--- AWSTemplateFormatVersion: '2010-09-09' Description: CodePipeline for Deploying CloudFront and ACM Parameters: RepositoryBranch: Description: The name of the branch for the CodeCommit repo Type: String Default: main AllowedPattern: "[\\x20-\\x7E]*" ConstraintDescription: Can contain only ASCII characters. CodeCommitS3Bucket: Description: S3 bucket that holds zip of source code for CodeCommit Repo Type: String CodeCommitS3Key: Description: zipfile key located in CodeCommitS3Bucket Type: String Resources: ArtifactBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain UpdateReplacePolicy: Retain CodeBuildRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - codebuild.amazonaws.com Action: - sts:AssumeRole Path: "/" Policies: - PolicyName: codebuild-service PolicyDocument: Statement: - Action: - logs:* - cloudwatch:* - codebuild:* - s3:* Effect: Allow Resource: "*" Version: '2012-10-17' MySNSTopic: Type: AWS::SNS::Topic CodeCommitRepo: Type: AWS::CodeCommit::Repository Properties: RepositoryName: !Ref SiteBucket RepositoryDescription: CodeCommit Repository for TLS solution Code: S3: Bucket: !Ref CodeCommitS3Bucket Key: !Ref CodeCommitS3Key Triggers: - Name: MasterTrigger CustomData: Ref: AWS::StackName DestinationArn: Ref: MySNSTopic Events: - all CloudFormationTrustRole: Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: - cloudformation.amazonaws.com Path: "/" Policies: - PolicyDocument: Statement: - Action: - s3:PutObject - s3:GetObject - s3:GetObjectVersion Effect: Allow Resource: - Fn::Join: - '' - - 'arn:aws:s3:::' - Ref: ArtifactBucket - Fn::Join: - '' - - 'arn:aws:s3:::' - Ref: ArtifactBucket - "/*" - Action: - sns:CreateTopic - sns:DeleteTopic - sns:ListTopics - sns:GetTopicAttributes - sns:SetTopicAttributes - acm:* - cloudfront:* - s3:CreateBucket - s3:DeleteBucket - route53:* Effect: Allow Resource: "*" - Action: - iam:PassRole Effect: Allow Resource: "*" - Action: - cloudformation:CreateChangeSet Effect: Allow Resource: - arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31 PolicyName: CloudFormationRolePolicy Type: AWS::IAM::Role CodePipelineRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - codepipeline.amazonaws.com Action: - sts:AssumeRole Path: "/" Policies: - PolicyName: codepipeline-service PolicyDocument: Statement: - Action: - s3:GetObject - s3:GetObjectVersion - s3:GetBucketVersioning Resource: "*" Effect: Allow - Action: - s3:PutObject Resource: - arn:aws:s3:::codepipeline* Effect: Allow - Action: - s3:GetObject - s3:GetObjectVersion - s3:GetBucketVersioning - s3:PutObject - iam:PassRole Resource: "*" Effect: Allow - Action: - codecommit:* - codebuild:* - cloudformation:* Resource: "*" Effect: Allow Version: '2012-10-17' SiteBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain UpdateReplacePolicy: Retain Properties: AccessControl: PublicRead WebsiteConfiguration: IndexDocument: index.html CodeBuildDeploySite: Type: AWS::CodeBuild::Project Properties: Description: Deploy site to S3 ServiceRole: !GetAtt CodeBuildRole.Arn Artifacts: Type: CODEPIPELINE Environment: Type: "LINUX_CONTAINER" ComputeType: "BUILD_GENERAL1_SMALL" Image: "aws/codebuild/amazonlinux2-x86_64-standard:4.0" Source: Type: CODEPIPELINE BuildSpec: !Sub | version: 0.2 phases: post_build: commands: - aws s3 cp --recursive --acl public-read . s3://${SiteBucket}/ artifacts: type: zip files: - ./index.html TimeoutInMinutes: 10 PipelineBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain UpdateReplacePolicy: Retain Pipeline: Type: AWS::CodePipeline::Pipeline Properties: RoleArn: !GetAtt CodePipelineRole.Arn Stages: - Name: Source Actions: - InputArtifacts: [] Name: Source ActionTypeId: Category: Source Owner: AWS Version: '1' Provider: CodeCommit OutputArtifacts: - Name: SourceArtifacts Configuration: BranchName: Ref: RepositoryBranch RepositoryName: !Ref SiteBucket RunOrder: 1 - Name: Build Actions: - InputArtifacts: - Name: SourceArtifacts Name: DeployWebsite ActionTypeId: Category: Build Owner: AWS Version: '1' Provider: CodeBuild OutputArtifacts: - Name: WebsiteArtifacts Configuration: ProjectName: Ref: CodeBuildDeploySite RunOrder: 1 - Name: Deploy Actions: - InputArtifacts: - Name: SourceArtifacts Name: DeployACMTemplate ActionTypeId: Category: Deploy Owner: AWS Version: '1' Provider: CloudFormation OutputArtifacts: [] Configuration: ActionMode: CHANGE_SET_REPLACE ChangeSetName: acm-changeset RoleArn: Fn::GetAtt: - CloudFormationTrustRole - Arn Capabilities: CAPABILITY_IAM ParameterOverrides: !Sub | { "CertificateExportName": "${SiteBucket}" } StackName: !Sub ${AWS::StackName}-acm TemplatePath: SourceArtifacts::ceoa-4-acm.yml RunOrder: 1 - ActionTypeId: Category: Deploy Owner: AWS Provider: CloudFormation Version: '1' Configuration: ActionMode: CHANGE_SET_EXECUTE ChangeSetName: acm-changeset StackName: !Sub ${AWS::StackName}-acm InputArtifacts: [] Name: ExecuteChangeSetACM OutputArtifacts: [] RunOrder: 2 - InputArtifacts: - Name: SourceArtifacts Name: DeployCloudFront ActionTypeId: Category: Deploy Owner: AWS Version: '1' Provider: CloudFormation OutputArtifacts: [] Configuration: ActionMode: CHANGE_SET_REPLACE ChangeSetName: cloudfront-changeset RoleArn: Fn::GetAtt: - CloudFormationTrustRole - Arn Capabilities: CAPABILITY_IAM ParameterOverrides: !Sub | { "SiteBucketName": "${SiteBucket}.s3.amazonaws.com", "CertificateExportName": "${SiteBucket}" } StackName: !Sub ${AWS::StackName}-cloudfront TemplatePath: SourceArtifacts::ceoa-4-cloudfront.yml RunOrder: 3 - ActionTypeId: Category: Deploy Owner: AWS Provider: CloudFormation Version: '1' Configuration: ActionMode: CHANGE_SET_EXECUTE ChangeSetName: cloudfront-changeset StackName: !Sub ${AWS::StackName}-cloudfront InputArtifacts: [] Name: ExecuteChangeSetCloudFront OutputArtifacts: [] RunOrder: 4 ArtifactStore: Type: S3 Location: !Ref PipelineBucket Outputs: PipelineUrl: Value: !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline} Description: CodePipeline URL