├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── data.tf ├── examples └── terraform.tfvars ├── locals.tf ├── main.tf ├── modules ├── codebuild │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── codecommit │ ├── README.md │ ├── data.tf │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── codepipeline │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── iam-role │ ├── README.md │ ├── data.tf │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── kms │ ├── README.md │ ├── data.tf │ ├── main.tf │ ├── outputs.tf │ └── variables.tf └── s3 │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── provider.tf │ └── variables.tf ├── outputs.tf ├── templates ├── buildspec_apply.yml ├── buildspec_destroy.yml ├── buildspec_plan.yml ├── buildspec_validate.yml └── scripts │ └── tf_ssp_validation.sh └── variables.tf /.gitignore: -------------------------------------------------------------------------------- 1 | /.terraform/ 2 | /.idea/ 3 | /.terraform.lock.hcl 4 | /terraform.tfstate 5 | /terraform.tfstate.backup 6 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. 
Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 
38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS CodePipeline CI/CD example 2 | Terraform is an infrastructure-as-code (IaC) tool that helps you create, update, and version your infrastructure in a secure and repeatable manner. 3 | 4 | The scope of this pattern is to provide a guide and ready to use terraform configurations to setup validation pipelines with end-to-end tests based on AWS CodePipeline, AWS CodeBuild, AWS CodeCommit and Terraform. 5 | 6 | The created pipeline uses the best practices for infrastructure validation and has the below stages 7 | 8 | - validate - This stage focuses on terraform IaC validation tools and commands such as terraform validate, terraform format, tfsec, tflint and checkov 9 | - plan - This stage creates an execution plan, which lets you preview the changes that Terraform plans to make to your infrastructure. 
10 | - apply - This stage uses the plan created above to provision the infrastructure in the test account. 11 | - destroy - This stage destroys the infrastructure created in the above stage. 12 | Running these four stages ensures the integrity of the terraform configurations. 13 | 14 | ## Directory Structure 15 | ```shell 16 | |-- CODE_OF_CONDUCT.md 17 | |-- CONTRIBUTING.md 18 | |-- LICENSE 19 | |-- README.md 20 | |-- data.tf 21 | |-- examples 22 | | `-- terraform.tfvars 23 | |-- locals.tf 24 | |-- main.tf 25 | |-- modules 26 | | |-- codebuild 27 | | | |-- README.md 28 | | | |-- main.tf 29 | | | |-- outputs.tf 30 | | | `-- variables.tf 31 | | |-- codecommit 32 | | | |-- README.md 33 | | | |-- data.tf 34 | | | |-- main.tf 35 | | | |-- outputs.tf 36 | | | `-- variables.tf 37 | | |-- codepipeline 38 | | | |-- README.md 39 | | | |-- main.tf 40 | | | |-- outputs.tf 41 | | | `-- variables.tf 42 | | |-- iam-role 43 | | | |-- README.md 44 | | | |-- data.tf 45 | | | |-- main.tf 46 | | | |-- outputs.tf 47 | | | `-- variables.tf 48 | | |-- kms 49 | | | |-- README.md 50 | | | |-- main.tf 51 | | | |-- outputs.tf 52 | | | `-- variables.tf 53 | | `-- s3 54 | | |-- README.md 55 | | |-- main.tf 56 | | |-- outputs.tf 57 | | `-- variables.tf 58 | |-- templates 59 | | |-- buildspec_apply.yml 60 | | |-- buildspec_destroy.yml 61 | | |-- buildspec_plan.yml 62 | | |-- buildspec_validate.yml 63 | | `-- scripts 64 | | `-- tf_ssp_validation.sh 65 | `-- variables.tf 66 | 67 | ``` 68 | ## Installation 69 | 70 | #### Step 1: Clone this repository. 71 | 72 | ```shell 73 | git@github.com:aws-samples/aws-codepipeline-terraform-cicd-samples.git 74 | ``` 75 | Note: If you don't have git installed, [install git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git). 76 | 77 | 78 | #### Step 2: Update the variables in `examples/terraform.tfvars` based on your requirement. 
Make sure you are updating the variables project_name, environment, source_repo_name, source_repo_branch, create_new_repo, stage_input and build_projects. 79 | 80 | - If you are planning to use an existing terraform CodeCommit repository, then update the variable create_new_repo as **false** and provide the name of your existing repo under the variable source_repo_name 81 | - If you are planning to create a new terraform CodeCommit repository, then update the variable create_new_repo as **true** and provide the name of your new repo under the variable source_repo_name 82 | 83 | #### Step 3: Update remote backend configuration as required 84 | 85 | #### Step 4: Configure the AWS Command Line Interface (AWS CLI) where this IaC is being executed. For more information, see [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html). 86 | 87 | #### Step 5: Initialize the directory. Run terraform init 88 | 89 | #### Step 6: Start a Terraform run using the command terraform apply 90 | 91 | Note: Sample terraform.tfvars are available in the examples directory. You may use the below command if you need to provide this sample tfvars as an input to the apply command. 92 | ```shell 93 | terraform apply -var-file=./examples/terraform.tfvars 94 | ``` 95 | 96 | ## Pre-Requisites 97 | 98 | #### Step 1: You would get source_repo_clone_url_http as an output of the installation step. Clone the repository to your local machine. 99 | 100 | git clone 101 | 102 | #### Step 2: Clone this repository. 103 | 104 | ```shell 105 | git@github.com:aws-samples/aws-eks-accelerator-for-terraform.git 106 | ``` 107 | Note: If you don't have git installed, [install git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git). 108 | 109 | #### Step 3: Copy the templates folder to the AWS CodeCommit source code repository which contains the terraform code to be deployed. 
110 | ```shell 111 | cd examples/ci-cd/aws-codepipeline 112 | cp -r templates $YOUR_CODECOMMIT_REPO_ROOT 113 | ``` 114 | 115 | 116 | #### Step 4: Update the variables in the template files with appropriate values and push the changes. 117 | 118 | #### Step 5: Trigger the pipeline created in the Installation step. 119 | 120 | **Note1**: The IAM Role used by the newly created pipeline is very restrictive and follows the Principle of least privilege. Please update the IAM policy with the permissions your Terraform code requires. 121 | Alternatively, use the _**create_new_role = false**_ option to use an existing IAM role and specify the role name using the variable _**codepipeline_iam_role_name**_ 122 | 123 | **Note2**: If the **create_new_repo** flag is set to **true**, a new blank repository will be created with the name assigned to the variable **_source_repo_name_**. Since this repository will not contain the templates folder specified in Step 3 nor any code files, the initial run of the pipeline will be marked as failed in the _Download-Source_ stage itself. 124 | 125 | **Note3**: If the **create_new_repo** flag is set to **false** to use an existing repository, ensure the pre-requisite steps specified in step 3 have been done on the target repository. 
126 | 127 | 128 | ## Requirements 129 | 130 | | Name | Version | 131 | |------|-----------| 132 | | [terraform](#requirement\_terraform) | \>= 1.0.0 | 133 | 134 | 135 | ## Providers 136 | 137 | | Name | Version | 138 | |------|------------| 139 | | [aws](#provider\_aws) | \>= 4.20.1 | 140 | 141 | ## Modules 142 | 143 | | Name | Source | Version | 144 | |------|--------|---------| 145 | | [codebuild\_terraform](#module\_codebuild\_terraform) | ./modules/codebuild | n/a | 146 | | [codecommit\_infrastructure\_source\_repo](#module\_codecommit\_infrastructure\_source\_repo) | ./modules/codecommit | n/a | 147 | | [codepipeline\_iam\_role](#module\_codepipeline\_iam\_role) | ./modules/iam-role | n/a | 148 | | [codepipeline\_kms](#module\_codepipeline\_kms) | ./modules/kms | n/a | 149 | | [codepipeline\_terraform](#module\_codepipeline\_terraform) | ./modules/codepipeline | n/a | 150 | | [s3\_artifacts\_bucket](#module\_s3\_artifacts\_bucket) | ./modules/s3 | n/a | 151 | 152 | ## Resources 153 | 154 | | Name | Type | 155 | |------|------| 156 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 157 | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | 158 | 159 | ## Inputs 160 | 161 | | Name | Description | Type | Default | Required | 162 | |------|-------------|------|---------|:--------:| 163 | | [build\_project\_source](#input\_build\_project\_source) | aws/codebuild/standard:4.0 | `string` | `"CODEPIPELINE"` | no | 164 | | [build\_projects](#input\_build\_projects) | Tags to be attached to the CodePipeline | `list(string)` | n/a | yes | 165 | | [builder\_compute\_type](#input\_builder\_compute\_type) | Relative path to the Apply and Destroy build spec file | `string` | `"BUILD_GENERAL1_SMALL"` | no | 166 | | [builder\_image](#input\_builder\_image) | Docker Image to be used by codebuild | `string` | 
`"aws/codebuild/amazonlinux2-x86_64-standard:3.0"` | no | 167 | | [builder\_image\_pull\_credentials\_type](#input\_builder\_image\_pull\_credentials\_type) | Image pull credentials type used by codebuild project | `string` | `"CODEBUILD"` | no | 168 | | [builder\_type](#input\_builder\_type) | Type of codebuild run environment | `string` | `"LINUX_CONTAINER"` | no | 169 | | [codepipeline\_iam\_role\_name](#input\_codepipeline\_iam\_role\_name) | Name of the IAM role to be used by the Codepipeline | `string` | `"codepipeline-role"` | no | 170 | | [create\_new\_repo](#input\_create\_new\_repo) | Whether to create a new repository. Values are true or false. Defaulted to true always. | `bool` | `true` | no | 171 | | [create\_new\_role](#input\_create\_new\_role) | Whether to create a new IAM Role. Values are true or false. Defaulted to true always. | `bool` | `true` | no | 172 | | [environment](#input\_environment) | Environment in which the script is run. Eg: dev, prod, etc | `string` | n/a | yes | 173 | | [project\_name](#input\_project\_name) | Unique name for this project | `string` | n/a | yes | 174 | | [repo\_approvers\_arn](#input\_repo\_approvers\_arn) | ARN or ARN pattern for the IAM User/Role/Group that can be used for approving Pull Requests | `string` | n/a | yes | 175 | | [source\_repo\_branch](#input\_source\_repo\_branch) | Default branch in the Source repo for which CodePipeline needs to be configured | `string` | n/a | yes | 176 | | [source\_repo\_name](#input\_source\_repo\_name) | Source repo name of the CodeCommit repository | `string` | n/a | yes | 177 | | [stage\_input](#input\_stage\_input) | Tags to be attached to the CodePipeline | `list(map(any))` | n/a | yes | 178 | 179 | ## Outputs 180 | 181 | | Name | Description | 182 | |------|-------------| 183 | | [codebuild\_arn](#output\_codebuild\_arn) | The ARN of the Codebuild Project | 184 | | [codebuild\_name](#output\_codebuild\_name) | The Name of the Codebuild Project | 185 | | 
[codecommit\_arn](#output\_codecommit\_arn) | The ARN of the Codecommit repository | 186 | | [codecommit\_name](#output\_codecommit\_name) | The name of the Codecommit repository | 187 | | [codecommit\_url](#output\_codecommit\_url) | The Clone URL of the Codecommit repository | 188 | | [codepipeline\_arn](#output\_codepipeline\_arn) | The ARN of the CodePipeline | 189 | | [codepipeline\_name](#output\_codepipeline\_name) | The Name of the CodePipeline | 190 | | [iam\_arn](#output\_iam\_arn) | The ARN of the IAM Role used by the CodePipeline | 191 | | [kms\_arn](#output\_kms\_arn) | The ARN of the KMS key used in the codepipeline | 192 | | [s3\_arn](#output\_s3\_arn) | The ARN of the S3 Bucket | 193 | | [s3\_bucket\_name](#output\_s3\_bucket\_name) | The Name of the S3 Bucket | 194 | 195 | 196 | ## Security 197 | 198 | See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. 199 | 200 | ## License 201 | 202 | This library is licensed under the MIT-0 License. See the LICENSE file. 203 | 204 | -------------------------------------------------------------------------------- /data.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 
6 | 7 | data "aws_caller_identity" "current" {} 8 | data "aws_region" "current" {} -------------------------------------------------------------------------------- /examples/terraform.tfvars: -------------------------------------------------------------------------------- 1 | project_name = "tf-validate-project" 2 | environment = "dev" 3 | source_repo_name = "terraform-sample-repo" 4 | source_repo_branch = "main" 5 | create_new_repo = false 6 | repo_approvers_arn = "arn:aws:sts::123456789012:assumed-role/CodeCommitReview/*" #Update ARN (IAM Role/User/Group) of Approval Members 7 | create_new_role = true 8 | #codepipeline_iam_role_name = - Use this to specify the role name to be used by codepipeline if the create_new_role flag is set to false. 9 | stage_input = [ 10 | { name = "validate", category = "Test", owner = "AWS", provider = "CodeBuild", input_artifacts = "SourceOutput", output_artifacts = "ValidateOutput" }, 11 | { name = "plan", category = "Test", owner = "AWS", provider = "CodeBuild", input_artifacts = "ValidateOutput", output_artifacts = "PlanOutput" }, 12 | { name = "apply", category = "Build", owner = "AWS", provider = "CodeBuild", input_artifacts = "PlanOutput", output_artifacts = "ApplyOutput" }, 13 | { name = "destroy", category = "Build", owner = "AWS", provider = "CodeBuild", input_artifacts = "ApplyOutput", output_artifacts = "DestroyOutput" } 14 | ] 15 | build_projects = ["validate", "plan", "apply", "destroy"] 16 | -------------------------------------------------------------------------------- /locals.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 
3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | locals { 8 | account_id = data.aws_caller_identity.current.account_id 9 | region = data.aws_region.current.name 10 | } -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 
# Root module: wires together the KMS key, artifact bucket, pipeline IAM role,
# CodeCommit source repository, CodeBuild projects and the CodePipeline itself.
# Version constraints below match the "Requirements"/"Providers" tables in README.md.
terraform {
  required_version = ">= 1.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.20.1"
    }
  }

}

#Module for creating a new S3 bucket for storing pipeline artifacts
# Receives the pipeline KMS key ARN and the pipeline role ARN; what the module does
# with them (presumably bucket encryption and bucket policy) is defined in ./modules/s3.
module "s3_artifacts_bucket" {
  source                = "./modules/s3"
  project_name          = var.project_name
  kms_key_arn           = module.codepipeline_kms.arn
  codepipeline_role_arn = module.codepipeline_iam_role.role_arn
  tags = {
    Project_Name = var.project_name
    Environment  = var.environment
    Account_ID   = local.account_id
    Region       = local.region
  }
}

# Resources

# Module for Infrastructure Source code repository
# create_new_repo selects between creating a repository and looking up an existing
# one by source_repository_name; repo_approvers_arn feeds the PR approval rule.
module "codecommit_infrastructure_source_repo" {
  source = "./modules/codecommit"

  create_new_repo          = var.create_new_repo
  source_repository_name   = var.source_repo_name
  source_repository_branch = var.source_repo_branch
  repo_approvers_arn       = var.repo_approvers_arn
  kms_key_arn              = module.codepipeline_kms.arn
  tags = {
    Project_Name = var.project_name
    Environment  = var.environment
    Account_ID   = local.account_id
    Region       = local.region
  }

}

# Module for Infrastructure Validation - CodeBuild
# One CodeBuild project is created per entry of var.build_projects; all of them
# run under the pipeline IAM role (role_arn) and encrypt with the pipeline KMS key.
# depends_on forces the source repository to exist before the projects are created.
module "codebuild_terraform" {
  depends_on = [
    module.codecommit_infrastructure_source_repo
  ]
  source = "./modules/codebuild"

  project_name                        = var.project_name
  role_arn                            = module.codepipeline_iam_role.role_arn
  s3_bucket_name                      = module.s3_artifacts_bucket.bucket
  build_projects                      = var.build_projects
  build_project_source                = var.build_project_source
  builder_compute_type                = var.builder_compute_type
  builder_image                       = var.builder_image
  builder_image_pull_credentials_type = var.builder_image_pull_credentials_type
  builder_type                        = var.builder_type
  kms_key_arn                         = module.codepipeline_kms.arn
  tags = {
    Project_Name = var.project_name
    Environment  = var.environment
    Account_ID   = local.account_id
    Region       = local.region
  }
}

# Customer-managed KMS key shared by the artifact bucket, repository, CodeBuild
# projects and pipeline. The pipeline role ARN is passed in, presumably for the
# key policy (see ./modules/kms).
# NOTE(review): s3_artifacts_bucket, codepipeline_kms and codepipeline_iam_role
# reference each other's outputs. Terraform tracks dependencies per resource, so
# this only works while none of the underlying resources form a cycle — the module
# sources are not visible here, so verify when changing any of the three.
module "codepipeline_kms" {
  source                = "./modules/kms"
  codepipeline_role_arn = module.codepipeline_iam_role.role_arn
  tags = {
    Project_Name = var.project_name
    Environment  = var.environment
    Account_ID   = local.account_id
    Region       = local.region
  }

}

# IAM role used by CodePipeline and CodeBuild.
# When create_new_role is true the role name is derived from project_name and
# var.codepipeline_iam_role_name is ignored; when false, the caller-supplied name
# is used to reference an existing role (README "Note1").
module "codepipeline_iam_role" {
  source                     = "./modules/iam-role"
  project_name               = var.project_name
  create_new_role            = var.create_new_role
  codepipeline_iam_role_name = var.create_new_role == true ? "${var.project_name}-codepipeline-role" : var.codepipeline_iam_role_name
  source_repository_name     = var.source_repo_name
  kms_key_arn                = module.codepipeline_kms.arn
  s3_bucket_arn              = module.s3_artifacts_bucket.arn
  tags = {
    Project_Name = var.project_name
    Environment  = var.environment
    Account_ID   = local.account_id
    Region       = local.region
  }
}
# Module for Infrastructure Validate, Plan, Apply and Destroy - CodePipeline
# Stage definitions come straight from var.stage_input (see examples/terraform.tfvars);
# depends_on makes sure the CodeBuild projects and the artifact bucket exist first.
module "codepipeline_terraform" {
  depends_on = [
    module.codebuild_terraform,
    module.s3_artifacts_bucket
  ]
  source = "./modules/codepipeline"

  project_name          = var.project_name
  source_repo_name      = var.source_repo_name
  source_repo_branch    = var.source_repo_branch
  s3_bucket_name        = module.s3_artifacts_bucket.bucket
  codepipeline_role_arn = module.codepipeline_iam_role.role_arn
  stages                = var.stage_input
  kms_key_arn           = module.codepipeline_kms.arn
  tags = {
    Project_Name = var.project_name
    Environment  = var.environment
    Account_ID   = local.account_id
    Region       = local.region
  }
}
-------------------------------------------------------------------------------- /modules/codebuild/README.md: --------------------------------------------------------------------------------
## Requirements 3 | 4 | No requirements. 5 | 6 | ## Providers 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [aws](#provider\_aws) | n/a | 11 | 12 | ## Modules 13 | 14 | No modules. 15 | 16 | ## Resources 17 | 18 | | Name | Type | 19 | |------|------| 20 | | [aws_codebuild_project.terraform_codebuild_project](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | 21 | 22 | ## Inputs 23 | 24 | | Name | Description | Type | Default | Required | 25 | |------|-------------|------|---------|:--------:| 26 | | [build\_project\_source](#input\_build\_project\_source) | Information about the build output artifact location | `string` | n/a | yes | 27 | | [build\_projects](#input\_build\_projects) | List of Names of the CodeBuild projects to be created | `list(string)` | n/a | yes | 28 | | [builder\_compute\_type](#input\_builder\_compute\_type) | Information about the compute resources the build project will use | `string` | n/a | yes | 29 | | [builder\_image](#input\_builder\_image) | Docker image to use for the build project | `string` | n/a | yes | 30 | | [builder\_image\_pull\_credentials\_type](#input\_builder\_image\_pull\_credentials\_type) | Type of credentials AWS CodeBuild uses to pull images in your build. | `string` | n/a | yes | 31 | | [builder\_type](#input\_builder\_type) | Type of build environment to use for related builds | `string` | n/a | yes | 32 | | [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of KMS key for encryption | `string` | n/a | yes | 33 | | [project\_name](#input\_project\_name) | Unique name for this project | `string` | n/a | yes | 34 | | [role\_arn](#input\_role\_arn) | Codepipeline IAM role arn. 
| `string` | `""` | no | 35 | | [s3\_bucket\_name](#input\_s3\_bucket\_name) | Name of the S3 bucket used to store the deployment artifacts | `string` | n/a | yes | 36 | | [tags](#input\_tags) | Tags to be applied to the codebuild project | `map(any)` | n/a | yes | 37 | 38 | ## Outputs 39 | 40 | | Name | Description | 41 | |------|-------------| 42 | | [arn](#output\_arn) | List of ARNs of the CodeBuild projects | 43 | | [id](#output\_id) | List of IDs of the CodeBuild projects | 44 | | [name](#output\_name) | List of Names of the CodeBuild projects | 45 | -------------------------------------------------------------------------------- /modules/codebuild/main.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 
# One CodeBuild project per entry of var.build_projects (validate/plan/apply/destroy
# in examples/terraform.tfvars). Each project is named "<project_name>-<stage>" and
# reads its buildspec from the relative path ./templates/buildspec_<stage>.yml.
resource "aws_codebuild_project" "terraform_codebuild_project" {

  count = length(var.build_projects)

  name = "${var.project_name}-${var.build_projects[count.index]}"
  # IAM role assumed by the build. var.role_arn defaults to "" in variables.tf,
  # so the root module must supply it.
  service_role = var.role_arn
  # Customer-managed KMS key used for the project's build output encryption.
  encryption_key = var.kms_key_arn
  tags           = var.tags
  artifacts {
    type = var.build_project_source
  }
  environment {
    compute_type = var.builder_compute_type
    image        = var.builder_image
    type         = var.builder_type
    # NOTE(review): privileged mode gives the build container elevated privileges
    # and is only needed when the build itself builds or runs Docker images. The
    # buildspecs in ./templates are not visible here — confirm they need it;
    # otherwise set this to false to keep the build container least-privileged.
    privileged_mode             = true
    image_pull_credentials_type = var.builder_image_pull_credentials_type
  }
  # Build logs go to CloudWatch Logs (default group/stream — none configured here).
  logs_config {
    cloudwatch_logs {
      status = "ENABLED"
    }
  }
  source {
    type      = var.build_project_source
    buildspec = "./templates/buildspec_${var.build_projects[count.index]}.yml"
  }
}
-------------------------------------------------------------------------------- /modules/codebuild/outputs.tf: --------------------------------------------------------------------------------
#This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment.
#© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
#This AWS Content is provided subject to the terms of the AWS Customer Agreement available at
#http://aws.amazon.com/agreement or other written agreement between Customer and either
#Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both.
6 | 7 | output "id" { 8 | value = aws_codebuild_project.terraform_codebuild_project[*].id 9 | description = "List of IDs of the CodeBuild projects" 10 | } 11 | 12 | output "name" { 13 | value = aws_codebuild_project.terraform_codebuild_project[*].name 14 | description = "List of Names of the CodeBuild projects" 15 | } 16 | 17 | output "arn" { 18 | value = aws_codebuild_project.terraform_codebuild_project[*].arn 19 | description = "List of ARNs of the CodeBuild projects" 20 | } 21 | 22 | -------------------------------------------------------------------------------- /modules/codebuild/variables.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | variable "project_name" { 8 | description = "Unique name for this project" 9 | type = string 10 | } 11 | 12 | variable "role_arn" { 13 | description = "Codepipeline IAM role arn. 
" 14 | type = string 15 | default = "" 16 | } 17 | 18 | variable "s3_bucket_name" { 19 | description = "Name of the S3 bucket used to store the deployment artifacts" 20 | type = string 21 | } 22 | 23 | variable "tags" { 24 | description = "Tags to be applied to the codebuild project" 25 | type = map(any) 26 | } 27 | 28 | variable "build_projects" { 29 | description = "List of Names of the CodeBuild projects to be created" 30 | type = list(string) 31 | } 32 | 33 | variable "builder_compute_type" { 34 | description = "Information about the compute resources the build project will use" 35 | type = string 36 | } 37 | 38 | variable "builder_image" { 39 | description = "Docker image to use for the build project" 40 | type = string 41 | } 42 | 43 | variable "builder_type" { 44 | description = "Type of build environment to use for related builds" 45 | type = string 46 | } 47 | 48 | variable "builder_image_pull_credentials_type" { 49 | description = "Type of credentials AWS CodeBuild uses to pull images in your build." 50 | type = string 51 | } 52 | 53 | variable "build_project_source" { 54 | description = "Information about the build output artifact location" 55 | type = string 56 | } 57 | 58 | variable "kms_key_arn" { 59 | description = "ARN of KMS key for encryption" 60 | type = string 61 | } -------------------------------------------------------------------------------- /modules/codecommit/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Requirements 3 | 4 | No requirements. 5 | 6 | ## Providers 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [aws](#provider\_aws) | n/a | 11 | 12 | ## Modules 13 | 14 | No modules. 
15 | 16 | ## Resources 17 | 18 | | Name | Type | 19 | |------|------| 20 | | [aws_codecommit_approval_rule_template.source_repository_approval](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_approval_rule_template) | resource | 21 | | [aws_codecommit_approval_rule_template_association.source_repository_approval_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_approval_rule_template_association) | resource | 22 | | [aws_codecommit_repository.source_repository](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_repository) | resource | 23 | | [aws_codecommit_repository.existing_repository](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/codecommit_repository) | data source | 24 | 25 | ## Inputs 26 | 27 | | Name | Description | Type | Default | Required | 28 | |------|-------------|------|---------|:--------:| 29 | | [create\_new\_repo](#input\_create\_new\_repo) | Flag for deciding if a new repository needs to be created | `bool` | `false` | no | 30 | | [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of KMS key for encryption | `string` | n/a | yes | 31 | | [repo\_approvers\_arn](#input\_repo\_approvers\_arn) | ARN or ARN pattern for the IAM User/Role/Group etc that can be used for approving Pull Requests | `string` | n/a | yes | 32 | | [source\_repository\_branch](#input\_source\_repository\_branch) | Branch of the Source CodeCommit repository used in pipeline | `string` | n/a | yes | 33 | | [source\_repository\_name](#input\_source\_repository\_name) | Name of the Source CodeCommit repository used by the pipeline | `string` | n/a | yes | 34 | | [tags](#input\_tags) | Tags to be attached to the source CodeCommit repository | `map(any)` | n/a | yes | 35 | 36 | ## Outputs 37 | 38 | | Name | Description | 39 | |------|-------------| 40 | | [arn](#output\_arn) | List containing the arn of 
the CodeCommit repositories | 41 | | [clone\_url\_http](#output\_clone\_url\_http) | List containing the clone url of the CodeCommit repositories | 42 | | [repository\_name](#output\_repository\_name) | List containing the name of the CodeCommit repositories | 43 | -------------------------------------------------------------------------------- /modules/codecommit/data.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | # To be used only in case of an Existing Repository 8 | data "aws_codecommit_repository" "existing_repository" { 9 | count = var.create_new_repo ? 0 : 1 10 | repository_name = var.source_repository_name 11 | } 12 | -------------------------------------------------------------------------------- /modules/codecommit/main.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | resource "aws_codecommit_repository" "source_repository" { 8 | count = var.create_new_repo ? 
1 : 0 9 | repository_name = var.source_repository_name 10 | default_branch = var.source_repository_branch 11 | description = "Code Repository for hosting the terraform code and pipeline configuration files" 12 | tags = var.tags 13 | } 14 | resource "aws_codecommit_approval_rule_template" "source_repository_approval" { 15 | count = var.create_new_repo ? 1 : 0 16 | name = "${var.source_repository_name}-${var.source_repository_branch}-Rule" 17 | description = "Approval rule template for enabling approval process" 18 | 19 | content = < 2 | ## Requirements 3 | 4 | No requirements. 5 | 6 | ## Providers 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [aws](#provider\_aws) | n/a | 11 | 12 | ## Modules 13 | 14 | No modules. 15 | 16 | ## Resources 17 | 18 | | Name | Type | 19 | |------|------| 20 | | [aws_codepipeline.terraform_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) | resource | 21 | 22 | ## Inputs 23 | 24 | | Name | Description | Type | Default | Required | 25 | |------|-------------|------|---------|:--------:| 26 | | [codepipeline\_role\_arn](#input\_codepipeline\_role\_arn) | ARN of the codepipeline IAM role | `string` | n/a | yes | 27 | | [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of KMS key for encryption | `string` | n/a | yes | 28 | | [project\_name](#input\_project\_name) | Unique name for this project | `string` | n/a | yes | 29 | | [s3\_bucket\_name](#input\_s3\_bucket\_name) | S3 bucket name to be used for storing the artifacts | `string` | n/a | yes | 30 | | [source\_repo\_branch](#input\_source\_repo\_branch) | Default branch in the Source repo for which CodePipeline needs to be configured | `string` | n/a | yes | 31 | | [source\_repo\_name](#input\_source\_repo\_name) | Source repo name of the CodeCommit repository | `string` | n/a | yes | 32 | | [stages](#input\_stages) | List of Map containing information about the stages of the CodePipeline | `list(map(any))` | n/a | yes | 33 | | 
[tags](#input\_tags) | Tags to be attached to the CodePipeline | `map(any)` | n/a | yes | 34 | 35 | ## Outputs 36 | 37 | | Name | Description | 38 | |------|-------------| 39 | | [arn](#output\_arn) | The arn of the CodePipeline | 40 | | [id](#output\_id) | The id of the CodePipeline | 41 | | [name](#output\_name) | The name of the CodePipeline | 42 | -------------------------------------------------------------------------------- /modules/codepipeline/main.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 

# CodePipeline that runs the terraform workflow. Build artifacts are kept in the
# provided S3 bucket and encrypted with the project's customer managed KMS key.
resource "aws_codepipeline" "terraform_pipeline" {

  name     = "${var.project_name}-pipeline"
  role_arn = var.codepipeline_role_arn
  tags     = var.tags

  artifact_store {
    location = var.s3_bucket_name
    type     = "S3"
    # Artifacts are encrypted with the project key instead of the S3 default key.
    encryption_key {
      id   = var.kms_key_arn
      type = "KMS"
    }
  }

  # Fixed first stage: fetch the configured branch of the CodeCommit repository.
  stage {
    name = "Source"

    action {
      name             = "Download-Source"
      category         = "Source"
      owner            = "AWS"
      version          = "1"
      provider         = "CodeCommit"
      namespace        = "SourceVariables"
      output_artifacts = ["SourceOutput"]
      run_order        = 1

      configuration = {
        RepositoryName = var.source_repo_name
        BranchName     = var.source_repo_branch
        # NOTE(review): polling is the legacy change-detection mode; an
        # EventBridge rule on the repository is the recommended, lower-latency
        # alternative. Consider switching unless polling is a deliberate choice.
        PollForSourceChanges = "true"
      }
    }
  }

  # One further stage per entry in var.stages, in list order. Each stage holds a
  # single action with exactly one input and one output artifact; run_order is
  # derived from the list position and continues after the Source stage (+2).
  dynamic "stage" {
    for_each = var.stages

    content {
      name = "Stage-${stage.value["name"]}"
      action {
        category         = stage.value["category"]
        name             = "Action-${stage.value["name"]}"
        owner            = stage.value["owner"]
        provider         = stage.value["provider"]
        input_artifacts  = [stage.value["input_artifacts"]]
        output_artifacts = [stage.value["output_artifacts"]]
        version          = "1"
        run_order        = index(var.stages, stage.value) + 2

        # Only CodeBuild actions take a ProjectName; other providers get null.
        # Presumably the codebuild module names its projects "<project_name>-<stage name>"
        # so this lookup matches — verify against modules/codebuild/main.tf.
        configuration = {
          ProjectName = stage.value["provider"] == "CodeBuild" ? "${var.project_name}-${stage.value["name"]}" : null
        }
      }
    }
  }

}
-------------------------------------------------------------------------------- /modules/codepipeline/outputs.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 
3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | output "id" { 8 | value = aws_codepipeline.terraform_pipeline.id 9 | description = "The id of the CodePipeline" 10 | } 11 | 12 | output "name" { 13 | value = aws_codepipeline.terraform_pipeline.name 14 | description = "The name of the CodePipeline" 15 | } 16 | 17 | output "arn" { 18 | value = aws_codepipeline.terraform_pipeline.arn 19 | description = "The arn of the CodePipeline" 20 | } 21 | 22 | 23 | -------------------------------------------------------------------------------- /modules/codepipeline/variables.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 
6 | 7 | variable "project_name" { 8 | description = "Unique name for this project" 9 | type = string 10 | } 11 | 12 | variable "source_repo_name" { 13 | description = "Source repo name of the CodeCommit repository" 14 | type = string 15 | } 16 | 17 | variable "source_repo_branch" { 18 | description = "Default branch in the Source repo for which CodePipeline needs to be configured" 19 | type = string 20 | } 21 | 22 | variable "s3_bucket_name" { 23 | description = "S3 bucket name to be used for storing the artifacts" 24 | type = string 25 | } 26 | 27 | variable "codepipeline_role_arn" { 28 | description = "ARN of the codepipeline IAM role" 29 | type = string 30 | } 31 | 32 | variable "kms_key_arn" { 33 | description = "ARN of KMS key for encryption" 34 | type = string 35 | } 36 | 37 | variable "tags" { 38 | description = "Tags to be attached to the CodePipeline" 39 | type = map(any) 40 | } 41 | 42 | variable "stages" { 43 | description = "List of Map containing information about the stages of the CodePipeline" 44 | type = list(map(any)) 45 | } 46 | -------------------------------------------------------------------------------- /modules/iam-role/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Requirements 3 | 4 | No requirements. 5 | 6 | ## Providers 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [aws](#provider\_aws) | n/a | 11 | 12 | ## Modules 13 | 14 | No modules. 
15 | 16 | ## Resources 17 | 18 | | Name | Type | 19 | |------|------| 20 | | [aws_accessanalyzer_analyzer.codepipeline_analyzer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer) | resource | 21 | | [aws_iam_policy.codepipeline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 22 | | [aws_iam_role.codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 23 | | [aws_iam_role_policy_attachment.codepipeline_role_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 24 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 25 | | [aws_iam_role.existing_codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | 26 | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 27 | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | 28 | 29 | ## Inputs 30 | 31 | | Name | Description | Type | Default | Required | 32 | |------|-------------|------|---------|:--------:| 33 | | [codepipeline\_iam\_role\_name](#input\_codepipeline\_iam\_role\_name) | Name of the IAM role to be used by the project | `string` | n/a | yes | 34 | | [create\_new\_role](#input\_create\_new\_role) | Flag for deciding if a new role needs to be created | `bool` | `true` | no | 35 | | [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of KMS key for encryption | `string` | n/a | yes | 36 | | [project\_name](#input\_project\_name) | Unique name for this project | `string` | n/a | yes | 37 | | [s3\_bucket\_arn](#input\_s3\_bucket\_arn) | The ARN of the S3 Bucket | `string` | 
n/a | yes | 38 | | [source\_repository\_name](#input\_source\_repository\_name) | Name of the Source CodeCommit repository | `string` | n/a | yes | 39 | | [tags](#input\_tags) | Tags to be attached to the IAM Role | `map(any)` | n/a | yes | 40 | 41 | ## Outputs 42 | 43 | | Name | Description | 44 | |------|-------------| 45 | | [role\_arn](#output\_role\_arn) | The ARN of the IAM Role | 46 | | [role\_name](#output\_role\_name) | The name of the IAM Role | 47 | -------------------------------------------------------------------------------- /modules/iam-role/data.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | data "aws_region" "current" {} 8 | data "aws_caller_identity" "current" {} 9 | data "aws_partition" "current" {} 10 | 11 | # To be used only in case of an Existing Role 12 | data "aws_iam_role" "existing_codepipeline_role" { 13 | count = var.create_new_role ? 0 : 1 14 | name = var.codepipeline_iam_role_name 15 | } -------------------------------------------------------------------------------- /modules/iam-role/main.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 
3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | resource "aws_iam_role" "codepipeline_role" { 8 | count = var.create_new_role ? 1 : 0 9 | name = var.codepipeline_iam_role_name 10 | tags = var.tags 11 | assume_role_policy = < 2 | ## Requirements 3 | 4 | No requirements. 5 | 6 | ## Providers 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [aws](#provider\_aws) | n/a | 11 | 12 | ## Modules 13 | 14 | No modules. 15 | 16 | ## Resources 17 | 18 | | Name | Type | 19 | |------|------| 20 | | [aws_kms_key.encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | 21 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 22 | | [aws_iam_policy_document.kms_key_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 23 | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | 24 | 25 | ## Inputs 26 | 27 | | Name | Description | Type | Default | Required | 28 | |------|-------------|------|---------|:--------:| 29 | | [codepipeline\_role\_arn](#input\_codepipeline\_role\_arn) | ARN of the codepipeline IAM role | `string` | n/a | yes | 30 | | [tags](#input\_tags) | Tags to be attached to the KMS Key | `map(any)` | n/a | yes | 31 | 32 | ## Outputs 33 | 34 | | Name | Description | 35 | |------|-------------| 36 | | [arn](#output\_arn) | The ARN of the KMS key | 37 | -------------------------------------------------------------------------------- /modules/kms/data.tf: -------------------------------------------------------------------------------- 1 | #This solution, 
non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | data "aws_caller_identity" "current" {} 8 | data "aws_region" "current" {} -------------------------------------------------------------------------------- /modules/kms/main.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 
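
# Resolved once and reused by the key policy statements below.
locals {
  account_id = data.aws_caller_identity.current.account_id
}

# Resolve the partition instead of hard-coding "aws" so the root-principal ARN
# below is also correct in the aws-cn and aws-us-gov partitions. The iam-role
# module resolves the partition the same way.
data "aws_partition" "current" {}

# Customer managed key for the pipeline artifact bucket. The key policy is the
# document below; automatic rotation is enabled and a scheduled deletion waits
# 10 days before the key material is destroyed.
resource "aws_kms_key" "encryption_key" {
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10
  policy                  = data.aws_iam_policy_document.kms_key_policy_doc.json
  enable_key_rotation     = true
  tags                    = var.tags
}

data "aws_iam_policy_document" "kms_key_policy_doc" {
  # Account-root statement. Keeps the key manageable through IAM policies in the
  # account; without it the key policy alone controls access.
  statement {
    sid     = "Enable IAM User Permissions"
    effect  = "Allow"
    actions = ["kms:*"]
    #checkov:skip=CKV_AWS_111:Without this statement, KMS key cannot be managed by root
    #checkov:skip=CKV_AWS_109:Without this statement, KMS key cannot be managed by root
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${local.account_id}:root"]
    }
  }

  # NOTE(review): this grants the pipeline execution role full kms:* on the key
  # (policy changes, scheduling deletion, disabling rotation) on top of the
  # usage and grant permissions in the two statements that follow. Unless the
  # pipeline genuinely administers the key, restrict this statement to a
  # dedicated administrator principal or remove it.
  statement {
    sid       = "Allow access for Key Administrators"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type = "AWS"
      identifiers = [
        var.codepipeline_role_arn
      ]
    }
  }

  # Data-plane permissions the pipeline role needs to encrypt and decrypt artifacts.
  statement {
    sid    = "Allow use of the key"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]

    principals {
      type = "AWS"
      identifiers = [
        var.codepipeline_role_arn
      ]
    }
  }

  # Grant permissions are conditioned on kms:GrantIsForAWSResource, i.e. grants
  # created on behalf of integrated AWS services only. Note that the kms:*
  # statement above currently makes this restriction moot.
  statement {
    sid    = "Allow attachment of persistent resources"
    effect = "Allow"
    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant"
    ]
    resources = ["*"]

    principals {
      type = "AWS"
      identifiers = [
        var.codepipeline_role_arn
      ]
    }

    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}
-------------------------------------------------------------------------------- 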
/modules/kms/outputs.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | output "arn" { 8 | value = aws_kms_key.encryption_key.arn 9 | description = "The ARN of the KMS key" 10 | } -------------------------------------------------------------------------------- /modules/kms/variables.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | variable "tags" { 8 | description = "Tags to be attached to the KMS Key" 9 | type = map(any) 10 | } 11 | 12 | variable "codepipeline_role_arn" { 13 | description = "ARN of the codepipeline IAM role" 14 | type = string 15 | } -------------------------------------------------------------------------------- /modules/s3/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Requirements 3 | 4 | No requirements. 
5 | 6 | ## Providers 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [aws](#provider\_aws) | n/a | 11 | | [aws.replication](#provider\_aws.replication) | n/a | 12 | 13 | ## Modules 14 | 15 | No modules. 16 | 17 | ## Resources 18 | 19 | | Name | Type | 20 | |------|------| 21 | | [aws_iam_policy.replication_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 22 | | [aws_iam_role.replication_s3_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 23 | | [aws_iam_role_policy_attachment.replication_s3_role_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 24 | | [aws_s3_bucket.codepipeline_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | 25 | | [aws_s3_bucket.replication_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | 26 | | [aws_s3_bucket_acl.codepipeline_bucket_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | 27 | | [aws_s3_bucket_acl.replication_bucket_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | 28 | | [aws_s3_bucket_logging.codepipeline_bucket_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | 29 | | [aws_s3_bucket_logging.replication_bucket_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | 30 | | [aws_s3_bucket_policy.bucket_policy_codepipeline_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | 31 | | 
[aws_s3_bucket_policy.bucket_policy_replication_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | 32 | | [aws_s3_bucket_public_access_block.codepipeline_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | 33 | | [aws_s3_bucket_public_access_block.replication_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | 34 | | [aws_s3_bucket_replication_configuration.replication_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource | 35 | | [aws_s3_bucket_server_side_encryption_configuration.codepipeline_bucket_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | 36 | | [aws_s3_bucket_server_side_encryption_configuration.replication_bucket_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | 37 | | [aws_s3_bucket_versioning.codepipeline_bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | 38 | | [aws_s3_bucket_versioning.replication_bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | 39 | | [aws_iam_policy_document.bucket_policy_doc_codepipeline_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 40 | | [aws_iam_policy_document.bucket_policy_doc_replication_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 41 | 42 | ## Inputs 43 | 44 | | Name | Description | Type | Default | Required | 45 
| |------|-------------|------|---------|:--------:| 46 | | [codepipeline\_role\_arn](#input\_codepipeline\_role\_arn) | ARN of the codepipeline IAM role | `string` | n/a | yes | 47 | | [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of KMS key for encryption | `string` | n/a | yes | 48 | | [project\_name](#input\_project\_name) | Name of the project to be prefixed to create the s3 bucket | `string` | n/a | yes | 49 | | [tags](#input\_tags) | Tags to be associated with the S3 bucket | `map(any)` | n/a | yes | 50 | 51 | ## Outputs 52 | 53 | | Name | Description | 54 | |------|-------------| 55 | | [arn](#output\_arn) | The ARN of the S3 Bucket | 56 | | [bucket](#output\_bucket) | The Name of the S3 Bucket | 57 | | [bucket\_url](#output\_bucket\_url) | The URL of the S3 Bucket | 58 | -------------------------------------------------------------------------------- /modules/s3/main.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | resource "aws_iam_role" "replication_s3_role" { 8 | name = "${var.project_name}-replication-role" 9 | 10 | assume_role_policy = <checkov.xml 45 | fi 46 | tfCheckovOutput=$? 47 | 48 | if (( ${tfTfsec} == "Y")) 49 | then 50 | echo "## VALIDATION : Running tfsec ..." 51 | #tfsec . 52 | tfsec ./ --format junit --out tfsec-junit.xml 53 | fi 54 | tfTfsecOutput=$? 
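
echo "## VALIDATION Summary ##"
echo "------------------------"
echo "Terraform Validate : ${tfValidateOutput}"
echo "Terraform Format : ${tfFormatOutput}"
echo "Terraform checkov : ${tfCheckovOutput}"
echo "Terraform tfsec : ${tfTfsecOutput}"
echo "------------------------"

# The flag is a string, so it must be compared with [[ ]] rather than (( )).
# Inside an arithmetic context a bare word such as N or Y is treated as a
# variable name and evaluates to 0, so (( N == Y )) is true and a value of "N"
# would still skip the failure checks. The same (( ... == "Y" )) pattern is used
# for the tool toggles earlier in this script and has the same problem.
if [[ "${SKIPVALIDATIONFAILURE}" == "Y" ]]
then
  #if SKIPVALIDATIONFAILURE is set as Y, then validation failures are skipped during execution
  echo "## VALIDATION : Skipping validation failure checks..."
elif (( $tfValidateOutput == 0 && $tfFormatOutput == 0 && $tfCheckovOutput == 0 && $tfTfsecOutput == 0 ))
then
  # All four exit codes are numeric, so the arithmetic comparison is correct here.
  echo "## VALIDATION : Checks Passed!!!"
else
  # When validation checks fails, build process is halted.
  echo "## ERROR : Validation Failed"
  exit 1;
fi
-------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | #This solution, non-production-ready template describes AWS Codepipeline based CICD Pipeline for terraform code deployment. 2 | #© 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. 3 | #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at 4 | #http://aws.amazon.com/agreement or other written agreement between Customer and either 5 | #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. 6 | 7 | variable "project_name" { 8 | description = "Unique name for this project" 9 | type = string 10 | } 11 | 12 | variable "create_new_repo" { 13 | description = "Whether to create a new repository. Values are true or false. Defaulted to true always." 14 | type = bool 15 | default = true 16 | } 17 | 18 | variable "create_new_role" { 19 | description = "Whether to create a new IAM Role. Values are true or false. Defaulted to true always." 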
20 | type = bool 21 | default = true 22 | } 23 | 24 | variable "codepipeline_iam_role_name" { 25 | description = "Name of the IAM role to be used by the Codepipeline" 26 | type = string 27 | default = "codepipeline-role" 28 | } 29 | 30 | variable "source_repo_name" { 31 | description = "Source repo name of the CodeCommit repository" 32 | type = string 33 | } 34 | 35 | variable "source_repo_branch" { 36 | description = "Default branch in the Source repo for which CodePipeline needs to be configured" 37 | type = string 38 | } 39 | 40 | variable "repo_approvers_arn" { 41 | description = "ARN or ARN pattern for the IAM User/Role/Group that can be used for approving Pull Requests" 42 | type = string 43 | } 44 | 45 | variable "environment" { 46 | description = "Environment in which the script is run. Eg: dev, prod, etc" 47 | type = string 48 | } 49 | 50 | variable "stage_input" { 51 | description = "Tags to be attached to the CodePipeline" 52 | type = list(map(any)) 53 | } 54 | 55 | variable "build_projects" { 56 | description = "Tags to be attached to the CodePipeline" 57 | type = list(string) 58 | } 59 | 60 | variable "builder_compute_type" { 61 | description = "Relative path to the Apply and Destroy build spec file" 62 | type = string 63 | default = "BUILD_GENERAL1_SMALL" 64 | } 65 | 66 | variable "builder_image" { 67 | description = "Docker Image to be used by codebuild" 68 | type = string 69 | default = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" 70 | } 71 | 72 | variable "builder_type" { 73 | description = "Type of codebuild run environment" 74 | type = string 75 | default = "LINUX_CONTAINER" 76 | } 77 | 78 | variable "builder_image_pull_credentials_type" { 79 | description = "Image pull credentials type used by codebuild project" 80 | type = string 81 | default = "CODEBUILD" 82 | } 83 | 84 | variable "build_project_source" { 85 | description = "aws/codebuild/standard:4.0" 86 | type = string 87 | default = "CODEPIPELINE" 88 | } 89 | 
--------------------------------------------------------------------------------