
Commit 5fbc517

committed
chore(CFN): Adding cfn template
1 parent 921aeda commit 5fbc517


1 file changed

+368
-0
lines changed


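--- /dev/null
+++ b/cfn/CB.yml
@@ -0,0 +1,368 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up."
+Parameters:
+  ProjectName:
+    Type: String
+    Description: The name of the CodeBuild Project
+  ProjectDescription:
+    Type: String
+    Description: The description for the CodeBuild Project
+  SourceLocation:
+    Type: String
+    Description: The https GitHub URL for the project
+  NumberOfBuildsInBatch:
+    Type: Number
+    MaxValue: 100
+    MinValue: 1
+    Default: 4
+    Description: The number of builds you expect to run in a batch
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      -
+        Label:
+          default: "Crypto Tools CodeBuild Project Template"
+        Parameters:
+          - ProjectName
+          - ProjectDescription
+          - SourceLocation
+
+Resources:
+  CodeBuildProject:
+    Type: "AWS::CodeBuild::Project"
+    Properties:
+      Name: !Ref ProjectName
+      Description: !Ref ProjectDescription
+      Source:
+        Location: !Ref SourceLocation
+        GitCloneDepth: 1
+        GitSubmodulesConfig:
+          FetchSubmodules: false
+        InsecureSsl: false
+        ReportBuildStatus: false
+        Type: "GITHUB"
+      Triggers:
+        BuildType: BUILD_BATCH
+        Webhook: True
+        FilterGroups:
+          - - Type: EVENT
+              Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED,PUSH,PULL_REQUEST_REOPENED
+      Artifacts:
+        Type: "NO_ARTIFACTS"
+      Cache:
+        Type: "NO_CACHE"
+      Environment:
+        ComputeType: "BUILD_GENERAL1_SMALL"
+        Image: "aws/codebuild/standard:3.0"
+        ImagePullCredentialsType: "CODEBUILD"
+        PrivilegedMode: false
+        Type: "LINUX_CONTAINER"
+      ServiceRole: !GetAtt CodeBuildCIServiceRole.Arn
+      TimeoutInMinutes: 60
+      QueuedTimeoutInMinutes: 480
+      EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+      BadgeEnabled: false
+      BuildBatchConfig:
+        ServiceRole: !GetAtt CodeBuildCIServiceRole.Arn
+        Restrictions:
+          MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+          ComputeTypesAllowed:
+            - BUILD_GENERAL1_SMALL
+            - BUILD_GENERAL1_MEDIUM
+        TimeoutInMins: 480
+      LogsConfig:
+        CloudWatchLogs:
+          Status: "ENABLED"
+        S3Logs:
+          Status: "DISABLED"
+          EncryptionDisabled: false
+
+  CodeBuildProjectTestRelease:
+    Type: "AWS::CodeBuild::Project"
+    Properties:
+      Name: !Sub "${ProjectName}-test-release"
+      Description: !Sub "CodeBuild project for ${ProjectName} to release to test PyPi."
+      Source:
+        Location: !Ref SourceLocation
+        BuildSpec: "codebuild/release/test-release.yml"
+        GitCloneDepth: 1
+        GitSubmodulesConfig:
+          FetchSubmodules: false
+        InsecureSsl: false
+        ReportBuildStatus: false
+        Type: "GITHUB"
+      Artifacts:
+        Type: "NO_ARTIFACTS"
+      Cache:
+        Type: "NO_CACHE"
+      Environment:
+        ComputeType: "BUILD_GENERAL1_SMALL"
+        Image: "aws/codebuild/standard:3.0"
+        ImagePullCredentialsType: "CODEBUILD"
+        PrivilegedMode: false
+        Type: "LINUX_CONTAINER"
+      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+      TimeoutInMinutes: 60
+      QueuedTimeoutInMinutes: 480
+      EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+      BadgeEnabled: false
+      BuildBatchConfig:
+        ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+        Restrictions:
+          MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+          ComputeTypesAllowed:
+            - BUILD_GENERAL1_SMALL
+            - BUILD_GENERAL1_MEDIUM
+        TimeoutInMins: 480
+      LogsConfig:
+        CloudWatchLogs:
+          Status: "ENABLED"
+        S3Logs:
+          Status: "DISABLED"
+          EncryptionDisabled: false
+
+  CodeBuildProjectProdRelease:
+    Type: "AWS::CodeBuild::Project"
+    Properties:
+      Name: !Sub "${ProjectName}-prod-release"
+      Description: !Sub "CodeBuild project for ${ProjectName} to release to prod PyPi."
+      Source:
+        Location: !Ref SourceLocation
+        BuildSpec: "codebuild/release/prod-release.yml"
+        GitCloneDepth: 1
+        GitSubmodulesConfig:
+          FetchSubmodules: false
+        InsecureSsl: false
+        ReportBuildStatus: false
+        Type: "GITHUB"
+      Artifacts:
+        Type: "NO_ARTIFACTS"
+      Cache:
+        Type: "NO_CACHE"
+      Environment:
+        ComputeType: "BUILD_GENERAL1_SMALL"
+        Image: "aws/codebuild/standard:3.0"
+        ImagePullCredentialsType: "CODEBUILD"
+        PrivilegedMode: false
+        Type: "LINUX_CONTAINER"
+      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+      TimeoutInMinutes: 60
+      QueuedTimeoutInMinutes: 480
+      EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+      BadgeEnabled: false
+      BuildBatchConfig:
+        ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+        Restrictions:
+          MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+          ComputeTypesAllowed:
+            - BUILD_GENERAL1_SMALL
+            - BUILD_GENERAL1_MEDIUM
+        TimeoutInMins: 480
+      LogsConfig:
+        CloudWatchLogs:
+          Status: "ENABLED"
+        S3Logs:
+          Status: "DISABLED"
+          EncryptionDisabled: false
+
+  CodeBuildServiceRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      Path: "/service-role/"
+      RoleName: !Sub "codebuild-${ProjectName}-service-role"
+      AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
+      MaxSessionDuration: 3600
+      ManagedPolicyArns:
+        - !Ref CryptoToolsKMS
+        - !Ref CodeBuildBatchPolicy
+        - !Ref CodeBuildBasePolicy
+        - !Ref SecretsManagerPolicy
+        - !Ref DDBPolicy
+        - "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
+        # the following three are hard coded to incorporate the drift on CFN
+        - "arn:aws:iam::587316601012:policy/service-role/CodeBuildBuildBatchPolicy-python-ddb-ec-test-release-us-west-2-codebuild-python-ddb-ec-service-role"
+        - "arn:aws:iam::587316601012:policy/service-role/CodeBuildBasePolicy-python-ddb-ec-prod-release-us-west-2"
+        - "arn:aws:iam::587316601012:policy/service-role/CodeBuildBasePolicy-python-ddb-ec-test-release-us-west-2"
+
+  CodeBuildCIServiceRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      Path: "/service-role/"
+      RoleName: !Sub "codebuild-${ProjectName}-CI-service-role"
+      AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
+      MaxSessionDuration: 3600
+      ManagedPolicyArns:
+        - !Ref CryptoToolsKMS
+        - !Ref CodeBuildCIBatchPolicy
+        - !Ref CodeBuildBasePolicy
+        - !Ref DDBPolicy
+        - "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
+
+  CodeBuildBatchPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}",
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release",
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release"
+              ],
+              "Action": [
+                "codebuild:StartBuild",
+                "codebuild:StopBuild",
+                "codebuild:RetryBuild"
+              ]
+            }
+          ]
+        }
+
+  CodeBuildCIBatchPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-CI-service-role"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
+              ],
+              "Action": [
+                "codebuild:StartBuild",
+                "codebuild:StopBuild",
+                "codebuild:RetryBuild"
+              ]
+            }
+          ]
+        }
+
+  CodeBuildBasePolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
+              ],
+              "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:s3:::codepipeline-${AWS::Region}-*"
+              ],
+              "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:GetObjectVersion",
+                "s3:GetBucketAcl",
+                "s3:GetBucketLocation"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Action": [
+                "codebuild:CreateReportGroup",
+                "codebuild:CreateReport",
+                "codebuild:UpdateReport",
+                "codebuild:BatchPutTestCases",
+                "codebuild:BatchPutCodeCoverages"
+              ],
+              "Resource": [
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
+              ]
+            }
+          ]
+        }
+
+  SecretsManagerPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiAPIToken-uERFjs",
+                "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAPIToken-nu1Gu6"
+              ],
+              "Action": "secretsmanager:GetSecretValue"
+            }
+          ]
+        }
+
+  DDBPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CryptoTools-DynamoDB-${ProjectName}-CI"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:dynamodb:us-east-1:587316601012:table/ddbec-mrk-testing",
+                "arn:aws:dynamodb:us-west-2:587316601012:table/ddbec-mrk-testing"
+              ],
+              "Action": "*"
+            }
+          ]
+        }
+
+  # There exist public AWS KMS CMKs that are used for testing
+  # Take care with these CMKs they are **ONLY** for testing!!!
+  CryptoToolsKMS:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:kms:*:658956600833:key/*",
+                "arn:aws:kms:*:658956600833:alias/*"
+              ],
+              "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:GenerateDataKey"
+              ]
+            }
+          ]
+        }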
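Review bot: `DDBPolicy` grants `"Action": "*"` on the two `ddbec-mrk-testing` tables, and both `CodeBuildServiceRole` and `CodeBuildCIServiceRole` additionally attach `AmazonDynamoDBFullAccess`, so the table-scoped policy is superseded by an account-wide grant; replace `"Action": "*"` with the explicit `dynamodb:` operations the tests perform and drop the AWS-managed policy, or add a comment stating why full access is needed. The same `CodeBuildServiceRole` backs both `CodeBuildProjectTestRelease` and `CodeBuildProjectProdRelease` while `SecretsManagerPolicy` lists both the `TestPyPiAPIToken` and `PyPiAPIToken` secrets, so a test-release build can read the production token; one role per release stage, each allowed only its own secret, keeps that boundary. `CodeBuildProject` is triggered by `PULL_REQUEST_CREATED`/`PULL_REQUEST_UPDATED` webhooks with only an `EVENT` filter, which, if the repository is public, lets any pull request run with `CodeBuildCIServiceRole`'s KMS and DynamoDB permissions; an `ACTOR_ACCOUNT_ID` filter in the same filter group, or triggering PR builds only after review, limits that. `SecretsManagerPolicy` and `DDBPolicy` hard-code `587316601012` and fixed regions where the other policies use `${AWS::AccountId}`/`${AWS::Region}`, which makes the template deploy only into that account; a comment saying this is intentional, or parameters for the account and table region, would make it explicit. Minor: `Webhook: True` should be the canonical `true`, and `CryptoToolsKMS`'s `ManagedPolicyName` carries the typo `CrypotToolsKMSPolicy`, which is a runtime name and would need a deliberate rename given the hard-coded policy ARNs kept for drift.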
