Skip to content
Permalink
master
Switch branches/tags

everettsprojects.com/_deploy/pipeline_template.yaml

Go to file
 
 
Cannot retrieve contributors at this time
398 lines (392 sloc) 13.2 KB
Raw Blame
Open in GitHub Desktop
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: >-
Setup CICD using the template and code form https://github.com/awslabs/aws-sam-codepipeline-cd
Outputs:
ArtifactsBucketArn:
Value: !GetAtt Artifacts.Arn
ArtifactsBucketName:
Value: !Ref Artifacts
PipelineName:
Value: !Ref Pipeline
PipelineVersion:
Value: !GetAtt Pipeline.Version
S3WebsiteBucketName:
Value: !Ref S3WebsiteBucketName
Export:
Name: !Sub "${AWS::StackName}-S3WebsiteBucketName"
Parameters:
ComputeType:
AllowedValues:
- BUILD_GENERAL1_SMALL
- BUILD_GENERAL1_MEDIUM
- BUILD_GENERAL1_LARGE
Default: BUILD_GENERAL1_SMALL
Description: AWS CodeBuild project compute type.
Type: String
EnvironmentType:
AllowedValues:
- LINUX_CONTAINER
- WINDOWS_CONTAINER
Default: LINUX_CONTAINER
Description: Environment type used by AWS CodeBuild. See the documentation for details (https://docs.aws.amazon.com/codebuild/latest/userguide/create-project.html#create-project-cli).
Type: String
GitHubOAuthToken:
Description: OAuth token used by AWS CodePipeline to connect to GitHub
NoEcho: true
Type: String
Default: ''
GitHubOwner:
Description: GitHub username owning the repo
Type: String
Default: ''
GitHubRepo:
Description: GitHub repo name
Type: String
Default: ''
GitHubBranch:
Description: GitHub repo branch name. It defaults to master if not specified.
Type: String
Default: master
DeployParameterOverrides:
Description: Parameter overrides for the deploy stage
Type: String
Default: '{}'
DeployStackName:
Description: The stack name for the deploy stage
Type: String
Default: ''
DeployRoleName:
Description: >-
The IAM role name to deploy the CloudFormation stack. This role needs to be configured to allow
cloudformation.amazonaws.com to assume it. Deploy stage will not be added if not specified.
Type: String
Default: ''
IntegTestRoleName:
Description: >-
The IAM role name to deploy a test stack and run integration tests. This role needs to be configured
to allow codebuild.amazonaws.com and cloudformation.amazonaws.com to assume it. Test stage will not
be added if not specified.
Type: String
Default: ''
BuildSpecFilePath:
Description: >-
Relative BuildSpec file path for build stage. For more information, see https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
Type: String
Default: '_deploy/buildspec.yaml'
IntegTestBuildSpecFilePath:
Description: >-
Relative BuildSpec file path for test stage. For more information, see https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
Type: String
Default: '_deploy/buildspec-integ-test.yaml'
S3WebsiteBucketName:
Type: String
Default: everettsprojectstest
Conditions:
HasTestStage:
!Not [!Equals [!Ref IntegTestRoleName, '']]
HasDeployStage:
!Not [!Equals [!Ref DeployRoleName, '']]
Rules:
ValidateGitHub:
Assertions:
- Assert: !Not [!Equals [!Ref GitHubOwner, '']]
AssertDescription: "GitHubOwner must be specified"
- Assert: !Not [!Equals [!Ref GitHubRepo, '']]
AssertDescription: "GitHubRepo must be specified"
- Assert: !Not [!Equals [!Ref GitHubOAuthToken, '']]
AssertDescription: "GitHubOAuthToken must be specified"
- Assert: !Not [!Equals [!Ref GitHubBranch, '']]
AssertDescription: "GitHubBranch must be specified"
Resources:
Artifacts:
Properties:
LifecycleConfiguration:
Rules:
- ExpirationInDays: 30
Status: Enabled
Type: AWS::S3::Bucket
Pipeline:
Type: AWS::CodePipeline::Pipeline
Properties:
ArtifactStore:
Location: !Ref Artifacts
Type: S3
RoleArn: !GetAtt PipelineRole.Arn
Stages:
- Name: Source
Actions:
- Name: GitHubSource
ActionTypeId:
Category: Source
Owner: ThirdParty
Provider: GitHub
Version: "1"
Configuration:
Owner: !Ref GitHubOwner
OAuthToken: !Ref GitHubOAuthToken
Repo: !Ref GitHubRepo
Branch: !Ref GitHubBranch
PollForSourceChanges: false
OutputArtifacts:
- Name: SourceArtifact
- Name: Build
Actions:
- Name: Build
ActionTypeId:
Category: Build
Owner: AWS
Provider: CodeBuild
Version: "1"
Configuration:
ProjectName: !Ref BuildProject
InputArtifacts:
- Name: SourceArtifact
OutputArtifacts:
- Name: SAMArtifacts
- Name: BlogArtifacts
- !If
- HasTestStage
- Name: Test
Actions:
- Name: IntegrationTests
ActionTypeId:
Category: Test
Owner: AWS
Provider: CodeBuild
Version: '1'
Configuration:
ProjectName: !Ref IntegrationTestsProject
PrimarySource: SourceArtifact
InputArtifacts:
- Name: SourceArtifact
- Name: BuildArtifact
- !Ref AWS::NoValue
- !If
- HasDeployStage
- Name: Deploy
Actions:
- Name: CreateChangeSet
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
InputArtifacts:
- Name: SAMArtifacts
Configuration:
ActionMode: CHANGE_SET_REPLACE
Capabilities: CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND,CAPABILITY_NAMED_IAM
ParameterOverrides: !Ref DeployParameterOverrides
RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${DeployRoleName}
StackName: !Ref DeployStackName
TemplatePath: "SAMArtifacts::packaged-template.yaml"
ChangeSetName: !Sub a-${DeployStackName}-Deploy
RunOrder: 1
- Name: ExecuteChangeSet
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
Configuration:
ActionMode: CHANGE_SET_EXECUTE
StackName: !Ref DeployStackName
ChangeSetName: !Sub a-${DeployStackName}-Deploy
RunOrder: 2
- Name: UploadWebAssets
ActionTypeId:
Category: Deploy
Owner: AWS
Version: '1'
Provider: S3
InputArtifacts:
- Name: BlogArtifacts
Configuration:
BucketName: !Ref S3WebsiteBucketName
Extract: true
RunOrder: 3
- !Ref AWS::NoValue
PipelineRole:
Type: AWS::IAM::Role
Properties:
Description: !Sub "Used by CodePipeline. Created by CloudFormation ${AWS::StackId}"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- "codepipeline.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: s3-access
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "s3:DeleteObject"
- "s3:GetObject"
- "s3:GetObjectVersion"
- "s3:PutObject"
Resource:
- !Sub arn:${AWS::Partition}:s3:::${Artifacts}/*
- !Sub arn:${AWS::Partition}:s3:::${S3WebsiteBucketName}/*
- Effect: Allow
Action:
- "s3:ListBucket"
- "s3:GetBucketPolicy"
Resource:
- !Sub arn:${AWS::Partition}:s3:::${Artifacts}
- !Sub arn:${AWS::Partition}:s3:::${S3WebsiteBucketName}
- PolicyName: codebuild-access
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "codebuild:StartBuild"
- "codebuild:BatchGetBuilds"
Resource:
- !GetAtt BuildProject.Arn
- !If
- HasTestStage
- !GetAtt IntegrationTestsProject.Arn
- !Ref AWS::NoValue
- !If
- HasDeployStage
- PolicyName: deploy-cloudformation-access
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "cloudformation:DescribeStacks"
- "cloudformation:CreateChangeSet"
- "cloudformation:ExecuteChangeSet"
- "cloudformation:DescribeChangeSet"
- "cloudformation:DeleteChangeSet"
Resource:
- !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${DeployStackName}/*
- !Ref AWS::NoValue
- !If
- HasDeployStage
- PolicyName: deploy-iam-access
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "iam:PassRole"
Resource:
- !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${DeployRoleName}
- !Ref AWS::NoValue
BuildProject:
Type: AWS::CodeBuild::Project
Properties:
ServiceRole: !GetAtt BuildProjectRole.Arn
Source:
Type: CODEPIPELINE
BuildSpec: !Ref BuildSpecFilePath
Artifacts:
Type: CODEPIPELINE
Environment:
ComputeType: !Ref ComputeType
Image: 'aws/codebuild/standard:4.0'
Type: !Ref EnvironmentType
EnvironmentVariables:
- Name: PACKAGE_BUCKET
Value: !Ref Artifacts
GitHubWebhook:
Type: 'AWS::CodePipeline::Webhook'
Properties:
AuthenticationConfiguration:
SecretToken: !Ref GitHubOAuthToken
Filters:
- JsonPath: "$.ref"
MatchEquals: refs/heads/{Branch}
Authentication: GITHUB_HMAC
TargetPipeline: !Ref Pipeline
TargetAction: GitHubSource
TargetPipelineVersion: !GetAtt Pipeline.Version
RegisterWithThirdParty: true
IntegrationTestsProject:
Condition: HasTestStage
Type: AWS::CodeBuild::Project
Properties:
ServiceRole: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${IntegTestRoleName}
Source:
Type: CODEPIPELINE
BuildSpec: !Ref IntegTestBuildSpecFilePath
Artifacts:
Type: CODEPIPELINE
Environment:
ComputeType: !Ref ComputeType
Image: 'aws/codebuild/standard:4.0'
Type: !Ref EnvironmentType
EnvironmentVariables:
- Name: PACKAGE_BUCKET
Value: !Ref Artifacts
CodeBuildPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: !Sub codebuild-access-${AWS::StackName}
Roles:
- !Ref BuildProjectRole
- !If
- HasTestStage
- !Ref IntegTestRoleName
- !Ref AWS::NoValue
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*
- Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:s3:::${Artifacts}/*
- Action:
- s3:ListBucket
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:s3:::${Artifacts}
BuildProjectRole:
Type: AWS::IAM::Role
Properties:
Description: !Sub "Used in CodeBuild project. Created by CloudFormation ${AWS::StackId}"
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- codebuild.amazonaws.com
Version: '2012-10-17'
Path: /service-role/
DeployStagePolicy:
Condition: HasDeployStage
Type: AWS::IAM::Policy
Properties:
PolicyName: !Sub deploy-stage-access-${AWS::StackName}
Roles:
- !Ref DeployRoleName
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- s3:GetObject
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:s3:::${Artifacts}/*