diff --git a/12-codepipeline/Practice-12.1/stack.yml b/12-codepipeline/Practice-12.1/stack.yml new file mode 100644 index 00000000..5ff92d67 --- /dev/null +++ b/12-codepipeline/Practice-12.1/stack.yml 
@@ -0,0 +1,285 @@ +Description: Codepipeline + +Parameters: + FullRepositoryId: + Type: String + Description: GitHub Repo to pull from. Only the Name. not the URL + Default: "dezo2018/aws-codepipeline-github" + BranchName: + Type: String + Description: GitHub Branch + Default: main + ConnectionId: + Type: String + Default: '5f0c2ae6-eeca-42af-82fb-ecf867c31b5e' + Description: GitHub Connection Id + TemplateFileName: + Type: String + Default: "template.yaml" + StackName: + Type: String + Default: codepipeline + +Resources: + SourceBucket: + Type: AWS::S3::Bucket + # IAM execution role that trusts CloudFormation to create an S3 bucket + CFNDeployRole: + Type: AWS::IAM::Role + Properties: + RoleName: "cfn-deploy-role" + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: + - cloudformation.amazonaws.com + Action: + - sts:AssumeRole + CFNExecPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: !Sub "s3-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - s3:CreateBucket + - s3:ListAllMyBuckets + - s3:GetBucketLocation + - s3:DeleteBucket # in case we need to replace existing bucket + Resource: "*" + - Effect: Allow + Action: + - dynamodb:Create* + - dynamodb:Describe* + - dynamodb:Update* + - dynamodb:DeleteTable + Resource: "*" + - Effect: Allow + Action: + - iam:ListRoles + - iam:ListPolicies + - iam:CreateRole + - iam:CreatePolicy + - iam:GetRole + - iam:DeleteRole + - iam:PutRolePolicy + - iam:PassRole + - iam:getRolePolicy + - iam:TagResource + - iam:DeleteRolePolicy + - iam:AttachRolePolicy + - iam:DetachRolePolicy + Resource: "*" + Roles: + - !Ref CFNDeployRole + +# --- IAM execution role that trusts the CodePipeline service and provides sufficient permissions to deploy CloudFormation stack + CodePipelineServiceRole: + Type: AWS::IAM::Role + Properties: + RoleName: "codepipeline-role" + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: 
Allow + Principal: + Service: + - codepipeline.amazonaws.com + Action: + - sts:AssumeRole + Path: / + Policies: + - PolicyName: AWS-CodePipeline-Service-3 + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - 'iam:PassRole' + - 'codebuild:BatchGetBuilds' + - 'codebuild:StartBuild' + Resource: '*' + - Effect: Allow + Action: + - 's3:*' + - 'cloudformation:*' + Resource: '*' + - Effect: Allow + Action: + - 'codestar-connections:UseConnection' + Resource: + - !Sub "arn:aws:codestar-connections:us-east-1:${AWS::AccountId}:connection/${ConnectionId}" + # IAM execution role that trusts the CodeBuild service and provides sufficient permissions to perform the actions + CodeBuildRole: + Type: AWS::IAM::Role + Properties: + RoleName: "codebuild-role" + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: + - codebuild.amazonaws.com + Action: + - sts:AssumeRole + CodeBuildPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: !Sub "codebuild-s3-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow # access to artifact bucket + Action: + - s3:PutObject + - s3:GetBucketPolicy + - s3:GetObject + - s3:ListBucket + Resource: "*" + - Effect: Allow + Action: + - logs:CreateLogGroup + - logs:CreateLogStream + - logs:PutLogEvents + - logs:DescribeLogStreams + Resource: "*" + - Effect: Allow + Action: + - cloudformation:ValidateTemplate + - cloudformation:ListStacks + - cloudformation:Describe* + Resource: "*" + - Effect: Allow + Action: + - codebuild:ListBuilds + - codebuild:UpdateProject + - codebuild:ListProjects + - codebuild:CreateReportGroup + - codebuild:CreateReport + - codebuild:BatchPutTestCases + - codebuild:UpdateReport + Resource: "*" + Roles: + - !Ref CodeBuildRole + # CodeBuid Project + BuildSource: + Type: AWS::CodeBuild::Project + Properties: + Name: "codebuild-project" + Artifacts: + Type: CODEPIPELINE + ServiceRole: !GetAtt CodeBuildRole.Arn + Source: 
+ Type: CODEPIPELINE + BuildSpec: buildspec.yml + Environment: + Type: LINUX_CONTAINER + Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 + ComputeType: BUILD_GENERAL1_SMALL + EnvironmentVariables: + - Name: TEMPLATE_FILE_NAME + Value: !Ref TemplateFileName + - Name: REGION + Value: !Ref AWS::Region + TestSource: + Type: AWS::CodeBuild::Project + Properties: + Name: !Sub "codebuild-test-source" + Artifacts: + Type: CODEPIPELINE + ServiceRole: !GetAtt CodeBuildRole.Arn + Source: + Type: CODEPIPELINE + BuildSpec: testspec.yml + Environment: + Type: LINUX_CONTAINER + Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 + ComputeType: BUILD_GENERAL1_SMALL + EnvironmentVariables: + - Name: STACK_NAME + Value: "codepipeline" + - Name: REGION + Value: !Ref AWS::Region + + AppPipeline: + Type: AWS::CodePipeline::Pipeline + Properties: + Name: github-events-pipeline + ArtifactStore: + Type: S3 + Location: !Ref SourceBucket + RoleArn: !GetAtt CodePipelineServiceRole.Arn + Stages: + # 1 stage - source - github + - Name: Source + Actions: + - Name: SourceAction + RunOrder: 1 + ActionTypeId: + Category: Source + Owner: AWS + Version: '1' + Provider: CodeStarSourceConnection + Configuration: + ConnectionArn: !Sub "arn:aws:codestar-connections:us-east-1:${AWS::AccountId}:connection/${ConnectionId}" + FullRepositoryId: !Ref FullRepositoryId + BranchName: !Ref BranchName + OutputArtifacts: + - Name: SourceOutput + # 2 stage - build - CodeBuild + - Name: Build + Actions: + # 2.1 - create changeset + - Name: ValidateTemplate + RunOrder: 1 + ActionTypeId: + Category: Build + Owner: AWS + Provider: CodeBuild + Version: '1' + InputArtifacts: + - Name: SourceOutput + Configuration: + ProjectName: !Ref BuildSource + OutputArtifacts: + - Name: BuildOutput + # 3 stage - deploy - cloudformation + - Name: Deploy + Actions: + - Name: CreateChangeSet + RunOrder: 1 + ActionTypeId: + Category: Deploy + Owner: AWS + Provider: CloudFormation + Version: '1' + InputArtifacts: + - Name: 
SourceOutput + Configuration: + ActionMode: CHANGE_SET_REPLACE + StackName: !Ref StackName + ChangeSetName: !Sub "${StackName}-changeset" + Capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM + RoleArn: !GetAtt CFNDeployRole.Arn + TemplatePath: !Sub "SourceOutput::${TemplateFileName}" + # 4 stage - test - CodeBuild + - Name: Test + Actions: + - Name: CheckStackStatus + RunOrder: 1 + ActionTypeId: + Category: Build + Owner: AWS + Provider: CodeBuild + Version: '1' + InputArtifacts: + - Name: SourceOutput + Configuration: + ProjectName: !Ref TestSource + OutputArtifacts: + - Name: TestOutput diff --git a/12-codepipeline/Practice-12.1/template.yaml b/12-codepipeline/Practice-12.1/template.yaml new file mode 100644 index 00000000..47caae87 --- /dev/null +++ b/12-codepipeline/Practice-12.1/template.yaml @@ -0,0 +1,6 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: github-codepipeline-app + +Resources: + ApplicationBucket: + Type: AWS::S3::Bucket \ No newline at end of file diff --git a/12-codepipeline/Practice-12.2/stack.yml b/12-codepipeline/Practice-12.2/stack.yml new file mode 100644 index 00000000..07dc063e --- /dev/null +++ b/12-codepipeline/Practice-12.2/stack.yml 
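Review bot: In the CodePipelineServiceRole policy, `iam:PassRole` is granted on `Resource: '*'`, so the pipeline role can hand any role in the account to CloudFormation or CodeBuild; the only role this template passes at runtime is CFNDeployRole (the CreateChangeSet action's RoleArn), so scope it with `Resource: !GetAtt CFNDeployRole.Arn` and `Condition: {StringEquals: {iam:PassedToService: cloudformation.amazonaws.com}}`. The CFNExecPolicy attached to that deploy role in turn allows `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PutRolePolicy` on `*`, and the deploy action requests CAPABILITY_NAMED_IAM, so a template pushed to the source branch can create a role with arbitrary policies — the branch becomes the trust boundary; a `Condition` requiring `iam:PermissionsBoundary` on those three actions, or at least an ARN prefix on Resource, bounds that. The connection ARN is hard-coded to `us-east-1` in both the role policy and the source action while the CodeBuild projects use `!Ref AWS::Region`; writing `${AWS::Region}` inside those `!Sub` strings keeps them consistent. The SourceBucket artifact store is created with bucket defaults; since it holds source and build artifacts, consider `PublicAccessBlockConfiguration` and `BucketEncryption` on it.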
@@ -0,0 +1,315 @@ +Description: Codepipeline + +Parameters: + FullRepositoryId: + Type: String + Description: GitHub Repo to pull from. Only the Name. not the URL + Default: "dezo2018/aws-codepipeline-github" + BranchName: + Type: String + Description: GitHub Branch + Default: main + ConnectionId: + Type: String + Default: '5f0c2ae6-eeca-42af-82fb-ecf867c31b5e' + Description: GitHub Connection Id + TemplateFileName: + Type: String + Default: "template1.yaml" + StackName: + Type: String + Default: codepipeline + +Resources: + SourceBucket: + Type: AWS::S3::Bucket + # IAM execution role that trusts CloudFormation to create an S3 bucket + CFNDeployRole: + Type: AWS::IAM::Role + Properties: + RoleName: "cfn-deploy-role" + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: + - cloudformation.amazonaws.com + Action: + - sts:AssumeRole + CFNExecPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: "s3-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - s3:CreateBucket + - s3:ListAllMyBuckets + - s3:GetBucketLocation + - s3:DeleteBucket # in case we need to replace existing bucket + Resource: "*" + - Effect: Allow + Action: + - dynamodb:Create* + - dynamodb:Describe* + - dynamodb:Update* + - dynamodb:DeleteTable + Resource: "*" + - Effect: Allow + Action: + - iam:ListRoles + - iam:ListPolicies + - iam:CreateRole + - iam:CreatePolicy + - iam:GetRole + - iam:DeleteRole + - iam:PutRolePolicy + - iam:PassRole + - iam:getRolePolicy + - iam:TagResource + - iam:DeleteRolePolicy + - iam:AttachRolePolicy + - iam:DetachRolePolicy + Resource: "*" + Roles: + - !Ref CFNDeployRole + +# --- IAM execution role that trusts the CodePipeline service and provides sufficient permissions to deploy CloudFormation stack + CodePipelineServiceRole: + Type: AWS::IAM::Role + Properties: + RoleName: "codepipeline-role" + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: 
Allow + Principal: + Service: + - codepipeline.amazonaws.com + Action: + - sts:AssumeRole + Path: / + Policies: + - PolicyName: AWS-CodePipeline-Service-3 + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - 'iam:PassRole' + - 'codebuild:BatchGetBuilds' + - 'codebuild:StartBuild' + Resource: '*' + - Effect: Allow + Action: + - 's3:*' + - 'cloudformation:*' + Resource: '*' + - Effect: Allow + Action: + - 'codestar-connections:UseConnection' + Resource: + - !Sub "arn:aws:codestar-connections:us-east-1:${AWS::AccountId}:connection/${ConnectionId}" + # IAM execution role that trusts the CodeBuild service and provides sufficient permissions to perform the actions + CodeBuildRole: + Type: AWS::IAM::Role + Properties: + RoleName: "codebuild-role" + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: + - codebuild.amazonaws.com + Action: + - sts:AssumeRole + CodeBuildPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: !Sub "codebuild-s3-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow # access to artifact bucket + Action: + - s3:PutObject + - s3:GetBucketPolicy + - s3:GetObject + - s3:ListBucket + Resource: "*" + - Effect: Allow + Action: + - logs:CreateLogGroup + - logs:CreateLogStream + - logs:PutLogEvents + - logs:DescribeLogStreams + Resource: "*" + - Effect: Allow + Action: + - cloudformation:ValidateTemplate + - cloudformation:ListStacks + - cloudformation:Describe* + Resource: "*" + - Effect: Allow + Action: + - codebuild:ListBuilds + - codebuild:UpdateProject + - codebuild:ListProjects + - codebuild:CreateReportGroup + - codebuild:CreateReport + - codebuild:BatchPutTestCases + - codebuild:UpdateReport + Resource: "*" + Roles: + - !Ref CodeBuildRole + # CodeBuid Project + BuildSource: + Type: AWS::CodeBuild::Project + Properties: + Name: "codebuild-project" + Artifacts: + Type: CODEPIPELINE + ServiceRole: !GetAtt CodeBuildRole.Arn + Source: 
+ Type: CODEPIPELINE + BuildSpec: buildspec.yml + Environment: + Type: LINUX_CONTAINER + Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 + ComputeType: BUILD_GENERAL1_SMALL + EnvironmentVariables: + - Name: TEMPLATE_FILE_NAME + Value: !Ref TemplateFileName + - Name: REGION + Value: !Ref AWS::Region + TestSource: + Type: AWS::CodeBuild::Project + Properties: + Name: !Sub "codebuild-test-source" + Artifacts: + Type: CODEPIPELINE + ServiceRole: !GetAtt CodeBuildRole.Arn + Source: + Type: CODEPIPELINE + BuildSpec: testspec.yml + Environment: + Type: LINUX_CONTAINER + Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 + ComputeType: BUILD_GENERAL1_SMALL + EnvironmentVariables: + - Name: STACK_NAME + Value: "codepipeline" + - Name: REGION + Value: !Ref AWS::Region + + AppPipeline: + Type: AWS::CodePipeline::Pipeline + Properties: + Name: github-events-pipeline + ArtifactStore: + Type: S3 + Location: !Ref SourceBucket + RoleArn: !GetAtt CodePipelineServiceRole.Arn + Stages: + # 1 stage - source - github + - Name: Source + Actions: + - Name: SourceAction + RunOrder: 1 + ActionTypeId: + Category: Source + Owner: AWS + Version: '1' + Provider: CodeStarSourceConnection + Configuration: + ConnectionArn: !Sub "arn:aws:codestar-connections:us-east-1:${AWS::AccountId}:connection/${ConnectionId}" + FullRepositoryId: !Ref FullRepositoryId + BranchName: !Ref BranchName + OutputArtifacts: + - Name: SourceOutput + # 2 stage - build - CodeBuild + - Name: Build + Actions: + # 2.1 - create changeset + - Name: ValidateTemplate + RunOrder: 1 + ActionTypeId: + Category: Build + Owner: AWS + Provider: CodeBuild + Version: '1' + InputArtifacts: + - Name: SourceOutput + Configuration: + ProjectName: !Ref BuildSource + OutputArtifacts: + - Name: BuildOutput + # 3 stage - deploy - cloudformation + - Name: Creation + Actions: + - Name: CreateChangeSet + RunOrder: 1 + ActionTypeId: + Category: Deploy + Owner: AWS + Provider: CloudFormation + Version: '1' + InputArtifacts: + - Name: 
SourceOutput + Configuration: + ActionMode: CHANGE_SET_REPLACE + StackName: !Ref StackName + ChangeSetName: !Sub "${StackName}-changeset" + Capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM + RoleArn: !GetAtt CFNDeployRole.Arn + TemplatePath: !Sub "SourceOutput::${TemplateFileName}" + # 4 Approval action + - Name: ApproveDeploy + Actions: + - Name: ApproveDeployProd + ActionTypeId: + Category: Approval + Owner: AWS + Version: '1' + Provider: Manual + Configuration: + CustomData: "Check CFN stack changeset before approving." + # 5 stage - execution - cloudformation + - Name: Execution + Actions: + - Name: DeployChangeSet + RunOrder: 1 + ActionTypeId: + Category: Deploy + Owner: AWS + Provider: CloudFormation + Version: '1' + InputArtifacts: + - Name: SourceOutput + Configuration: + ActionMode: CHANGE_SET_EXECUTE + StackName: "codepipeline" + ChangeSetName: "codepipeline-changeset" + RoleArn: !GetAtt CFNDeployRole.Arn + OutputArtifacts: + - Name: DeployOutput + # 6 stage - test - CodeBuild + - Name: Test + Actions: + - Name: CheckStackStatus + RunOrder: 1 + ActionTypeId: + Category: Build + Owner: AWS + Provider: CodeBuild + Version: '1' + InputArtifacts: + - Name: SourceOutput + Configuration: + ProjectName: !Ref TestSource + OutputArtifacts: + - Name: TestOutput diff --git a/12-codepipeline/Practice-12.2/template1.yaml b/12-codepipeline/Practice-12.2/template1.yaml new file mode 100644 index 00000000..16d695f0 --- /dev/null +++ b/12-codepipeline/Practice-12.2/template1.yaml 
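Review bot: The Execution stage's DeployChangeSet action hard-codes `StackName: "codepipeline"` and `ChangeSetName: "codepipeline-changeset"`, while the Creation stage derives both from the StackName parameter; overriding that parameter would create the change set on one stack and attempt to execute a (possibly stale) change set on another. Use `StackName: !Ref StackName` and `ChangeSetName: !Sub "${StackName}-changeset"` there, and `Value: !Ref StackName` for the TestSource STACK_NAME variable, which carries the same hard-coded value. The manual approval is the only control between a change set built from the source branch and its execution under CFNDeployRole, which can create and attach IAM role policies on any resource, so the approver must actually inspect the IAM changes; setting `ExternalEntityLink` on the approval action to the change set makes that review practical.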
@@ -0,0 +1,33 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: github-codepipeline-app + +Resources: + ApplicationBucket: + Type: AWS::S3::Bucket + myDynamoDBTable: + Type: AWS::DynamoDB::Table + Properties: + TableName: "User" + KeySchema: + - AttributeName: "id" + KeyType: "HASH" + AttributeDefinitions: + - AttributeName: "id" + AttributeType: "S" + ProvisionedThroughput: + ReadCapacityUnits: 5 + WriteCapacityUnits: 5 + DynamoDBRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Action: + - sts:AssumeRole + ManagedPolicyArns: + - arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess \ No newline at end of file
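Review bot: DynamoDBRole attaches the managed `AmazonDynamoDBReadOnlyAccess` policy, which grants read access to every table in the account rather than the `User` table this template creates; an inline policy scoped to `!GetAtt myDynamoDBTable.Arn` keeps the role least-privilege. The role trusts lambda.amazonaws.com but no function is defined here, so presumably it is consumed outside this template — worth a comment on the resource saying which. The fixed `TableName: "User"` also means any change that requires table replacement will fail on the name collision; omitting TableName lets CloudFormation generate one.

```yaml
  DynamoDBRole:
    Type: AWS::IAM::Role
    Properties:
      # … unchanged: AssumeRolePolicyDocument …
      Policies:
        - PolicyName: user-table-read
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:BatchGetItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:DescribeTable
                Resource: !GetAtt myDynamoDBTable.Arn
```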