Last active
November 5, 2021 21:59
-
-
Save douglampe/dfafa270db02e8a39b88bc66a2514deb to your computer and use it in GitHub Desktop.
CloudFormation Template for SAM pipeline with names
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: '2010-09-09' | |
| Transform: AWS::Serverless-2016-10-31 | |
| Description: > | |
| This template deploys resources required for deploying a Lambda function via SAM. This template was initially | |
| created by running sam pipeline bootstrap. This command creates a CloudFormation stack and deploys it to | |
| a specific account. Therefore, this template can be updated to match future SAM requirements by running | |
| sam pipeline bootstrap and then capturing the template from the generated stack. | |
| The names of resources have been set in this template to allow for reuse across multiple Lambda deployments. | |
| The GitHub actions workflow included in this project uses default values for resources which match the naming | |
| convention of this template. | |
| Parameters: | |
| Identifier: | |
| Type: String | |
| Default: 'AwsSamDemo' | |
| IdentifierLower: | |
| Type: String | |
| Default: 'aws-sam-demo' | |
| PipelineUserArn: | |
| Type: String | |
| PipelineExecutionRoleArn: | |
| Type: String | |
| CloudFormationExecutionRoleArn: | |
| Type: String | |
| ArtifactsBucketArn: | |
| Type: String | |
| Conditions: | |
| MissingPipelineUser: !Equals [!Ref PipelineUserArn, ""] | |
| MissingPipelineExecutionRole: !Equals [!Ref PipelineExecutionRoleArn, ""] | |
| MissingCloudFormationExecutionRole: !Equals [!Ref CloudFormationExecutionRoleArn, ""] | |
| MissingArtifactsBucket: !Equals [!Ref ArtifactsBucketArn, ""] | |
| Resources: | |
| PipelineUser: | |
| Type: AWS::IAM::User | |
| Condition: MissingPipelineUser | |
| Properties: | |
| UserName: | |
| Fn::Join: | |
| - '' | |
| - - !Ref Identifier | |
| - 'PipelineUser-' | |
| - !Ref AWS::AccountId | |
| Policies: | |
| - PolicyName: AssumeRoles | |
| PolicyDocument: | |
| Version: "2012-10-17" | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - "sts:AssumeRole" | |
| Resource: "*" | |
| Condition: | |
| StringEquals: | |
| aws:ResourceTag/Role: pipeline-execution-role | |
| PipelineUserAccessKey: | |
| Type: AWS::IAM::AccessKey | |
| Condition: MissingPipelineUser | |
| Properties: | |
| Serial: 1 | |
| Status: Active | |
| UserName: !Ref PipelineUser | |
| PipelineUserSecretKey: | |
| Type: AWS::SecretsManager::Secret | |
| Condition: MissingPipelineUser | |
| Properties: | |
| Name: | |
| Fn::Join: | |
| - '' | |
| - - !Ref Identifier | |
| - '-PipelineUser' | |
| SecretString: !Sub '{"aws_access_key_id": "${PipelineUserAccessKey}", "aws_secret_access_key": "${PipelineUserAccessKey.SecretAccessKey}"}' | |
| CloudFormationExecutionRole: | |
| Type: AWS::IAM::Role | |
| Condition: MissingCloudFormationExecutionRole | |
| Properties: | |
| RoleName: | |
| Fn::Join: | |
| - '' | |
| - - !Ref Identifier | |
| - 'CloudFormationExecutionRole' | |
| AssumeRolePolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: cloudformation.amazonaws.com | |
| Action: | |
| - 'sts:AssumeRole' | |
| Policies: | |
| - PolicyName: GrantCloudFormationFullAccess | |
| PolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Action: '*' | |
| Resource: '*' | |
| PipelineExecutionRole: | |
| Type: AWS::IAM::Role | |
| Condition: MissingPipelineExecutionRole | |
| Properties: | |
| RoleName: | |
| Fn::Join: | |
| - '' | |
| - - !Ref Identifier | |
| - 'PipelineExecutionRole' | |
| Tags: | |
| - Key: Role | |
| Value: pipeline-execution-role | |
| AssumeRolePolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| AWS: | |
| - Fn::If: | |
| - MissingPipelineUser | |
| - !GetAtt PipelineUser.Arn | |
| - !Ref PipelineUserArn | |
| Action: | |
| - 'sts:AssumeRole' | |
| - Effect: Allow | |
| Principal: | |
| # Allow roles with tag Role=aws-sam-pipeline-codebuild-service-role to assume this role. | |
| # This is required when CodePipeline is the CI/CD system of choice. | |
| AWS: | |
| - !If | |
| - MissingPipelineUser | |
| - !Ref AWS::AccountId | |
| - !Select [4, !Split [':', !Ref PipelineUserArn]] | |
| Action: | |
| - 'sts:AssumeRole' | |
| Condition: | |
| StringEquals: | |
| aws:PrincipalTag/Role: aws-sam-pipeline-codebuild-service-role | |
| ArtifactsBucket: | |
| Type: AWS::S3::Bucket | |
| Condition: MissingArtifactsBucket | |
| DeletionPolicy: "Retain" | |
| Properties: | |
| BucketName: | |
| Fn::Join: | |
| - '' | |
| - - !Ref IdentifierLower | |
| - '-pipeline-artifacts-' | |
| - !Ref AWS::AccountId | |
| Tags: | |
| - Key: ManagedStackSource | |
| Value: AwsSamCli | |
| LoggingConfiguration: | |
| DestinationBucketName: | |
| !Ref ArtifactsLoggingBucket | |
| LogFilePrefix: "artifacts-logs" | |
| VersioningConfiguration: | |
| Status: Enabled | |
| BucketEncryption: | |
| ServerSideEncryptionConfiguration: | |
| - ServerSideEncryptionByDefault: | |
| SSEAlgorithm: AES256 | |
| ArtifactsBucketPolicy: | |
| Type: AWS::S3::BucketPolicy | |
| Condition: MissingArtifactsBucket | |
| Properties: | |
| Bucket: !Ref ArtifactsBucket | |
| PolicyDocument: | |
| Statement: | |
| - Effect: "Deny" | |
| Action: "s3:*" | |
| Principal: "*" | |
| Resource: | |
| - !Join [ '',[ !GetAtt ArtifactsBucket.Arn, '/*' ] ] | |
| - !GetAtt ArtifactsBucket.Arn | |
| Condition: | |
| Bool: | |
| aws:SecureTransport: false | |
| - Effect: "Allow" | |
| Action: | |
| - 's3:GetObject*' | |
| - 's3:PutObject*' | |
| - 's3:GetBucket*' | |
| - 's3:List*' | |
| Resource: | |
| - !Join ['',[!GetAtt ArtifactsBucket.Arn, '/*']] | |
| - !GetAtt ArtifactsBucket.Arn | |
| Principal: | |
| AWS: | |
| - Fn::If: | |
| - MissingPipelineExecutionRole | |
| - !GetAtt PipelineExecutionRole.Arn | |
| - !Ref PipelineExecutionRoleArn | |
| - Fn::If: | |
| - MissingCloudFormationExecutionRole | |
| - !GetAtt CloudFormationExecutionRole.Arn | |
| - !Ref CloudFormationExecutionRoleArn | |
| ArtifactsLoggingBucket: | |
| Type: AWS::S3::Bucket | |
| Condition: MissingArtifactsBucket | |
| DeletionPolicy: "Retain" | |
| Properties: | |
| BucketName: | |
| Fn::Join: | |
| - '' | |
| - - !Ref IdentifierLower | |
| - '-pipeline-artifacts-logging-' | |
| - !Ref AWS::AccountId | |
| AccessControl: "LogDeliveryWrite" | |
| Tags: | |
| - Key: ManagedStackSource | |
| Value: AwsSamCli | |
| VersioningConfiguration: | |
| Status: Enabled | |
| BucketEncryption: | |
| ServerSideEncryptionConfiguration: | |
| - ServerSideEncryptionByDefault: | |
| SSEAlgorithm: AES256 | |
| ArtifactsLoggingBucketPolicy: | |
| Type: AWS::S3::BucketPolicy | |
| Condition: MissingArtifactsBucket | |
| Properties: | |
| Bucket: !Ref ArtifactsLoggingBucket | |
| PolicyDocument: | |
| Statement: | |
| - Effect: "Deny" | |
| Action: "s3:*" | |
| Principal: "*" | |
| Resource: | |
| - !Join [ '',[ !GetAtt ArtifactsLoggingBucket.Arn, '/*' ] ] | |
| - !GetAtt ArtifactsLoggingBucket.Arn | |
| Condition: | |
| Bool: | |
| aws:SecureTransport: false | |
| PipelineExecutionRolePermissionPolicy: | |
| Type: AWS::IAM::Policy | |
| Condition: MissingPipelineExecutionRole | |
| Properties: | |
| PolicyName: PipelineExecutionRolePermissions | |
| PolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Action: 'iam:PassRole' | |
| Resource: | |
| Fn::If: | |
| - MissingCloudFormationExecutionRole | |
| - !GetAtt CloudFormationExecutionRole.Arn | |
| - !Ref CloudFormationExecutionRoleArn | |
| - Effect: Allow | |
| Action: | |
| - "cloudformation:CreateChangeSet" | |
| - "cloudformation:DescribeChangeSet" | |
| - "cloudformation:ExecuteChangeSet" | |
| - "cloudformation:DescribeStackEvents" | |
| - "cloudformation:DescribeStacks" | |
| - "cloudformation:GetTemplateSummary" | |
| - "cloudformation:DescribeStackResource" | |
| Resource: '*' | |
| - Effect: Allow | |
| Action: | |
| - 's3:GetObject*' | |
| - 's3:PutObject*' | |
| - 's3:GetBucket*' | |
| - 's3:List*' | |
| Resource: | |
| Fn::If: | |
| - MissingArtifactsBucket | |
| - - !Join [ '',[ !GetAtt ArtifactsBucket.Arn, '/*' ] ] | |
| - !GetAtt ArtifactsBucket.Arn | |
| - - !Join [ '',[ !Ref ArtifactsBucketArn, '/*' ] ] | |
| - !Ref ArtifactsBucketArn | |
| Roles: | |
| - !Ref PipelineExecutionRole | |
| Outputs: | |
| PipelineUser: | |
| Description: ARN of the Pipeline IAM User | |
| Value: | |
| Fn::If: | |
| - MissingPipelineUser | |
| - !GetAtt PipelineUser.Arn | |
| - !Ref PipelineUserArn | |
| PipelineUserSecretKey: | |
| Description: AWS Access Key and Secret Key of pipeline user. | |
| Condition: MissingPipelineUser | |
| Value: !Ref PipelineUserSecretKey | |
| CloudFormationExecutionRole: | |
| Description: ARN of the IAM Role(CloudFormationExecutionRole) | |
| Value: | |
| Fn::If: | |
| - MissingCloudFormationExecutionRole | |
| - !GetAtt CloudFormationExecutionRole.Arn | |
| - !Ref CloudFormationExecutionRoleArn | |
| PipelineExecutionRole: | |
| Description: ARN of the IAM Role(PipelineExecutionRole) | |
| Value: | |
| Fn::If: | |
| - MissingPipelineExecutionRole | |
| - !GetAtt PipelineExecutionRole.Arn | |
| - !Ref PipelineExecutionRoleArn | |
| ArtifactsBucket: | |
| Description: ARN of the Artifacts bucket | |
| Value: | |
| Fn::If: | |
| - MissingArtifactsBucket | |
| - !GetAtt ArtifactsBucket.Arn | |
| - !Ref ArtifactsBucketArn |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment