Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

added changes #54

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

added changes #54

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
246 changes: 246 additions & 0 deletions 12-codepipeline/12-1-1.yaml
View file
Open in desktop
@@ -0,0 +1,246 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: github-codepipeline

Parameters:

GitHubOwner:
Type: String
Default: fidelisogunsanmi
AllowedPattern: "[A-Za-z0-9-]+"

GitHubRepo:
Type: String
Default: stelligent-u
AllowedPattern: "[A-Za-z0-9-]+"

GitHubBranch:
Type: String
AllowedPattern: '[A-Za-z0-9-]+'
Default: 12-fidelis

StackBucketName:
Type: String
Default: stelligent-u-fidelis.ogunsanmi.labs-codepipeline

PipelineName:
Type: String
Default: 12-1-1-fidelis-pipeline

GitHubToken:
NoEcho: true
Type: String
Default: '{{resolve:secretsmanager:FIDELIS_GITHUB_ACCESS:SecretString:GITHUB_ACCESS_TOKEN}}'
Description: GitHub Token. Must be defined in AWS Secrets Manager and here https://github.com/settings/tokens

ApplicationStackName:
Type: String
Default: github-pipeline-app

TemplatePath:
Type: String
Default: 12-codepipeline/application.yaml

Resources:

# Service Role For CodePipeline

CodePipelineServiceRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: codepipeline.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Resource: "*"
Effect: Allow
Action:
- codebuild:StartBuild
- codebuild:BatchGetBuilds
- iam:PassRole
- cloudformation:Describe*
- cloudFormation:List*
- cloudformation:CreateStack
- cloudformation:DeleteStack
- cloudformation:DescribeStacks
- cloudformation:UpdateStack
- cloudformation:CreateChangeSet
- cloudformation:DeleteChangeSet
- cloudformation:DescribeChangeSet
- cloudformation:ExecuteChangeSet
- cloudformation:SetStackPolicy
- cloudformation:ValidateTemplate
- cloudformation:UpdateTerminationProtection
- cloudformation:TagResource
- cloudformation:UntagResource
- codedeploy:CreateDeployment
- codedeploy:CreateDeploymentGroup
- codedeploy:GetApplication
- codedeploy:GetApplicationRevision
- codedeploy:GetDeployment
- codedeploy:GetDeploymentConfig
- codedeploy:RegisterApplicationRevision
- ssm:GetParameters
- Resource:
- !Sub "arn:aws:s3:::${ArtifactBucket}/*"
- !Sub "arn:aws:s3:::${ArtifactBucket}"
Effect: Allow
Action:
- s3:PutObject
- s3:GetBucketPolicy
- s3:GetObject
- s3:GetObjectVersion
- s3:GetBucketVersioning
- s3:ListBucket

CFNdeployerRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "${AWS::StackName}-cfn-deployer-role"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- cloudformation.amazonaws.com
Action:
- sts:AssumeRole
CFNexecPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: !Sub "${AWS::StackName}-create-s3-policy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:CreateBucket
- s3:ListAllMyBuckets
- s3:GetBucketLocation
- s3:DeleteBucket
Resource: "*"
- Effect: Allow
Action:
- dynamodb:Create*
- dynamodb:Describe*
- dynamodb:Update*
- dynamodb:DeleteTable
Resource: "*"
- Effect: Allow
Action:
- iam:ListRoles
- iam:ListPolicies
- iam:CreateRole
- iam:CreatePolicy
- iam:GetRole
- iam:DeleteRole
- iam:PutRolePolicy
- iam:PassRole
- iam:getRolePolicy
- iam:TagResource
- iam:DeleteRolePolicy
- iam:AttachRolePolicy
- iam:DetachRolePolicy
Resource: "*"
Roles:
- !Ref CFNdeployerRole

ArtifactBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Delete
Properties:
BucketName: !Ref StackBucketName

ArtifactBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref ArtifactBucket
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:*
Resource:
- !Sub arn:aws:s3:::${ArtifactBucket}
- !Sub arn:aws:s3:::${ArtifactBucket}/*
Principal:
AWS:
- !GetAtt [CodePipelineServiceRole, Arn]
- !GetAtt [CFNdeployerRole, Arn]

# Create the pipeline

CodePipeline:
Type: AWS::CodePipeline::Pipeline
Properties:
ArtifactStore:
Type: S3
Location: !Ref ArtifactBucket
RestartExecutionOnUpdate: true
RoleArn: !GetAtt CodePipelineServiceRole.Arn
Stages:
- Name: Source
Actions:
- Name: Source
InputArtifacts: []
ActionTypeId:
Category: Source
Owner: ThirdParty
Version: "1"
Provider: GitHub
OutputArtifacts:
- Name: SourceCode
Configuration:
Owner: !Ref GitHubOwner
Repo: !Ref GitHubRepo
Branch: !Ref GitHubBranch
PollForSourceChanges: false
OAuthToken: !Ref GitHubToken
RunOrder: 1
# Build and Deploy, etc., stages would follow. Here is an example
- Name: Deploy
Actions:
- Name: CloudFormationDeploy
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
InputArtifacts:
- Name: SourceCode
Configuration:
ActionMode: CREATE_UPDATE
Capabilities: CAPABILITY_IAM
RoleArn: !GetAtt CFNdeployerRole.Arn
StackName: !Ref ApplicationStackName
TemplatePath: !Sub "SourceCode::${TemplatePath}"
RunOrder: 1


GitHubWebHook:
Type: AWS::CodePipeline::Webhook
Properties:
Authentication: GITHUB_HMAC
AuthenticationConfiguration:
SecretToken: !Ref GitHubToken
RegisterWithThirdParty: true
Filters:
- JsonPath: '$.ref'
MatchEquals: refs/heads/{Branch}
- JsonPath: '$.repository.name'
MatchEquals: '{Repo}'
TargetPipeline: !Ref CodePipeline
TargetAction: Source
TargetPipelineVersion: !GetAtt CodePipeline.Version
Name: fidelis-pipeline-hook