--- AWSTemplateFormatVersion: '2010-09-09' Description: CodePipeline with CodeBuild workflow to run TaskCat test CloudFormation templates Parameters: GitHubUser: Type: String Description: GitHub User Default: "PaulDuvall" GitHubRepo: Type: String Description: GitHub Repo to pull from. Only the Name. not the URL Default: "aws-encryption-workshop" GitHubBranch: Type: String Description: GitHub Branch Default: "master" GitHubToken: NoEcho: true Type: String Default: '{{resolve:secretsmanager:github/personal-access-token:SecretString}}' Description: GitHub Token. Must be defined in AWS Secrets Manager and here https://github.com/settings/tokens Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "GitHub Configuration" Parameters: - GitHubToken - GitHubUser - GitHubRepo - GitHubBranch ParameterLabels: GitHubToken: default: GitHub OAuth2 Token GitHubUser: default: GitHub User/Org Name GitHubRepo: default: GitHub Repository Name GitHubBranch: default: GitHub Branch Name Resources: SiteBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain Properties: AccessControl: PublicRead WebsiteConfiguration: IndexDocument: index.html CodePipelineRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - codepipeline.amazonaws.com Action: - sts:AssumeRole Path: "/" Policies: - PolicyName: codepipeline-service PolicyDocument: Statement: - Action: - logs:* - lambda:* - cloudwatch:* - codebuild:* - s3:* Resource: "*" Effect: Allow - Action: - s3:PutObject Resource: - arn:aws:s3:::codepipeline* Effect: Allow - Action: - logs:* - lambda:* - cloudwatch:* - codebuild:* - s3:* - ec2:* - iam:PassRole Resource: "*" Effect: Allow Version: '2012-10-17' CodeBuildRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - codebuild.amazonaws.com Action: - sts:AssumeRole Path: "/" Policies: - PolicyName: codebuild-service PolicyDocument: Statement: - Action: - apigateway:* - cloudformation:* - cloudwatch:* - cloudtrail:* - codebuild:* - codecommit:* - codepipeline:* - config:* - dynamodb:* - ec2:* - iam:* - kms:* - lambda:* - logs:* - redshift:* - rds:* - secretsmanager:* - s3:* - sns:* - sqs:* Effect: Allow Resource: "*" Version: '2012-10-17' CodeBuildSetup: Type: AWS::CodeBuild::Project DependsOn: CodeBuildRole Properties: Description: Setup Test Files. For example uploading to S3 ServiceRole: !GetAtt CodeBuildRole.Arn Artifacts: Type: NO_ARTIFACTS Environment: Type: LINUX_CONTAINER ComputeType: BUILD_GENERAL1_SMALL Image: "aws/codebuild/amazonlinux2-x86_64-standard:4.0" EnvironmentVariables: - Name: PIPELINE_BUCKET Type: PLAINTEXT Value: Fn::Sub: ${PipelineBucket} Source: Type: GITHUB Location: !Sub https://github.com/${GitHubUser}/${GitHubRepo}.git BuildSpec: buildspec-setup.yml TimeoutInMinutes: 10 CodeBuildCleanup: Type: AWS::CodeBuild::Project DependsOn: CodeBuildRole Properties: Description: Setup Test Files. For example uploading to S3 ServiceRole: !GetAtt CodeBuildRole.Arn Artifacts: Type: NO_ARTIFACTS Environment: Type: LINUX_CONTAINER ComputeType: BUILD_GENERAL1_SMALL Image: "aws/codebuild/amazonlinux2-x86_64-standard:4.0" Source: Type: GITHUB Location: !Sub https://github.com/${GitHubUser}/${GitHubRepo}.git BuildSpec: buildspec-cleanup.yml TimeoutInMinutes: 10 CodeBuildTaskCatTest: Type: AWS::CodeBuild::Project DependsOn: CodeBuildRole Properties: Description: Run TaskCat ServiceRole: !GetAtt CodeBuildRole.Arn Artifacts: Type: CODEPIPELINE Environment: Type: LINUX_CONTAINER ComputeType: BUILD_GENERAL1_SMALL Image: "aws/codebuild/amazonlinux2-x86_64-standard:4.0" Source: Type: CODEPIPELINE TimeoutInMinutes: 60 CodeBuildDashboard: Type: AWS::CodeBuild::Project DependsOn: CodeBuildRole Properties: Description: Deploy site to S3 ServiceRole: !GetAtt CodeBuildRole.Arn Artifacts: Type: CODEPIPELINE Environment: Type: LINUX_CONTAINER ComputeType: BUILD_GENERAL1_SMALL Image: "aws/codebuild/amazonlinux2-x86_64-standard:4.0" Source: Type: CODEPIPELINE BuildSpec: !Sub | version: 0.2 phases: install: runtime-versions: python: 3.9 post_build: commands: - aws s3 cp --recursive --acl public-read ./taskcat_outputs s3://${SiteBucket}/ artifacts: type: zip files: - ./index.html TimeoutInMinutes: 10 PipelineBucket: Type: AWS::S3::Bucket DeletionPolicy: Delete Pipeline: Type: AWS::CodePipeline::Pipeline Properties: RoleArn: !GetAtt CodePipelineRole.Arn Stages: - Name: Source Actions: - InputArtifacts: [] Name: Source ActionTypeId: Category: Source Owner: ThirdParty Version: '1' Provider: GitHub OutputArtifacts: - Name: SourceArtifacts Configuration: Owner: !Ref GitHubUser Repo: !Ref GitHubRepo Branch: !Ref GitHubBranch OAuthToken: !Ref GitHubToken RunOrder: 1 - Name: Build Actions: - InputArtifacts: - Name: SourceArtifacts Name: Setup ActionTypeId: Category: Test Owner: AWS Version: '1' Provider: CodeBuild OutputArtifacts: - Name: SetupArtifacts Configuration: ProjectName: Ref: CodeBuildSetup RunOrder: 1 - InputArtifacts: - Name: SetupArtifacts Name: RunTaskCat ActionTypeId: Category: Test Owner: AWS Version: '1' Provider: CodeBuild OutputArtifacts: - Name: TaskCatArtifacts Configuration: ProjectName: Ref: CodeBuildTaskCatTest RunOrder: 10 - InputArtifacts: - Name: TaskCatArtifacts Name: TaskCatDashboard ActionTypeId: Category: Test Owner: AWS Version: '1' Provider: CodeBuild OutputArtifacts: [] Configuration: ProjectName: Ref: CodeBuildDashboard RunOrder: 20 - Name: Cleanup Actions: - InputArtifacts: - Name: SourceArtifacts Name: RemoveS3Buckets ActionTypeId: Category: Test Owner: AWS Version: '1' Provider: CodeBuild OutputArtifacts: [] Configuration: ProjectName: Ref: CodeBuildCleanup RunOrder: 1 ArtifactStore: Type: S3 Location: !Ref PipelineBucket Outputs: PipelineUrl: Value: !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline} Description: CodePipeline URL TaskCatDashboardUrl: Value: !Sub http://${SiteBucket}.s3-website-us-east-1.amazonaws.com Description: URL for TaskCat Dashboard (Available after the CodePipeline completes)