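---
# Template header and input parameters. The format version is quoted so a
# strict YAML loader keeps it as a string instead of a date.
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  CodePipeline with a GitHub source stage and a CodeDeploy in-place deploy
  stage to an EC2 instance, plus the pipeline role, artifact bucket and
  CodeDeploy application / deployment group it uses.

Parameters:
  ApplicationName:
    Type: String
    Description: App name. Also used to derive the pipeline and artifact bucket names.
  EC2InstanceName:
    # Explicit empty string rather than a bare "Default:" (YAML null). The
    # deployment group's Name-tag filter uses this value verbatim, so set it
    # per stack.
    Default: ""
    Type: String
    Description: Name of the target EC2 instance (Value for the Name tag). It will be used to select an instance for deployment
  Repository:
    Description: Name of the repository
    Type: String
  RepositoryOwner:
    Default: ""
    Description: Repository owner
    Type: String
  RepositoryTokenSecret:
    # Only the secret *name* is passed in; the token itself is resolved from
    # Secrets Manager by the pipeline and never enters the template.
    Default: ""
    Description: Secret name for git authentication. Should be created manually beforehand
    Type: String
  RepositoryTokenSecretKey:
    Default: ""
    Description: Secret's key for git authentication
    Type: String
  TargetBranch:
    Default: master
    Description: git source branch
    Type: String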
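Resources:
  application:
    Type: AWS::CodeDeploy::Application
    Properties:
      ApplicationName: !Ref ApplicationName
      ComputePlatform: Server

  # Service role assumed by CodePipeline. The aws:SourceAccount condition
  # restricts assumption to pipelines in this account (confused-deputy guard).
  pipelineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref "AWS::AccountId"

  applicationDeploymentGroup:
    Type: AWS::CodeDeploy::DeploymentGroup
    Properties:
      ApplicationName: !Ref application
      DeploymentConfigName: CodeDeployDefault.OneAtATime
      DeploymentStyle:
        DeploymentType: IN_PLACE
        DeploymentOption: WITHOUT_TRAFFIC_CONTROL
      # Target instances are selected by their Name tag, taken verbatim from
      # the EC2InstanceName parameter.
      Ec2TagFilters:
        - Key: Name
          Type: KEY_AND_VALUE
          Value: !Ref EC2InstanceName
      # NOTE(review): this CodeDeploy service role is not created by this
      # template; it must already exist in the account with the CodeDeploy
      # service trust and permissions, or stack creation fails here.
      ServiceRoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/AWSUserRoleForEC2

  # Permissions for the pipeline role. The former ec2:* / cloudwatch:* / s3:*
  # on "*" grant is replaced by an s3:* grant scoped to the artifact bucket:
  # neither the GitHub source action nor the CodeDeploy deploy action calls
  # EC2 or CloudWatch through the pipeline role.
  pipelineRoleDefaultPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: pipelineRoleDefaultPolicy
      Roles:
        - !Ref pipelineRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # No stage in this pipeline passes a role; the grant is kept for
          # compatibility and stays bounded by the PassedToService condition.
          - Effect: Allow
            Action:
              - iam:PassRole
            Resource: "*"
            Condition:
              StringEqualsIfExists:
                iam:PassedToService:
                  - cloudformation.amazonaws.com
                  - elasticbeanstalk.amazonaws.com
                  - ec2.amazonaws.com
                  - ecs-tasks.amazonaws.com
          - Effect: Allow
            Action:
              - codedeploy:CreateDeployment
              - codedeploy:GetApplication
              - codedeploy:GetApplicationRevision
              - codedeploy:GetDeployment
              - codedeploy:GetDeploymentConfig
              - codedeploy:RegisterApplicationRevision
            Resource: "*"
          # Artifact handling only ever touches this template's own bucket.
          - Effect: Allow
            Action:
              - s3:*
            Resource:
              - !GetAtt pipelineArtifactsBucket.Arn
              - !Sub ${pipelineArtifactsBucket.Arn}/*

  pipelineResource:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Sub ${ApplicationName}-pipeline
      RoleArn: !GetAtt pipelineRole.Arn
      RestartExecutionOnUpdate: false
      ArtifactStore:
        Type: S3
        Location: !Ref pipelineArtifactsBucket
      Stages:
        - Name: Source
          Actions:
            - Name: GitHubSource
              # NOTE(review): this is the OAuth-token based GitHub (version 1)
              # action; AWS recommends the connection-based version 2 action,
              # so plan a migration.
              ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Provider: GitHub  # update with required git source
                Version: "1"
              Configuration:
                Owner: !Ref RepositoryOwner
                Repo: !Ref Repository
                Branch: !Ref TargetBranch
                # Token is a Secrets Manager dynamic reference resolved at
                # deploy time; it never appears in the template or parameters.
                OAuthToken: !Sub "{{resolve:secretsmanager:${RepositoryTokenSecret}:SecretString:${RepositoryTokenSecretKey}::}}"
                # No AWS::CodePipeline::Webhook is defined in this template, so
                # with polling off the pipeline only runs when started manually
                # or once a webhook is registered separately.
                PollForSourceChanges: false
              OutputArtifacts:
                - Name: SourceArtifact
              RunOrder: 1
        - Name: Deploy
          Actions:
            - Name: Deploy
              Region: !Ref "AWS::Region"
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CodeDeploy
                Version: "1"
              Configuration:
                ApplicationName: !Ref application
                DeploymentGroupName: !Ref applicationDeploymentGroup
              InputArtifacts:
                - Name: SourceArtifact
              RunOrder: 1

  # Artifact store: SSE at rest and a full public-access block. The bucket
  # name is derived from ApplicationName and must be globally unique.
  pipelineArtifactsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${ApplicationName}-artifact-store
      AccessControl: BucketOwnerFullControl
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true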