# CodePipeline that deploys a staging CloudFront distribution from CodeCommit,
# then invokes Lambda functions to enable and later promote it.
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  # CodeCommit repository read by the Source stage.
  RepositoryName:
    Type: String
  # Name given to the pipeline itself.
  PipelineName:
    Type: String
    Default: cloudfront-cd-pipeline
  # Stack that the Deploy stage creates or updates.
  CloudFormationStackName:
    Type: String
    Default: staging-cloudfront-distribution
  # Template file inside the source artifact that the Deploy stage applies.
  CloudFormationFileName:
    Type: String
    Default: staging-cloudfront-distribution.yml
  # Passed to the deployed template and to both Lambda invocations.
  PrimaryDistributionId:
    Type: String
  # Lambda invoked by the Promotion stage.
  # The pipeline role may only invoke functions named cloudfront-cd-tools-*,
  # so a name without that prefix is denied at run time.
  PromoteLambdaName:
    Type: String
  # Lambda invoked after the staging deploy; same cloudfront-cd-tools-* prefix
  # restriction applies.
  EnableCloudFrontCDLambdaName:
    Type: String
  # Passed through to the deployed template and the enable Lambda.
  StaticResourceBucketName:
    Type: String
  # Passed through to the deployed template.
  OriginAccessControlId:
    Type: String
Resources:
  # S3 bucket used as the CodePipeline artifact store.
  ArtifactStoreBucket:
    Type: AWS::S3::Bucket
    Properties:
      # All four public-access guards are on: no public ACLs or policies.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Versioning keeps earlier artifact revisions recoverable.
      VersioningConfiguration:
        Status: Enabled
      # Only the bucket-key flag is declared; no ServerSideEncryptionByDefault
      # (algorithm / key) is set in this rule.
      # NOTE(review): confirm that relying on the bucket policy's aws:kms
      # requirement instead of a declared default is intentional.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
      # No DestinationBucketName is given, so access logs target this bucket.
      # NOTE(review): this template's bucket policy has no Allow for the S3
      # logging service and denies PutObject without the aws:kms header.
      # Verify logs are actually delivered; a dedicated log bucket also avoids
      # logging the log writes themselves.
      LoggingConfiguration:
        LogFilePrefix: "codepipeline-artifact-accesslogs"
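# Resources entry; nested two spaces under the template's Resources key.
  # Bucket policy for the artifact store: rejects uploads that are not
  # SSE-KMS encrypted and rejects any request made without TLS.
  ArtifactStoreBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ArtifactStoreBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # StringNotEquals is also true when the header is absent, so uploads
          # that omit x-amz-server-side-encryption are denied as well.
          # The statement does not pin which KMS key must be used.
          - Sid: "DenyUnEncryptedObjectUploads"
            Effect: Deny
            Principal: "*"
            Action:
              - "s3:PutObject"
            Resource: !Sub "${ArtifactStoreBucket.Arn}/*"
            Condition:
              StringNotEquals:
                "s3:x-amz-server-side-encryption": "aws:kms"
          # The bucket ARN is listed alongside the object ARN so bucket-level
          # calls (listing, configuration reads) are refused over plain HTTP
          # too; previously only object-level requests were covered.
          - Sid: "DenyInsecureConnections"
            Effect: Deny
            Principal: "*"
            Action:
              - "s3:*"
            Resource:
              - !GetAtt ArtifactStoreBucket.Arn
              - !Sub "${ArtifactStoreBucket.Arn}/*"
            Condition:
              Bool:
                "aws:SecureTransport": "false"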
# Resources entry; nested two spaces under the template's Resources key.
  # Pipeline with four stages: Source (CodeCommit) -> Deploy (CloudFormation
  # plus a Lambda invoke) -> ManualApproval -> Promotion (Lambda invoke).
  CodePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ArtifactStore:
        Location: !Ref ArtifactStoreBucket
        Type: S3
      Name: !Ref PipelineName
      RoleArn: !GetAtt [ "CodePipelineRole", Arn]
      Stages:
        # Whatever is on the main branch is what the later stages deploy, so
        # write access to main is effectively deploy access to staging.
        - Name: Source
          Actions:
            - Name: Source
              ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: CodeCommit
                Version: "1"
              Configuration:
                BranchName: "main"
                RepositoryName: !Ref RepositoryName
              OutputArtifacts:
                - Name: SourceArtifactOutput
              RunOrder: "1"
        # Provision the staging distribution and the continuous deployment policy
        - Name: Deploy
          Actions:
            # Runs before the ManualApproval stage: the template from the
            # source artifact is applied with CloudFormationRole unreviewed.
            - Name: Deploy_to_Staging
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CloudFormation
                Version: "1"
              InputArtifacts:
                - Name: SourceArtifactOutput
              Configuration:
                ActionMode: CREATE_UPDATE
                # NOTE(review): all three capabilities are acknowledged up
                # front; drop the ones the staging template does not need.
                Capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND
                RoleArn: !GetAtt CloudFormationRole.Arn
                StackName: !Ref CloudFormationStackName
                TemplatePath: !Sub SourceArtifactOutput::${CloudFormationFileName}
                # Parameter values are substituted into the JSON text as-is
                # (no escaping), so they must not contain quotes or backslashes.
                ParameterOverrides: !Sub
                  - |
                    {
                      "PrimaryDistributionId": "${PrimaryDistributionId}",
                      "StaticResourceBucketName": "${StaticResourceBucketName}",
                      "OriginAccessControlId": "${OriginAccessControlId}"
                    }
                  -
                    PrimaryDistributionId: !Ref PrimaryDistributionId
                    StaticResourceBucketName: !Ref StaticResourceBucketName
                    OriginAccessControlId: !Ref OriginAccessControlId
              OutputArtifacts:
                - Name: CloudFormationOutputs
              # Stack outputs are exposed to later actions as #{CFOutput.<name>}.
              Namespace: CFOutput
              RunOrder: "1"
            # Second action in the same stage (RunOrder 2), also before approval.
            - Name: Enable_CloudFront_CD
              ActionTypeId:
                Category: Invoke
                Owner: AWS
                Provider: Lambda
                Version: "1"
              InputArtifacts:
                - Name: CloudFormationOutputs
              Configuration:
                FunctionName: !Ref EnableCloudFrontCDLambdaName
                # ${...} is filled in by !Sub at stack deploy time; #{...} is a
                # CodePipeline variable resolved when the pipeline runs.
                UserParameters: !Sub
                  - |
                    {
                      "PrimaryDistributionId": "${PrimaryDistributionId}",
                      "StagingDistributionId": "#{CFOutput.StagingDistributionId}",
                      "StaticResourceBucketName": "${StaticResourceBucketName}",
                      "ContinuousDeploymentPolicyId": "#{CFOutput.ContinuousDeploymentPolicyId}"
                    }
                  -
                    PrimaryDistributionId: !Ref PrimaryDistributionId
                    StaticResourceBucketName: !Ref StaticResourceBucketName
              RunOrder: "2"
        # Human gate between the staging rollout and the production promotion.
        - Name: ManualApproval
          Actions:
            - Name: ManualApproval
              ActionTypeId:
                Category: Approval
                Owner: AWS
                Provider: Manual
                Version: "1"
              RunOrder: "3"
        - Name: Promotion
          Actions:
            - Name: Promote_to_Production
              ActionTypeId:
                Category: Invoke
                Owner: AWS
                Provider: Lambda
                Version: "1"
              InputArtifacts:
                - Name: CloudFormationOutputs
              Configuration:
                FunctionName: !Ref PromoteLambdaName
                UserParameters: !Sub '{"PrimaryDistributionId": "${PrimaryDistributionId}", "StagingDistributionId": "#{CFOutput.StagingDistributionId}"}'
              RunOrder: "4"
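# Resources entry; nested two spaces under the template's Resources key.
  # Service role assumed by CodePipeline to read the source, move artifacts,
  # drive CloudFormation and invoke the pipeline's Lambda functions.
  CodePipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "CodePipelineRole-${AWS::StackName}"
      # NOTE(review): the trust policy carries no aws:SourceAccount /
      # aws:SourceArn condition; consider adding one to limit which pipeline
      # can assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub "CodePipelinePolicy-${AWS::StackName}"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Only the CloudFormation deploy role may be passed. The role's
              # own Arn attribute replaces a hand-built ARN so the partition
              # is always right.
              - Action:
                  - iam:PassRole
                Resource: !GetAtt CloudFormationRole.Arn
                Effect: Allow
                Condition:
                  StringEqualsIfExists:
                    iam:PassedToService:
                      - cloudformation.amazonaws.com
              # Scoped to the one repository the Source stage reads
              # (previously "*", i.e. every repository in the account).
              - Action:
                  - codecommit:CancelUploadArchive
                  - codecommit:GetBranch
                  - codecommit:GetCommit
                  - codecommit:GetUploadArchiveStatus
                  - codecommit:UploadArchive
                Resource: !Sub "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}"
                Effect: Allow
              # Object access limited to the artifact store bucket.
              - Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource: !Sub "arn:aws:s3:::${ArtifactStoreBucket}/*"
                Effect: Allow
              - Action:
                  - s3:ListAllMyBuckets
                  - s3:GetBucketLocation
                Resource: "*"
                Effect: Allow
              # NOTE(review): these apply to every stack in the account,
              # including DeleteStack. Consider scoping to the stack named by
              # CloudFormationStackName; check first whether the deployed
              # template uses transforms, which need their own resource entry.
              - Action:
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:UpdateStack
                  - cloudformation:CreateChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:SetStackPolicy
                  - cloudformation:ValidateTemplate
                Resource:
                  - "*"
                Effect: Allow
              # The function names come from stack parameters; only names that
              # start with cloudfront-cd-tools- are invocable under this rule.
              - Action:
                  - lambda:InvokeFunction
                Resource:
                  - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cloudfront-cd-tools-*"
                Effect: Allow
      Path: /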
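# Resources entry; nested two spaces under the template's Resources key.
  # Role that CloudFormation assumes when the pipeline's Deploy action applies
  # the template taken from the source repository.
  CloudFormationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "CodePipeline-CloudFormationRole-${AWS::StackName}"
      # AWS-managed policy ARNs have the form arn:<partition>:iam::aws:policy/<name>.
      # The partition pseudo-parameter previously sat in the account field,
      # which only resolved correctly in the standard "aws" partition.
      # NOTE(review): both policies are account-wide. AmazonS3FullAccess also
      # covers the pipeline's own artifact bucket, and this role acts on an
      # unreviewed template from the main branch. Prefer a policy limited to
      # the buckets and distributions the staging template manages.
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/CloudFrontFullAccess"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonS3FullAccess"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub "CodePipeline-CloudFormationPermissions-${AWS::StackName}"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): stack create/update/delete on "*" lets a
              # deployed template act on any other stack in the account;
              # confirm the staging template needs these at all.
              - Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:UpdateStack
                  - cloudformation:CreateChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:SetStackPolicy
                  - cloudformation:ValidateTemplate
                Resource: "*"
      Path: /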