-
Notifications
You must be signed in to change notification settings - Fork 0
/
pipeline_template.yaml
398 lines (392 loc) · 13.2 KB
/
pipeline_template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: >-
Setup CICD using the template and code form https://github.com/awslabs/aws-sam-codepipeline-cd
Outputs:
ArtifactsBucketArn:
Value: !GetAtt Artifacts.Arn
ArtifactsBucketName:
Value: !Ref Artifacts
PipelineName:
Value: !Ref Pipeline
PipelineVersion:
Value: !GetAtt Pipeline.Version
S3WebsiteBucketName:
Value: !Ref S3WebsiteBucketName
Export:
Name: !Sub "${AWS::StackName}-S3WebsiteBucketName"
Parameters:
ComputeType:
AllowedValues:
- BUILD_GENERAL1_SMALL
- BUILD_GENERAL1_MEDIUM
- BUILD_GENERAL1_LARGE
Default: BUILD_GENERAL1_SMALL
Description: AWS CodeBuild project compute type.
Type: String
EnvironmentType:
AllowedValues:
- LINUX_CONTAINER
- WINDOWS_CONTAINER
Default: LINUX_CONTAINER
Description: Environment type used by AWS CodeBuild. See the documentation for details (https://docs.aws.amazon.com/codebuild/latest/userguide/create-project.html#create-project-cli).
Type: String
GitHubOAuthToken:
Description: OAuth token used by AWS CodePipeline to connect to GitHub
NoEcho: true
Type: String
Default: ''
GitHubOwner:
Description: GitHub username owning the repo
Type: String
Default: ''
GitHubRepo:
Description: GitHub repo name
Type: String
Default: ''
GitHubBranch:
Description: GitHub repo branch name. It defaults to master if not specified.
Type: String
Default: master
DeployParameterOverrides:
Description: Parameter overrides for the deploy stage
Type: String
Default: '{}'
DeployStackName:
Description: The stack name for the deploy stage
Type: String
Default: ''
DeployRoleName:
Description: >-
The IAM role name to deploy the CloudFormation stack. This role needs to be configured to allow
cloudformation.amazonaws.com to assume it. Deploy stage will not be added if not specified.
Type: String
Default: ''
IntegTestRoleName:
Description: >-
The IAM role name to deploy a test stack and run integration tests. This role needs to be configured
to allow codebuild.amazonaws.com and cloudformation.amazonaws.com to assume it. Test stage will not
be added if not specified.
Type: String
Default: ''
BuildSpecFilePath:
Description: >-
Relative BuildSpec file path for build stage. For more information, see https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
Type: String
Default: '_deploy/buildspec.yaml'
IntegTestBuildSpecFilePath:
Description: >-
Relative BuildSpec file path for test stage. For more information, see https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
Type: String
Default: '_deploy/buildspec-integ-test.yaml'
S3WebsiteBucketName:
Type: String
Default: everettsprojectstest
Conditions:
HasTestStage:
!Not [!Equals [!Ref IntegTestRoleName, '']]
HasDeployStage:
!Not [!Equals [!Ref DeployRoleName, '']]
Rules:
ValidateGitHub:
Assertions:
- Assert: !Not [!Equals [!Ref GitHubOwner, '']]
AssertDescription: "GitHubOwner must be specified"
- Assert: !Not [!Equals [!Ref GitHubRepo, '']]
AssertDescription: "GitHubRepo must be specified"
- Assert: !Not [!Equals [!Ref GitHubOAuthToken, '']]
AssertDescription: "GitHubOAuthToken must be specified"
- Assert: !Not [!Equals [!Ref GitHubBranch, '']]
AssertDescription: "GitHubBranch must be specified"
Resources:
Artifacts:
Properties:
LifecycleConfiguration:
Rules:
- ExpirationInDays: 30
Status: Enabled
Type: AWS::S3::Bucket
Pipeline:
Type: AWS::CodePipeline::Pipeline
Properties:
ArtifactStore:
Location: !Ref Artifacts
Type: S3
RoleArn: !GetAtt PipelineRole.Arn
Stages:
- Name: Source
Actions:
- Name: GitHubSource
ActionTypeId:
Category: Source
Owner: ThirdParty
Provider: GitHub
Version: "1"
Configuration:
Owner: !Ref GitHubOwner
OAuthToken: !Ref GitHubOAuthToken
Repo: !Ref GitHubRepo
Branch: !Ref GitHubBranch
PollForSourceChanges: false
OutputArtifacts:
- Name: SourceArtifact
- Name: Build
Actions:
- Name: Build
ActionTypeId:
Category: Build
Owner: AWS
Provider: CodeBuild
Version: "1"
Configuration:
ProjectName: !Ref BuildProject
InputArtifacts:
- Name: SourceArtifact
OutputArtifacts:
- Name: SAMArtifacts
- Name: BlogArtifacts
- !If
- HasTestStage
- Name: Test
Actions:
- Name: IntegrationTests
ActionTypeId:
Category: Test
Owner: AWS
Provider: CodeBuild
Version: '1'
Configuration:
ProjectName: !Ref IntegrationTestsProject
PrimarySource: SourceArtifact
InputArtifacts:
- Name: SourceArtifact
- Name: BuildArtifact
- !Ref AWS::NoValue
- !If
- HasDeployStage
- Name: Deploy
Actions:
- Name: CreateChangeSet
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
InputArtifacts:
- Name: SAMArtifacts
Configuration:
ActionMode: CHANGE_SET_REPLACE
Capabilities: CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND,CAPABILITY_NAMED_IAM
ParameterOverrides: !Ref DeployParameterOverrides
RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${DeployRoleName}
StackName: !Ref DeployStackName
TemplatePath: "SAMArtifacts::packaged-template.yaml"
ChangeSetName: !Sub a-${DeployStackName}-Deploy
RunOrder: 1
- Name: ExecuteChangeSet
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
Configuration:
ActionMode: CHANGE_SET_EXECUTE
StackName: !Ref DeployStackName
ChangeSetName: !Sub a-${DeployStackName}-Deploy
RunOrder: 2
- Name: UploadWebAssets
ActionTypeId:
Category: Deploy
Owner: AWS
Version: '1'
Provider: S3
InputArtifacts:
- Name: BlogArtifacts
Configuration:
BucketName: !Ref S3WebsiteBucketName
Extract: true
RunOrder: 3
- !Ref AWS::NoValue
PipelineRole:
Type: AWS::IAM::Role
Properties:
Description: !Sub "Used by CodePipeline. Created by CloudFormation ${AWS::StackId}"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- "codepipeline.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: s3-access
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "s3:DeleteObject"
- "s3:GetObject"
- "s3:GetObjectVersion"
- "s3:PutObject"
Resource:
- !Sub arn:${AWS::Partition}:s3:::${Artifacts}/*
- !Sub arn:${AWS::Partition}:s3:::${S3WebsiteBucketName}/*
- Effect: Allow
Action:
- "s3:ListBucket"
- "s3:GetBucketPolicy"
Resource:
- !Sub arn:${AWS::Partition}:s3:::${Artifacts}
- !Sub arn:${AWS::Partition}:s3:::${S3WebsiteBucketName}
- PolicyName: codebuild-access
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "codebuild:StartBuild"
- "codebuild:BatchGetBuilds"
Resource:
- !GetAtt BuildProject.Arn
- !If
- HasTestStage
- !GetAtt IntegrationTestsProject.Arn
- !Ref AWS::NoValue
- !If
- HasDeployStage
- PolicyName: deploy-cloudformation-access
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "cloudformation:DescribeStacks"
- "cloudformation:CreateChangeSet"
- "cloudformation:ExecuteChangeSet"
- "cloudformation:DescribeChangeSet"
- "cloudformation:DeleteChangeSet"
Resource:
- !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${DeployStackName}/*
- !Ref AWS::NoValue
- !If
- HasDeployStage
- PolicyName: deploy-iam-access
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "iam:PassRole"
Resource:
- !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${DeployRoleName}
- !Ref AWS::NoValue
BuildProject:
Type: AWS::CodeBuild::Project
Properties:
ServiceRole: !GetAtt BuildProjectRole.Arn
Source:
Type: CODEPIPELINE
BuildSpec: !Ref BuildSpecFilePath
Artifacts:
Type: CODEPIPELINE
Environment:
ComputeType: !Ref ComputeType
Image: 'aws/codebuild/standard:4.0'
Type: !Ref EnvironmentType
EnvironmentVariables:
- Name: PACKAGE_BUCKET
Value: !Ref Artifacts
GitHubWebhook:
Type: 'AWS::CodePipeline::Webhook'
Properties:
AuthenticationConfiguration:
SecretToken: !Ref GitHubOAuthToken
Filters:
- JsonPath: "$.ref"
MatchEquals: refs/heads/{Branch}
Authentication: GITHUB_HMAC
TargetPipeline: !Ref Pipeline
TargetAction: GitHubSource
TargetPipelineVersion: !GetAtt Pipeline.Version
RegisterWithThirdParty: true
IntegrationTestsProject:
Condition: HasTestStage
Type: AWS::CodeBuild::Project
Properties:
ServiceRole: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${IntegTestRoleName}
Source:
Type: CODEPIPELINE
BuildSpec: !Ref IntegTestBuildSpecFilePath
Artifacts:
Type: CODEPIPELINE
Environment:
ComputeType: !Ref ComputeType
Image: 'aws/codebuild/standard:4.0'
Type: !Ref EnvironmentType
EnvironmentVariables:
- Name: PACKAGE_BUCKET
Value: !Ref Artifacts
CodeBuildPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: !Sub codebuild-access-${AWS::StackName}
Roles:
- !Ref BuildProjectRole
- !If
- HasTestStage
- !Ref IntegTestRoleName
- !Ref AWS::NoValue
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*
- Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:s3:::${Artifacts}/*
- Action:
- s3:ListBucket
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:s3:::${Artifacts}
BuildProjectRole:
Type: AWS::IAM::Role
Properties:
Description: !Sub "Used in CodeBuild project. Created by CloudFormation ${AWS::StackId}"
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- codebuild.amazonaws.com
Version: '2012-10-17'
Path: /service-role/
DeployStagePolicy:
Condition: HasDeployStage
Type: AWS::IAM::Policy
Properties:
PolicyName: !Sub deploy-stage-access-${AWS::StackName}
Roles:
- !Ref DeployRoleName
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- s3:GetObject
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:s3:::${Artifacts}/*