├── .github
│   └── PULL_REQUEST_TEMPLATE.md
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── buildspec.yaml
├── images
│   ├── aws-sam-codepipeline-cd-pipeline-example.png
│   └── github-token-permissions.png
└── sam
    └── app
        └── template.yaml

/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
*Issue #, if available:*

*Description of changes:*


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.


## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check [existing open](https://github.com/awslabs/aws-sam-codepipeline-cd/issues), or [recently closed](https://github.com/awslabs/aws-sam-codepipeline-cd/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment


## Contributing via Pull Requests
Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *master* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).


## Finding contributions to work on
Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/awslabs/aws-sam-codepipeline-cd/labels/help%20wanted) issues is a great place to start.


## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.


## Security issue notifications
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.


## Licensing

See the [LICENSE](https://github.com/awslabs/aws-sam-codepipeline-cd/blob/master/LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.

We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# :warning: Repository Deprecation Notice :warning:
This repository, `awslabs/aws-sam-codepipeline-cd`, is scheduled for archival by the end of August 2024. After this date, the repository will become read-only, and no further updates or support will be provided.

We recommend that you migrate to the AWS Serverless Application Model (SAM) CLI's `sam pipeline` command (the AWS SAM Pipelines feature), which provides a streamlined and integrated experience for automatically generating deployment pipelines for your serverless applications.

The `sam pipeline` command replaces the functionality provided by this repository and offers a more seamless and up-to-date solution.
You can find detailed documentation and guidance on using `sam pipeline` at the following links:
- [Introducing AWS SAM Pipelines: Automatically Generate Deployment Pipelines for Serverless Applications](https://aws.amazon.com/blogs/compute/introducing-aws-sam-pipelines-automatically-generate-deployment-pipelines-for-serverless-applications/)
- [AWS SAM CLI Command Reference: sam pipeline bootstrap](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-pipeline-bootstrap.html)
- [AWS SAM CLI Command Reference: sam pipeline init](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-pipeline-init.html)

Please take the necessary steps to migrate your projects to the `sam pipeline` command before the end of August 2024. After this date, this repository will be archived, and no further updates or support will be provided.

Thank you for your understanding and cooperation.

---

# AWS SAM CodePipeline CD ![Build Status](https://codebuild.us-east-1.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiSlYvZlpjVEttS0FjbXFyUEpvWFpwdGJtbTlSbjRTaEsranM4QjFpUWxUSTB4ZUdPeDROSlNTMW14bnRxM1l6YTRpUDZsSXg2L3hyRXpWN0ZxM1BpeGFBPSIsIml2UGFyYW1ldGVyU3BlYyI6Ik9pWWV1MXhKbnR6alB2NTUiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=master)

This serverless app sets up an AWS CodePipeline pipeline as a Continuous Deployment (CD) solution for a SAM project hosted on GitHub or AWS CodeCommit. Once set up, every push to the specified Git repository branch flows through the AWS CodePipeline pipeline.

## Pipeline Structure

When this application is deployed, it creates an AWS CodePipeline pipeline with up to the following 5 stages:
1. **Source**: This stage is the entry point of the pipeline. It is triggered when you push a change to the specified Git repository branch. For GitHub, the app registers a webhook on the repository so the pipeline starts on push rather than by polling.
1. **Build**: This stage builds the project using AWS CodeBuild, running the build spec named by `BuildSpecFilePath`. The build must emit `packaged-template.yaml` as its output artifact, because that is the template path the Deploy stage reads.
1. **Test** (optional): This stage runs the integration tests of the project using CodeBuild, with both the source and the build artifact as inputs. This stage is only created if you provide the `IntegTestRoleName` parameter when setting up this application. See the "Parameters" section below.
1. **Deploy** (optional): This stage deploys the project using CloudFormation, as a change set that is first created and then executed. This stage is only created if you provide the `DeployRoleName` parameter when setting up this application. See the "Parameters" section below.
1. **Publish** (optional): This stage publishes the project to AWS Serverless Application Repository using the publish [app](https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:077246666028:applications~aws-serverless-codepipeline-serverlessrepo-publish). This stage is only created if you pass `true` to the `PublishToSAR` parameter when setting up this application. See the "Parameters" section below.

Here is an example CodePipeline pipeline that has all 5 stages:
![aws-sam-codepipeline-cd-pipeline-example](https://github.com/awslabs/aws-sam-codepipeline-cd/raw/master/images/aws-sam-codepipeline-cd-pipeline-example.png)

## Installation

1. [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in
1. If your source code repository is on GitHub, create a GitHub OAuth token (see instructions below).
1. Go to this app's page on the [Serverless Application Repository](https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:646794253159:applications~aws-sam-codepipeline-cd) and click "Deploy"
1. Provide the required app parameters and click "Deploy"

### Creating a GitHub OAuth token

General instructions for creating a GitHub OAuth token can be found [here](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/). When you get to the scopes/permissions page, select the "repo" and "admin:repo_hook" scopes, which automatically selects all permissions under those two scopes. The "repo" scope is what lets CodePipeline read the repository; "admin:repo_hook" is what lets the app register the push webhook it relies on.

Treat the token as a production credential. A classic token with the "repo" scope has read and write access to every repository the account can reach, so create it from a dedicated machine or bot account rather than a personal one. The app uses the token both to authenticate the CodePipeline source action and as the HMAC secret of the webhook it registers, and the template declares the `GitHubOAuthToken` parameter as `NoEcho`, so CloudFormation masks it in parameter listings. Rotating the token means updating the stack with the new value.

![GitHub OAuth Token Permissions](https://github.com/awslabs/aws-sam-codepipeline-cd/raw/master/images/github-token-permissions.png)

## Parameters

The app has the following parameters:

| Parameter | Required | Description |
| ------------- | ------------- | ------------- |
| SourceCodeProvider | Optional | Whether the Git repository is hosted on GitHub or CodeCommit. Allowed values: GitHub, CodeCommit. Default: GitHub |
| ComputeType | Optional | AWS CodeBuild project compute type. See [the documentation](https://docs.aws.amazon.com/codebuild/latest/userguide/create-project.html#create-project-cli) for details. Allowed values: BUILD_GENERAL1_SMALL, BUILD_GENERAL1_MEDIUM, BUILD_GENERAL1_LARGE. Default: BUILD_GENERAL1_SMALL |
| EnvironmentType | Optional | Environment type used by AWS CodeBuild. See [the documentation](https://docs.aws.amazon.com/codebuild/latest/userguide/create-project.html#create-project-cli) for details. Allowed values: LINUX_CONTAINER, WINDOWS_CONTAINER. Default: LINUX_CONTAINER |
| BuildSpecFilePath | Optional | CodeBuild build spec file path, relative to the repository root, for the build stage. See [Build Specification Reference for CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html). Default: buildspec.yaml |
| IntegTestRoleName | Optional | IAM role name for the test stage. This role's trust policy must allow codebuild.amazonaws.com and cloudformation.amazonaws.com to assume it. The test stage is not added if the default (empty) value is used. Default: '' |
| IntegTestBuildSpecFilePath | Optional | CodeBuild build spec file path, relative to the repository root, for the test stage. This parameter is only used if you provide the `IntegTestRoleName` parameter. See [the documentation](https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html). Default: buildspec-integ-test.yaml (the default declared in the template) |
| DeployRoleName | Optional | IAM role name for the deploy stage. This role's trust policy must allow cloudformation.amazonaws.com to assume it. The deploy stage is not added if the default (empty) value is used. Default: '' |
| DeployStackName | Optional | CloudFormation stack name for the deploy stage. This parameter is only used if you provide the `DeployRoleName` parameter. Note that if you provide `DeployRoleName` but not `DeployStackName`, the Deploy stage fails, because its change-set actions need a stack name. Default: '' |
| DeployParameterOverrides | Optional | CloudFormation parameter overrides for the deploy stage, as a JSON string. For more information and an example, see the `ParameterOverrides` parameter of [AWS CloudFormation Configuration Properties Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-action-reference.html#w2ab1c13c13b9). Default: {} |
| PublishToSAR | Optional | Boolean indicating whether to include the publish stage. Allowed values: true, false. Default: false |

The following parameters are only applicable if `SourceCodeProvider` is GitHub. The template's rules reject a deployment with `SourceCodeProvider` set to GitHub unless `GitHubOwner`, `GitHubRepo` and `GitHubOAuthToken` are all non-empty.

| Parameter | Required | Description |
| ------------- | ------------- | ------------- |
| GitHubOwner | Required for GitHub | GitHub user or organization owning the repo. |
| GitHubRepo | Required for GitHub | GitHub repo name (just the name, not the full URL). |
| GitHubOAuthToken | Required for GitHub | OAuth token used by AWS CodePipeline to connect to GitHub. It is also used as the secret of the webhook the app registers on the repository. |
| GitHubBranch | Optional | GitHub repo branch name. Default: master. |

The following parameters are only applicable if `SourceCodeProvider` is CodeCommit.
| Parameter | Required | Description |
| ------------- | ------------- | ------------- |
| CodeCommitRepo | Required for CodeCommit | CodeCommit repository name (just the name, not the full URL). The template's rules reject a CodeCommit deployment with an empty value. |
| CodeCommitBranch | Optional | CodeCommit repo branch name. Default: master. |

## Outputs

1. `ArtifactsBucketArn` - The ARN of the S3 bucket that stores artifacts for the pipeline, such as the input and output artifacts passed between stages.
1. `ArtifactsBucketName` - The name of the S3 bucket that stores artifacts for the pipeline, such as the input and output artifacts passed between stages.
1. `PipelineName` - The CodePipeline pipeline name.
1. `PipelineVersion` - The CodePipeline pipeline version.

## IAM Roles in Test and Deploy stages

You must provide IAM roles in order to create the Test and Deploy stages. The app attaches IAM policies to the roles you provide; the sections below describe the policy attached for each stage. Note what these policies do not cover: they only grant access to the pipeline's own CodeBuild log groups and artifact bucket. Permissions for whatever your tests or your deployed stack actually create (Lambda functions, IAM roles, API Gateway APIs and so on) must already be on the roles you supply, and each role's trust policy must allow the services listed in the "Parameters" section to assume it.

### Test stage

In the Test stage, the tests are run in AWS CodeBuild under the role named by `IntegTestRoleName`. A policy is attached to that role to grant CodeBuild permission to:
- Write logs to CloudWatch Logs
- Read artifacts from the previous stage in the S3 artifacts bucket
- Write artifacts to be used by later stages in the S3 artifacts bucket

Here is the IAM policy that is attached to the provided role. `<region>` and `<account-id>` are those of the deploying stack, and `<ArtifactsBucketName>` is the pipeline's artifact bucket (the `ArtifactsBucketName` output):

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:<region>:<account-id>:log-group:/aws/codebuild/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<ArtifactsBucketName>/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<ArtifactsBucketName>"
            ],
            "Effect": "Allow"
        }
    ]
}
```

### Deploy stage

In the Deploy stage, the application is deployed using AWS CloudFormation under the role named by `DeployRoleName`. A policy is attached to that role to grant CloudFormation permission to:
- Read artifacts from the previous stage in the S3 artifacts bucket

Here is the IAM policy that is attached to the provided role (`<ArtifactsBucketName>` as above):

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<ArtifactsBucketName>/*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

## License Summary

This sample code is made available under the MIT-0 license. See the LICENSE file.
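The Installation, Parameters and IAM Roles sections above describe what the app needs from you but never show it assembled. The following wrapper template is an added example and not part of this repository: it creates the two stage roles with the trust policies the app requires, deploys the SAR app as a nested `AWS::Serverless::Application` (the same mechanism the app itself uses for the publish app) with the roles passed by name, and pulls the GitHub token from AWS Secrets Manager with a dynamic reference instead of typing it into a parameter. The secret name `github/cd-token`, the role and stack names, the repository coordinates and the permission lists on the roles are assumptions for illustration and must be replaced with your own.

```yaml
# Added example, not part of aws-sam-codepipeline-cd: a wrapper stack that creates the two
# stage roles and deploys the SAR app with them. Every value marked "assumed" is illustrative.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  GitHubTokenSecretName:
    Type: String
    Default: github/cd-token   # assumed: Secrets Manager secret whose SecretString is the token
  DeployStackName:
    Type: String
    Default: my-sam-app        # assumed: the stack the Deploy stage creates and updates

Resources:
  # Assumed by CloudFormation in the Deploy stage. The app only adds s3:GetObject on its
  # artifact bucket, so everything the deployed stack contains has to be granted here.
  DeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${AWS::StackName}-deploy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: deployed-stack-resources
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Assumed shape of the deployed app (a Lambda function, its execution role and
              # an API). List the services your template really uses rather than granting "*".
              - Effect: Allow
                Action:
                  - lambda:*
                  - apigateway:*
                  - iam:GetRole
                  - iam:CreateRole
                  - iam:DeleteRole
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
                  - iam:AttachRolePolicy
                  - iam:DetachRolePolicy
                  - iam:PassRole
                Resource: '*'

  # Used by CodeBuild to run the tests, and handed to CloudFormation by the test buildspec
  # when it stands up a throwaway stack, hence the two trusted services.
  IntegTestRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${AWS::StackName}-integ-test
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
                - cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: test-stack-lifecycle
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cloudformation:CreateChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:DescribeStacks
                  - cloudformation:DeleteStack
                Resource: !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${DeployStackName}-test/*
              # Add the same resource permissions as DeployRole for whatever the test stack creates.

  # The CD app from the Serverless Application Repository, with the roles passed by name.
  CdPipeline:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:us-east-1:646794253159:applications/aws-sam-codepipeline-cd
        SemanticVersion: 1.1.0
      Parameters:
        SourceCodeProvider: GitHub
        GitHubOwner: example-org       # assumed
        GitHubRepo: example-sam-app    # assumed
        GitHubBranch: master
        # Resolved by CloudFormation when the nested stack is created, so the token is never
        # written into this file or typed into the console.
        GitHubOAuthToken: !Sub '{{resolve:secretsmanager:${GitHubTokenSecretName}:SecretString}}'
        DeployRoleName: !Ref DeployRole       # Ref of an IAM role resource is its name
        DeployStackName: !Ref DeployStackName
        IntegTestRoleName: !Ref IntegTestRole
        IntegTestBuildSpecFilePath: buildspec-integ-test.yaml
        PublishToSAR: 'false'

Outputs:
  PipelineName:
    Value: !GetAtt CdPipeline.Outputs.PipelineName
```

Deploy it with `sam deploy --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND`: the named roles need `CAPABILITY_NAMED_IAM`, and the nested SAR application needs `CAPABILITY_AUTO_EXPAND`. Because the app attaches its `codebuild-access-*` and `deploy-stage-access-*` policies to the roles by name, the `!Ref`s above also give CloudFormation the ordering it needs to create the roles before the nested stack.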
--------------------------------------------------------------------------------
/buildspec.yaml:
--------------------------------------------------------------------------------
version: 0.2

phases:
  install:
    runtime-versions:
      python: 3.7
    commands:
      - pip install cfn-lint
  build:
    commands:
      - cfn-lint -t sam/app/template.yaml
      - aws cloudformation package --template-file sam/app/template.yaml --s3-bucket ${PACKAGE_BUCKET} --output-template-file packaged-template.yaml
artifacts:
  files:
    - packaged-template.yaml

--------------------------------------------------------------------------------
/images/aws-sam-codepipeline-cd-pipeline-example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/awslabs/aws-sam-codepipeline-cd/a16102a7718d6d5bdbbcc1c2565fe42489b16c8d/images/aws-sam-codepipeline-cd-pipeline-example.png

--------------------------------------------------------------------------------
/images/github-token-permissions.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/awslabs/aws-sam-codepipeline-cd/a16102a7718d6d5bdbbcc1c2565fe42489b16c8d/images/github-token-permissions.png

--------------------------------------------------------------------------------
/sam/app/template.yaml:
--------------------------------------------------------------------------------
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: >-
  This serverless app sets up an AWS CodePipeline Pipeline as a CD solution for a GitHub-based SAM project. Once setup, every time the specified GitHub repository branch is updated, the change will flow through the CodePipeline pipeline.

Metadata:
  AWS::ServerlessRepo::Application:
    Name: aws-sam-codepipeline-cd
    Description: >-
      This serverless app sets up an AWS CodePipeline Pipeline as a CD solution for a GitHub-based SAM project. Once setup, every time the specified GitHub repository branch is updated, the change will flow through the CodePipeline pipeline.
    Author: AWS Serverless Application Repository
    SpdxLicenseId: MIT-0
    Labels: [github, cd, codepipeline, continuous-deploy, sam]
    HomePageUrl: https://github.com/awslabs/aws-sam-codepipeline-cd
    SemanticVersion: 1.1.0
    SourceCodeUrl: https://github.com/awslabs/aws-sam-codepipeline-cd/tree/1.1.0
    LicenseUrl: ../../LICENSE
    ReadmeUrl: ../../README.md

Outputs:
  ArtifactsBucketArn:
    Value: !GetAtt Artifacts.Arn
  ArtifactsBucketName:
    Value: !Ref Artifacts
  PipelineName:
    Value: !Ref Pipeline
  PipelineVersion:
    Value: !GetAtt Pipeline.Version

Parameters:
  ComputeType:
    AllowedValues:
      - BUILD_GENERAL1_SMALL
      - BUILD_GENERAL1_MEDIUM
      - BUILD_GENERAL1_LARGE
    Default: BUILD_GENERAL1_SMALL
    Description: AWS CodeBuild project compute type.
    Type: String
  EnvironmentType:
    AllowedValues:
      - LINUX_CONTAINER
      - WINDOWS_CONTAINER
    Default: LINUX_CONTAINER
    Description: Environment type used by AWS CodeBuild. See the documentation for details (https://docs.aws.amazon.com/codebuild/latest/userguide/create-project.html#create-project-cli).
    Type: String
  SourceCodeProvider:
    Type: String
    Description: Location of your source code repository
    Default: GitHub
    AllowedValues:
      - GitHub
      - CodeCommit
  GitHubOAuthToken:
    Description: OAuth token used by AWS CodePipeline to connect to GitHub
    NoEcho: true
    Type: String
    Default: ''
  GitHubOwner:
    Description: GitHub username owning the repo
    Type: String
    Default: ''
  GitHubRepo:
    Description: GitHub repo name
    Type: String
    Default: ''
  GitHubBranch:
    Description: GitHub repo branch name. It defaults to master if not specified.
    Type: String
    Default: master
  CodeCommitRepo:
    Type: String
    Description: CodeCommit repository name, only specify if you chose CodeCommit in SourceCodeProvider
    Default: ''
  CodeCommitBranch:
    Type: String
    Description: CodeCommit repository branch name, only specify if you chose CodeCommit in SourceCodeProvider.
    Default: master
  DeployParameterOverrides:
    Description: Parameter overrides for the deploy stage
    Type: String
    Default: '{}'
  DeployStackName:
    Description: The stack name for the deploy stage
    Type: String
    Default: ''
  DeployRoleName:
    Description: >-
      The IAM role name to deploy the CloudFormation stack. This role needs to be configured to allow
      cloudformation.amazonaws.com to assume it. Deploy stage will not be added if not specified.
    Type: String
    Default: ''
  IntegTestRoleName:
    Description: >-
      The IAM role name to deploy a test stack and run integration tests. This role needs to be configured
      to allow codebuild.amazonaws.com and cloudformation.amazonaws.com to assume it. Test stage will not
      be added if not specified.
    Type: String
    Default: ''
  BuildSpecFilePath:
    Description: >-
      Relative BuildSpec file path for build stage. For more information, see https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
    Type: String
    Default: 'buildspec.yaml'
  IntegTestBuildSpecFilePath:
    Description: >-
      Relative BuildSpec file path for test stage. For more information, see https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
    Type: String
    Default: 'buildspec-integ-test.yaml'
  PublishToSAR:
    Description: Whether to publish the application to AWS Serverless Application Repository
    Type: String
    AllowedValues:
      - true
      - false
    Default: false

Conditions:
  HasTestStage:
    !Not [!Equals [!Ref IntegTestRoleName, '']]
  HasDeployStage:
    !Not [!Equals [!Ref DeployRoleName, '']]
  HasPublishStage:
    !Equals [!Ref PublishToSAR, 'true']
  UseCodeCommit:
    !Equals [!Ref SourceCodeProvider, 'CodeCommit']
  UseGitHub:
    !Equals [!Ref SourceCodeProvider, 'GitHub']

Rules:
  ValidateGitHub:
    RuleCondition: !Equals [!Ref SourceCodeProvider, 'GitHub']
    Assertions:
      - Assert: !Not [!Equals [!Ref GitHubOwner, '']]
        AssertDescription: "GitHubOwner must be specified when SourceCodeProvider is GitHub"
      - Assert: !Not [!Equals [!Ref GitHubRepo, '']]
        AssertDescription: "GitHubRepo must be specified when SourceCodeProvider is GitHub"
      - Assert: !Not [!Equals [!Ref GitHubOAuthToken, '']]
        AssertDescription: "GitHubOAuthToken must be specified when SourceCodeProvider is GitHub"
      - Assert: !Not [!Equals [!Ref GitHubBranch, '']]
        AssertDescription: "GitHubBranch must be specified when SourceCodeProvider is GitHub"
  ValidateCodeCommit:
    RuleCondition: !Equals [!Ref SourceCodeProvider, 'CodeCommit']
    Assertions:
      - Assert: !Not [!Equals [!Ref CodeCommitRepo, '']]
        AssertDescription: "CodeCommitRepo must be specified when SourceCodeProvider is CodeCommit"
      - Assert: !Not [!Equals [!Ref CodeCommitBranch, '']]
        AssertDescription: "CodeCommitBranch must be specified when SourceCodeProvider is CodeCommit"

Resources:
  Artifacts:
    Properties:
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: 30
            Status: Enabled
    Type: AWS::S3::Bucket
  ArtifactsPolicy:
    Condition: HasPublishStage
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        Ref: Artifacts
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - s3:GetObject
            Effect: Allow
            Principal:
              Service:
                - 'serverlessrepo.amazonaws.com'
            Resource:
              !Sub '${Artifacts.Arn}/*'
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ArtifactStore:
        Location: !Ref Artifacts
        Type: S3
      RoleArn: !GetAtt PipelineRole.Arn
      Stages:
        - Name: Source
          Actions:
            - !If
              - UseCodeCommit
              - Name: CodeCommitSource
                ActionTypeId:
                  Category: Source
                  Owner: AWS
                  Provider: CodeCommit
                  Version: "1"
                Configuration:
                  RepositoryName: !Ref CodeCommitRepo
                  BranchName: !Ref CodeCommitBranch
                OutputArtifacts:
                  - Name: SourceArtifact
              - Name: GitHubSource
                ActionTypeId:
                  Category: Source
                  Owner: ThirdParty
                  Provider: GitHub
                  Version: "1"
                Configuration:
                  Owner: !Ref GitHubOwner
                  OAuthToken: !Ref GitHubOAuthToken
                  Repo: !Ref GitHubRepo
                  Branch: !Ref GitHubBranch
                  PollForSourceChanges: false
                OutputArtifacts:
                  - Name: SourceArtifact
        - Name: Build
          Actions:
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName: !Ref BuildProject
              InputArtifacts:
                - Name: SourceArtifact
              OutputArtifacts:
                - Name: BuildArtifact
        - !If
          - HasTestStage
          - Name: Test
            Actions:
              - Name: IntegrationTests
                ActionTypeId:
                  Category: Test
                  Owner: AWS
                  Provider: CodeBuild
                  Version: '1'
                Configuration:
                  ProjectName: !Ref IntegrationTestsProject
                  PrimarySource: SourceArtifact
                InputArtifacts:
                  - Name: SourceArtifact
                  - Name: BuildArtifact
          - !Ref AWS::NoValue
        - !If
          - HasDeployStage
          - Name: Deploy
            Actions:
              - Name: CreateChangeSet
                ActionTypeId:
                  Category: Deploy
                  Owner: AWS
                  Provider: CloudFormation
                  Version: '1'
                InputArtifacts:
                  - Name: BuildArtifact
                Configuration:
                  ActionMode: CHANGE_SET_REPLACE
                  Capabilities: CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND
                  ParameterOverrides: !Ref DeployParameterOverrides
                  RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${DeployRoleName}
                  StackName: !Ref DeployStackName
                  TemplatePath: "BuildArtifact::packaged-template.yaml"
                  ChangeSetName: !Sub a-${DeployStackName}-Deploy
                RunOrder: 1
              - Name: ExecuteChangeSet
                ActionTypeId:
                  Category: Deploy
                  Owner: AWS
                  Provider: CloudFormation
                  Version: '1'
                Configuration:
                  ActionMode: CHANGE_SET_EXECUTE
                  StackName: !Ref DeployStackName
                  ChangeSetName: !Sub a-${DeployStackName}-Deploy
                RunOrder: 2
          - !Ref AWS::NoValue
        - !If
          - HasPublishStage
          - Name: Publish
            Actions:
              - Name: Publish
                ActionTypeId:
                  Category: Invoke
                  Owner: AWS
                  Provider: Lambda
                  Version: '1'
                Configuration:
                  FunctionName: !GetAtt SARPublishApp.Outputs.ServerlessRepoPublishFunctionName
                InputArtifacts:
                  - Name: BuildArtifact
                RunOrder: 1
          - !Ref AWS::NoValue
  PipelineRole:
    Type: AWS::IAM::Role
    Properties:
      Description: !Sub "Used by CodePipeline. Created by CloudFormation ${AWS::StackId}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "codepipeline.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: s3-access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "s3:DeleteObject"
                  - "s3:GetObject"
                  - "s3:GetObjectVersion"
                  - "s3:PutObject"
                Resource:
                  - !Sub arn:${AWS::Partition}:s3:::${Artifacts}/*
              - Effect: Allow
                Action:
                  - "s3:ListBucket"
                  - "s3:GetBucketPolicy"
                Resource:
                  - !Sub arn:${AWS::Partition}:s3:::${Artifacts}
        - PolicyName: codebuild-access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "codebuild:StartBuild"
                  - "codebuild:BatchGetBuilds"
                Resource:
                  - !GetAtt BuildProject.Arn
                  - !If
                    - HasTestStage
                    - !GetAtt IntegrationTestsProject.Arn
                    - !Ref AWS::NoValue
        - !If
          - HasDeployStage
          - PolicyName: deploy-cloudformation-access
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "cloudformation:DescribeStacks"
                    - "cloudformation:CreateChangeSet"
                    - "cloudformation:ExecuteChangeSet"
                    - "cloudformation:DescribeChangeSet"
                  Resource:
                    - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${DeployStackName}/*
          - !Ref AWS::NoValue
        - !If
          - HasPublishStage
          - PolicyName: publish-lambda-access
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "lambda:InvokeFunction"
                  Resource:
                    - !GetAtt SARPublishApp.Outputs.ServerlessRepoPublishFunctionArn
          - !Ref AWS::NoValue
        - !If
          - HasDeployStage
          - PolicyName: deploy-iam-access
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "iam:PassRole"
                  Resource:
                    - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${DeployRoleName}
          - !Ref AWS::NoValue
        - !If
          - UseCodeCommit
          - PolicyName: codecommit-access
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "codecommit:ListBranches"
                    - "codecommit:GetBranch"
                    - "codecommit:GetCommit"
                    - "codecommit:GetUploadArchiveStatus"
                    - "codecommit:GitPull"
                    - "codecommit:UploadArchive"
                    - "codecommit:CancelUploadArchive"
                  Resource:
                    - !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${CodeCommitRepo}
          - !Ref AWS::NoValue
  BuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      ServiceRole: !GetAtt BuildProjectRole.Arn
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Ref BuildSpecFilePath
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: !Ref ComputeType
        Image: 'aws/codebuild/standard:2.0'
        Type: !Ref EnvironmentType
        EnvironmentVariables:
          - Name: PACKAGE_BUCKET
            Value: !Ref Artifacts
  GitHubWebhook:
    Type: 'AWS::CodePipeline::Webhook'
    Condition: UseGitHub
    Properties:
      AuthenticationConfiguration:
        SecretToken: !Ref GitHubOAuthToken
      Filters:
        - JsonPath: "$.ref"
          MatchEquals: refs/heads/{Branch}
      Authentication: GITHUB_HMAC
      TargetPipeline: !Ref Pipeline
      TargetAction: GitHubSource
      TargetPipelineVersion: !GetAtt Pipeline.Version
      RegisterWithThirdParty: true
  IntegrationTestsProject:
    Condition: HasTestStage
    Type: AWS::CodeBuild::Project
    Properties:
      ServiceRole: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${IntegTestRoleName}
      Source:
        Type: CODEPIPELINE
        BuildSpec: !Ref IntegTestBuildSpecFilePath
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: !Ref ComputeType
        Image: 'aws/codebuild/standard:2.0'
        Type: !Ref EnvironmentType
        EnvironmentVariables:
          - Name: PACKAGE_BUCKET
            Value: !Ref Artifacts
  CodeBuildPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub codebuild-access-${AWS::StackName}
      Roles:
        - !Ref BuildProjectRole
        - !If
          - HasTestStage
          - !Ref IntegTestRoleName
          - !Ref AWS::NoValue
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*
          - Action:
              - s3:PutObject
              - s3:GetObject
              - s3:GetObjectVersion
            Effect: Allow
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${Artifacts}/*
          - Action:
              - s3:ListBucket
            Effect: Allow
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${Artifacts}
  BuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      Description: !Sub "Used in CodeBuild project. Created by CloudFormation ${AWS::StackId}"
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
        Version: '2012-10-17'
      Path: /service-role/
  DeployStagePolicy:
    Condition: HasDeployStage
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub deploy-stage-access-${AWS::StackName}
      Roles:
        - !Ref DeployRoleName
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - s3:GetObject
            Effect: Allow
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${Artifacts}/*
  SARPublishApp:
    Condition: HasPublishStage
    Type: 'AWS::Serverless::Application'
    Properties:
      Location:
        ApplicationId: 'arn:aws:serverlessrepo:us-east-1:077246666028:applications/aws-serverless-codepipeline-serverlessrepo-publish'
        SemanticVersion: 1.0.1
--------------------------------------------------------------------------------
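The `Artifacts` bucket in the template above carries only a 30-day expiry rule, and `packaged-template.yaml` is read from that bucket by the Deploy stage and executed as a CloudFormation change set with `CAPABILITY_IAM`. Whoever can overwrite an object there between the Build and Deploy stages controls what gets deployed. The fragment below is an added example, not the project's code: a drop-in replacement for the `Artifacts` and `ArtifactsPolicy` resources that keeps the original lifecycle rule and the conditional `serverlessrepo` read grant, and adds default encryption, versioning, a public access block, a TLS-only condition, and an explicit deny on `s3:PutObject` for every principal other than the roles the template itself writes with. It assumes the template's other logical names (`PipelineRole`, `BuildProjectRole`, `IntegTestRoleName`, `HasTestStage`, `HasPublishStage`) exactly as they appear above.

```yaml
# Added example, not part of aws-sam-codepipeline-cd: hardened replacement for the Artifacts
# and ArtifactsPolicy resources. Assumes the template's other logical names are unchanged.
Resources:
  Artifacts:
    Type: AWS::S3::Bucket
    Properties:
      # Original setting, kept: artifacts expire after 30 days. Old versions expire too.
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: 30
            NoncurrentVersionExpirationInDays: 30
            Status: Enabled
      # Keep earlier copies of packaged-template.yaml so a replaced artifact can be diffed
      # against what the build actually produced.
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # A bucket takes a single policy resource, so this one is unconditional and folds the
  # original serverlessrepo grant in under its own condition.
  ArtifactsPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Artifacts
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Refuse plaintext transport for every principal.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource:
              - !GetAtt Artifacts.Arn
              - !Sub '${Artifacts.Arn}/*'
            Condition:
              Bool:
                aws:SecureTransport: 'false'
          # Only the pipeline, the build project and (if present) the test role may write.
          # aws:PrincipalArn is the role ARN for assumed-role sessions, so the session name
          # does not matter. Any other identity with s3:PutObject in this account, including
          # an over-broad admin role or a leaked developer key, is refused.
          - Sid: DenyWritesFromOutsidePipeline
            Effect: Deny
            Principal: '*'
            Action: s3:PutObject
            Resource: !Sub '${Artifacts.Arn}/*'
            Condition:
              ArnNotEquals:
                aws:PrincipalArn:
                  - !GetAtt PipelineRole.Arn
                  - !GetAtt BuildProjectRole.Arn
                  - !If
                    - HasTestStage
                    - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${IntegTestRoleName}
                    - !Ref AWS::NoValue
          # Original grant for the Publish stage, unchanged in effect.
          - !If
            - HasPublishStage
            - Sid: AllowServerlessRepoRead
              Effect: Allow
              Principal:
                Service: serverlessrepo.amazonaws.com
              Action: s3:GetObject
              Resource: !Sub '${Artifacts.Arn}/*'
            - !Ref AWS::NoValue
```

The explicit deny also binds the account root, so removing it means editing the bucket policy rather than escalating credentials; `s3:DeleteObject` is intentionally left out of the deny so the pipeline role's cleanup and manual housekeeping still work. Nothing in the template references the policy resource, so swapping these two resources in does not change any other dependency.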