@singledigit
Last active June 7, 2018 16:39
CloudFormation Files for Creating a Serverless CICD Pipeline

The gist holds two templates: a parent deployment stack that creates the pipeline, and a nested template (nested-api-build.yml, referenced three times by TemplateURL) that creates one CodeBuild project per environment.
Deployment stack (parent template):

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Deployment Stack'
Parameters:
  GitHubToken:
    NoEcho: true
    Type: String
    Description: Secret. It might look something like 9b189a1654643522561f7b3ebd44a1531a4287af. OAuthToken with access to Repo. Go to https://github.com/settings/tokens
  GitHubOwner:
    Type: String
    Description: GitHub UserName
  Repo:
    Type: String
    Description: GitHub Repo to pull from. Only the Name, not the URL
  Branch:
    Type: String
    Description: Branch to use from Repo. Only the Name, not the URL
    Default: master
  Project:
    Type: String
    Description: Project being built
  BetaTestLink:
    Type: String
    Description: Link to test beta site
  StageTestLink:
    Type: String
    Description: Link to test stage site
  ProdTestLink:
    Type: String
    Description: Link to test prod site (not referenced by any stage; the prod approval shows the stage link)
  StageMessage:
    Type: String
    Description: Message to stage tester
    Default: Please verify and approve
  ProdMessage:
    Type: String
    Description: Message to prod tester
    Default: Please verify and approve
  # NoEcho keeps the key pair out of DescribeStacks output and the console; it does
  # not hide it where the nested template places it (CodeBuild environment variables).
  AWSAccessKeyID:
    NoEcho: true
    Type: String
    Description: AWS Access Key Id
  AWSSecretAccessKey:
    NoEcho: true
    Type: String
    Description: AWS Secret Access Key
  TemplateBucket:
    Type: String
    Description: Bucket holding templates
Resources:
  # One role assumed by CodePipeline, CodeBuild and Lambda alike. Every statement
  # below is on Resource '*', so this is POC-grade (see the author's note at the end).
  BuildRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
                - codebuild.amazonaws.com
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: DeployPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketVersioning'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'codecommit:CancelUploadArchive'
                  - 'codecommit:GetBranch'
                  - 'codecommit:GetCommit'
                  - 'codecommit:GetUploadArchiveStatus'
                  - 'codecommit:UploadArchive'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'cloudwatch:*'
                  - 's3:*'
                  - 'sns:*'
                  - 'cloudformation:*'
                  - 'sqs:*'
                  - 'iam:PassRole'
                  - 'logs:*'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:DescribeStacks'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:DeleteChangeSet'
                  - 'cloudformation:DescribeChangeSet'
                  - 'cloudformation:ExecuteChangeSet'
                  - 'cloudformation:SetStackPolicy'
                  - 'cloudformation:ValidateTemplate'
                  - 'iam:PassRole'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'codebuild:BatchGetBuilds'
                  - 'codebuild:StartBuild'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'lambda:*'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'codepipeline:PutJobSuccessResult'
                  - 'codepipeline:PutJobFailureResult'
                Resource: '*'
  BuildArtifactsBucket:
    Type: 'AWS::S3::Bucket'
  BuildApprovalSNS:
    Type: 'AWS::SNS::Topic'
  BuildPipeLine:
    Type: 'AWS::CodePipeline::Pipeline'
    Properties:
      ArtifactStore:
        Location: !Ref BuildArtifactsBucket
        Type: S3
      RoleArn: !GetAtt BuildRole.Arn
      Stages:
        - Name: Source
          Actions:
            - Name: GetSource
              ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Provider: GitHub
                Version: 1
              OutputArtifacts:
                - Name: SourceOutput
              Configuration:
                Owner: !Ref GitHubOwner
                Repo: !Ref Repo
                Branch: !Ref Branch
                OAuthToken: !Ref GitHubToken
              RunOrder: 1
        - Name: Build-Beta
          Actions:
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: 1
              InputArtifacts:
                - Name: SourceOutput
              OutputArtifacts:
                - Name: BetaBuiltOutput
              Configuration:
                ProjectName: !GetAtt BetaBuildProject.Outputs.BuildProjectName
              RunOrder: 1
        # Stage and prod are gated: RunOrder 1 is a manual approval that links to the
        # previous environment, RunOrder 2 is the build that only runs once approved.
        - Name: Build-Stage
          Actions:
            - Name: Approval
              ActionTypeId:
                Category: Approval
                Owner: AWS
                Provider: Manual
                Version: 1
              Configuration:
                NotificationArn: !Ref BuildApprovalSNS
                ExternalEntityLink: !Ref BetaTestLink
                CustomData: !Ref StageMessage
              RunOrder: 1
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: 1
              InputArtifacts:
                - Name: SourceOutput
              OutputArtifacts:
                - Name: StageBuiltOutput
              Configuration:
                ProjectName: !GetAtt StageBuildProject.Outputs.BuildProjectName
              RunOrder: 2
        - Name: Build-Prod
          Actions:
            - Name: Approval
              ActionTypeId:
                Category: Approval
                Owner: AWS
                Provider: Manual
                Version: 1
              Configuration:
                NotificationArn: !Ref BuildApprovalSNS
                ExternalEntityLink: !Ref StageTestLink
                CustomData: !Ref ProdMessage
              RunOrder: 1
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: 1
              InputArtifacts:
                - Name: SourceOutput
              OutputArtifacts:
                - Name: ProdBuiltOutput
              Configuration:
                ProjectName: !GetAtt ProdBuildProject.Outputs.BuildProjectName
              RunOrder: 2
  # Three instances of the same nested template, one per environment. The role is
  # passed as an ARN (GetAtt), which is what CodeBuild's ServiceRole documents;
  # Ref on an IAM role would yield only the role name.
  BetaBuildProject:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Join ['/', ['https://s3.amazonaws.com', !Ref TemplateBucket, 'nested-api-build.yml']]
      Parameters:
        Project: !Ref Project
        Environment: beta
        Role: !GetAtt BuildRole.Arn
        AWSAccessKeyID: !Ref AWSAccessKeyID
        AWSSecretAccessKey: !Ref AWSSecretAccessKey
  StageBuildProject:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Join ['/', ['https://s3.amazonaws.com', !Ref TemplateBucket, 'nested-api-build.yml']]
      Parameters:
        Project: !Ref Project
        Environment: stage
        Role: !GetAtt BuildRole.Arn
        AWSAccessKeyID: !Ref AWSAccessKeyID
        AWSSecretAccessKey: !Ref AWSSecretAccessKey
  ProdBuildProject:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Join ['/', ['https://s3.amazonaws.com', !Ref TemplateBucket, 'nested-api-build.yml']]
      Parameters:
        Project: !Ref Project
        Environment: prod
        Role: !GetAtt BuildRole.Arn
        AWSAccessKeyID: !Ref AWSAccessKeyID
        AWSSecretAccessKey: !Ref AWSSecretAccessKey
```
nested-api-build.yml (the template referenced by TemplateURL above):

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'API Build Project'
Parameters:
  Project:
    Type: String
    Description: Project being built
  Environment:
    Type: String
    Description: Environment being deployed
  Role:
    Type: String
    Description: IAM Role ARN used as the CodeBuild service role
  AWSAccessKeyID:
    NoEcho: true
    Type: String
    Description: Access Key ID
  AWSSecretAccessKey:
    NoEcho: true
    Type: String
    Description: Secret Access Key
Resources:
  BuildProject:
    Type: 'AWS::CodeBuild::Project'
    Properties:
      Name: !Join ['-', [!Ref Project, BuildProject, !Ref Environment]]
      Description: !Join [' ', ['API build project for', !Ref Project]]
      Source:
        Type: CODEPIPELINE
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: 'aws/codebuild/nodejs:6.3.1'
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: BUILD_ENV
            Value: !Ref Environment
          # Static credentials as plaintext environment variables: readable by anyone
          # with codebuild:BatchGetProjects and easily leaked into build logs. The
          # author's note at the end says these are slated for removal.
          - Name: AWS_ACCESS_KEY_ID
            Value: !Ref AWSAccessKeyID
          - Name: AWS_SECRET_ACCESS_KEY
            Value: !Ref AWSSecretAccessKey
      ServiceRole: !Ref Role
Outputs:
  BuildProjectName:
    Description: Name of the build project
    Value: !Ref BuildProject
```
@singledigit (author):

FYI, the GitHub personal token must have repo and admin:repo_hooks access.

@singledigit (author):

Also, the build role is pretty loose for a POC. I definitely suggest tightening it up for production cases.
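
One way to tighten it, as an added example that is not part of the gist: replace the single BuildRole (trusted by CodePipeline, CodeBuild and Lambda, with every statement on Resource '*') with one role per principal, each scoped to what the pipeline actually touches. The logical names BuildArtifactsBucket, BuildApprovalSNS and Project are the gist's own; the CodeBuild project and log-group name pattern follows the Name join in nested-api-build.yml; the deploy role name `${Project}-deploy-role` is an assumed, separately created CloudFormation service role. Lambda and the codecommit:* statements are dropped because nothing in the gist uses them.

```yaml
# Added example (not the gist's code): least-privilege replacement for BuildRole.
Resources:
  PipelineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: codepipeline.amazonaws.com }
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: PipelinePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Artifacts: only this pipeline's bucket
              - Effect: Allow
                Action: ['s3:GetObject', 's3:GetObjectVersion', 's3:PutObject']
                Resource: !Sub '${BuildArtifactsBucket.Arn}/*'
              - Effect: Allow
                Action: 's3:GetBucketVersioning'
                Resource: !GetAtt BuildArtifactsBucket.Arn
              # Builds: only the three CodeBuild projects the nested template creates
              - Effect: Allow
                Action: ['codebuild:StartBuild', 'codebuild:BatchGetBuilds']
                Resource: !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${Project}-BuildProject-*'
              # Manual approvals: publish only to the approval topic
              - Effect: Allow
                Action: 'sns:Publish'
                Resource: !Ref BuildApprovalSNS
  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: codebuild.amazonaws.com }
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: BuildPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Build logs: only this project's log groups (wildcard also covers streams)
              - Effect: Allow
                Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents']
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${Project}-BuildProject-*'
              # Pipeline artifacts into and out of the build container
              - Effect: Allow
                Action: ['s3:GetObject', 's3:GetObjectVersion', 's3:PutObject']
                Resource: !Sub '${BuildArtifactsBucket.Arn}/*'
              # Deploying the application: only stacks named after the project
              - Effect: Allow
                Action:
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:DescribeStacks'
                  - 'cloudformation:DescribeStackEvents'
                  - 'cloudformation:GetTemplateSummary'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:DescribeChangeSet'
                  - 'cloudformation:ExecuteChangeSet'
                Resource: !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${Project}-*/*'
              - Effect: Allow
                Action: 'cloudformation:ValidateTemplate'   # accepts only Resource '*'
                Resource: '*'
              # PassRole limited to one role and one receiving service. The Lambda,
              # API Gateway, etc. permissions the app stack needs live on that deploy
              # role (assumed name), not on the build role.
              - Effect: Allow
                Action: 'iam:PassRole'
                Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${Project}-deploy-role'
                Condition:
                  StringEquals:
                    'iam:PassedToService': cloudformation.amazonaws.com
```

Wire it in with `RoleArn: !GetAtt PipelineRole.Arn` on the pipeline and `Role: !GetAtt CodeBuildRole.Arn` on the three nested stacks, and pass `--role-arn` for the deploy role to `aws cloudformation deploy` in the buildspec. If the build packages to a bucket other than the artifact bucket, add s3:PutObject on that bucket to CodeBuildRole. IAM Access Analyzer's policy generation, or simply reviewing CloudTrail for the role after a few runs, will show whether anything still needed from the old wildcard statements is missing.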

@singledigit (author):

This example uses AWS credentials for the CLI. To remove these, look here: https://github.com/nerdguru/serverlessTodos/blob/master/docs/serverlessToDoPolicy.json for the right permission roles. This gist will be updated to reflect this soon.
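
What the nested template looks like once the static keys are gone, as an added example that is not the gist's updated version: the AWSAccessKeyID and AWSSecretAccessKey parameters and environment variables are removed entirely, because the AWS CLI and SDKs inside a CodeBuild container obtain credentials from the project's ServiceRole through CodeBuild's container credential endpoint without any configuration. The DeployBucket parameter, the Parameter Store path `/cicd/<project>/npm-token` and the buildspec.yml are assumptions (the gist ships no buildspec); the service role needs ssm:GetParameters on that path (and kms:Decrypt if it is a SecureString).

```yaml
# Added example (not the gist's code): nested-api-build.yml with role credentials only.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'API Build Project (role credentials only)'
Parameters:
  Project:
    Type: String
  Environment:
    Type: String
  Role:
    Type: String
    Description: ARN of the CodeBuild service role
  DeployBucket:
    Type: String
    Description: Bucket that `aws cloudformation package` uploads to (assumed)
Resources:
  BuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub '${Project}-BuildProject-${Environment}'
      Source:
        Type: CODEPIPELINE
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: 'aws/codebuild/nodejs:6.3.1'   # same image the gist uses
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          # No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY: the CLI uses the service role.
          - Name: PROJECT
            Type: PLAINTEXT
            Value: !Ref Project
          - Name: BUILD_ENV
            Type: PLAINTEXT
            Value: !Ref Environment
          - Name: DEPLOY_BUCKET
            Type: PLAINTEXT
            Value: !Ref DeployBucket
          # A secret the build genuinely needs is resolved from Parameter Store when the
          # build starts; it appears neither in the template nor in BatchGetProjects.
          - Name: NPM_TOKEN
            Type: PARAMETER_STORE
            Value: !Sub '/cicd/${Project}/npm-token'
      ServiceRole: !Ref Role
Outputs:
  BuildProjectName:
    Description: Name of the build project
    Value: !Ref BuildProject
---
# buildspec.yml (assumed). Nothing here sets credentials: every `aws` call runs as
# the service role, and the pre_build check fails the build if that is not the case.
version: 0.2
phases:
  pre_build:
    commands:
      - aws sts get-caller-identity --query Arn --output text | grep -q ':assumed-role/' || exit 1
      - echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
      - npm install
  build:
    commands:
      - npm test
      - aws cloudformation package --template-file template.yml --s3-bucket "$DEPLOY_BUCKET" --output-template-file packaged.yml
      - aws cloudformation deploy --template-file packaged.yml --stack-name "${PROJECT}-api-${BUILD_ENV}" --capabilities CAPABILITY_IAM
artifacts:
  files:
    - packaged.yml
```

Two checks are worth running after the change: `aws codebuild batch-get-projects --names <name>` should show no AWS_* variables in `environment.environmentVariables`, and the pre_build identity check above should print an ARN of the form `arn:aws:sts::<account>:assumed-role/<role>/AWSCodeBuild-<build-id>`. The same idea applies to GitHubToken in the parent template, which could be supplied as a Secrets Manager dynamic reference instead of a stack parameter, though the gist as written does not do that.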
