tl-dr-pipeline-template
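AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  CodeCommit -> CodeBuild (staging) -> manual approval -> CodeBuild (production)
  pipeline, started by an EventBridge rule on pushes to the configured branch.

Parameters:
  BranchName:
    Description: CodeCommit branch name
    Type: String
    Default: master
  RepositoryName:
    Description: CodeCommit repository name
    Type: String
    Default: my-codecommit-repository-name

Resources:
  # Artifact store for the pipeline. It only ever holds source-code zips, so it is
  # kept private, encrypted at rest and explicitly blocked from public access.
  MyDeployBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete
    Properties:
      AccessControl: Private
      VersioningConfiguration:
        Status: Suspended
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  MyCodePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ArtifactStore:
        Type: S3
        Location: !Ref MyDeployBucket
      RoleArn: !GetAtt MyCodePipelineServiceRole.Arn
      Stages:
        - Name: Source # shown in the AWS console: the user-friendly name
          Actions:
            - Name: Get-sources # used to reference the step: the developer-friendly name
              ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: CodeCommit # other supported repository providers work here too
                Version: "1"
              OutputArtifacts:
                - Name: code-artifact # zip of the source code; consumed as InputArtifact by the later stages
              Configuration:
                # Reference the parameters (instead of hard-coded names) so the pipeline
                # source and the EventBridge trigger below always point at the same
                # repository and branch.
                BranchName: !Ref BranchName
                RepositoryName: !Ref RepositoryName
                PollForSourceChanges: false # MyCloudWatchWebHook starts the pipeline instead of polling
              RunOrder: 1
        - Name: Staging
          Actions:
            - Name: Deploy-to-Staging
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              RunOrder: 1
              Configuration:
                ProjectName: !Ref DeployToStaging # Ref on a CodeBuild project yields its name
              InputArtifacts:
                - Name: code-artifact # must match the OutputArtifacts name in the Source stage
        - Name: Promote
          Actions:
            - Name: Promote-staging-to-production # built-in manual approval gate
              ActionTypeId:
                Category: Approval
                Owner: AWS
                Provider: Manual
                Version: "1"
        - Name: Production
          Actions:
            - Name: Deploy-to-Production
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              RunOrder: 1
              Configuration:
                ProjectName: !Ref DeployToProduction # Ref on a CodeBuild project yields its name
              InputArtifacts:
                - Name: code-artifact

  # Both build projects run the same buildspec.yml from the source artifact; the
  # "environment" variable is the only thing that distinguishes staging from prod.
  DeployToStaging:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: "Deploy-to-staging"
      ServiceRole: !GetAtt MyCodePipelineServiceRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:4.0
        EnvironmentVariables:
          - Name: environment
            Value: staging
      Source:
        Type: CODEPIPELINE
        BuildSpec: "buildspec.yml"
      TimeoutInMinutes: 10

  DeployToProduction:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: "Deploy-to-production"
      ServiceRole: !GetAtt MyCodePipelineServiceRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:4.0
        EnvironmentVariables:
          - Name: environment
            Value: prod
      Source:
        Type: CODEPIPELINE
        BuildSpec: "buildspec.yml"
      TimeoutInMinutes: 10

  # Service role shared by the pipeline and both CodeBuild projects.
  # NOTE(review): because one role serves both services, each build project
  # inherits every permission the pipeline needs and vice versa. Splitting this
  # into a pipeline role and a build role would tighten least privilege.
  MyCodePipelineServiceRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "my-pipeline-role" # fixed name: only one copy of this stack can exist per account
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
                - codebuild.amazonaws.com
            Action: "sts:AssumeRole"
      Path: /
      Policies:
        - PolicyName: my-pipeline-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow # needed when CodeCommit is the repository provider
                Action:
                  - "codecommit:CancelUploadArchive"
                  - "codecommit:GetBranch"
                  - "codecommit:GetCommit"
                  - "codecommit:GetUploadArchiveStatus"
                  - "codecommit:UploadArchive"
                # The resource is the repository, not the stack; derived from the parameter
                # so it cannot drift from what the pipeline actually reads.
                Resource: !Sub "arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}"
              - Effect: Allow # artifact store access: CodePipeline writes the source zip, CodeBuild reads it
                Action:
                  - "s3:GetBucketVersioning"
                  - "s3:GetObject"
                  - "s3:GetObjectVersion"
                  - "s3:PutObject"
                Resource:
                  - !GetAtt MyDeployBucket.Arn
                  - !Sub "${MyDeployBucket.Arn}/*"
              - Effect: Allow
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource:
                  - !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/codebuild/*"
                  - !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/codebuild/*:log-stream:*"
              - Effect: Allow
                Action:
                  - "codebuild:BatchGetBuilds"
                  - "codebuild:StartBuild"
                # Project ARNs are spelled out rather than taken via GetAtt: the projects
                # reference this role, so a GetAtt here would be a circular dependency.
                Resource:
                  - !Sub "arn:aws:codebuild:*:${AWS::AccountId}:project/Deploy-to-staging"
                  - !Sub "arn:aws:codebuild:*:${AWS::AccountId}:project/Deploy-to-production"
              - Effect: Allow # read-only; scoped to roles rather than every IAM resource in the account
                Action:
                  - "iam:GetRole"
                  - "iam:GetRolePolicy"
                Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
              - Effect: Allow
                # NOTE(review): this allows the build projects to create, update and delete
                # any stack in the account. Narrow the Resource to the stack names your
                # buildspec actually deploys once they are known.
                Action:
                  - "cloudformation:CreateStack"
                  - "cloudformation:UpdateStack"
                  - "cloudformation:DeleteStack"
                  - "cloudformation:Describe*"
                  - "cloudformation:List*"
                  - "cloudformation:Get*"
                  - "cloudformation:PreviewStackUpdate"
                  - "cloudformation:ValidateTemplate"
                Resource: !Sub "arn:aws:cloudformation:*:${AWS::AccountId}:stack/*"
              - Effect: Allow
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:DeleteLogGroup"
                  - "logs:DeleteLogStream"
                  - "logs:DescribeLog*"
                  - "logs:FilterLogEvents"
                # NOTE(review): the original resource "log-group::log-stream*" had an empty
                # log-group name and matched nothing real. Scoped here to the CodeBuild log
                # groups, which is what the build projects write; widen only if your
                # buildspec manages other log groups.
                Resource:
                  - !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/codebuild/*"
                  - !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/codebuild/*:log-stream:*"

  # Role assumed by EventBridge (events.amazonaws.com) to start the pipeline.
  MyCloudWatchWebHookRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action: "sts:AssumeRole"
      Path: /
      Policies:
        - PolicyName: my-pipeline-webhook-role
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow # only this one pipeline may be started by the rule
                Action: "codepipeline:StartPipelineExecution"
                Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${MyCodePipeline}"

  # Starts the pipeline when the configured branch is created or updated.
  MyCloudWatchWebHook:
    Type: "AWS::Events::Rule"
    Properties:
      EventPattern:
        source:
          - aws.codecommit
        detail-type:
          - "CodeCommit Repository State Change"
        resources:
          # EventBridge compares resource ARNs as exact strings: a "*" in the region
          # field is a literal character, so the rule would never match an event.
          # The region must therefore be spelled out, as it is for the target below.
          - !Sub "arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}"
        detail:
          event:
            - referenceCreated
            - referenceUpdated
          referenceType:
            - branch
          referenceName:
            - !Ref BranchName
      Targets:
        - Arn: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${MyCodePipeline}" # pipeline ARN built from the resource name
          RoleArn: !GetAtt MyCloudWatchWebHookRole.Arn # the webhook role defined above
          Id: my-webhook # not used by anything here, but a required, unique-per-rule property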