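# CodeBuild project for the "widgets" build, plus the IAM role it runs under.
# The project is fed from CodePipeline (Artifacts/Source type CODEPIPELINE)
# and reads its build steps from aws/widgets-buildspec.yml in the source bundle.
#
# Fixes relative to the previous revision:
#   - DecryptSecrets PolicyDocument.Version is now quoted: an unquoted
#     2012-10-17 is a YAML 1.1 timestamp, not the string IAM expects, and it
#     was the only unquoted Version in the file.
#   - The SSM parameter ARN used ${ AWS::AccountId } with spaces inside the
#     braces; Fn::Sub documents the ${Name} form only, so the spaces are
#     removed to match every other substitution in this template.
#   - The LogsCreation statement is scoped to this project's default
#     CloudWatch log group instead of "*".
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  # Used together with BranchName to build the CodeBuild project name.
  ProjectName:
    Type: String
  BranchName:
    Type: String
  # Passed through to the build as the CommitHash environment variable.
  CommitHash:
    Type: String
  # ARN of the pipeline artifact bucket the build reads from / writes to.
  ArtifactBucketArn:
    Type: String

Resources:
  WidgetsCodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub ${ProjectName}-${BranchName}-CodeBuildProject-Widgets
      ServiceRole: !GetAtt CodeBuildRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        # NOTE(review): privileged mode gives the build container access to
        # the Docker daemon; the ecrBuild policy below suggests images are
        # built here. Keep it only while the buildspec actually runs docker.
        PrivilegedMode: true
        Image: aws/codebuild/amazonlinux2-x86_64-standard:2.0
        # Values exported by sibling stacks are pulled in with !ImportValue;
        # the export names are part of this project's cross-stack contract.
        EnvironmentVariables:
          - Name: T3CHFLICKS_ROOT_DOMAIN
            Value: !ImportValue T3chFlicksRootDomainName
          - Name: BUCKET_NAME
            Value: !ImportValue T3chFlicks-EmojiSearchBucketName
          - Name: SERVICE_ROOT_DOMAIN
            Value: !Sub
              - emoji-search.${Domain}
              - Domain: !ImportValue T3chFlicksRootDomainName
          - Name: SERVICE_API_DOMAIN
            Value: !Sub
              - ${Domain}/emoji-search
              - Domain: !ImportValue T3chFlicksAPIDomainName
          - Name: CloudFrontDistId
            Value: !ImportValue T3chFlicks-EmojiSearchCloudFrontDistId
          - Name: CommitHash
            Value: !Ref CommitHash
          - Name: AWS_DEFAULT_REGION
            Value: !Ref AWS::Region
          - Name: AWS_ACCOUNT_ID
            Value: !Ref AWS::AccountId
      Source:
        Type: CODEPIPELINE
        # Path is relative to the root of the source artifact.
        BuildSpec: aws/widgets-buildspec.yml
      TimeoutInMinutes: 10

  # Execution role assumed by the CodeBuild service for the project above.
  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: [codebuild.amazonaws.com]
            Action: ['sts:AssumeRole']
      Path: /
      Policies:
        # NOTE(review): the three bucket policies grant s3:* (including
        # delete and policy changes) on their buckets. If the buildspec only
        # needs to read artifacts and write the site, narrowing to
        # s3:GetObject / s3:PutObject / s3:ListBucket would be safer; what the
        # build actually calls is not visible from this template.
        - PolicyName: ArtifactBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - "s3:*"
                Resource:
                  - !Sub ${ArtifactBucketArn}/*
                  - !Sub ${ArtifactBucketArn}
        - PolicyName: WidgetBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - "s3:*"
                Resource:
                  - !Sub
                    - ${BucketArn}/*
                    - BucketArn: !ImportValue T3chFlicks-EmojiSearchBucketArn
                  - !Sub
                    - ${BucketArn}
                    - BucketArn: !ImportValue T3chFlicks-EmojiSearchBucketArn
        - PolicyName: CodeBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - "s3:*"
                Resource:
                  - !Sub
                    - ${BucketArn}/*
                    - BucketArn: !ImportValue CodeBucketArn
                  - !ImportValue CodeBucketArn
        # CodeBuild writes to /aws/codebuild/<project name> when no LogsConfig
        # is set (none is set above), so the grant is limited to that group
        # and its streams rather than every log group in the account.
        - PolicyName: LogsCreation
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource:
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-${BranchName}-CodeBuildProject-Widgets
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-${BranchName}-CodeBuildProject-Widgets:*
        # Lets the build read the DOCKER_PASS SecureString parameter and
        # decrypt it with the shared KMS key.
        - PolicyName: "DecryptSecrets"
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ssm:DescribeParameters
                  - ssm:GetParameters
                  - ssm:GetParameter
                  - kms:Decrypt
                Resource:
                  - !ImportValue KMSKeyArn
                  # Region is hard-coded to eu-west-1 here while the build's
                  # AWS_DEFAULT_REGION is !Ref AWS::Region; the parameter is
                  # presumably only stored in eu-west-1 — confirm before
                  # deploying this stack elsewhere.
                  # NOTE(review): ssm:DescribeParameters is not resource-scoped
                  # in IAM and will be denied under this resource list; drop it
                  # if the build does not need it, or move it to its own
                  # statement with Resource "*".
                  - !Sub arn:aws:ssm:eu-west-1:${AWS::AccountId}:parameter/DOCKER_PASS
        # NOTE(review): ecr:GetAuthorizationToken requires Resource "*", but
        # the push/upload actions could be restricted to the target repository
        # ARN once it is known; the repository is not referenced in this file.
        - PolicyName: ecrBuild
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'ecr:GetAuthorizationToken'
                  - 'ecr:BatchCheckLayerAvailability'
                  - 'ecr:CompleteLayerUpload'
                  - 'ecr:InitiateLayerUpload'
                  - 'ecr:PutImage'
                  - 'ecr:UploadLayerPart'
                Resource:
                  - "*"
        # NOTE(review): the distribution id is already imported above as
        # T3chFlicks-EmojiSearchCloudFrontDistId; this could be scoped to
        # arn:aws:cloudfront::<account>:distribution/<id> instead of "*".
        - PolicyName: CloudfrontUpdate
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'cloudfront:CreateInvalidation'
                Resource: "*"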