:PutLogEvents
              - s3:GetEncryptionConfiguration
              - s3:PutObject
            Effect: Allow
            Resource: "*"
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::cdk-hnb659fds-assets-712950704752-us-east-1/*
          - Action:
              - secretsmanager:ListSecrets
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource: arn:aws:secretsmanager:us-east-1:712950704752:secret:github-token-QDP6QX
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - CodeCommitPipelineBuildPipelineArtifactsBucketED2813B3
                        - Arn
                    - /*
          - Action:
              - kms:Decrypt
              - kms:DescribeKey
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
                - Arn
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineGolangRoleDefaultPolicy189AF9A0
      Roles:
        - Ref: CodeCommitPipelineGolangRole46DA8D4C
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/Golang/Default/Resource/Role/DefaultPolicy/Resource
  CodeCommitPipelineGolangBDFA17A1:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        ComputeType: BUILD_GENERAL1_MEDIUM
        EnvironmentVariables:
          - Name: SCRIPT_S3_BUCKET
            Type: PLAINTEXT
            Value: cdk-hnb659fds-assets-712950704752-us-east-1
          - Name: SCRIPT_S3_KEY
            Type: PLAINTEXT
            Value: d51656c063a0eef8e6e43eebc868209915793a138eb4a16217cb8d51583f6424.zip
          - Name: DRYRUN
            Type: PLAINTEXT
            Value: "true"
          - Name: GITHUB_TOKEN_SECRET
            Type: PLAINTEXT
            Value: arn:aws:secretsmanager:us-east-1:712950704752:secret:github-token-QDP6QX
          - Name: GIT_BRANCH
            Type: PLAINTEXT
            Value: golang
          - Name: GIT_USER_NAME
            Type: PLAINTEXT
            Value: Delivlib Tests
          - Name: GIT_USER_EMAIL
            Type: PLAINTEXT
            Value: aws-cdk-dev+delivlib@amazon.com
        Image: aws/codebuild/standard:5.0
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - CodeCommitPipelineGolangRole46DA8D4C
          - Arn
      Source:
        BuildSpec: |-
          {
            "version": "0.2",
            "phases": {
              "pre_build": {
                "commands": [
                  "echo \"Downloading scripts from s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY}\"",
                  "aws s3 cp s3://${SCRIPT_S3_BUCKET}/${SCRIPT_S3_KEY} /tmp",
                  "mkdir -p /tmp/scriptdir",
                  "unzip /tmp/$(basename $SCRIPT_S3_KEY) -d /tmp/scriptdir"
                ]
              },
              "build": {
                "commands": [
                  "export SCRIPT_DIR=/tmp/scriptdir",
                  "echo \"Running publish.sh\"",
                  "/bin/bash /tmp/scriptdir/publish.sh"
                ]
              }
            }
          }
        Type: NO_SOURCE
      Cache:
        Type: NO_CACHE
      EncryptionKey:
        Fn::GetAtt:
          - CodeCommitPipelineBuildPipelineArtifactsBucketEncryptionKey05A62A83
          - Arn
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/Golang/Default/Resource/Resource
  CodeCommitPipelineGolangAlarmF9F61D0D:
    Type: AWS::CloudWatch::Alarm
    Properties:
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: 1
      Dimensions:
        - Name: ProjectName
          Value:
            Ref: CodeCommitPipelineGolangBDFA17A1
      MetricName: FailedBuilds
      Namespace: AWS/CodeBuild
      Period: 300
      Statistic: Sum
      Threshold: 1
      TreatMissingData: ignore
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/Golang/Default/Alarm/Resource
  CodeCommitPipelineAutoBumpAutoPullRequestRoleE7E0E388:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/AutoBump/AutoPullRequest/PullRequest/Role/Resource
  CodeCommitPipelineAutoBumpAutoPullRequestRoleDefaultPolicy3BB1CD6F:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineAutoBumpAutoPullRequest033F6993
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineAutoBumpAutoPullRequest033F6993
                    - :*
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :codebuild:us-east-1:712950704752:report-group/
                  - Ref: CodeCommitPipelineAutoBumpAutoPullRequest033F6993
                  - -*
          - Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - logs:DescribeLogGroups
              - logs:CreateLogStream
              - logs:PutLogEvents
              - s3:GetEncryptionConfiguration
              - s3:PutObject
            Effect: Allow
            Resource: "*"
          - Action:
              - secretsmanager:ListSecrets
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource: arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/github-ssh-okGazo
          - Action:
              - secretsmanager:ListSecrets
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource: arn:aws:secretsmanager:us-east-1:712950704752:secret:github-token-QDP6QX
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineAutoBumpAutoPullRequestRoleDefaultPolicy3BB1CD6F
      Roles:
        - Ref: CodeCommitPipelineAutoBumpAutoPullRequestRoleE7E0E388
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/AutoBump/AutoPullRequest/PullRequest/Role/DefaultPolicy/Resource
  CodeCommitPipelineAutoBumpAutoPullRequest033F6993:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: jsii/superchain:1-buster-slim
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - CodeCommitPipelineAutoBumpAutoPullRequestRoleE7E0E388
          - Arn
      Source:
        BuildSpec: |-
          {
            "version": "0.2",
            "phases": {
              "pre_build": {
                "commands": [
                  "git config --global user.email \"foo@bar.com\"",
                  "git config --global user.name \"foobar\""
                ]
              },
              "build": {
                "commands": [
                  "export SKIP=false",
                  "$SKIP || { aws secretsmanager get-secret-value --secret-id \"arn:aws:secretsmanager:us-east-1:712950704752:secret:delivlib/github-ssh-okGazo\" --output=text --query=SecretString > ~/.ssh/id_rsa ; }",
                  "$SKIP || { mkdir -p ~/.ssh ; }",
                  "$SKIP || { chmod 0600 ~/.ssh/id_rsa ~/.ssh/config ; }",
                  "$SKIP || { ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts ; }",
                  "$SKIP || { ls .git && { echo \".git directory exists\"; } || { echo \".git directory doesnot exist - cloning...\" && git init . && git remote add origin git@github.com:awslabs/aws-delivlib-sample.git && git fetch && git reset --hard origin/master && git branch -M master && git clean -fqdx; } ; }",
                  "$SKIP || { git describe --exact-match master && { echo 'Skip condition is met, skipping...' && export SKIP=true; } || { echo 'Skip condition is not met, continuing...' && export SKIP=false; } ; }",
                  "$SKIP || { export GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id \"arn:aws:secretsmanager:us-east-1:712950704752:secret:github-token-QDP6QX\" --output=text --query=SecretString) ; }",
                  "$SKIP || { git rev-parse --verify origin/bump/$VERSION && { git checkout bump/$VERSION && git merge master && npm i && npm run bump && export VERSION=$(git describe) && echo Finished running user commands; } || { git checkout master && git checkout -b temp && npm i && npm run bump && export VERSION=$(git describe) && echo Finished running user commands && git branch -M bump/$VERSION; } ; }",
                  "$SKIP || { git merge-base --is-ancestor bump/$VERSION origin/master && { echo \"Skipping: bump/$VERSION is an ancestor of origin/master\"; export SKIP=true; } || { echo \"Pushing: bump/$VERSION is ahead of origin/master\"; export SKIP=false; } ; }",
                  "$SKIP || { git remote add origin_ssh git@github.com:awslabs/aws-delivlib-sample.git ; }",
                  "$SKIP || { git push --atomic --follow-tags origin_ssh bump/$VERSION:bump/$VERSION ; }",
                  "$SKIP || { curl --fail -X POST -o pr.json --header \"Authorization: token $GITHUB_TOKEN\" --header \"Content-Type: application/json\" -d \"{\\\"title\\\":\\\"chore(release): $VERSION\\\",\\\"base\\\":\\\"master\\\",\\\"head\\\":\\\"bump/$VERSION\\\"}\" https://api.github.com/repos/awslabs/aws-delivlib-sample/pulls && export PR_NUMBER=$(node -p 'require(\"./pr.json\").number') ; }",
                  "$SKIP || { curl --fail -X PATCH --header \"Authorization: token $GITHUB_TOKEN\" --header \"Content-Type: application/json\" -d \"{\\\"body\\\":\\\"See [CHANGELOG](https://github.com/awslabs/aws-delivlib-sample/blob/bump/$VERSION/CHANGELOG.md)\\\"}\" https://api.github.com/repos/awslabs/aws-delivlib-sample/pulls/$PR_NUMBER ; }"
                ]
              }
            }
          }
        GitCloneDepth: 0
        Location: https://github.com/awslabs/aws-delivlib-sample.git
        ReportBuildStatus: false
        Type: GITHUB
      Cache:
        Type: NO_CACHE
      Description: Release awslabs/aws-delivlib-sample, branch master
      EncryptionKey: alias/aws/s3
      Triggers:
        Webhook: false
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/AutoBump/AutoPullRequest/PullRequest/Resource
  CodeCommitPipelineAutoBumpAutoPullRequestAutoPullRequestFailedAlarmEFC2345F:
    Type: AWS::CloudWatch::Alarm
    Properties:
      ComparisonOperator: GreaterThanOrEqualToThreshold
      EvaluationPeriods: 1
      Dimensions:
        - Name: ProjectName
          Value:
            Ref: CodeCommitPipelineAutoBumpAutoPullRequest033F6993
      MetricName: FailedBuilds
      Namespace: AWS/CodeBuild
      Period: 300
      Statistic: Sum
      Threshold: 1
      TreatMissingData: ignore
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/AutoBump/AutoPullRequest/AutoPullRequestFailedAlarm/Resource
  CodeCommitPipelineAutoBuildProjectRole733AD222:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/AutoBuild/Project/Role/Resource
  CodeCommitPipelineAutoBuildProjectRoleDefaultPolicyFF5563AC:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineAutoBuildProject5D212EE9
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :logs:us-east-1:712950704752:log-group:/aws/codebuild/
                    - Ref: CodeCommitPipelineAutoBuildProject5D212EE9
                    - :*
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :codebuild:us-east-1:712950704752:report-group/
                  - Ref: CodeCommitPipelineAutoBuildProject5D212EE9
                  - -*
          - Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - logs:DescribeLogGroups
              - logs:CreateLogStream
              - logs:PutLogEvents
              - s3:GetEncryptionConfiguration
              - s3:PutObject
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: CodeCommitPipelineAutoBuildProjectRoleDefaultPolicyFF5563AC
      Roles:
        - Ref: CodeCommitPipelineAutoBuildProjectRole733AD222
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/AutoBuild/Project/Role/DefaultPolicy/Resource
  CodeCommitPipelineAutoBuildProject5D212EE9:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: public.ecr.aws/jsii/superchain:1-buster-slim-node18
        ImagePullCredentialsType: SERVICE_ROLE
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - CodeCommitPipelineAutoBuildProjectRole733AD222
          - Arn
      Source:
        Location: https://github.com/awslabs/aws-delivlib-sample.git
        ReportBuildStatus: true
        Type: GITHUB
      BadgeEnabled: true
      Cache:
        Type: NO_CACHE
      Description: Automatic PR build for awslabs/aws-delivlib-sample
      EncryptionKey: alias/aws/s3
      Triggers:
        FilterGroups:
          - - Pattern: PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED
              Type: EVENT
        Webhook: true
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/AutoBuild/Project/Resource
  CodeCommitPipelineAutoBuildGitHubCodeBuildLogsSAR75EABC5D:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:us-east-1:277187709615:applications/github-codebuild-logs
        SemanticVersion: 1.4.0
      Parameters:
        CodeBuildProjectName:
          Ref: CodeCommitPipelineAutoBuildProject5D212EE9
        DeletePreviousComments: "true"
        CommentOnSuccess: "true"
        GitHubOAuthToken: "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:712950704752:secret:github-token-QDP6QX:SecretString:::}}"
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/AutoBuild/GitHubCodeBuildLogsSAR
  CodeCommitPipelineChangeControllerCalendar94B1DEA8:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/ChangeController/Calendar/Resource
  CodeCommitPipelineChangeControllerCalendarNotifications1AFBE6E9:
    Type: Custom::S3BucketNotifications
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691
          - Arn
      BucketName:
        Ref: CodeCommitPipelineChangeControllerCalendar94B1DEA8
      NotificationConfiguration:
        LambdaFunctionConfigurations:
          - Events:
              - s3:ObjectCreated:*
            Filter:
              Key:
                FilterRules:
                  - Name: prefix
                    Value: change-control.ics
            LambdaFunctionArn:
              Fn::GetAtt:
                - CodeCommitPipelineChangeControllerFunction776EAE6A
                - Arn
      Managed: true
    DependsOn:
      - CodeCommitPipelineChangeControllerCalendarAllowBucketNotificationsTodelivlibtestCodeCommitPipelineChangeControllerFunction83CC56EB3330DA3F
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/ChangeController/Calendar/Notifications/Resource
  CodeCommitPipelineChangeControllerCalendarAllowBucketNotificationsTodelivlibtestCodeCommitPipelineChangeControllerFunction83CC56EB3330DA3F:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
          - CodeCommitPipelineChangeControllerFunction776EAE6A
          - Arn
      Principal: s3.amazonaws.com
      SourceAccount: "712950704752"
      SourceArn:
        Fn::GetAtt:
          - CodeCommitPipelineChangeControllerCalendar94B1DEA8
          - Arn
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/ChangeController/Calendar/AllowBucketNotificationsTodelivlibtestCodeCommitPipelineChangeControllerFunction83CC56EB
  CodeCommitPipelineChangeControllerFunctionServiceRoleF02841DB:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: delivlib-test/CodeCommitPipeline/ChangeController/Function/ServiceRole/Resource
CodeCommitPipelineChangeControllerFunctionServiceRoleDefaultPolicy315F7AF5: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - codepipeline:EnableStageTransition - codepipeline:DisableStageTransition Effect: Allow Resource: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":codepipeline:us-east-1:712950704752:" - Ref: CodeCommitPipelineBuildPipeline656B8CCB - /Publish - Action: - s3:GetObject* - s3:GetBucket* - s3:List* Effect: Allow Resource: - Fn::GetAtt: - CodeCommitPipelineChangeControllerCalendar94B1DEA8 - Arn - Fn::Join: - "" - - Fn::GetAtt: - CodeCommitPipelineChangeControllerCalendar94B1DEA8 - Arn - /* Version: "2012-10-17" PolicyName: CodeCommitPipelineChangeControllerFunctionServiceRoleDefaultPolicy315F7AF5 Roles: - Ref: CodeCommitPipelineChangeControllerFunctionServiceRoleF02841DB Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/ChangeController/Function/ServiceRole/DefaultPolicy/Resource CodeCommitPipelineChangeControllerFunction776EAE6A: Type: AWS::Lambda::Function Properties: Code: S3Bucket: cdk-hnb659fds-assets-712950704752-us-east-1 S3Key: 96398aae0b5918cde6e86a7c00ecfb4e4ac990db8d0fc8112703a48e9565bd1d.zip Role: Fn::GetAtt: - CodeCommitPipelineChangeControllerFunctionServiceRoleF02841DB - Arn Description: Enforces a Change Control Policy into CodePipeline's Publish stage Environment: Variables: CHANGE_CONTROL_BUCKET_NAME: Ref: CodeCommitPipelineChangeControllerCalendar94B1DEA8 CHANGE_CONTROL_OBJECT_KEY: change-control.ics PIPELINE_NAME: Ref: CodeCommitPipelineBuildPipeline656B8CCB STAGE_NAME: Publish AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1" Handler: index.handler Runtime: nodejs14.x Timeout: 300 DependsOn: - CodeCommitPipelineChangeControllerFunctionServiceRoleDefaultPolicy315F7AF5 - CodeCommitPipelineChangeControllerFunctionServiceRoleF02841DB Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/ChangeController/Function/Resource CodeCommitPipelineChangeControllerFailed03331BFB: Type: AWS::CloudWatch::Alarm 
Properties: ComparisonOperator: GreaterThanOrEqualToThreshold EvaluationPeriods: 1 DatapointsToAlarm: 1 Dimensions: - Name: FunctionName Value: Ref: CodeCommitPipelineChangeControllerFunction776EAE6A MetricName: Errors Namespace: AWS/Lambda Period: 300 Statistic: Sum Threshold: 1 Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/ChangeController/Failed/Resource CodeCommitPipelineChangeControllerRuleAEEA7A52: Type: AWS::Events::Rule Properties: Description: Fn::Join: - "" - - "Run the change controller for promotions into " - Ref: CodeCommitPipelineBuildPipeline656B8CCB - "'s Publish on a [object Object] schedule" ScheduleExpression: rate(15 minutes) State: ENABLED Targets: - Arn: Fn::GetAtt: - CodeCommitPipelineChangeControllerFunction776EAE6A - Arn Id: Target0 Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/ChangeController/Rule/Resource CodeCommitPipelineChangeControllerRuleAllowEventRuledelivlibtestCodeCommitPipelineChangeControllerFunction83CC56EB9365DB12: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: Fn::GetAtt: - CodeCommitPipelineChangeControllerFunction776EAE6A - Arn Principal: events.amazonaws.com SourceArn: Fn::GetAtt: - CodeCommitPipelineChangeControllerRuleAEEA7A52 - Arn Metadata: aws:cdk:path: delivlib-test/CodeCommitPipeline/ChangeController/Rule/AllowEventRuledelivlibtestCodeCommitPipelineChangeControllerFunction83CC56EB AssumeMe924099BB: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Condition: StringEquals: sts:ExternalId: require-me-please Effect: Allow Principal: AWS: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::712950704752:root Version: "2012-10-17" Metadata: aws:cdk:path: delivlib-test/AssumeMe/Resource X509CodeSigningKeyRSAPrivateKeyOpenSslCliLayer3F0C7B04: Type: AWS::Lambda::LayerVersion Properties: Content: S3Bucket: cdk-hnb659fds-assets-712950704752-us-east-1 S3Key: 
3484e3af42fdf9fe20bc76b3aa0b74c59f8ffe2e6aa726d82b5fb8fed9b91889.zip Metadata: aws:cdk:path: delivlib-test/X509CodeSigningKey/RSAPrivateKey/OpenSslCliLayer/Resource X509CodeSigningKeyRSAPrivateKeyE5980A70: Type: Custom::RsaPrivateKeySecret Properties: ServiceToken: Fn::GetAtt: - RSAPrivateKey72FD327D38134632934028EC437AA486D8EE708F - Arn ResourceVersion: 9SSpvWpv9ZgC52WHzM5Je6Ju9ZoJHVALR5VlJhROwgs= Description: The PEM-encoded private key of the x509 Code-Signing Certificate KeySize: 2048 SecretName: delivlib-test/X509CodeSigningKey/RSAPrivateKey DependsOn: - RSAPrivateKey72FD327D38134632934028EC437AA486ServiceRoleDefaultPolicy487DB1EA - RSAPrivateKey72FD327D38134632934028EC437AA486ServiceRole76094455 UpdateReplacePolicy: Delete DeletionPolicy: Delete Metadata: aws:cdk:path: delivlib-test/X509CodeSigningKey/RSAPrivateKey/Resource/Default X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestOpenSslCliLayer61AF8E77: Type: AWS::Lambda::LayerVersion Properties: Content: S3Bucket: cdk-hnb659fds-assets-712950704752-us-east-1 S3Key: 3484e3af42fdf9fe20bc76b3aa0b74c59f8ffe2e6aa726d82b5fb8fed9b91889.zip Metadata: aws:cdk:path: delivlib-test/X509CodeSigningKey/RSAPrivateKey/CertificateSigningRequest/OpenSslCliLayer/Resource X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261: Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 Tags: - Key: aws-cdk:auto-delete-objects Value: "true" UpdateReplacePolicy: Delete DeletionPolicy: Delete Metadata: aws:cdk:path: delivlib-test/X509CodeSigningKey/RSAPrivateKey/CertificateSigningRequest/Bucket/Resource X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketPolicy8E2DB075: Type: AWS::S3::BucketPolicy Properties: Bucket: Ref: X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261 PolicyDocument: Statement: - Action: s3:* Condition: Bool: aws:SecureTransport: "false" Effect: Deny Principal: AWS: "*" 
Resource: - Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261 - Arn - Fn::Join: - "" - - Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261 - Arn - /* - Action: - s3:GetBucket* - s3:List* - s3:DeleteObject* Effect: Allow Principal: AWS: Fn::GetAtt: - CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092 - Arn Resource: - Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261 - Arn - Fn::Join: - "" - - Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261 - Arn - /* Version: "2012-10-17" Metadata: aws:cdk:path: delivlib-test/X509CodeSigningKey/RSAPrivateKey/CertificateSigningRequest/Bucket/Policy/Resource X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketAutoDeleteObjectsCustomResource8471F189: Type: Custom::S3AutoDeleteObjects Properties: ServiceToken: Fn::GetAtt: - CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F - Arn BucketName: Ref: X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261 DependsOn: - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketPolicy8E2DB075 UpdateReplacePolicy: Delete DeletionPolicy: Delete Metadata: aws:cdk:path: delivlib-test/X509CodeSigningKey/RSAPrivateKey/CertificateSigningRequest/Bucket/AutoDeleteObjectsCustomResource/Default X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequest7F706C9D: Type: Custom::CertificateSigningRequest Properties: ServiceToken: Fn::GetAtt: - CreateCSR541F67826DCF49A78C5A67715ADD9E4C8F4169F6 - Arn ResourceVersion: iya3EURiIdG1hRWpTxUXI9stXq1asjZOpJDjraiV9dM= PrivateKeySecretId: Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyE5980A70 - SecretArn DnCommonName: delivlib-test DnCountry: IL DnStateOrProvince: Ztate DnLocality: Zity DnOrganizationName: Amazon Test DnOrganizationalUnitName: AWS DnEmailAddress: aws-cdk-dev+delivlib-test@amazon.com ExtendedKeyUsage: critical,codeSigning KeyUsage: critical,digitalSignature 
OutputBucket: Ref: X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261 DependsOn: - CreateCSR541F67826DCF49A78C5A67715ADD9E4CServiceRoleDefaultPolicyC0800208 - CreateCSR541F67826DCF49A78C5A67715ADD9E4CServiceRoleD2990C92 UpdateReplacePolicy: Delete DeletionPolicy: Delete Metadata: aws:cdk:path: delivlib-test/X509CodeSigningKey/RSAPrivateKey/CertificateSigningRequest/Resource/Default X509CodeSigningKey8DE65BF8: Type: AWS::SSM::Parameter Properties: Type: String Value: Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequest7F706C9D - SelfSignedCertificate Description: Fn::Join: - "" - - "A PEM-encoded Code-Signing Certificate (private key in " - Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyE5980A70 - SecretArn - ) Name: /delivlib-test/X509CodeSigningKey/Certificate Metadata: aws:cdk:path: delivlib-test/X509CodeSigningKey/Resource/Resource RSAPrivateKey72FD327D38134632934028EC437AA486ServiceRole76094455: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Metadata: aws:cdk:path: delivlib-test/RSAPrivate-Key72FD327D38134632934028EC437AA486/ServiceRole/Resource RSAPrivateKey72FD327D38134632934028EC437AA486ServiceRoleDefaultPolicy487DB1EA: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - secretsmanager:CreateSecret - secretsmanager:DeleteSecret - secretsmanager:UpdateSecret Effect: Allow Resource: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :secretsmanager:us-east-1:712950704752:secret:delivlib-test/X509CodeSigningKey/RSAPrivateKey-?????? 
Version: "2012-10-17" PolicyName: RSAPrivateKey72FD327D38134632934028EC437AA486ServiceRoleDefaultPolicy487DB1EA Roles: - Ref: RSAPrivateKey72FD327D38134632934028EC437AA486ServiceRole76094455 Metadata: aws:cdk:path: delivlib-test/RSAPrivate-Key72FD327D38134632934028EC437AA486/ServiceRole/DefaultPolicy/Resource RSAPrivateKey72FD327D38134632934028EC437AA486D8EE708F: Type: AWS::Lambda::Function Properties: Code: S3Bucket: cdk-hnb659fds-assets-712950704752-us-east-1 S3Key: 49ad3cae9aedaa06b54a5997b18d3545de801b45c7dfb05a5354a03aec399460.zip Role: Fn::GetAtt: - RSAPrivateKey72FD327D38134632934028EC437AA486ServiceRole76094455 - Arn Description: Generates an RSA Private Key and stores it in AWS Secrets Manager Handler: index.handler Layers: - Ref: X509CodeSigningKeyRSAPrivateKeyOpenSslCliLayer3F0C7B04 Runtime: nodejs14.x Timeout: 300 DependsOn: - RSAPrivateKey72FD327D38134632934028EC437AA486ServiceRoleDefaultPolicy487DB1EA - RSAPrivateKey72FD327D38134632934028EC437AA486ServiceRole76094455 Metadata: aws:cdk:path: delivlib-test/RSAPrivate-Key72FD327D38134632934028EC437AA486/Resource CreateCSR541F67826DCF49A78C5A67715ADD9E4CServiceRoleD2990C92: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Metadata: aws:cdk:path: delivlib-test/CreateCSR541F67826DCF49A78C5A67715ADD9E4C/ServiceRole/Resource CreateCSR541F67826DCF49A78C5A67715ADD9E4CServiceRoleDefaultPolicyC0800208: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:DeleteObject* - s3:PutObject - s3:PutObjectLegalHold - s3:PutObjectRetention - s3:PutObjectTagging - s3:PutObjectVersionTagging - s3:Abort* Effect: Allow Resource: - Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261 
- Arn - Fn::Join: - "" - - Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261 - Arn - /* - Action: secretsmanager:GetSecretValue Effect: Allow Resource: Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyE5980A70 - SecretArn Version: "2012-10-17" PolicyName: CreateCSR541F67826DCF49A78C5A67715ADD9E4CServiceRoleDefaultPolicyC0800208 Roles: - Ref: CreateCSR541F67826DCF49A78C5A67715ADD9E4CServiceRoleD2990C92 Metadata: aws:cdk:path: delivlib-test/CreateCSR541F67826DCF49A78C5A67715ADD9E4C/ServiceRole/DefaultPolicy/Resource CreateCSR541F67826DCF49A78C5A67715ADD9E4C8F4169F6: Type: AWS::Lambda::Function Properties: Code: S3Bucket: cdk-hnb659fds-assets-712950704752-us-east-1 S3Key: 9012a4bd6eb36f7ec4fec65ce817435d9b8dda297c62e87163a773c7d25c60a9.zip Role: Fn::GetAtt: - CreateCSR541F67826DCF49A78C5A67715ADD9E4CServiceRoleD2990C92 - Arn Description: Creates a Certificate Signing Request document for an x509 certificate Handler: index.handler Layers: - Ref: X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestOpenSslCliLayer61AF8E77 Runtime: nodejs14.x Timeout: 300 DependsOn: - CreateCSR541F67826DCF49A78C5A67715ADD9E4CServiceRoleDefaultPolicyC0800208 - CreateCSR541F67826DCF49A78C5A67715ADD9E4CServiceRoleD2990C92 Metadata: aws:cdk:path: delivlib-test/CreateCSR541F67826DCF49A78C5A67715ADD9E4C/Resource CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com ManagedPolicyArns: - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Metadata: aws:cdk:path: delivlib-test/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F: Type: AWS::Lambda::Function Properties: Code: S3Bucket: cdk-hnb659fds-assets-712950704752-us-east-1 S3Key: 
3f51abb709b8e65167a45aeed02bab11540603d909005d7148230ba5ce6c74d7.zip Timeout: 900 MemorySize: 128 Handler: __entrypoint__.handler Role: Fn::GetAtt: - CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092 - Arn Runtime: nodejs14.x Description: Fn::Join: - "" - - "Lambda function for auto-deleting objects in " - Ref: X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequestBucketD81FB261 - " S3 bucket." DependsOn: - CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092 Metadata: aws:cdk:path: delivlib-test/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler CodeSignCMKC986BB89: Type: AWS::KMS::Key Properties: KeyPolicy: Statement: - Action: kms:* Effect: Allow Principal: AWS: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::712950704752:root Resource: "*" - Action: - kms:Decrypt - kms:GenerateDataKey Condition: StringEquals: kms:ViaService: secretsmanager.us-east-1.amazonaws.com Effect: Allow Principal: AWS: Fn::GetAtt: - SingletonLambdaf25803d3054b44fc985f4860d7d6ee74ServiceRole410148CF - Arn Resource: "*" - Action: kms:Decrypt Effect: Allow Principal: AWS: Fn::GetAtt: - CodeCommitPipelineMavenRoleC3A7769B - Arn Resource: "*" - Action: kms:Decrypt Effect: Allow Principal: AWS: Fn::GetAtt: - CodeCommitPipelineGitHubRole77F2217D - Arn Resource: "*" Version: "2012-10-17" UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: delivlib-test/CodeSign-CMK/Resource CodeSignGpgLayer4D38F47B: Type: AWS::Lambda::LayerVersion Properties: Content: S3Bucket: cdk-hnb659fds-assets-712950704752-us-east-1 S3Key: 69a776bec2bf25cc316055ac300a38998a429f41c98f76ef762e1aacb23488fe.zip Metadata: aws:cdk:path: delivlib-test/CodeSign/GpgLayer/Resource CodeSign52FB6674: Type: AWS::CloudFormation::CustomResource Properties: ServiceToken: Fn::GetAtt: - SingletonLambdaf25803d3054b44fc985f4860d7d6ee746203BDE6 - Arn ResourceVersion: x9okTy8d1Bkcfmthe30NhD2o1N8snoz7uTlyrP9I6eA= Identity: aws-cdk-dev Email: aws-cdk-dev+delivlib@amazon.com Expiry: 4y 
KeySizeBits: 4096 SecretName: delivlib-test/CodeSign KeyArn: Fn::GetAtt: - CodeSignCMKC986BB89 - Arn Version: 0 DeleteImmediately: true UpdateReplacePolicy: Delete DeletionPolicy: Delete Metadata: aws:cdk:path: delivlib-test/CodeSign/Resource/Default CodeSignPrincipal30E4C212: Type: AWS::SSM::Parameter Properties: Type: String Value: Fn::GetAtt: - CodeSign52FB6674 - PublicKey Description: Fn::Join: - "" - - "The public part of the OpenPGP key in " - Fn::GetAtt: - CodeSign52FB6674 - SecretArn Name: /delivlib-test/CodeSign.pub Metadata: aws:cdk:path: delivlib-test/CodeSign/Principal/Resource SingletonLambdaf25803d3054b44fc985f4860d7d6ee74ServiceRole410148CF: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Metadata: aws:cdk:path: delivlib-test/SingletonLambdaf25803d3054b44fc985f4860d7d6ee74/ServiceRole/Resource SingletonLambdaf25803d3054b44fc985f4860d7d6ee74ServiceRoleDefaultPolicyA8FDF5BD: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - secretsmanager:CreateSecret - secretsmanager:GetSecretValue - secretsmanager:UpdateSecret - secretsmanager:DeleteSecret Effect: Allow Resource: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :secretsmanager:us-east-1:712950704752:secret:delivlib-test/CodeSign-?????? 
- Action: ssm:DeleteParameter Effect: Allow Resource: "*" Version: "2012-10-17" PolicyName: SingletonLambdaf25803d3054b44fc985f4860d7d6ee74ServiceRoleDefaultPolicyA8FDF5BD Roles: - Ref: SingletonLambdaf25803d3054b44fc985f4860d7d6ee74ServiceRole410148CF Metadata: aws:cdk:path: delivlib-test/SingletonLambdaf25803d3054b44fc985f4860d7d6ee74/ServiceRole/DefaultPolicy/Resource SingletonLambdaf25803d3054b44fc985f4860d7d6ee746203BDE6: Type: AWS::Lambda::Function Properties: Code: S3Bucket: cdk-hnb659fds-assets-712950704752-us-east-1 S3Key: 82a7500f96ba72e7bb0d262fe02e5a925b0801f0a77474de466ad2818fdbeea4.zip Role: Fn::GetAtt: - SingletonLambdaf25803d3054b44fc985f4860d7d6ee74ServiceRole410148CF - Arn Description: Generates an OpenPGP Key and stores the private key in Secrets Manager and the public key in an SSM Parameter Handler: index.handler Layers: - Ref: CodeSignGpgLayer4D38F47B Runtime: nodejs14.x Timeout: 300 DependsOn: - SingletonLambdaf25803d3054b44fc985f4860d7d6ee74ServiceRoleDefaultPolicyA8FDF5BD - SingletonLambdaf25803d3054b44fc985f4860d7d6ee74ServiceRole410148CF Metadata: aws:cdk:path: delivlib-test/SingletonLambdaf25803d3054b44fc985f4860d7d6ee74/Resource BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Metadata: aws:cdk:path: delivlib-test/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/Resource BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: s3:PutBucketNotification Effect: Allow Resource: "*" Version: "2012-10-17" PolicyName: BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36 Roles: - 
Ref: BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC Metadata: aws:cdk:path: delivlib-test/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/DefaultPolicy/Resource BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691: Type: AWS::Lambda::Function Properties: Description: AWS CloudFormation handler for "Custom::S3BucketNotifications" resources (@aws-cdk/aws-s3) Code: ZipFile: | import boto3 # type: ignore import json import logging import urllib.request s3 = boto3.client("s3") EVENTBRIDGE_CONFIGURATION = 'EventBridgeConfiguration' CONFIGURATION_TYPES = ["TopicConfigurations", "QueueConfigurations", "LambdaFunctionConfigurations"] def handler(event: dict, context): response_status = "SUCCESS" error_message = "" try: props = event["ResourceProperties"] bucket = props["BucketName"] notification_configuration = props["NotificationConfiguration"] request_type = event["RequestType"] managed = props.get('Managed', 'true').lower() == 'true' stack_id = event['StackId'] if managed: config = handle_managed(request_type, notification_configuration) else: config = handle_unmanaged(bucket, stack_id, request_type, notification_configuration) put_bucket_notification_configuration(bucket, config) except Exception as e: logging.exception("Failed to put bucket notification configuration") response_status = "FAILED" error_message = f"Error: {str(e)}. 
" finally: submit_response(event, context, response_status, error_message) def handle_managed(request_type, notification_configuration): if request_type == 'Delete': return {} return notification_configuration def handle_unmanaged(bucket, stack_id, request_type, notification_configuration): external_notifications = find_external_notifications(bucket, stack_id) if request_type == 'Delete': return external_notifications def with_id(notification): notification['Id'] = f"{stack_id}-{hash(json.dumps(notification, sort_keys=True))}" return notification notifications = {} for t in CONFIGURATION_TYPES: external = external_notifications.get(t, []) incoming = [with_id(n) for n in notification_configuration.get(t, [])] notifications[t] = external + incoming if EVENTBRIDGE_CONFIGURATION in notification_configuration: notifications[EVENTBRIDGE_CONFIGURATION] = notification_configuration[EVENTBRIDGE_CONFIGURATION] elif EVENTBRIDGE_CONFIGURATION in external_notifications: notifications[EVENTBRIDGE_CONFIGURATION] = external_notifications[EVENTBRIDGE_CONFIGURATION] return notifications def find_external_notifications(bucket, stack_id): existing_notifications = get_bucket_notification_configuration(bucket) external_notifications = {} for t in CONFIGURATION_TYPES: external_notifications[t] = [n for n in existing_notifications.get(t, []) if not n['Id'].startswith(f"{stack_id}-")] if EVENTBRIDGE_CONFIGURATION in existing_notifications: external_notifications[EVENTBRIDGE_CONFIGURATION] = existing_notifications[EVENTBRIDGE_CONFIGURATION] return external_notifications def get_bucket_notification_configuration(bucket): return s3.get_bucket_notification_configuration(Bucket=bucket) def put_bucket_notification_configuration(bucket, notification_configuration): s3.put_bucket_notification_configuration(Bucket=bucket, NotificationConfiguration=notification_configuration) def submit_response(event: dict, context, response_status: str, error_message: str): response_body = json.dumps( { "Status": 
response_status, "Reason": f"{error_message}See the details in CloudWatch Log Stream: {context.log_stream_name}", "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"], "StackId": event["StackId"], "RequestId": event["RequestId"], "LogicalResourceId": event["LogicalResourceId"], "NoEcho": False, } ).encode("utf-8") headers = {"content-type": "", "content-length": str(len(response_body))} try: req = urllib.request.Request(url=event["ResponseURL"], headers=headers, data=response_body, method="PUT") with urllib.request.urlopen(req) as response: print(response.read().decode("utf-8")) print("Status code: " + response.reason) except Exception as e: print("send(..) failed executing request.urlopen(..): " + str(e)) Handler: index.handler Role: Fn::GetAtt: - BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC - Arn Runtime: python3.9 Timeout: 300 DependsOn: - BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36 - BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC Metadata: aws:cdk:path: delivlib-test/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Resource Outputs: CodeCommitPipelineChangeControllerChangeControlBucketKeyCA921D21: Value: change-control.ics CodeCommitPipelineChangeControllerChangeControlBucket707A9E21: Value: Ref: CodeCommitPipelineChangeControllerCalendar94B1DEA8 X509CodeSigningKeyCSR5137C5A3: Description: A PEM-encoded Certificate Signing Request for a Code-Signing Certificate Value: Fn::GetAtt: - X509CodeSigningKeyRSAPrivateKeyCertificateSigningRequest7F706C9D - CSR Parameters: BootstrapVersion: Type: AWS::SSM::Parameter::Value Default: /cdk-bootstrap/hnb659fds/version Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip] Rules: CheckBootstrapVersion: Assertions: - Assert: Fn::Not: - Fn::Contains: - - "1" - "2" - "3" - "4" - "5" - Ref: BootstrapVersion AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.
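Two things a reviewer checks in a synthesized pipeline stack like the one above are its `Resource: "*"` Allow statements (here: `ssm:DeleteParameter` on the OpenPGP key generator's role, `s3:PutBucketNotification` on the bucket-notifications handler, and the ssmmessages/logs/`s3:PutObject` set on the auto-build project's role) and whether every S3 bucket carries a TLS-only deny policy (the CSR bucket does; the change-control calendar bucket has versioning but no bucket policy in this template). The script below is an added illustration, not part of delivlib or the CDK: it walks a template loaded as a Python dict and reports both. `SAMPLE_TEMPLATE` is a hand-trimmed stand-in with a fake account ID and short logical IDs, not the synthesized template. KMS key policies are skipped on purpose, because in a key policy `Resource: "*"` can only mean the key itself.

```python
"""Audit a CloudFormation template (as a dict) for IAM Allow statements on
Resource "*" and for S3 buckets without a Deny-on-aws:SecureTransport=false
bucket policy. Added example; SAMPLE_TEMPLATE is a constructed subset."""
import json

SAMPLE_TEMPLATE = {  # constructed: fake account 111111111111, trimmed actions
    "Resources": {
        "CalendarBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "CsrBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "CsrBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "CsrBucket"},
                "PolicyDocument": {"Statement": [{
                    "Action": "s3:*", "Effect": "Deny", "Principal": {"AWS": "*"},
                    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                    "Resource": [{"Fn::GetAtt": ["CsrBucket", "Arn"]}],
                }]},
            },
        },
        "AutoBuildProjectPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Statement": [
                {"Action": ["ssmmessages:OpenDataChannel", "logs:PutLogEvents", "s3:PutObject"],
                 "Effect": "Allow", "Resource": "*"},
            ]}},
        },
        "GpgKeyGenPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Statement": [
                {"Action": ["secretsmanager:CreateSecret", "secretsmanager:GetSecretValue"],
                 "Effect": "Allow",
                 "Resource": "arn:aws:secretsmanager:us-east-1:111111111111:secret:delivlib-test/CodeSign-??????"},
                {"Action": "ssm:DeleteParameter", "Effect": "Allow", "Resource": "*"},
            ]}},
        },
        "NotificationsHandlerPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Statement": [
                {"Action": "s3:PutBucketNotification", "Effect": "Allow", "Resource": "*"},
            ]}},
        },
        "CodeSignCMK": {  # key policy: Resource "*" is the key itself, so it is not a finding
            "Type": "AWS::KMS::Key",
            "Properties": {"KeyPolicy": {"Statement": [
                {"Action": "kms:*", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Resource": "*"},
            ]}},
        },
    }
}


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def iam_statements(template):
    """Yield (logical_id, statement) for AWS::IAM::Policy documents and inline
    role policies. Resource policies (KMS, S3) are deliberately excluded."""
    for logical_id, res in template["Resources"].items():
        props = res.get("Properties", {})
        docs = []
        if res["Type"] == "AWS::IAM::Policy":
            docs.append(props["PolicyDocument"])
        elif res["Type"] == "AWS::IAM::Role":
            docs += [p["PolicyDocument"] for p in props.get("Policies", [])]
        for doc in docs:
            for stmt in as_list(doc.get("Statement", [])):
                yield logical_id, stmt


def wildcard_resource_findings(template):
    """Return [(logical_id, [actions])] for every Allow statement whose Resource
    includes a bare "*"."""
    findings = []
    for logical_id, stmt in iam_statements(template):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append((logical_id, as_list(stmt["Action"])))
    return findings


def denies_plaintext(stmt):
    """True for the CDK-style 'Deny s3:* unless aws:SecureTransport' statement."""
    cond = stmt.get("Condition", {}).get("Bool", {})
    return (stmt.get("Effect") == "Deny"
            and "s3:*" in as_list(stmt.get("Action", []))
            and str(cond.get("aws:SecureTransport", "")).lower() == "false")


def buckets_without_tls_policy(template):
    """Return sorted logical IDs of AWS::S3::Bucket resources that no
    AWS::S3::BucketPolicy with a plaintext-deny statement refers to."""
    resources = template["Resources"]
    covered = set()
    for res in resources.values():
        if res["Type"] != "AWS::S3::BucketPolicy":
            continue
        stmts = as_list(res["Properties"]["PolicyDocument"].get("Statement", []))
        if any(denies_plaintext(s) for s in stmts):
            bucket = res["Properties"]["Bucket"]
            covered.add(bucket["Ref"] if isinstance(bucket, dict) else bucket)
    return sorted(lid for lid, r in resources.items()
                  if r["Type"] == "AWS::S3::Bucket" and lid not in covered)


if __name__ == "__main__":
    print(json.dumps({"wildcard_resource": wildcard_resource_findings(SAMPLE_TEMPLATE),
                      "no_tls_policy": buckets_without_tls_policy(SAMPLE_TEMPLATE)}, indent=2))
```

To run it on the real template, load the file first: `cdk synth --json` output with `json.load`, or the YAML form with `yaml.safe_load` (PyYAML, assumed installed), which works because CDK emits the long-form `Fn::` and `Ref` keys rather than `!Ref` tags. A `Resource: "*"` hit is a review prompt, not automatically a defect: `s3:PutBucketNotification` on `*` is how the CDK's shared notifications handler is built, whereas `ssm:DeleteParameter` on `*` is wider than the single `/delivlib-test/CodeSign.pub` parameter the key generator actually manages and is worth a conditional or an explicit ARN.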
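The ChangeController function above is invoked every 15 minutes by the EventBridge rule and on every upload of `change-control.ics` to the versioned calendar bucket, and its role may only `EnableStageTransition`/`DisableStageTransition` on the pipeline's Publish stage. Its code ships as an S3 asset and is not on this page, so the following Python is an added illustration of the decision such a controller has to make, not delivlib's implementation and not a statement of its exact semantics: parse the iCalendar file's `VEVENT`s into blocked windows and map a given instant to the stage-transition state. The calendar text is constructed; only UTC (`Z`) and all-day (`VALUE=DATE`) timestamps are handled, and `DTEND` is treated as exclusive per RFC 5545.

```python
"""Map an instant to the desired CodePipeline stage-transition state using
blocked windows from an iCalendar file. Added example; SAMPLE_ICS is constructed."""
from datetime import datetime, timedelta, timezone

SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//change-control//EN
BEGIN:VEVENT
UID:freeze-1
SUMMARY:Release freeze for
  summit demo
DTSTART:20240610T140000Z
DTEND:20240610T180000Z
END:VEVENT
BEGIN:VEVENT
UID:freeze-2
SUMMARY:Holiday freeze
DTSTART;VALUE=DATE:20240704
END:VEVENT
END:VCALENDAR
"""


def parse_ical_time(value):
    """UTC-aware datetime from 'YYYYMMDDTHHMMSSZ' or all-day 'YYYYMMDD'.
    Floating local times (no 'Z') are out of scope and rejected."""
    if value.endswith("Z"):
        return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if len(value) == 8 and value.isdigit():
        return datetime.strptime(value, "%Y%m%d").replace(tzinfo=timezone.utc)
    raise ValueError(f"unsupported iCalendar time: {value!r}")


def parse_blocked_windows(ics_text):
    """Return [(summary, start, end)] for every VEVENT, end exclusive.
    Folded continuation lines (leading space) are unfolded first; property
    parameters such as ';VALUE=DATE' are stripped from the name. A VEVENT
    with no DTEND spans one day if all-day, otherwise it is instantaneous."""
    unfolded = ics_text.replace("\r\n", "\n").replace("\n ", "")
    windows, current = [], None
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            raw_start = current["DTSTART"]
            start = parse_ical_time(raw_start)
            if "DTEND" in current:
                end = parse_ical_time(current["DTEND"])
            else:
                end = start + (timedelta(days=1) if not raw_start.endswith("Z") else timedelta(0))
            windows.append((current.get("SUMMARY", "(untitled)"), start, end))
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0]] = value
    return windows


def desired_transition_state(ics_text, now_iso):
    """now_iso is 'YYYY-MM-DDTHH:MM:SSZ'. Returns ('Disabled', summary) while
    inside any blocked window, otherwise ('Enabled', None)."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    for summary, start, end in parse_blocked_windows(ics_text):
        if start <= now < end:
            return "Disabled", summary
    return "Enabled", None


if __name__ == "__main__":
    for probe in ("2024-06-10T15:00:00Z", "2024-06-10T18:00:00Z", "2024-07-04T23:30:00Z"):
        print(probe, desired_transition_state(SAMPLE_ICS, probe))
```

The two scheduling paths in the stack matter for this logic: the 15-minute rule bounds how long a freeze boundary can go unenforced, and the bucket notification closes the gap when the calendar itself changes. Because the controller runs on a schedule rather than on pipeline events, it should be idempotent, which is why the function above returns a target state rather than a toggle.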