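---
# CI/CD pipeline for a Lambda (SAM) application:
#   GitHub source -> CodeBuild (build/package) -> CloudFormation change set (deploy).
# Three service roles are defined, one per stage engine, plus a KMS key used by
# the CodeBuild project for its output artifacts.
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda Pipeline for CI/CD

Parameters:
  GitHubRepo:
    Description: The GitHub repo where the code is hosted.
    Type: String
  GitHubRepoOwner:
    Description: The owning account name for GitHub repo where the code is hosted.
    Type: String
  GitHubToken:
    Description: The GitHub token to access the repo.
    Type: String
    # The token is a credential: keep it out of DescribeStacks output and the console.
    NoEcho: true
  PackagedTemplatePath:
    Description: The packaged SAM template as created by buildspec.yml.
    Type: String
  ArtifactBucket:
    Description: Existing S3 bucket used as the CodePipeline artifact store.
    Type: String
    # Default keeps the bucket this template previously hard-coded, so existing
    # deployments are unaffected.
    Default: codepipeline-us-east-1-11101033261

Resources:
  # Role assumed by the CodeBuild project (Build below).
  BuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CodeBuildTrustPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Log group name matches BuildLogRetention (the project is named after the stack).
              - Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Effect: Allow
                Resource:
                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${AWS::StackName}'
                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${AWS::StackName}:*'
              # Pipeline artifact bucket; assumes the codepipeline-<region>-* naming that
              # the ArtifactBucket default follows.
              - Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                Effect: Allow
                Resource: !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*'
              - Action:
                  - ssm:GetParameters
                Effect: Allow
                Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/CodeBuild/*'
              # NOTE(review): this allows writing objects into every bucket in the account,
              # not just the artifact/packaging bucket. Left as-is to avoid breaking
              # buildspec.yml's `sam package` target; scope it to that bucket if known.
              - Action:
                  - s3:PutObject
                Effect: Allow
                Resource: arn:aws:s3:::*/*

  # Role passed to CloudFormation by the Prod stage to create/execute the change set.
  CloudFormationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSLambdaExecute
      Policies:
        - PolicyName: CloudFormationTrustPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
                Effect: Allow
                Resource: '*'
              - Action:
                  - s3:PutObject
                Effect: Allow
                Resource: arn:aws:s3:::codepipeline*
              # NOTE(review): lambda:* / apigateway:* on every function and API in the
              # region is broader than a single SAM stack needs.
              - Action:
                  - lambda:*
                Effect: Allow
                Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*'
              - Action:
                  - apigateway:*
                Effect: Allow
                Resource: !Sub 'arn:aws:apigateway:${AWS::Region}::*'
              # Needed because the deployed SAM stack creates its own execution roles
              # (hence CAPABILITY_IAM on the deploy action).
              - Action:
                  - iam:GetRole
                  - iam:CreateRole
                  - iam:DeleteRole
                  - iam:PutRolePolicy
                Effect: Allow
                Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
              - Action:
                  - iam:AttachRolePolicy
                  - iam:DeleteRolePolicy
                  - iam:DetachRolePolicy
                Effect: Allow
                Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
              # NOTE(review): iam:PassRole on '*' lets this role hand any role in the
              # account to a service; constraining the Resource (or adding an
              # iam:PassedToService condition) would limit privilege escalation paths.
              - Action:
                  - iam:PassRole
                Effect: Allow
                Resource: '*'
              # The SAM transform is applied as a change set on the AWS-owned transform ARN.
              - Action:
                  - cloudformation:CreateChangeSet
                Effect: Allow
                Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31'
              - Action:
                  - codedeploy:CreateApplication
                  - codedeploy:DeleteApplication
                  - codedeploy:RegisterApplicationRevision
                Effect: Allow
                Resource: !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:application:*'
              - Action:
                  - codedeploy:CreateDeploymentGroup
                  - codedeploy:CreateDeployment
                  - codedeploy:GetDeployment
                Effect: Allow
                Resource: !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentgroup:*'
              - Action:
                  - codedeploy:GetDeploymentConfig
                Effect: Allow
                Resource: !Sub 'arn:aws:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentconfig:*'

  # Service role for the pipeline itself.
  PipelineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CodePipelineTrustPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
                Effect: Allow
                Resource: '*'
              - Action:
                  - s3:PutObject
                Effect: Allow
                Resource:
                  - arn:aws:s3:::codepipeline*
                  - arn:aws:s3:::elasticbeanstalk*
              - Action:
                  - codecommit:CancelUploadArchive
                  - codecommit:GetBranch
                  - codecommit:GetCommit
                  - codecommit:GetUploadArchiveStatus
                  - codecommit:UploadArchive
                Effect: Allow
                Resource: '*'
              - Action:
                  - codedeploy:CreateDeployment
                  - codedeploy:GetApplicationRevision
                  - codedeploy:GetDeployment
                  - codedeploy:GetDeploymentConfig
                  - codedeploy:RegisterApplicationRevision
                Effect: Allow
                Resource: '*'
              # NOTE(review): this is the broad, generic pipeline service-role policy.
              # The stages below only use GitHub, CodeBuild and CloudFormation, so the
              # ec2/rds/ecs/elasticbeanstalk/opsworks/sqs/sns grants are unused and
              # could be dropped; kept unchanged here so behaviour is unaffected.
              - Action:
                  - elasticbeanstalk:*
                  - ec2:*
                  - elasticloadbalancing:*
                  - autoscaling:*
                  - cloudwatch:*
                  - s3:*
                  - sns:*
                  - cloudformation:*
                  - rds:*
                  - sqs:*
                  - ecs:*
                  - iam:PassRole
                Effect: Allow
                Resource: '*'
              - Action:
                  - lambda:InvokeFunction
                  - lambda:ListFunctions
                Effect: Allow
                Resource: '*'
              - Action:
                  - opsworks:CreateDeployment
                  - opsworks:DescribeApps
                  - opsworks:DescribeCommands
                  - opsworks:DescribeDeployments
                  - opsworks:DescribeInstances
                  - opsworks:DescribeStacks
                  - opsworks:UpdateApp
                  - opsworks:UpdateStack
                Effect: Allow
                Resource: '*'
              # Used by the Prod stage; iam:PassRole hands CloudFormationRole to CloudFormation.
              - Action:
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:UpdateStack
                  - cloudformation:CreateChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:SetStackPolicy
                  - cloudformation:ValidateTemplate
                  - iam:PassRole
                Effect: Allow
                Resource: '*'
              # Used by the Build stage (duplicate BatchGetBuilds entry removed).
              - Action:
                  - codebuild:BatchGetBuilds
                  - codebuild:StartBuild
                Effect: Allow
                Resource: '*'
      # A fixed RoleName means this template must be deployed with CAPABILITY_NAMED_IAM.
      RoleName: !Sub '${AWS::StackName}-${AWS::Region}-pipeline'

  # Customer-managed key used by the CodeBuild project for its output artifacts.
  EncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      Description: !Sub 'KMS key for the ${AWS::StackName} deployment'
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Any principal in this account may use the key, but only via S3 in the
          # stack's region (previously hard-coded to us-east-1).
          - Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Condition:
              StringEquals:
                'kms:ViaService': !Sub 's3.${AWS::Region}.amazonaws.com'
                'kms:CallerAccount': !Ref AWS::AccountId
            Effect: Allow
            Principal:
              AWS: '*'
            Resource: '*'
          # Account root keeps full administrative control of the key.
          - Action:
              - kms:*
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Resource: '*'

  # Build/package step; source and artifacts are exchanged with CodePipeline.
  Build:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Name: config-service
        Packaging: NONE
        Type: CODEPIPELINE
      EncryptionKey: !GetAtt EncryptionKey.Arn
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/nodejs:6.3.1
        Type: LINUX_CONTAINER
      # Project name doubles as the CloudWatch log group suffix (see BuildLogRetention).
      Name: !Ref AWS::StackName
      ServiceRole: !GetAtt BuildRole.Arn
      Source:
        Type: CODEPIPELINE
    DependsOn:
      - BuildRole
      - EncryptionKey

  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ArtifactStore:
        Location: !Ref ArtifactBucket
        Type: S3
      Name: !Ref AWS::StackName
      RoleArn: !GetAtt PipelineRole.Arn
      Stages:
        # Source: GitHub v1 (OAuth token) action, polling the master branch.
        - Name: Source
          Actions:
            - ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Provider: GitHub
                Version: '1'
              Configuration:
                Branch: master
                OAuthToken: !Ref GitHubToken
                Owner: !Ref GitHubRepoOwner
                PollForSourceChanges: 'true'
                Repo: !Ref GitHubRepo
              Name: Source
              OutputArtifacts:
                - Name: !Sub '${AWS::StackName}Source'
              RunOrder: 1
        # Build: runs buildspec.yml, which emits the packaged SAM template.
        - Name: Build
          Actions:
            - ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: '1'
              Configuration:
                ProjectName: !Ref Build
              InputArtifacts:
                - Name: !Sub '${AWS::StackName}Source'
              Name: CodeBuild
              OutputArtifacts:
                - Name: !Sub '${AWS::StackName}CodeBuild'
              RunOrder: 1
        # Prod: create a change set from the packaged template (RunOrder 1), then
        # execute it (RunOrder 2). Both actions target the same stack and change set.
        - Name: Prod
          Actions:
            - ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CloudFormation
                Version: '1'
              Configuration:
                ActionMode: CHANGE_SET_REPLACE
                Capabilities: CAPABILITY_IAM
                ChangeSetName: Deploy
                RoleArn: !GetAtt CloudFormationRole.Arn
                StackName: !Sub '${AWS::StackName}-deployed'
                TemplatePath: !Sub '${AWS::StackName}CodeBuild::${PackagedTemplatePath}'
              InputArtifacts:
                - Name: !Sub '${AWS::StackName}CodeBuild'
              Name: PrepCloudFormation
              RunOrder: 1
            - ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CloudFormation
                Version: '1'
              Configuration:
                ActionMode: CHANGE_SET_EXECUTE
                ChangeSetName: Deploy
                StackName: !Sub '${AWS::StackName}-deployed'
              Name: DeployCloudFormation
              RunOrder: 2
    # BuildLogRetention is listed so the retention policy exists before the pipeline's
    # first run can trigger a build that writes to that log group.
    DependsOn:
      - Build
      - BuildLogRetention
      - CloudFormationRole
      - PipelineRole

  # Caps retention of the CodeBuild logs; name matches the BuildRole logs ARNs.
  BuildLogRetention:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/aws/codebuild/${Build}'
      RetentionInDays: 7

Outputs:
  Pipeline:
    Description: The ARN of the pipeline that was created.
    Value: !Ref Pipeline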