Last active
June 7, 2018 16:39
Cloudformation Files for Creating a Serverless CICD Pipeline
```yaml
# Deployment stack (parent template): pipeline, shared role, and three nested build projects
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Deployment Stack'
Parameters:
  GitHubToken:
    NoEcho: true
    Type: String
    Description: Secret. It might look something like 9b189a1654643522561f7b3ebd44a1531a4287af. OAuthToken with access to Repo. Go to https://github.com/settings/tokens
  GitHubOwner:
    Type: String
    Description: GitHub UserName
  Repo:
    Type: String
    Description: GitHub Repo to pull from. Only the Name, not the URL
  Branch:
    Type: String
    Description: Branch to use from Repo. Only the Name, not the URL
    Default: master
  Project:
    Type: String
    Description: Project being built
  BetaTestLink:
    Type: String
    Description: Link to test beta site
  StageTestLink:
    Type: String
    Description: Link to test stage site
  ProdTestLink:
    Type: String
    Description: Link to test prod site
  StageMessage:
    Type: String
    Description: Message to stage tester
    Default: Please verify and approve
  ProdMessage:
    Type: String
    Description: Message to prod tester
    Default: Please verify and approve
  AWSAccessKeyID:
    Type: String
    Description: AWS Access Key Id
  AWSSecretAccessKey:
    NoEcho: true   # keeps the secret out of DescribeStacks output and the console
    Type: String
    Description: AWS Secret Access Key
  TemplateBucket:
    Type: String
    Description: Bucket holding templates
Resources:
  # One role trusted by CodePipeline, CodeBuild and Lambda alike. Fine for a POC;
  # for production give each service its own role with only the grants it needs.
  BuildRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
                - codebuild.amazonaws.com
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: DeployPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketVersioning'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'codecommit:CancelUploadArchive'
                  - 'codecommit:GetBranch'
                  - 'codecommit:GetCommit'
                  - 'codecommit:GetUploadArchiveStatus'
                  - 'codecommit:UploadArchive'
                Resource: '*'
              # Service-wide wildcards plus iam:PassRole on every role: scope these
              # (artifact bucket, approval topic, pipeline stacks) before production use.
              - Effect: Allow
                Action:
                  - 'cloudwatch:*'
                  - 's3:*'
                  - 'sns:*'
                  - 'cloudformation:*'
                  - 'sqs:*'
                  - 'iam:PassRole'
                  - 'logs:*'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:DescribeStacks'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:DeleteChangeSet'
                  - 'cloudformation:DescribeChangeSet'
                  - 'cloudformation:ExecuteChangeSet'
                  - 'cloudformation:SetStackPolicy'
                  - 'cloudformation:ValidateTemplate'
                  - 'iam:PassRole'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'codebuild:BatchGetBuilds'
                  - 'codebuild:StartBuild'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'lambda:*'
                Resource: '*'
              - Effect: Allow
                Action:
                  - "codepipeline:PutJobSuccessResult"
                  - "codepipeline:PutJobFailureResult"
                Resource: '*'
  BuildArtifactsBucket:
    Type: "AWS::S3::Bucket"
  BuildApprovalSNS:
    Type: "AWS::SNS::Topic"
  BuildPipeLine:
    Type: "AWS::CodePipeline::Pipeline"
    Properties:
      ArtifactStore:
        Location: !Ref BuildArtifactsBucket
        Type: S3
      RoleArn: !GetAtt BuildRole.Arn
      Stages:
        - Name: Source
          Actions:
            - Name: GetSource
              ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Provider: GitHub
                Version: 1
              OutputArtifacts:
                - Name: SourceOutput
              Configuration:
                Owner: !Ref GitHubOwner
                Repo: !Ref Repo
                Branch: !Ref Branch
                OAuthToken: !Ref GitHubToken
              RunOrder: 1
        - Name: Build-Beta
          Actions:
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: "CodeBuild"
                Version: 1
              InputArtifacts:
                - Name: SourceOutput
              OutputArtifacts:
                - Name: BetaBuiltOutput
              Configuration:
                ProjectName: !GetAtt BetaBuildProject.Outputs.BuildProjectName
              RunOrder: 1
        # Stage and Prod each gate the build behind a manual approval (RunOrder 1)
        # that links the reviewer to the previous environment's test site.
        - Name: Build-Stage
          Actions:
            - Name: Approval
              ActionTypeId:
                Category: Approval
                Owner: AWS
                Provider: "Manual"
                Version: 1
              Configuration:
                NotificationArn: !Ref BuildApprovalSNS
                ExternalEntityLink: !Ref BetaTestLink
                CustomData: !Ref StageMessage
              RunOrder: 1
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: "CodeBuild"
                Version: 1
              InputArtifacts:
                - Name: SourceOutput
              OutputArtifacts:
                - Name: StageBuiltOutput
              Configuration:
                ProjectName: !GetAtt StageBuildProject.Outputs.BuildProjectName
              RunOrder: 2
        - Name: Build-Prod
          Actions:
            - Name: Approval
              ActionTypeId:
                Category: Approval
                Owner: AWS
                Provider: "Manual"
                Version: 1
              Configuration:
                NotificationArn: !Ref BuildApprovalSNS
                ExternalEntityLink: !Ref StageTestLink
                CustomData: !Ref ProdMessage
              RunOrder: 1
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: "CodeBuild"
                Version: 1
              InputArtifacts:
                - Name: SourceOutput
              OutputArtifacts:
                - Name: ProdBuiltOutput
              Configuration:
                ProjectName: !GetAtt ProdBuildProject.Outputs.BuildProjectName
              RunOrder: 2
  # Three instances of the same nested template, one per environment.
  # The role is passed as an ARN, which is the form CodeBuild's ServiceRole documents.
  BetaBuildProject:
    Type: "AWS::CloudFormation::Stack"
    Properties:
      TemplateURL: !Join ["/", ["https://s3.amazonaws.com", !Ref TemplateBucket, "nested-api-build.yml"]]
      Parameters:
        Project: !Ref Project
        Environment: beta
        Role: !GetAtt BuildRole.Arn
        AWSAccessKeyID: !Ref AWSAccessKeyID
        AWSSecretAccessKey: !Ref AWSSecretAccessKey
  StageBuildProject:
    Type: "AWS::CloudFormation::Stack"
    Properties:
      TemplateURL: !Join ["/", ["https://s3.amazonaws.com", !Ref TemplateBucket, "nested-api-build.yml"]]
      Parameters:
        Project: !Ref Project
        Environment: stage
        Role: !GetAtt BuildRole.Arn
        AWSAccessKeyID: !Ref AWSAccessKeyID
        AWSSecretAccessKey: !Ref AWSSecretAccessKey
  ProdBuildProject:
    Type: "AWS::CloudFormation::Stack"
    Properties:
      TemplateURL: !Join ["/", ["https://s3.amazonaws.com", !Ref TemplateBucket, "nested-api-build.yml"]]
      Parameters:
        Project: !Ref Project
        Environment: prod
        Role: !GetAtt BuildRole.Arn
        AWSAccessKeyID: !Ref AWSAccessKeyID
        AWSSecretAccessKey: !Ref AWSSecretAccessKey
```
```yaml
# nested-api-build.yml: the build-project template referenced by TemplateURL above
AWSTemplateFormatVersion: '2010-09-09'
Description: 'API Build Project'
Parameters:
  Project:
    Type: String
    Description: Project being built
  Environment:
    Type: String
    Description: Environment being deployed
  Role:
    Type: String
    Description: IAM Role (ARN) that CodeBuild runs as
  AWSAccessKeyID:
    Type: String
    Description: Access Key ID
  AWSSecretAccessKey:
    NoEcho: true   # the parent passes the secret through; keep it hidden here too
    Type: String
    Description: Secret Access Key
Resources:
  BuildProject:
    Type: "AWS::CodeBuild::Project"
    Properties:
      # "-" is quoted: an unquoted dash inside a flow sequence is not a valid plain scalar
      Name: !Join [ "-", [ !Ref Project, BuildProject, !Ref Environment ] ]
      Description: !Join [ " ", [ "API build project for", !Ref Project ] ]
      Source:
        Type: CODEPIPELINE
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: 'aws/codebuild/nodejs:6.3.1'
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: BUILD_ENV
            Value: !Ref Environment
          # Static keys as plaintext env vars are visible in the console and build logs;
          # the ServiceRole below already gives the build its credentials (see the note at the end).
          - Name: AWS_ACCESS_KEY_ID
            Value: !Ref AWSAccessKeyID
          - Name: AWS_SECRET_ACCESS_KEY
            Value: !Ref AWSSecretAccessKey
      ServiceRole: !Ref Role
Outputs:
  BuildProjectName:
    Description: Name of the build project
    Value: !Ref BuildProject
```
Also, the build role is pretty loose for a POC. I definitely suggest tightening it up for production cases.
This example uses AWS credentials for the CLI. To remove these, look here https://github.com/nerdguru/serverlessTodos/blob/master/docs/serverlessToDoPolicy.json for the right permission roles. This gist will be updated to reflect this soon.
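The two notes above point at exactly the things a reviewer would check in these templates before promoting them past a POC: secret parameters that are not `NoEcho`, one wildcard role trusted by three services, and static AWS keys injected into CodeBuild as plaintext environment variables. The following is an added example (my own code, not part of the gist) that lints a template for those three problems. It assumes the template has already been loaded into Python dicts with intrinsic functions in long form (`{"Ref": "X"}`, `{"Fn::GetAtt": [...]}`), as `cfn-flip` or a tag-aware YAML loader produces; the two sample templates are constructed, trimmed copies of the gist's shape, one as written and one with the fixes applied.

```python
"""Added example (not part of the gist): lint a CloudFormation template, already
loaded into dicts with intrinsics in long form ({"Ref": "X"}, as cfn-flip or a
tag-aware YAML loader emits), for what the gist's notes flag: secret parameters
without NoEcho, one wildcard role shared by several services, and static AWS
keys injected into CodeBuild as plaintext environment variables."""
import re

SECRET_PARAM_RE = re.compile(r"token|secret|password|accesskey", re.I)
SENSITIVE_ENV = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_resource(value):
    """True when a Resource element is the bare '*' (an ARN ending in /* is scoped, not 'any')."""
    return any(v == "*" for v in _as_list(value))

def lint_parameters(template):
    """Secret-looking parameters need NoEcho, or DescribeStacks and the console reveal them."""
    return [f"PARAM_ECHO: parameter {name} looks secret but lacks NoEcho: true"
            for name, spec in template.get("Parameters", {}).items()
            if SECRET_PARAM_RE.search(name) and spec.get("NoEcho") is not True]

def lint_iam(template):
    out = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        services = set()
        for st in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            principal = st.get("Principal") or {}
            if isinstance(principal, dict):
                services.update(_as_list(principal.get("Service", [])))
        if len(services) > 1:  # pipeline, build and lambda sharing one role = one blast radius
            out.append(f"SHARED_ROLE: {name} is assumable by {sorted(services)}; split it per service")
        for pol in props.get("Policies", []):
            for st in pol.get("PolicyDocument", {}).get("Statement", []):
                if st.get("Effect") != "Allow":
                    continue
                actions = _as_list(st.get("Action", []))
                on_any = _any_resource(st.get("Resource"))
                stars = [a for a in actions if isinstance(a, str) and a.endswith("*")]
                if stars and on_any:
                    out.append(f"WILDCARD: {name}/{pol['PolicyName']} allows {stars} on Resource '*'")
                if "iam:PassRole" in actions and on_any:  # build can hand any role to any service
                    out.append(f"PASSROLE: {name}/{pol['PolicyName']} grants iam:PassRole on every role")
    return out

def lint_codebuild_env(template):
    """Static keys in build env vars show up in the console and build logs; the
    project's ServiceRole already gives the build temporary credentials."""
    out = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CodeBuild::Project":
            continue
        for var in res.get("Properties", {}).get("Environment", {}).get("EnvironmentVariables", []):
            if var.get("Name") in SENSITIVE_ENV and var.get("Type", "PLAINTEXT") == "PLAINTEXT":
                out.append(f"PLAINTEXT_CREDS: {name} sets {var['Name']} as a plaintext env var")
    return out

def lint(template):
    return lint_parameters(template) + lint_iam(template) + lint_codebuild_env(template)

# Constructed, trimmed copy of the gist's deployment stack (sample input, not the real template).
LOOSE_STACK = {
    "Parameters": {"GitHubToken": {"Type": "String", "NoEcho": True},
                   "AWSAccessKeyID": {"Type": "String"}, "AWSSecretAccessKey": {"Type": "String"}},
    "Resources": {
        "BuildRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"Service": ["codepipeline.amazonaws.com", "codebuild.amazonaws.com",
                                          "lambda.amazonaws.com"]}}]},
            "Policies": [{"PolicyName": "DeployPolicy", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole", "logs:*"], "Resource": "*"},
                {"Effect": "Allow", "Action": ["codebuild:StartBuild"], "Resource": "*"}]}}]}},
        "BuildProject": {"Type": "AWS::CodeBuild::Project", "Properties": {
            "ServiceRole": {"Fn::GetAtt": ["BuildRole", "Arn"]},
            "Environment": {"EnvironmentVariables": [
                {"Name": "BUILD_ENV", "Value": "beta"},
                {"Name": "AWS_ACCESS_KEY_ID", "Value": {"Ref": "AWSAccessKeyID"}},
                {"Name": "AWS_SECRET_ACCESS_KEY", "Value": {"Ref": "AWSSecretAccessKey"}}]}}}}}

# The same stack after tightening: NoEcho, one trusted service, scoped grants, no static keys.
TIGHT_STACK = {
    "Parameters": {"GitHubToken": {"Type": "String", "NoEcho": True}},
    "Resources": {
        "CodeBuildRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"Service": "codebuild.amazonaws.com"}}]},
            "Policies": [{"PolicyName": "BuildPolicy", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": {"Fn::Sub": "${BuildArtifactsBucket.Arn}/*"}},
                {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                 "Resource": {"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*"}}]}}]}},
        "BuildProject": {"Type": "AWS::CodeBuild::Project", "Properties": {
            "ServiceRole": {"Fn::GetAtt": ["CodeBuildRole", "Arn"]},
            "Environment": {"EnvironmentVariables": [{"Name": "BUILD_ENV", "Value": "beta"}]}}}}}

if __name__ == "__main__":
    print("\n".join(lint(LOOSE_STACK)) or "no findings")
    print("tightened:", lint(TIGHT_STACK) or "no findings")
```

Run against the loose sample it reports seven findings (two parameters without `NoEcho`, the shared role, the `s3:*`/`logs:*` wildcard on `Resource: '*'`, unrestricted `iam:PassRole`, and both static key variables); the tightened sample comes back clean. The `PASSROLE` check matters in this pipeline specifically: the role is both the CodePipeline role and the CloudFormation deploy role, so `iam:PassRole` on `*` lets anything that can edit the source repo deploy a stack that hands an arbitrary role to another service.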
FYI, the GitHub personal token must have repo and admin:repo_hooks access.