1# Input variables
variable "aws_region" {
  # Region the aws provider (and therefore every resource in this file) is
  # created in.
  type    = "string"
  default = "us-west-2"
}
6
variable "pipeline_name" {
  # Prefix used for every resource name below (roles, policies, CodeBuild
  # project, pipeline and the S3 artifact bucket). Because it ends up in a
  # bucket name it must be a valid S3 bucket-name fragment: lower-case,
  # digits and hyphens only.
  type    = "string"
  default = "static-website"
}
11
variable "github_username" {
  # GitHub account (or organisation) that owns var.github_repo; passed to the
  # GitHub source action as "Owner". The default is the original author's own
  # account and should be overridden when this configuration is reused.
  type    = "string"
  default = "kylegalbraith"
}
16
variable "github_token" {
  # GitHub personal access token used by the GitHub (v1) source action.
  # Deliberately has no default: supply it via TF_VAR_github_token or a
  # -var-file that is kept out of version control. Terraform writes the value
  # in plain text into the state file and AWS stores it in the pipeline's
  # action configuration, so treat state as a secret and use a token scoped to
  # only what the source action needs for this one repository.
  type = "string"
}
20
variable "github_repo" {
  # Repository name (without the owner) whose "master" branch the pipeline
  # polls for changes. Anyone who can push to that branch controls the
  # buildspec.yml that runs under the CodeBuild role defined below.
  type = "string"
}
24
provider "aws" {
  # Credentials come from the usual provider chain (environment, shared
  # credentials file, instance profile); only the region is pinned here.
  region = "${var.aws_region}"
}
28
29# CodePipeline resources
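resource "aws_s3_bucket" "build_artifact_bucket" {
  # Holds the artifacts handed between pipeline stages ("code" from the
  # Source stage, "deployed" from the build). S3 bucket names are global, so
  # creation fails if another account already owns this name.
  bucket = "${var.pipeline_name}-artifact-bucket"
  acl    = "private"

  # The artifacts are a full copy of the source tree plus build output.
  # Versioning keeps an artifact from being silently replaced between the
  # Source and DeployToS3 stages (the pipeline policy already asks for
  # s3:GetBucketVersioning), and default encryption ensures nothing lands in
  # the bucket unencrypted at rest. A bucket ACL of "private" does not by
  # itself block public bucket policies; an aws_s3_bucket_public_access_block
  # for this bucket is a sensible follow-up.
  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}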
34
data "aws_iam_policy_document" "codepipeline_assume_policy" {
  # Trust policy for the pipeline role: only the CodePipeline service
  # principal may assume it.
  # NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set; one
  # is worth adding if the role ever gains rights beyond this pipeline.
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["codepipeline.amazonaws.com"]
    }
  }
}
46
resource "aws_iam_role" "codepipeline_role" {
  # Role the pipeline itself runs as (see role_arn on aws_codepipeline).
  # Its permissions are attached separately by attach_codepipeline_policy.
  name               = "${var.pipeline_name}-codepipeline-role"
  assume_role_policy = "${data.aws_iam_policy_document.codepipeline_assume_policy.json}"
}
51
# CodePipeline policy needed to use the artifact bucket and CodeBuild
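resource "aws_iam_role_policy" "attach_codepipeline_policy" {
  name = "${var.pipeline_name}-codepipeline-policy"
  role = "${aws_iam_role.codepipeline_role.id}"

  # Least-privilege permissions for the pipeline role. Each statement is
  # scoped to a resource this file creates rather than "*":
  #  - the artifact bucket, the only S3 location the pipeline reads or
  #    writes (its artifact_store);
  #  - the single CodeBuild project the DeployToS3 stage starts;
  #  - the CodeBuild service role, the only role it may hand out with
  #    iam:PassRole. An unscoped PassRole would let anyone able to edit the
  #    pipeline run actions under any role in the account.
  # cloudwatch:*, sns:* and sqs:* are not used by the Source or DeployToS3
  # stages and have been dropped; grant sns:Publish on a specific topic if a
  # manual-approval action is added later.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketVersioning"
      ],
      "Resource": "${aws_s3_bucket.build_artifact_bucket.arn}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": "${aws_s3_bucket.build_artifact_bucket.arn}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": "${aws_codebuild_project.build_project.arn}"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "${aws_iam_role.codebuild_assume_role.arn}"
    }
  ]
}
EOF
}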
93
94# CodeBuild IAM Permissions
resource "aws_iam_role" "codebuild_assume_role" {
  # Role the build container runs as (service_role on the CodeBuild project).
  # Only the CodeBuild service principal may assume it; what it can do is
  # defined in codebuild_policy. Written as an inline heredoc rather than an
  # aws_iam_policy_document like the pipeline role above — the two are
  # equivalent in effect.
  name = "${var.pipeline_name}-codebuild-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
113
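resource "aws_iam_role_policy" "codebuild_policy" {
  name = "${var.pipeline_name}-codebuild-policy"
  role = "${aws_iam_role.codebuild_assume_role.id}"

  # Permissions the build container (and therefore whatever buildspec.yml in
  # the repository asks for) runs with.
  #  - S3: left on "*" because the DeployToS3 stage presumably syncs the built
  #    site to a hosting bucket that is not defined in this file. Replace "*"
  #    with the artifact bucket ARN plus that hosting bucket's ARN as soon as
  #    the latter is known; as written, a compromised build can read or
  #    overwrite objects in any bucket the account owns.
  #  - codebuild:*: the container does not normally need to call the CodeBuild
  #    API on its own project; drop this statement unless buildspec.yml does.
  #  - logs: scoped to the log group CodeBuild creates for this project
  #    (/aws/codebuild/<project name>) instead of every log group.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketVersioning"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:*"
      ],
      "Resource": [
        "${aws_codebuild_project.build_project.id}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:${var.aws_region}:*:log-group:/aws/codebuild/${var.pipeline_name}-build",
        "arn:aws:logs:${var.aws_region}:*:log-group:/aws/codebuild/${var.pipeline_name}-build:*"
      ]
    }
  ]
}
POLICY
}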
156
157# CodeBuild Section for the Package stage
resource "aws_codebuild_project" "build_project" {
  # Build project invoked by the pipeline's DeployToS3 stage. Input and output
  # are both CODEPIPELINE, i.e. the artifact bucket; the build steps come from
  # buildspec.yml in the source repository, so the repository's master branch
  # decides what runs under codebuild_assume_role.
  name          = "${var.pipeline_name}-build"
  description   = "The CodeBuild project for ${var.pipeline_name}"
  service_role  = "${aws_iam_role.codebuild_assume_role.arn}"
  build_timeout = "60"

  artifacts {
    type = "CODEPIPELINE"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    # NOTE(review): this is an old curated Node.js 6 image; Node 6 is past end
    # of life and the image line no longer receives updates — confirm against
    # the current CodeBuild image list before reusing. privileged_mode is left
    # off, which is correct for a static site build.
    image        = "aws/codebuild/nodejs:6.3.1"
    type         = "LINUX_CONTAINER"
  }

  source {
    type      = "CODEPIPELINE"
    buildspec = "buildspec.yml"
  }
}
179
180# Full CodePipeline
resource "aws_codepipeline" "codepipeline" {
  # Two-stage pipeline: pull the repository from GitHub, then run the
  # CodeBuild project on it. Runs as codepipeline_role; artifacts between
  # stages live in build_artifact_bucket.
  name     = "${var.pipeline_name}-codepipeline"
  role_arn = "${aws_iam_role.codepipeline_role.arn}"

  # Written with "=" (attribute form); Terraform 0.11 accepts this, later
  # versions expect the block form `artifact_store { ... }`.
  artifact_store = {
    location = "${aws_s3_bucket.build_artifact_bucket.bucket}"
    type     = "S3"
  }

  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "ThirdParty"
      # GitHub version 1 source action: authenticates with a personal access
      # token that AWS stores in the action configuration (and Terraform in
      # state). It discovers commits by polling rather than via a webhook.
      provider         = "GitHub"
      version          = "1"
      output_artifacts = ["code"]

      configuration {
        Owner                = "${var.github_username}"
        OAuthToken           = "${var.github_token}"
        Repo                 = "${var.github_repo}"
        Branch               = "master"
        PollForSourceChanges = "true"
      }
    }
  }

  stage {
    name = "DeployToS3"

    action {
      name             = "DeployToS3"
      # A CodeBuild action declared under the "Test" category; the deploy
      # itself presumably happens inside buildspec.yml — verify there.
      category         = "Test"
      owner            = "AWS"
      provider         = "CodeBuild"
      input_artifacts  = ["code"]
      output_artifacts = ["deployed"]
      version          = "1"

      configuration {
        ProjectName = "${aws_codebuild_project.build_project.name}"
      }
    }
  }
}
228}