---
AWSTemplateFormatVersion: '2010-09-09'
Description: CodePipeline for Deploying Multiple Managed Config Rules
Parameters:
  RepositoryBranch:
    Description: The name of the branch for the CodeCommit repo
    Type: String
    Default: main
    AllowedPattern: "[\\x20-\\x7E]*"
    ConstraintDescription: Can contain only ASCII characters.
  CodeCommitS3Bucket:
    Description: S3 bucket that holds zip of source code for CodeCommit Repo
    Type: String
  CodeCommitS3Key:
    Description: zipfile key located in CodeCommitS3Bucket
    Type: String
Resources:
  ArtifactBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete
  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: codebuild-service
          PolicyDocument:
            # Service-wide wildcards on Resource "*"; in production scope these
            # down to the project's log group and the artifact bucket.
            Statement:
              - Action:
                  - logs:*
                  - cloudwatch:*
                  - codebuild:*
                  - s3:*
                Effect: Allow
                Resource: "*"
            Version: '2012-10-17'
  CodeBuildConfigRules:
    Type: AWS::CodeBuild::Project
    DependsOn: CodeBuildRole
    Properties:
      Name:
        Fn::Join:
          - ''
          - - Run
            - "CodePipeline"
            - Ref: AWS::StackName
      Description: Build application
      ServiceRole:
        Fn::GetAtt:
          - CodeBuildRole
          - Arn
      Artifacts:
        Type: no_artifacts
      Environment:
        EnvironmentVariables:
          - Name: S3_BUCKET
            Value:
              Ref: ArtifactBucket
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/eb-nodejs-4.4.6-amazonlinux-64:2.1.3
      Source:
        BuildSpec: buildspec.yml
        # The CodeCommit repo below is named after the stack, so the clone URL
        # can be assembled from the region and stack name.
        Location:
          Fn::Join:
            - ''
            - - https://git-codecommit.
              - Ref: AWS::Region
              - ".amazonaws.com/v1/repos/"
              - Ref: AWS::StackName
        Type: CODECOMMIT
      TimeoutInMinutes: 10
      Tags:
        - Key: Owner
          Value: MyCodeBuildProject
  MySNSTopic:
    Type: AWS::SNS::Topic
  CodeCommitRepo:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName:
        Ref: AWS::StackName
      RepositoryDescription: CodeCommit Repository for Config Rule solution
      Code:
        S3:
          Bucket: !Ref CodeCommitS3Bucket
          Key: !Ref CodeCommitS3Key
      Triggers:
        - Name: MasterTrigger
          CustomData:
            Ref: AWS::StackName
          DestinationArn:
            Ref: MySNSTopic
          Events:
            - all
  CloudFormationTrustRole:
    DependsOn:
      - ArtifactBucket
    Description: Creating service role in IAM for AWS CloudFormation
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
      Path: "/"
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                Effect: Allow
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:aws:s3:::'
                        - Ref: ArtifactBucket
                  - Fn::Join:
                      - ''
                      - - 'arn:aws:s3:::'
                        - Ref: ArtifactBucket
                        - "/*"
              - Action:
                  - sns:CreateTopic
                  - sns:DeleteTopic
                  - sns:ListTopics
                  - sns:GetTopicAttributes
                  - sns:SetTopicAttributes
                  - s3:CreateBucket
                  - s3:DeleteBucket
                  - events:*
                  - config:*
                Effect: Allow
                Resource: "*"
              # iam:PassRole on "*" lets this role hand any role in the account
              # to the stacks it deploys; restrict Resource to the role ARNs the
              # Config rule templates actually need.
              - Action:
                  - iam:PassRole
                Effect: Allow
                Resource: "*"
              - Action:
                  - cloudformation:CreateChangeSet
                  - config:*
                Effect: Allow
                Resource:
                  - arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31
          PolicyName: CloudFormationRolePolicy
      RoleName:
        Fn::Join:
          - "-"
          - - stelligent
            - Ref: AWS::StackName
            - CloudFormation
    Type: AWS::IAM::Role
  CodePipelineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: codepipeline-service
          PolicyDocument:
            Statement:
              - Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
                Resource: "*"
                Effect: Allow
              - Action:
                  - s3:PutObject
                Resource:
                  - arn:aws:s3:::codepipeline*
                Effect: Allow
              - Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
                  - s3:PutObject
                  - iam:PassRole
                Resource: "*"
                Effect: Allow
              - Action:
                  - codecommit:*
                  - codebuild:*
                  - cloudformation:*
                Resource: "*"
                Effect: Allow
            Version: '2012-10-17'
  PipelineBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    # The Source action looks the repository up by name, so it must exist first.
    DependsOn: CodeCommitRepo
    Properties:
      RoleArn: !GetAtt CodePipelineRole.Arn
      Stages:
        - Name: Source
          Actions:
            - InputArtifacts: []
              Name: Source
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: '1'
                Provider: CodeCommit
              OutputArtifacts:
                - Name: MyApp
              Configuration:
                BranchName:
                  Ref: RepositoryBranch
                RepositoryName:
                  Ref: AWS::StackName
              RunOrder: 1
        - Name: Build
          Actions:
            - InputArtifacts:
                - Name: MyApp
              Name: StoreConfigRules
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              OutputArtifacts:
                - Name: ConfigRuleTemplateArtifacts
              Configuration:
                ProjectName:
                  Ref: CodeBuildConfigRules
              RunOrder: 1
        - Name: Deploy
          Actions:
            # Create the change set from the Config rule template emitted by the
            # build, then execute it in a second action.
            - InputArtifacts:
                - Name: ConfigRuleTemplateArtifacts
              Name: DeployCloudTrailEncryptionTemplate
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: '1'
                Provider: CloudFormation
              OutputArtifacts: []
              Configuration:
                ActionMode: CHANGE_SET_REPLACE
                ChangeSetName: pipeline-changeset
                RoleArn:
                  Fn::GetAtt:
                    - CloudFormationTrustRole
                    - Arn
                Capabilities: CAPABILITY_IAM
                StackName:
                  Fn::Join:
                    - ''
                    - - ""
                      - Ref: AWS::StackName
                      - "-"
                      - Ref: AWS::Region
                      - ""
                TemplatePath: ConfigRuleTemplateArtifacts::CLOUD_TRAIL_ENCRYPTION_ENABLED.template
              RunOrder: 1
            - ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CloudFormation
                Version: '1'
              Configuration:
                ActionMode: CHANGE_SET_EXECUTE
                ChangeSetName: pipeline-changeset
                StackName:
                  Fn::Join:
                    - ''
                    - - ""
                      - Ref: AWS::StackName
                      - "-"
                      - Ref: AWS::Region
                      - ""
              InputArtifacts: []
              Name: ExecuteChangeSetCloudTrailEncryption
              OutputArtifacts: []
              RunOrder: 2
      ArtifactStore:
        Type: S3
        Location: !Ref PipelineBucket
Outputs:
  PipelineUrl:
    Value: !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline}
    Description: CodePipeline URL
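Added here as a review aid and not part of the original template: a small Python scan that walks a parsed CloudFormation template and flags Allow statements in inline role policies that use service-wide `*` actions or grant `iam:PassRole` on every resource, the pattern seen in the roles above. `find_wildcard_statements` is my own name, and `SAMPLE_TEMPLATE` is a constructed subset of the template rather than the full document.

```python
from typing import Any

def _as_list(value: Any) -> list:
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def find_wildcard_statements(template: dict) -> list[dict]:
    """Return Allow statements in AWS::IAM::Role inline policies that use
    service-wide wildcard actions or grant iam:PassRole on every resource."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in res.get("Properties", {}).get("Policies", []):
            for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = _as_list(stmt.get("Action", []))
                resources = _as_list(stmt.get("Resource", []))
                # Resources built with Fn::Join/Ref arrive as dicts; only the
                # literal "*" is the unscoped form flagged here.
                any_resource = "*" in resources
                star_actions = [a for a in actions
                                if isinstance(a, str) and (a == "*" or a.endswith(":*"))]
                passrole_any = "iam:PassRole" in actions and any_resource
                if star_actions or passrole_any:
                    findings.append({"role": name, "policy": policy.get("PolicyName"),
                                     "wildcard_actions": star_actions,
                                     "passrole_on_any": passrole_any})
    return findings

# Constructed sample: two of the roles from the template above, trimmed to the
# statements that matter. A real run would pass the output of a YAML loader that
# understands the !Ref/!GetAtt/!Sub short-form tags.
SAMPLE_TEMPLATE = {
    "Resources": {
        "CodeBuildRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
            {"PolicyName": "codebuild-service", "PolicyDocument": {"Statement": [
                {"Action": ["logs:*", "cloudwatch:*", "codebuild:*", "s3:*"],
                 "Effect": "Allow", "Resource": "*"}]}}]}},
        "CloudFormationTrustRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
            {"PolicyName": "CloudFormationRolePolicy", "PolicyDocument": {"Statement": [
                {"Action": ["s3:PutObject", "s3:GetObject"], "Effect": "Allow",
                 "Resource": [{"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "ArtifactBucket"}]]}]},
                {"Action": ["sns:CreateTopic", "events:*", "config:*"], "Effect": "Allow",
                 "Resource": "*"},
                {"Action": ["iam:PassRole"], "Effect": "Allow", "Resource": "*"}]}}]}},
    }
}
```

Each finding names the role and policy so it can be mapped back to the statement to scope down; the bucket-scoped S3 statement is correctly left alone.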