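---
# Delivery pipeline for a serverless .NET Core service:
# GitHub source -> CodeBuild -> CloudFormation change sets (Beta, then a
# manually approved Prod deployment). The Resources section below defines
# the artifact bucket, the IAM roles and the pipeline itself.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ServiceName:
    Type: String
    Default: serverlessptv
    Description: Name for the service, used in the code repository, Lambda function, and pipeline names
  CodeBuildEnvironment:
    Type: String
    Default: 'aws/codebuild/dot-net:core-2.1'
    Description: Name of the image to use for the CodeBuild container
  GitHubOwner:
    Type: String
    Description: GitHub repository owner
  GitHubRepo:
    Type: String
    Default: serverlessptv
    Description: GitHub repository name
  GitHubBranch:
    Type: String
    Default: master
    Description: GitHub repository branch
  GitHubToken:
    Type: String
    # Secret value: NoEcho masks it in DescribeStacks output, the console and
    # stack events. It is still stored in the pipeline's source action
    # configuration, so treat the pipeline definition as sensitive too.
    NoEcho: true
    Description: GitHub repository OAuth token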
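Resources:
  # CodeBuild project and resources (S3 Bucket for build artifacts, Role, Project)
  BuildArtifactsBucket:
    Type: AWS::S3::Bucket
    Properties:
      # The bucket holds the source zip and the rendered SAM template that gets
      # deployed; keep it private and encrypted at rest.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: CodeBuildAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Log group and streams for this build project only.
              - Effect: Allow
                Resource:
                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ServiceName}_build'
                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ServiceName}_build:*'
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
              # Read the source artifact and write the build artifact:
              # object-level access only, not the bucket itself.
              - Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::${BuildArtifactsBucket}/*'
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:PutObject'

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub '${ServiceName}_build'
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: !Ref CodeBuildEnvironment
        EnvironmentVariables:
          - Name: BUILD_OUTPUT_BUCKET
            Value: !Ref BuildArtifactsBucket
      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
      Source:
        Type: CODEPIPELINE
        # The buildspec comes from the repository, so whoever can push to
        # GitHubBranch decides what runs under CodeBuildServiceRole.
        BuildSpec: api/buildspec.yaml

  # CodePipeline definition and required roles
  CFNPipelinePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: CloudFormation Pipeline Execution Policy
      Path: /
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cloudformation:CreateStack'
              - 'cloudformation:DescribeStacks'
              - 'cloudformation:DeleteStack'
              - 'cloudformation:UpdateStack'
              - 'cloudformation:CreateChangeSet'
              - 'cloudformation:ExecuteChangeSet'
              - 'cloudformation:DeleteChangeSet'
              - 'cloudformation:DescribeChangeSet'
              - 'cloudformation:SetStackPolicy'
              - 'cloudformation:ValidateTemplate'
              - 'codebuild:StartBuild'
              - 'codebuild:BatchGetBuilds'
            # TODO(review): scope to the Beta/Prod stack ARNs and the
            # CodeBuildProject ARN instead of every stack and project in the account.
            Resource: '*'

  CloudFormationExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      # This role deploys whatever the built SAM template declares. The Beta
      # stage has no approval gate, so a merge to GitHubBranch effectively
      # exercises these permissions; replace AdministratorAccess with a policy
      # limited to the resource types the service template actually creates.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AdministratorAccess'

  PipelineExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        # NOTE(review): the only source action is GitHub, so CodeCommit access
        # appears unused here — confirm before removing.
        - 'arn:aws:iam::aws:policy/AWSCodeCommitFullAccess'
        # NOTE(review): far broader than the single artifact bucket used below.
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - !Ref CFNPipelinePolicy
      Policies:
        - PolicyName: CodePipelineAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # PassRole is only needed to hand CloudFormationExecutionRole to
              # the deploy actions; on '*' it would let the pipeline pass any
              # role in the account.
              - Effect: Allow
                Action:
                  - 'iam:PassRole'
                Resource: !GetAtt CloudFormationExecutionRole.Arn
              - Effect: Allow
                Action:
                  - 'lambda:InvokeFunction'
                  - 'lambda:ListFunctions'
                  - 'lambda:InvokeAsync'
                Resource: '*'

  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ArtifactStore:
        Location: !Ref BuildArtifactsBucket
        Type: S3
      Name: !Sub '${ServiceName}_pipeline'
      RoleArn: !GetAtt PipelineExecutionRole.Arn
      Stages:
        - Name: Source
          Actions:
            - Name: Source
              ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Provider: GitHub
                Version: '1'
              Configuration:
                Owner: !Ref GitHubOwner
                Repo: !Ref GitHubRepo
                Branch: !Ref GitHubBranch
                # Long-lived personal token held in the pipeline definition;
                # a CodeStar Connections source action avoids storing it here.
                OAuthToken: !Ref GitHubToken
              OutputArtifacts:
                - Name: SourceZip
              RunOrder: 1
        - Name: Build
          Actions:
            - Name: CodeBuild
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: '1'
              Configuration:
                ProjectName: !Ref CodeBuildProject
              InputArtifacts:
                - Name: SourceZip
              OutputArtifacts:
                - Name: BuiltZip
        # Beta deploys automatically on every build; Prod is gated by a manual approval.
        - Name: Dev
          Actions:
            - Name: CreateChangeSet
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CloudFormation
                Version: '1'
              Configuration:
                ActionMode: CHANGE_SET_REPLACE
                RoleArn: !GetAtt CloudFormationExecutionRole.Arn
                StackName: !Sub '${ServiceName}-Stack-Beta'
                ChangeSetName: !Sub '${ServiceName}-ChangeSet-Beta'
                TemplatePath: BuiltZip::app-output_sam.yaml
                Capabilities: CAPABILITY_IAM
              InputArtifacts:
                - Name: BuiltZip
              RunOrder: 1
            - Name: ExecuteChangeSet
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CloudFormation
                Version: '1'
              Configuration:
                ActionMode: CHANGE_SET_EXECUTE
                RoleArn: !GetAtt CloudFormationExecutionRole.Arn
                StackName: !Sub '${ServiceName}-Stack-Beta'
                ChangeSetName: !Sub '${ServiceName}-ChangeSet-Beta'
              OutputArtifacts:
                - Name: !Sub '${ServiceName}BetaChangeSet'
              RunOrder: 2
        - Name: Prod
          Actions:
            - Name: DeploymentApproval
              ActionTypeId:
                Category: Approval
                Owner: AWS
                Provider: Manual
                Version: '1'
              RunOrder: 1
            - Name: CreateChangeSet
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CloudFormation
                Version: '1'
              Configuration:
                ActionMode: CHANGE_SET_REPLACE
                RoleArn: !GetAtt CloudFormationExecutionRole.Arn
                StackName: !Sub '${ServiceName}-Stack-Prod'
                ChangeSetName: !Sub '${ServiceName}-ChangeSet-Prod'
                TemplatePath: BuiltZip::app-output_sam.yaml
                Capabilities: CAPABILITY_IAM
              InputArtifacts:
                - Name: BuiltZip
              RunOrder: 2
            - Name: ExecuteChangeSet
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CloudFormation
                Version: '1'
              Configuration:
                ActionMode: CHANGE_SET_EXECUTE
                RoleArn: !GetAtt CloudFormationExecutionRole.Arn
                StackName: !Sub '${ServiceName}-Stack-Prod'
                ChangeSetName: !Sub '${ServiceName}-ChangeSet-Prod'
              OutputArtifacts:
                - Name: !Sub '${ServiceName}ProdChangeSet'
              RunOrder: 3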