template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: "AWS CodePipeline shared resources."

Parameters:
  GitProviderType:
    Type: String
    Default: "GitHub"
  BuildAccount:
    Type: String
    Default: ""
  DeployAccounts:
    Type: CommaDelimitedList
    Default: ""
  ArtifactsBucketArn:
    Type: String
    Default: ""
  ArtifactsBucketKmsKeyArn:
    Type: String
    Default: ""
  ImageRepositoryArn:
    Type: String
    Default: ""
  BuildPipeline:
    Type: String
    AllowedValues: ["true", "false"]
    Default: "true"
  DevPipelineExecutionRole:
    Type: String
    Default: ""
  DevCodeBuildServiceRole:
    Type: String
    Default: ""
  DevCfnExecutionRole:
    Type: String
    Default: ""
  ProdPipelineExecutionRole:
    Type: String
    Default: ""
  ProdCodeBuildServiceRole:
    Type: String
    Default: ""
  ProdCfnExecutionRole:
    Type: String
    Default: ""

Conditions:
  HasDevPipelineExecutionRole: !Not [!Equals [!Ref DevPipelineExecutionRole, ""]]
  HasDevCodeBuildServiceRole: !Not [!Equals [!Ref DevCodeBuildServiceRole, ""]]
  HasDevCfnExecutionRole: !Not [!Equals [!Ref DevCfnExecutionRole, ""]]
  HasProdPipelineExecutionRole: !Not [!Equals [!Ref ProdPipelineExecutionRole, ""]]
  HasProdCodeBuildServiceRole: !Not [!Equals [!Ref ProdCodeBuildServiceRole, ""]]
  HasProdCfnExecutionRole: !Not [!Equals [!Ref ProdCfnExecutionRole, ""]]
  MissingDeployAccounts: !Equals [!Select [0, !Ref DeployAccounts], ""]
  IsBuildPipeline: !Equals [!Ref BuildPipeline, "true"]

Resources:
  PipelineUser:
    Type: AWS::IAM::User
    Condition: IsBuildPipeline
    Properties:
      Policies:
        - PolicyName: AssumeRoles
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "sts:AssumeRole"
                Resource: "*"
                Condition:
                  StringEquals:
                    aws:ResourceTag/Role: codepipeline-execution-role

  PipelineUserAccessKey:
    Type: AWS::IAM::AccessKey
    Condition: IsBuildPipeline
    Properties:
      Serial: 1
      Status: Active
      UserName: !Ref PipelineUser

  PipelineUserSecretKey:
    Type: AWS::SecretsManager::Secret
    Condition: IsBuildPipeline
    Properties:
      SecretString: !Sub '{"aws_access_key_id": "${PipelineUserAccessKey}", "aws_secret_access_key": "${PipelineUserAccessKey.SecretAccessKey}"}'

  CloudFormationExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      Tags:
        - Key: Role
          Value: cloudformation-execution-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: GrantCloudFormationFullAccess
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'

  CloudFormationExecutionRoleArnSsmParam:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${AWS::StackName}/BuildCfnExecutionRoleArn"
      Type: "String"
      Description: "CloudFormation Execution IAM Role ARN"
      Value: !GetAtt CloudFormationExecutionRole.Arn

  PipelineExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      Tags:
        - Key: Role
          Value: codepipeline-execution-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          # FIXME: Need to prevent deploy account roles from assuming build account role
          - Action:
              - "sts:AssumeRole"
            Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
          - Fn::If:
            - IsBuildPipeline
            - Effect: Allow
              Principal:
                AWS: !GetAtt PipelineUser.Arn
              Action:
                - 'sts:AssumeRole'
            - !Ref AWS::NoValue
          - Effect: Allow
            Principal:
              AWS:
                Fn::If:
                  - IsBuildPipeline
                  - !Ref AWS::AccountId
                  - !Ref BuildAccount
            Action:
              - 'sts:AssumeRole'
            Condition:
                StringLike:
                  aws:PrincipalTag/Role:
                    - codepipeline-execution-role
                    - codebuild-service-role
      Policies:
        # FIXME: What is this permission allowing? Is this maybe only needed
        # in the build account?
        - PolicyName: AssumePipelineRoles
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource: "*"
                Condition:
                  StringLike:
                    aws:ResourceTag/Role:
                      - codepipeline-execution-role
                      - codebuild-service-role
        - PolicyName: PassCfnRoleToServices
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: 'iam:PassRole'
                Resource: !GetAtt CloudFormationExecutionRole.Arn
        - PolicyName: CodeBuild
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # FIXME: Deploy accounts shouldn't need this.
              - Effect: Allow
                Action:
                  - "codebuild:StartBuild"
                  - "codebuild:BatchGetBuilds"
                Resource: "*"
        - PolicyName: CloudFormationService
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "cloudformation:CreateChangeSet"
                  - "cloudformation:DeleteChangeSet"
                  - "cloudformation:DescribeChangeSet"
                  - "cloudformation:ExecuteChangeSet"
                  - "cloudformation:DescribeStackEvents"
                  - "cloudformation:DescribeStacks"
                  - "cloudformation:GetTemplateSummary"
                  - "cloudformation:DescribeStackResource"
                Resource: '*'
        - PolicyName: ArtifactBucketAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 's3:GetObject*'
                  - 's3:PutObject*'
                  - 's3:GetBucket*'
                  - 's3:List*'
                Resource:
                  Fn::If:
                    - IsBuildPipeline
                    - - !Join [ '',[ !GetAtt ArtifactsBucket.Arn, '/*' ] ]
                      - !GetAtt ArtifactsBucket.Arn
                    - - !Join [ '',[ !Ref ArtifactsBucketArn, '/*' ] ]
                      - !Ref ArtifactsBucketArn
        - PolicyName: EcrFetch
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ecr:GetDownloadUrlForLayer"
                  - "ecr:BatchGetImage"
                  - "ecr:BatchCheckLayerAvailability"
                Resource:
                  Fn::If:
                    - IsBuildPipeline
                    - !GetAtt ImageRepository.Arn
                    - !Ref ImageRepositoryArn
        - PolicyName: KmsKeyAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - kms:DescribeKey
                  - kms:GenerateDataKey*
                  - kms:Encrypt
                  - kms:ReEncrypt*
                  - kms:Decrypt
                Resource:
                  Fn::If:
                    - IsBuildPipeline
                    - !GetAtt ArtifactsBucketKmsKey.Arn
                    - !Ref ArtifactsBucketKmsKeyArn
        - Fn::If:
          - IsBuildPipeline
          - PolicyName: EcrAccess
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - "ecr:GetAuthorizationToken"
                    - "ecr:PutImage"
                    - "ecr:InitiateLayerUpload"
                    - "ecr:UploadLayerPart"
                    - "ecr:CompleteLayerUpload"
                  Resource: "*"
          - !Ref AWS::NoValue
        - Fn::If:
          - IsBuildPipeline
          - PolicyName: CodeStar
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - "codestar-connections:UseConnection"
                  Resource: !Ref CodeStarConnection
          - !Ref AWS::NoValue


  PipelineExecutionRoleArnSsmParam:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${AWS::StackName}/BuildPipelineExecutionRoleArn"
      Type: "String"
      Description: "Shared build pipelineeExecution IAM Role ARN"
      Value: !GetAtt PipelineExecutionRole.Arn

  DevPipelineExecutionRoleArnSsmParam:
    Type: AWS::SSM::Parameter
    Condition: HasDevPipelineExecutionRole
    Properties:
      Name: !Sub "/${AWS::StackName}/DevPipelineExecutionRoleArn"
      Type: "String"
      Description: "Dev deploy pipeline role"
      Value: !Ref DevPipelineExecutionRole

  DevCodeBuildServiceRoleArnSsmParam:
    Type: AWS::SSM::Parameter
    Condition: HasDevCodeBuildServiceRole
    Properties:
      Name: !Sub "/${AWS::StackName}/DevCodeBuildServiceRoleArn"
      Type: "String"
      Description: "Dev CodeBuild service role"
      Value: !Ref DevCodeBuildServiceRole

  DevCfnExecutionRoleArnSsmParam:
    Type: AWS::SSM::Parameter
    Condition: HasDevCfnExecutionRole
    Properties:
      Name: !Sub "/${AWS::StackName}/DevCfnExecutionRoleArn"
      Type: "String"
      Description: "Dev deploy CFN role"
      Value: !Ref DevCfnExecutionRole

  ProdPipelineExecutionRoleArnSsmParam:
    Type: AWS::SSM::Parameter
    Condition: HasProdPipelineExecutionRole
    Properties:
      Name: !Sub "/${AWS::StackName}/ProdPipelineExecutionRoleArn"
      Type: "String"
      Description: "Prod deploy pipeline role"
      Value: !Ref ProdPipelineExecutionRole

  ProdCodeBuildServiceRoleArnSsmParam:
    Type: AWS::SSM::Parameter
    Condition: HasProdCodeBuildServiceRole
    Properties:
      Name: !Sub "/${AWS::StackName}/ProdCodeBuildServiceRoleArn"
      Type: "String"
      Description: "Prod CodeBuild service role"
      Value: !Ref ProdCodeBuildServiceRole

  ProdCfnExecutionRoleArnSsmParam:
    Type: AWS::SSM::Parameter
    Condition: HasProdCfnExecutionRole
    Properties:
      Name: !Sub "/${AWS::StackName}/ProdCfnExecutionRoleArn"
      Type: "String"
      Description: "Prod deploy CFN role"
      Value: !Ref ProdCfnExecutionRole


  ArtifactsBucketKmsKey:
    Type: AWS::KMS::Key
    Condition: IsBuildPipeline
    Properties:
      Description: Artifact Bucket KMS key
      MultiRegion: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: ArtifactBucket
        Statement:
          - Sid: Allow access for principals from this account
            Effect: Allow
            Principal:
              AWS: !Ref AWS::AccountId
            Action: kms:*
            Resource: '*'
          - Sid: Allow codepipeline
            Effect: Allow
            Principal:
              Service: 'codepipeline.amazonaws.com'
            Action:
              - kms:DescribeKey
              - kms:GenerateDataKey*
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:Decrypt
            Resource: '*'
          - Sid: Allow access through S3 for all deployment account pipeline roles
            Effect: Allow
            Principal:
              AWS: !Ref DeployAccounts
            Action:
              - kms:DescribeKey
              - kms:GenerateDataKey*
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:Decrypt
            Resource: '*'
            Condition:
              StringLike:
                aws:PrincipalTag/Role:
                  - codepipeline-execution-role
                  - codebuild-service-role
                  - cloudformation-execution-role

  ArtifactsBucketKmsKeySsmParam:
    Type: AWS::SSM::Parameter
    Condition: IsBuildPipeline
    Properties:
      Name: !Sub "/${AWS::StackName}/ArtifactsBucketKmsKey"
      Type: "String"
      Description: "KMS key for artifacts"
      Value: !GetAtt ArtifactsBucketKmsKey.Arn


  ArtifactsBucket:
    Type: AWS::S3::Bucket
    Condition: IsBuildPipeline
    DeletionPolicy: "Retain"
    UpdateReplacePolicy: "Retain"
    Properties:
      LoggingConfiguration:
        DestinationBucketName:
          !Ref ArtifactsLoggingBucket
        LogFilePrefix: "artifacts-logs"
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  ArtifactsBucketSsmParameter:
    Type: AWS::SSM::Parameter
    Condition: IsBuildPipeline
    Properties:
      Name: !Sub "/${AWS::StackName}/ArtifactsBucket"
      Type: "String"
      Description: "Artifacts bucket name"
      Value: !Ref ArtifactsBucket

  ArtifactsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: IsBuildPipeline
    Properties:
      Bucket: !Ref ArtifactsBucket
      PolicyDocument:
        Statement:
          - Effect: "Deny"
            Action: "s3:*"
            Principal: "*"
            Resource:
              - !Join [ '',[ !GetAtt ArtifactsBucket.Arn, '/*' ] ]
              - !GetAtt ArtifactsBucket.Arn
            Condition:
              Bool:
                aws:SecureTransport: false
          - Effect: "Allow"
            Action:
              - 's3:GetObject*'
              - 's3:PutObject*'
              - 's3:GetBucket*'
              - 's3:List*'
            Resource:
              - !Join ['',[!GetAtt ArtifactsBucket.Arn, '/*']]
              - !GetAtt ArtifactsBucket.Arn
            Principal:
              AWS:
                - !GetAtt PipelineExecutionRole.Arn
                - !GetAtt CloudFormationExecutionRole.Arn
            Condition:
                StringLike:
                  aws:PrincipalTag/Role:
                    - codepipeline-execution-role
                    - cloudformation-execution-role
          - Fn::If:
            - MissingDeployAccounts
            - !Ref AWS::NoValue
            - Effect: "Allow"
              Action:
                - 's3:GetObject*'
                - 's3:PutObject*'
                - 's3:GetBucket*'
                - 's3:List*'
              Resource:
                - !Join ['',[!GetAtt ArtifactsBucket.Arn, '/*']]
                - !GetAtt ArtifactsBucket.Arn
              Principal:
                AWS: !Ref DeployAccounts
              Condition:
                  StringLike:
                    aws:PrincipalTag/Role:
                      - codepipeline-execution-role
                      - codebuild-service-role
                      - cloudformation-execution-role

  ArtifactsLoggingBucket:
    Type: AWS::S3::Bucket
    Condition: IsBuildPipeline
    DeletionPolicy: "Retain"
    UpdateReplacePolicy: "Retain"
    Properties:
      AccessControl: "LogDeliveryWrite"
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  ArtifactsLoggingBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: IsBuildPipeline
    Properties:
      Bucket: !Ref ArtifactsLoggingBucket
      PolicyDocument:
        Statement:
          - Effect: "Deny"
            Action: "s3:*"
            Principal: "*"
            Resource:
              - !Join [ '',[ !GetAtt ArtifactsLoggingBucket.Arn, '/*' ] ]
              - !GetAtt ArtifactsLoggingBucket.Arn
            Condition:
              Bool:
                aws:SecureTransport: false

  CodeBuildServicePolicy:
    Type: AWS::IAM::ManagedPolicy
    Condition: IsBuildPipeline
    Properties:
      Description: "Managed policy for CodeBuild service roles"
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AssumeCrossAccountCodeBuildRoles
            Effect: Allow
            Action:
              - "sts:AssumeRole"
            Resource: "*"
            Condition:
              StringLike:
                aws:ResourceTag/Role:
                  - codepipeline-execution-role
                  - codebuild-service-role
          - Sid: CodeBuildLogs
            Effect: Allow
            Action:
              - "logs:CreateLogGroup"
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
            Resource:
              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*"
          - Sid: ArtifactBucketAccess
            Effect: Allow
            Action:
              - "s3:GetObject"
              - "s3:GetObjectVersion"
              - "s3:PutObject"
            Resource:
              - !Join ['',[!GetAtt ArtifactsBucket.Arn, '/*']]
          - Sid: ListPoliciesForSamCli
            Effect: Allow
            Action:
              - "iam:ListPolicies"
            Resource:
              - "*"
          - Sid: PipelineKmsKeyAccess
            Effect: Allow
            Action:
              - kms:DescribeKey
              - kms:GenerateDataKey*
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:Decrypt
            Resource: !GetAtt ArtifactsBucketKmsKey.Arn

  CodeBuildServicePolicyArnSsmParameter:
    Type: AWS::SSM::Parameter
    Condition: IsBuildPipeline
    Properties:
      Name: !Sub "/${AWS::StackName}/CodeBuildServicePolicyArn"
      Type: "String"
      Description: "CodeBuild service managed policy ARN"
      Value: !Ref CodeBuildServicePolicy


  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      Tags:
        - Key: Role
          Value: codebuild-service-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          # FIXME: Need to prevent deploy account roles from assuming build account role
          - Action:
              - "sts:AssumeRole"
            Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
          - Effect: Allow
            Principal:
              AWS:
                Fn::If:
                  - IsBuildPipeline
                  - !Ref AWS::AccountId
                  - !Ref BuildAccount
            Action:
              - 'sts:AssumeRole'
            Condition:
                StringLike:
                  aws:PrincipalTag/Role:
                    - codepipeline-execution-role
                    - codebuild-service-role
      ManagedPolicyArns:
        - !If
          - IsBuildPipeline
          - !Ref CodeBuildServicePolicy
          - !Ref AWS::NoValue
      Policies:
        Fn::If:
          - IsBuildPipeline
          - !Ref AWS::NoValue
          - - PolicyName: CloudFormation
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "cloudformation:describe*"
                    Resource: "*"
            - PolicyName: CloudTrail
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "cloudtrail:*"
                    Resource: "*"
            - PolicyName: CloudWatch
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "cloudwatch:*"
                    Resource: "*"
            - PolicyName: CloudWatchLogs
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "logs:*"
                    Resource: "*"
            - PolicyName: DDB
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "dynamodb:*"
                    Resource: "*"
            - PolicyName: EventBridge
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "events:*"
                    Resource: "*"
            - PolicyName: Lambda
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "lambda:*"
                    Resource: "*"
            - PolicyName: S3
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "s3:*"
                    Resource: "*"
            - PolicyName: SNS
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "sns:*"
                    Resource: "*"
            - PolicyName: SQS
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "sqs:*"
                    Resource: "*"
            - PolicyName: SSM
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "ssm:*"
                    Resource: "*"
            - PolicyName: StepFunctions
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "states:*"
                    Resource: "*"
            - PolicyName: XRay
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - "xray:*"
                    Resource: "*"

  CodeBuildServiceRoleArnSsmParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${AWS::StackName}/CodeBuildServiceRoleArn"
      Type: "String"
      Description: "CodeBuild service role ARN"
      Value: !Ref CodeBuildServiceRole


  CodeStarConnection:
    Type: AWS::CodeStarConnections::Connection
    Condition: IsBuildPipeline
    Properties:
      ConnectionName: GitRepositoryConnection
      ProviderType: !Ref GitProviderType

  CodeStarConnectionArnSsmParam:
    Type: AWS::SSM::Parameter
    Condition: IsBuildPipeline
    Properties:
      Type: String
      Description: "ARN of CodeStar connection"
      Name: !Sub "/${AWS::StackName}/CodeStarConnectionArn"
      Value: !Ref CodeStarConnection

  ImageRepository:
    Type: AWS::ECR::Repository
    Condition: IsBuildPipeline
    Properties:
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          - Sid: LambdaECRImageRetrievalPolicy
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:BatchGetImage"
              - "ecr:GetRepositoryPolicy"
              - "ecr:SetRepositoryPolicy"
              - "ecr:DeleteRepositoryPolicy"
          - Sid: AllowPushPull
            Effect: Allow
            Principal:
              AWS: !Ref AWS::AccountId
            Action:
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:BatchGetImage"
              - "ecr:BatchCheckLayerAvailability"
              - "ecr:PutImage"
              - "ecr:InitiateLayerUpload"
              - "ecr:UploadLayerPart"
              - "ecr:CompleteLayerUpload"
            Condition:
                StringLike:
                  aws:PrincipalTag/Role:
                    - codepipeline-execution-role
                    - cloudformation-execution-role
          - Sid: AllowPushPullCrossAccount
            Effect: Allow
            Principal:
              AWS: !Ref DeployAccounts
            Action:
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:BatchGetImage"
              - "ecr:BatchCheckLayerAvailability"
              - "ecr:PutImage"
              - "ecr:InitiateLayerUpload"
              - "ecr:UploadLayerPart"
              - "ecr:CompleteLayerUpload"
            Condition:
                StringLike:
                  aws:PrincipalTag/Role:
                    - codepipeline-execution-role
                    - codebuild-service-role
                    - cloudformation-execution-role

  ImageRepositoryArnSsmParam:
    Type: AWS::SSM::Parameter
    Condition: IsBuildPipeline
    Properties:
      Type: String
      Description: "ARN of ECR repo"
      Name: !Sub "/${AWS::StackName}/ImageRepositoryArn"
      Value: !GetAtt ImageRepository.Arn

Outputs:
  PipelineUser:
    Description: ARN of the Pipeline IAM User
    Condition: IsBuildPipeline
    Value: !GetAtt PipelineUser.Arn

  PipelineUserSecretKey:
    Description: AWS Access Key and Secret Key of pipeline user.
    Condition: IsBuildPipeline
    Value: !Ref PipelineUserSecretKey

  CloudFormationExecutionRole:
    Description: ARN of the IAM Role (CloudFormationExecutionRole)
    Value: !GetAtt CloudFormationExecutionRole.Arn

  PipelineExecutionRole:
    Description: ARN of the IAM Role (PipelineExecutionRole)
    Value: !GetAtt PipelineExecutionRole.Arn

  CodeBuildServiceRole:
    Description: "ARN of the IAM Role (CodeBuildServiceRole)"
    Value: !GetAtt CodeBuildServiceRole.Arn

  ArtifactsBucket:
    Description: ARN of the Artifacts bucket
    Value:
      Fn::If:
        - IsBuildPipeline
        - !GetAtt ArtifactsBucket.Arn
        - !Ref ArtifactsBucketArn

  ArtifactsBucketKmsKey:
    Description: ARN of the Artifacts bucket KMS key
    Value:
      Fn::If:
        - IsBuildPipeline
        - !GetAtt ArtifactsBucketKmsKey.Arn
        - !Ref ArtifactsBucketKmsKeyArn

  ImageRepository:
    Description: ARN of the ECR image repository
    Condition: IsBuildPipeline
    Value:
      Fn::If:
        - IsBuildPipeline
        - !GetAtt ImageRepository.Arn
        - !Ref ImageRepositoryArn