diff --git a/templates/code_pipeline.yml b/templates/code_pipeline.yml
index f351b52..9781e6d 100644
--- a/templates/code_pipeline.yml
+++ b/templates/code_pipeline.yml
@@ -50,208 +50,6 @@ Resources: !Ref RepositoryDescription]] RepositoryName: !Ref ProjectName - ########################################## - #Code Pipeline Is broken down into stages - #that occur sequentially These can be - #the following ci/cd actions - # Source - # Build - # Test - # Deploy - # Approval - # Invoke - # - #Stages for this environment: - #Stage 1) Source = Get source code repository - # - #stage 2) Deploy create/updates the - #templates/prod_resource_import.yml - ########################################### - CodePipelineStack: - Type: AWS::CodePipeline::Pipeline - Properties: - RoleArn: !GetAtt [CodePipelineRole, Arn] - ArtifactStore: - Location: - Ref: - ArtifactStoreBucket - Type: S3 - Stages: - ############################### - #Stage 1, gets the source control git repo - # - # - ############################### - - Name: SourceCodeRepo - Actions: - #The input artifact of an action must exactly - # match the output artifact declared - #in a preceding action - - InputArtifacts: [] - Name: Source - ###################################### - #List of valid action type providers - #by action can be found here: - #https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html#actions-valid-providers - ###################################### - ActionTypeId: - Category: Source - Owner: AWS - Version: '1' - Provider: CodeCommit - OutputArtifacts: - - Name: !GetAtt GitRepo.Name - #Git repo for first stage - ######################################### - #Configuration Details by provider can be found here: - #https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html#structure-configuration-examples - # - ######################################### - Configuration: - BranchName: !Ref RepositoryBranch - RepositoryName: !GetAtt GitRepo.Name - #Run order within stage not between stages - RunOrder: 1 - - - ################################### - #stage 3) Deploys to production - #by updating or creating a 
stack as - #necessary - ################################### - - Name: DeployProd - Actions: - ############################ - #First action of this deploy prod stage - #cloudformation template which was an import - #existing cloudresources - ############################ - - Name: DeployProdImport - ActionTypeId: - Category: Deploy - Owner: AWS - Provider: CloudFormation - Version: '1' - InputArtifacts: - - Name: !GetAtt GitRepo.Name - OutputArtifacts: - - Name: ProdImportCf - ########################################## - #configuration properties documentation: - #https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-action-reference.html - ########################################## - Configuration: - #If the cloudformation stack does not exist - #it will be created, otherwise the stack will be updated - #with the template provided in TemplatePath - ActionMode: CREATE_UPDATE - RoleArn: !GetAtt [ProdCodeDeployRole, Arn] - StackName: prod-homepage - #TemplatePath: !Ref GitRepoName !Sub "TemplateSource::${ProdStackConfig}" - #Artifact::template_file_name - #is what the deploy stage is expecting as input for the - #cloudformation template location - TemplatePath: - !Join ['::', [!Ref ProjectName, 'templates/prod_resource_import.yml']] - RunOrder: 1 - - - -#################### -#Role assumed by cloudformation -#in stage 2 of the CodePipeline to -#create/update the templates/prod_resource_import.yml stack -#################### - ProdCodeDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Action: ['sts:AssumeRole'] - Effect: Allow - Principal: - Service: [cloudformation.amazonaws.com] - Version: '2012-10-17' - ManagedPolicyArns: - - arn:aws:iam::aws:policy/AmazonS3FullAccess - - arn:aws:iam::aws:policy/CloudFrontFullAccess - Path: / - #Ability to create record sets in Route53 - Policies: - - PolicyName: DeployRoute53 - PolicyDocument: - Version: "2012-10-17" - Statement: - - Sid: 
RecordSetsOneHostedZone - Effect: Allow - Action: - - route53:GetHostedZone - - route53:ListResourceRecordSets - - route53:ListHostedZones - - route53:GetChange - Resource: - - "*" - - - Sid: RequestAcmCertificate - Effect: Allow - Action: - - acm:RequestCertificate - - acm:DeleteCertificate - - acm:DescribeCertificate - Resource: - - "*" - #Change Record Sets but limit - #to one hosted zone - - Sid: WriteRecordSetsOneHostedZone - Effect: Allow - Action: - - route53:ChangeResourceRecordSets - #Name of the hosted zone to allow Record - #sets to be changed on - Resource: - - "arn:aws:route53:::hostedzone/Z3K3UR6983C2YB" - #policy needed for serverless transform - - PolicyName: BackendDeployPolicy - PolicyDocument: - Version: "2012-10-17" - Statement: - - Sid: RecordSetsOneHostedZone - Effect: Allow - Action: - - cloudformation:CreateChangeSet - #- cloudformation:ExecuteChangeSet - Resource: - - "*" - #secretsmanager creation privleges - - Sid: !Join ['', [!Ref ProjectName,'SecretsMangerDeploy']] - Effect: Allow - Action: - - secretsmanager:CreateSecret # pragma: allowlist secret - - secretsmanager:DeleteSecret # pragma: allowlist secret - - secretsmanager:TagResource # pragma: allowlist secret - - secretsmanager:UpdateSecret # pragma: allowlist secret - Resource: - - "*" - #create vpc privleges - - Sid: !Join ['', [!Ref ProjectName,'VpcDeploy']] - Effect: Allow - Action: - - ec2:CreateVpc - - ec2:CreateSubnet - - ec2:DeleteSubnet - - ec2:DeleteVpc - - ec2:DescribeVpcs - - ec2:ModifyVpcAttribute - - ec2:createTags - - ec2:DescribeAvailabilityZones - - ec2:DescribeAccountAttributes - - ec2:DescribeSubnets - - ec2:CreateRouteTable - - ec2:DeleteRouteTable - - ec2:DescribeRouteTables - Resource: - - "*" - CFNRole: Type: AWS::IAM::Role Properties: 
@@ -288,41 +86,6 @@ Resources: Resource: - "*" - CodePipelineRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - Effect: Allow - Principal: - Service: codepipeline.amazonaws.com - Action: sts:AssumeRole - Path: / - #List of Policies for Code Pipeline - ManagedPolicyArns: - - arn:aws:iam::aws:policy/AWSCodePipelineFullAccess - - arn:aws:iam::aws:policy/AWSCodeCommitFullAccess - - arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess - - arn:aws:iam::aws:policy/AmazonS3FullAccess - - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess - Policies: - - PolicyName: PipelinePassRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Sid: IamPassRoleAllow - Effect: Allow - ####################################### - #Allowing lambda to perform a PutItem on - #DynamoDB - # - ####################################### - Action: - - iam:PassRole - Resource: - - "*" - Outputs: CodeCommitURL: