--- AWSTemplateFormatVersion: '2010-09-09' Description: Run cfn_nag as part of AWS CodeBuild in CodePipeline Parameters: EmailAddress: Description: Email Address for sending SNS notifications for CodeCommit Type: String Default: fake-email@fake-fake-fake-email.com RepositoryBranch: Description: The name of the branch for the CodeCommit repo Type: String Default: main AllowedPattern: "[\\x20-\\x7E]*" ConstraintDescription: Can contain only ASCII characters. CodeCommitS3Bucket: Description: S3 bucket that holds zip of source code for CodeCommit Repo Type: String AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" MaxLength: 63 CodeCommitS3Key: Description: zipfile key located in CodeCommitS3Bucket Type: String Resources: MySNSTopic: Type: AWS::SNS::Topic Properties: Subscription: - Endpoint: Ref: EmailAddress Protocol: email CodeCommitRepo: Type: AWS::CodeCommit::Repository Properties: RepositoryName: Ref: AWS::StackName RepositoryDescription: CodeCommit Repository for cfn_nag solution Code: S3: Bucket: Ref: CodeCommitS3Bucket Key: Ref: CodeCommitS3Key Triggers: - Name: MasterTrigger CustomData: Ref: AWS::StackName DestinationArn: Ref: MySNSTopic Events: - all CodeBuildRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Action: 'sts:AssumeRole' Principal: Service: codebuild.amazonaws.com Version: 2012-10-17 Policies: - PolicyName: CanLog PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - logs:CreateLogStream - logs:CreateLogGroup - logs:PutLogEvents Resource: - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${AWS::StackName}*:log-stream:*' - Effect: Allow Action: - s3:GetObject - s3:PutObject Resource: - !GetAtt PipelineBucket.Arn - !Sub '${PipelineBucket.Arn}/*' - PolicyName: CanAccessS3 PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - s3:GetObject Resource: - !GetAtt PipelineBucket.Arn CodePipelineRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: [codepipeline.amazonaws.com] Action: ['sts:AssumeRole'] Policies: - PolicyName: CanAccessCodeCommit PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - codecommit:GetBranch - codecommit:GetCommit - codecommit:UploadArchive - codecommit:GetUploadArchiveStatus Resource: '*' - PolicyName: CanAccessS3 PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: s3:ListBucket Resource: '*' - Effect: Allow Action: - s3:GetObject - s3:GetObjectVersion - s3:GetBucketVersioning - s3:PutObject - s3:GetBucketPolicy - s3:GetObjectAcl - s3:PutObjectAcl - s3:DeleteObject Resource: - !GetAtt PipelineBucket.Arn - !Sub '${PipelineBucket.Arn}/*' - Effect: Allow Action: - codebuild:BatchGetBuilds - codebuild:StartBuild Resource: - !GetAtt CodeBuildCfnNag.Arn CodeBuildCfnNag: Type: AWS::CodeBuild::Project Properties: Name: Ref: AWS::StackName Description: Build application ServiceRole: Fn::GetAtt: - CodeBuildRole - Arn Artifacts: Type: NO_ARTIFACTS Environment: Type: LINUX_CONTAINER ComputeType: BUILD_GENERAL1_SMALL Image: "aws/codebuild/amazonlinux2-x86_64-standard:4.0" Source: BuildSpec: buildspec.yml Location: !Sub https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${AWS::StackName}/ Type: CODECOMMIT TimeoutInMinutes: 10 Tags: - Key: Owner Value: MyCodeBuildProject PipelineBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain UpdateReplacePolicy: Retain Pipeline: Type: AWS::CodePipeline::Pipeline Properties: RoleArn: !GetAtt CodePipelineRole.Arn Stages: - Name: Source Actions: - InputArtifacts: [] Name: Source ActionTypeId: Category: Source Owner: AWS Version: '1' Provider: CodeCommit OutputArtifacts: - Name: MyApp Configuration: BranchName: Ref: RepositoryBranch RepositoryName: Ref: AWS::StackName RunOrder: 1 - Name: Build Actions: - InputArtifacts: - Name: MyApp Name: cfn_nag ActionTypeId: Category: Test Owner: AWS Version: '1' Provider: CodeBuild OutputArtifacts: [] Configuration: ProjectName: Ref: CodeBuildCfnNag RunOrder: 1 - Name: Deploy Actions: - Name: Deploy ActionTypeId: Category: Approval Owner: AWS Version: '1' Provider: Manual RunOrder: 2 ArtifactStore: Type: S3 Location: !Ref PipelineBucket Outputs: PipelineUrl: Value: !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline} Description: CodePipeline URL