Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
522 lines (513 sloc) 16.6 KB
AWSTemplateFormatVersion: 2010-09-09
Description: join mp3 file on the fly.
Parameters:
AppName:
Description: Name of the application.
MaxLength: 100
MinLength: 1
Type: String
ProjectId:
AllowedPattern: ^[a-z]([a-z0-9-])+$
ConstraintDescription: Project IDs must be between 2 and 15 characters, begin with a letter, and only contain lowercase letters, numbers, and hyphens (-).
Description: Project ID.
MaxLength: 15
MinLength: 2
Type: String
RepositoryName:
Description: AWS CodeCommit repository name.
MaxLength: 100
MinLength: 1
Type: String
Outputs:
LambdaTrustRole:
Description: Used for passRole to Lambda functions.
Export:
Name: !Join
- '-'
- - !Ref 'ProjectId'
- !Ref 'AWS::Region'
- LambdaTrustRole
Value: !GetAtt 'LambdaTrustRole.Arn'
Resources:
LambdaTrustRole:
Type: AWS::IAM::Role
Description: Creating service role in IAM for AWS Lambda. Lambda function need to read/write file on the S3 bucket.
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
- edgelambda.amazonaws.com
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole
Path: /
Policies:
- PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource: '*'
- Action:
- s3:GetObject
- s3:PutObject
- s3:PutObjectTagging
Effect: Allow
Resource: !Join ['', ['arn:aws:s3:::', !Join ['-', [!Ref 'AWS::Region',!Ref 'AWS::AccountId',!Ref 'ProjectId','data']] , /*]]
Version: 2012-10-17
PolicyName: LambdaWorkerPolicy
RoleName: !Join ['-', ['Role',!Ref 'ProjectId', 'Lambda']]
CloudFormationTrustRole:
Type: AWS::IAM::Role
Description: Creating service role in IAM for AWS CloudFormation
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- cloudformation.amazonaws.com
Path: /
Policies:
- PolicyDocument:
Statement:
- Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
Effect: Allow
Resource:
- !GetAtt ArtifactS3Bucket.Arn
- !Join ['', [!GetAtt ArtifactS3Bucket.Arn , '/*']]
- Action:
- lambda:*
Effect: Allow
Resource: '*'
- Action:
- s3:*
Effect: Allow
Resource:
- !Join ['', ['arn:aws:s3:::', !Join ['-', [!Ref 'AWS::Region',!Ref 'AWS::AccountId',!Ref 'ProjectId','data']] ]]
- Action:
- cloudfront:*
Effect: Allow
Resource: '*'
- Action:
- iam:PassRole
Effect: Allow
Resource:
- !GetAtt
- LambdaTrustRole
- Arn
- Action:
- cloudformation:CreateChangeSet
Effect: Allow
Resource:
- arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31
PolicyName: CloudFormationRolePolicy
RoleName: !Join ['-', ['Role',!Ref 'ProjectId','CloudFormation']]
CodeBuildPolicy:
Type: AWS::IAM::Policy
Description: Setting IAM policy for service role for Amazon EC2 instances
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource: '*'
- Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
Effect: Allow
Resource:
- !GetAtt ArtifactS3Bucket.Arn
- !Join ['', [!GetAtt ArtifactS3Bucket.Arn , '/*']]
- !Join ['', ['arn:aws:s3:::', !Join ['-', [!Ref 'AWS::Region',!Ref 'AWS::AccountId',!Ref 'ProjectId','data']] ]]
- !Join ['', ['arn:aws:s3:::', !Join ['-', [!Ref 'AWS::Region',!Ref 'AWS::AccountId',!Ref 'ProjectId','data']] , '/*']]
- Action:
- codecommit:GitPull
Effect: Allow
Resource:
- !Join [':', ['arn:aws:codecommit',!Ref 'AWS::Region', !Ref 'AWS::AccountId',!Ref 'RepositoryName']]
- Action:
- kms:GenerateDataKey*
- kms:Encrypt
- kms:Decrypt
Effect: Allow
Resource:
- !Join [':', ['arn:aws:kms',!Ref 'AWS::Region', !Ref 'AWS::AccountId','alias/aws/s3']]
PolicyName: CodeBuildPolicy
Roles:
- !Ref 'CodeBuildRole'
CodeBuildProject:
DependsOn:
- CodeBuildPolicy
Properties:
Artifacts:
Packaging: zip
Type: codepipeline
Description: CodeBuild project
Environment:
ComputeType: small
EnvironmentVariables:
- Name: S3_BUCKET
Value: !Ref 'ArtifactS3Bucket'
- Name: AUDIO_FILE_BUCKET
Value: !Join ['-', [!Ref 'AWS::Region',!Ref 'AWS::AccountId',!Ref 'ProjectId','data']]
Image: aws/codebuild/nodejs:10.14.1
Type: container
Name: !Ref 'ProjectId'
ServiceRole: !Ref 'CodeBuildRole'
Source:
Type: codepipeline
Type: AWS::CodeBuild::Project
CodeBuildRole:
Description: Creating service role in IAM for Amazon EC2 instances
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: codebuild.amazonaws.com
Path: /
RoleName: !Join ['-', ['Role',!Ref 'ProjectId','CodeBuild']]
Type: AWS::IAM::Role
CodeCommitRepo:
Description: Creating AWS CodeCommit repository for application source code
Properties:
RepositoryDescription: !Join
- ''
- - !Ref 'ProjectId'
- ' project repository'
RepositoryName: !Ref 'RepositoryName'
Type: AWS::CodeCommit::Repository
CodePipelineTrustRole:
Description: Creating service role in IAM for AWS CodePipeline
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- codepipeline.amazonaws.com
Sid: 1
Path: /
Policies:
- PolicyDocument:
Statement:
- Action:
- s3:GetObject
- s3:GetObjectVersion
- s3:GetBucketVersioning
- s3:PutObject
Effect: Allow
Resource:
- !GetAtt ArtifactS3Bucket.Arn
- !Join ['', [!GetAtt ArtifactS3Bucket.Arn , '/*']]
- Action:
- codecommit:CancelUploadArchive
- codecommit:GetBranch
- codecommit:GetCommit
- codecommit:GetUploadArchiveStatus
- codecommit:UploadArchive
Effect: Allow
Resource:
- !Join
- ':'
- - arn
- aws
- codecommit
- !Ref 'AWS::Region'
- !Ref 'AWS::AccountId'
- !Ref 'RepositoryName'
- Action:
- codebuild:StartBuild
- codebuild:BatchGetBuilds
- codebuild:StopBuild
Effect: Allow
Resource:
- !GetAtt 'CodeBuildProject.Arn'
- Action:
- cloudformation:DescribeStacks
- cloudformation:DescribeChangeSet
- cloudformation:CreateChangeSet
- cloudformation:DeleteChangeSet
- cloudformation:ExecuteChangeSet
Effect: Allow
Resource:
- !Join
- ':'
- - arn
- aws
- cloudformation
- !Ref 'AWS::Region'
- !Ref 'AWS::AccountId'
- !Join
- /
- - stack
- !Join
- '-'
- - !Ref 'ProjectId'
- lambda
- '*'
- Action:
- iam:PassRole
Effect: Allow
Resource:
- !GetAtt
- CloudFormationTrustRole
- Arn
PolicyName: CodePipelineRolePolicy
RoleName: !Join
- '-'
- - !Ref 'ProjectId'
- CodePipeline
Type: AWS::IAM::Role
ProjectPipeline:
DependsOn:
- LambdaTrustRole
- CodePipelineTrustRole
- ArtifactS3Bucket
# - CloudFormationTrustRole
Description: Creating a deployment pipeline for your project in AWS CodePipeline
Properties:
ArtifactStore:
Location: !Ref 'ArtifactS3Bucket'
Type: S3
Name: !Join
- '-'
- - !Ref 'ProjectId'
- Pipeline
RoleArn: !GetAtt
- CodePipelineTrustRole
- Arn
Stages:
- Actions:
- ActionTypeId:
Category: Source
Owner: AWS
Provider: CodeCommit
Version: 1
Configuration:
BranchName: master
PollForSourceChanges: false
RepositoryName: !Ref 'RepositoryName'
InputArtifacts: [
]
Name: ApplicationSource
OutputArtifacts:
- Name: !Join
- '-'
- - !Ref 'ProjectId'
- SourceArtifact
RunOrder: 1
Name: Source
- Actions:
- ActionTypeId:
Category: Build
Owner: AWS
Provider: CodeBuild
Version: 1
Configuration:
ProjectName: !Ref 'ProjectId'
InputArtifacts:
- Name: !Join
- '-'
- - !Ref 'ProjectId'
- SourceArtifact
Name: PackageExport
OutputArtifacts:
- Name: !Join
- '-'
- - !Ref 'ProjectId'
- BuildArtifact
RunOrder: 1
Name: Build
- Actions:
- ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: 1
Configuration:
ActionMode: CHANGE_SET_REPLACE
Capabilities: CAPABILITY_IAM
ChangeSetName: pipeline-changeset
ParameterOverrides: !Join
- ''
- - '{"ProjectId":"'
- !Ref 'ProjectId'
- '"}'
RoleArn: !GetAtt
- CloudFormationTrustRole
- Arn
StackName: !Join
- '-'
- - !Ref 'ProjectId'
- lambda
TemplatePath: !Join
- ''
- - !Ref 'ProjectId'
- -BuildArtifact
- ::template-export.yml
InputArtifacts:
- Name: !Join
- '-'
- - !Ref 'ProjectId'
- BuildArtifact
Name: GenerateChangeSet
OutputArtifacts: [
]
RunOrder: 1
- ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: 1
Configuration:
ActionMode: CHANGE_SET_EXECUTE
ChangeSetName: pipeline-changeset
StackName: !Join
- '-'
- - !Ref 'ProjectId'
- lambda
InputArtifacts: [
]
Name: ExecuteChangeSet
OutputArtifacts: [
]
RunOrder: 2
Name: Deploy
Type: AWS::CodePipeline::Pipeline
ArtifactS3Bucket:
Type: AWS::S3::Bucket
Description: Creating Amazon S3 bucket for AWS CodePipeline artifacts
Properties:
BucketName: !Join
- '-'
- - !Ref 'AWS::Region'
- !Ref 'AWS::AccountId'
- !Ref 'ProjectId'
- pipe
Tags:
- Key: APP
Value: !Ref 'ProjectId'
VersioningConfiguration:
Status: Enabled
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
S3ArtifactBucketPolicy:
Description: Setting Amazon S3 bucket policy for AWS CodePipeline access
Properties:
Bucket: !Ref 'ArtifactS3Bucket'
PolicyDocument:
Id: SSEAndSSLPolicy
Statement:
- Action:
- s3:GetObject
- s3:GetObjectVersion
- s3:GetBucketVersioning
Condition:
Bool:
aws:SecureTransport: false
Effect: Allow
Principal:
AWS:
- !GetAtt
- CodePipelineTrustRole
- Arn
- !GetAtt
- CodeBuildRole
- Arn
- !GetAtt
- CloudFormationTrustRole
- Arn
Resource:
- !GetAtt ArtifactS3Bucket.Arn
- !Join ['', [!GetAtt ArtifactS3Bucket.Arn , '/*']]
Sid: WhitelistedGet
- Action:
- s3:PutObject
Effect: Allow
Principal:
AWS:
- !GetAtt
- CodePipelineTrustRole
- Arn
- !GetAtt
- CodeBuildRole
- Arn
Resource:
- !GetAtt ArtifactS3Bucket.Arn
- !Join ['', [!GetAtt ArtifactS3Bucket.Arn , '/*']]
Sid: WhitelistedPut
Version: 2012-10-17
Type: AWS::S3::BucketPolicy
SourceEvent:
Properties:
Description: Rule for Amazon CloudWatch Events to detect changes to the source repository and trigger pipeline execution
EventPattern:
detail:
event:
- referenceCreated
- referenceUpdated
referenceName:
- master
referenceType:
- branch
detail-type:
- CodeCommit Repository State Change
resources:
- !GetAtt 'CodeCommitRepo.Arn'
source:
- aws.codecommit
Name: !Join
- '-'
- - !Ref 'ProjectId'
- SourceEvent
State: ENABLED
Targets:
- Arn: !Join [':', ['arn:aws:codepipeline',!Ref 'AWS::Region', !Ref 'AWS::AccountId', !Join ['-', [!Ref 'ProjectId','Pipeline']] ]]
Id: ProjectPipelineTarget
RoleArn: !GetAtt 'SourceEventRole.Arn'
Type: AWS::Events::Rule
SourceEventRole:
Description: IAM role to allow Amazon CloudWatch Events to trigger AWS CodePipeline execution
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- events.amazonaws.com
Sid: 1
Policies:
- PolicyDocument:
Statement:
- Action:
- codepipeline:StartPipelineExecution
Effect: Allow
Resource: !Join [':', ['arn:aws:codepipeline',!Ref 'AWS::Region', !Ref 'AWS::AccountId', !Join ['-', [!Ref 'ProjectId','Pipeline']] ]]
PolicyName: CloudWatchEventPolicy
RoleName: !Join
- '-'
- - !Ref 'ProjectId'
- CloudWatchEventRule
Type: AWS::IAM::Role
You can’t perform that action at this time.