AWS Native Continuous Integration Example
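AWSTemplateFormatVersion: '2010-09-09'
Description: "Resources for hooking continuous integration into a version control repository"

# Layout of this template:
#   - three IAM roles, one per service principal (EventBridge, CodeBuild,
#     CodePipeline), each restricted to resources whose names start with
#     applicationName
#   - a CodeCommit repository, an S3 bucket for pipeline artifacts and a
#     CodeBuild project
#   - an EventBridge rule that starts the pipeline on pushes to branchName
#   - the two-stage (Source -> Build) CodePipeline itself
# Every resource created here is named from applicationName so that the
# `${applicationName}*` resource patterns in the role policies cover exactly
# this stack's resources. Resources created elsewhere (ECR repositories,
# Lambda functions, secrets, CloudFront distributions) must follow the same
# naming convention to be reachable from the build.

Parameters:
  applicationName:
    Type: String
    Description: Name of the application
    Default: demo
  # Used both by the event rule (which branch triggers a run) and by the
  # Source stage (which branch is checked out); keep the two in sync.
  branchName:
    Type: String
    Description: Branch whose pushes trigger the pipeline and which the Source stage checks out
    Default: master

Resources:
  # Role assumed by EventBridge when CommitEventRule fires. Its only
  # permission is to start pipelines named after the application.
  CloudWatchEventExecutor:
    Type: AWS::IAM::Role
    Properties:
      Description: !Sub Assumed role for CloudWatchEvent to invoke ${applicationName} CodePipeline
      Path: !Sub "/${applicationName}/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
      Policies:
        - PolicyName: !Sub "${applicationName}-cloudwatch-event-execution"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: CodePipelinePermissions
                Effect: Allow
                Action: codepipeline:StartPipelineExecution
                # The rule below only targets ${applicationName}-pipeline; the
                # prefix pattern is kept so other pipelines of the same
                # application can reuse this role.
                Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${applicationName}*"
      RoleName: !Sub ${applicationName}-cloudwatch-executor
      Tags:
        - Key: Application
          Value: !Ref applicationName

  # Role assumed by the CodeBuild project while a build runs. Everything the
  # build may touch is scoped by the applicationName prefix, except the two
  # statements that AWS only accepts with Resource '*' (see comments).
  CodeBuildExecutor:
    Type: AWS::IAM::Role
    Properties:
      Description: !Sub Assumed role for CodeBuild to allow access to ${applicationName} resources.
      Path: !Sub "/${applicationName}/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "codebuild.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: !Sub ${applicationName}-codebuild-execution
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: LogPermissions
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Effect: Allow
                Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${applicationName}*"
              # The distribution is not created by this stack, so nothing here
              # can be referenced; narrow Resource to the distribution ARN once
              # it is known, or drop the statement if the build does not
              # invalidate a distribution.
              - Sid: CloudFrontPermissions
                Action:
                  - cloudfront:CreateInvalidation
                Effect: Allow
                Resource: '*'
              # Covers both the application's deployment buckets and the
              # pipeline artifact bucket (${applicationName}-pipeline-artifacts).
              - Sid: S3Permissions
                Action:
                  - s3:List*
                  - s3:PutObject
                  - s3:GetObject
                  - s3:DeleteObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
                Effect: Allow
                Resource:
                  - !Sub "arn:aws:s3:::${applicationName}*"
              # Needed only if buildspec uses the `reports` section.
              - Sid: CodeBuildPermissions
                Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages
                Effect: Allow
                Resource:
                  - !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${applicationName}*"
              - Sid: CodeCommitPermissions
                Action:
                  - codecommit:GitPull
                Effect: Allow
                Resource:
                  - !Sub "arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${applicationName}*"
              # Any secret whose name starts with applicationName is readable by
              # the build; keep unrelated secrets out of that namespace.
              - Sid: SecretManagerPermissions
                Action:
                  - secretsmanager:GetSecretValue
                Effect: Allow
                Resource:
                  - !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${applicationName}*"
              # GetAuthorizationToken is account-level and does not accept a
              # resource ARN, hence '*'.
              - Sid: ECRAuthPermissions
                Action:
                  - ecr:GetAuthorizationToken
                Effect: Allow
                Resource: '*'
              # NOTE(review): ecr:SetRepositoryPolicy lets a build change who may
              # pull from or push to these repositories (including other
              # accounts); remove it unless the build genuinely manages
              # repository policies.
              - Sid: ECRPermissions
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:GetRepositoryPolicy
                  - ecr:SetRepositoryPolicy
                  - ecr:DescribeRepositories
                  - ecr:ListImages
                  - ecr:DescribeImages
                  - ecr:BatchGetImage
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload
                  - ecr:PutImage
                Effect: Allow
                Resource:
                  - !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${applicationName}-*"
              - Sid: LambdaPermissions
                Action:
                  - lambda:UpdateFunctionCode
                Effect: Allow
                Resource:
                  - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${applicationName}-*"
              # Add whatever other permissions you need here.
      RoleName: !Sub ${applicationName}-codebuild-executor
      Tags:
        - Key: Application
          Value: !Ref applicationName

  # Role assumed by the pipeline itself: reads the source repository, moves
  # artifacts through the artifact bucket and starts the CodeBuild project.
  CodePipelineExecutor:
    Type: AWS::IAM::Role
    Properties:
      Description: !Sub Assumed role for CodePipeline to access ${applicationName} resources
      Path: !Sub "/${applicationName}/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "codepipeline.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: !Sub ${applicationName}-codepipeline-role-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Roles in this stack live under Path /${applicationName}/, so the
              # role/${applicationName}* pattern matches all of them.
              - Sid: IAMPermissions
                Action:
                  - iam:PassRole
                Effect: Allow
                Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/${applicationName}*"
              # NOTE(review): cloudwatch:* on '*' is far broader than a
              # Source -> Build pipeline needs; nothing in this template
              # requires it, so consider removing or narrowing it.
              - Sid: CloudWatchPermissions
                Action:
                  - cloudwatch:*
                Resource: "*"
                Effect: Allow
              # NOTE(review): s3:* includes bucket deletion and policy changes;
              # the pipeline only needs object get/put on the artifact bucket.
              - Sid: S3Permissions
                Action:
                  - s3:*
                Effect: Allow
                Resource:
                  - !Sub "arn:aws:s3:::${applicationName}*"
              # Bound to the repository created below. The repository is named
              # exactly ${applicationName}, so a "${applicationName}-*" pattern
              # would not match it and the Source stage would be denied.
              - Sid: CodeCommitPermissions
                Action:
                  - codecommit:CancelUploadArchive
                  - codecommit:GetBranch
                  - codecommit:GetCommit
                  - codecommit:GetRepository
                  - codecommit:GetUploadArchiveStatus
                  - codecommit:UploadArchive
                Effect: Allow
                Resource: !GetAtt Repo.Arn
              - Sid: CodeBuildPermissions
                Action:
                  - codebuild:BatchGetBuilds
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuildBatches
                  - codebuild:StartBuildBatch
                Resource:
                  - !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:*/${applicationName}*"
                Effect: Allow
              # add whatever other permissions you need here
      RoleName: !Sub ${applicationName}-codepipeline-executor
      Tags:
        - Key: Application
          Value: !Ref applicationName

  # Source repository watched by CommitEventRule and read by the Source stage.
  Repo:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: !Sub "${applicationName}"
      RepositoryDescription: !Sub "A repository for the ${applicationName} code."
      Tags:
        - Key: Application
          Value: !Ref applicationName

  # Artifact store shared by the pipeline stages. Bucket names are global, so
  # stack creation fails if another account already owns this name.
  # DeletionPolicy: Delete only succeeds on an empty bucket; with versioning
  # on, every object version must be removed before the stack can be deleted.
  PipelineArtifacts:
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete
    Properties:
      BucketName: !Sub "${applicationName}-pipeline-artifacts"
      VersioningConfiguration:
        Status: Enabled
      # Build artifacts are never meant to be public; block every public
      # access path regardless of account-level settings.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - Key: Application
          Value: !Ref applicationName

  # Build project driven by the pipeline (Source and Artifacts are both
  # CODEPIPELINE, so it cannot be started meaningfully on its own).
  CodeBuild:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${applicationName}-codebuild"
      Artifacts:
        Type: CODEPIPELINE
      ServiceRole: !GetAtt CodeBuildExecutor.Arn
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_MEDIUM
        # Pinned standard image; check the current CodeBuild image list before
        # reusing this in a new pipeline.
        Image: aws/codebuild/standard:4.0
        # PrivilegedMode gives the build container access to the Docker
        # daemon. It is required to build container images for the ECR push
        # above; set it to false if the build does not build images.
        PrivilegedMode: true
      Source:
        Type: CODEPIPELINE
      Cache:
        Type: LOCAL
        # You can specify one or more cache mode,
        Modes:
          - LOCAL_CUSTOM_CACHE
          - LOCAL_DOCKER_LAYER_CACHE
          - LOCAL_SOURCE_CACHE
      Tags:
        - Key: Application
          Value: !Ref applicationName

  # Starts the pipeline whenever the tracked branch of Repo is created or
  # updated. The Source stage has PollForSourceChanges disabled, so this rule
  # is the only trigger.
  CommitEventRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.codecommit
        detail-type:
          - 'CodeCommit Repository State Change'
        resources:
          - !GetAtt Repo.Arn
        detail:
          event:
            - referenceCreated
            - referenceUpdated
          referenceType:
            - branch
          referenceName:
            - !Ref branchName
      Targets:
        # ${CIPipeline} resolves to the pipeline name and makes CloudFormation
        # create the pipeline before the rule that targets it.
        - Arn: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${CIPipeline}"
          RoleArn: !GetAtt CloudWatchEventExecutor.Arn
          Id: !Sub ${applicationName}-codepipeline

  # Two-stage pipeline: check out branchName from Repo, then run CodeBuild on
  # the checked-out source.
  CIPipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Sub "${applicationName}-pipeline"
      RoleArn: !GetAtt CodePipelineExecutor.Arn
      ArtifactStore:
        Type: S3
        Location: !Ref PipelineArtifacts
      Stages:
        - Name: Source
          Actions:
            - Name: Source
              InputArtifacts: []
              ActionTypeId:
                Category: Source
                Owner: AWS
                # Action versions are strings; quoted to match the Build action.
                Version: '1'
                Provider: CodeCommit
              OutputArtifacts:
                - Name: !Sub "${applicationName}-source"
              Configuration:
                RepositoryName: !GetAtt Repo.Name
                BranchName: !Ref branchName
                # Event-driven via CommitEventRule; polling would double-trigger.
                PollForSourceChanges: false
        - Name: Build
          Actions:
            - Name: CodeBuild
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: '1'
              InputArtifacts:
                - Name: !Sub "${applicationName}-source"
              OutputArtifacts:
                - Name: !Sub "${applicationName}-build"
              Configuration:
                ProjectName: !Ref CodeBuild
                # Exposes APPLICATION and AWS_ACCOUNT_ID to the buildspec as
                # plaintext variables (the value is a JSON array string).
                EnvironmentVariables: !Sub
                  - '[{"name":"APPLICATION","value":"${app}","type":"PLAINTEXT"},{ "name": "AWS_ACCOUNT_ID", "value": "${id}", "type": "PLAINTEXT"}]'
                  - app: !Ref applicationName
                    id: !Sub ${AWS::AccountId}
      Tags:
        - Key: Application
          Value: !Ref applicationName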