generated from amazon-archives/__template_MIT-0
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathtemplate.yml
More file actions
272 lines (261 loc) · 8.1 KB
/
template.yml
File metadata and controls
272 lines (261 loc) · 8.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
AWSTemplateFormatVersion: 2010-09-09
Description: Cedar policy validation pipeline
Parameters:
CedarPolicyRepoName:
Description: The name of a CodeCommit repository to be created.
Type: String
Default: cedar-policy-validation
Resources:
CodePipelineBucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'AES256'
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
Metadata:
cfn_nag:
rules_to_suppress:
- id: W35
reason: 'Access logging not configured for this sample'
- id: W51
reason: 'Bucket policy not configured for this sample'
CedarPolicyRepo:
Type: AWS::CodeCommit::Repository
Properties:
RepositoryName: !Ref CedarPolicyRepoName
CodeBuildLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: '/aws/codebuild/cedar-policy-validation'
RetentionInDays: 7
DeletionPolicy: 'Delete'
UpdateReplacePolicy: 'Delete'
Metadata:
cfn_nag:
rules_to_suppress:
- id: W84
reason: 'Default encryption (not AWS KMS) used for this sample'
CodeBuildPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
- !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${CodeBuildLogGroup}:log-stream:*'
- Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
Effect: Allow
Resource:
- !GetAtt CodePipelineBucket.Arn
- !Sub '${CodePipelineBucket.Arn}/*'
- Action:
- codecommit:GitPull
Effect: Allow
Resource: !GetAtt CedarPolicyRepo.Arn
PolicyName: !Join
- '-'
- - !Ref 'AWS::StackName'
- CodeBuildPolicy
Roles:
- !Ref 'CodeBuildServiceRole'
CedarValidationBuild:
Type: AWS::CodeBuild::Project
Properties:
Name: cedar-policy-validation
Description: Validates policies
ServiceRole: !GetAtt CodeBuildServiceRole.Arn
Source:
Type: CODECOMMIT
Location: !GetAtt CedarPolicyRepo.CloneUrlHttp
BuildSpec: buildspec.yml
Artifacts:
Type: NO_ARTIFACTS
Cache:
Location: !Ref 'CodePipelineBucket'
Type: S3
LogsConfig:
CloudWatchLogs:
Status: ENABLED
Environment:
Type: LINUX_CONTAINER
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0
TimeoutInMinutes: 60
Metadata:
cfn_nag:
rules_to_suppress:
- id: W32
reason: 'Managed CMK for EncryptionKey used for this sample'
CedarValidationReportGroup:
Type: AWS::CodeBuild::ReportGroup
Properties:
Name: cedar-policy-validation-test-report
DeleteReports: true
ExportConfig:
ExportConfigType: NO_EXPORT
Type: TEST
CedarValidationPipeline:
Type: AWS::CodePipeline::Pipeline
Properties:
Name: cedar-policy-validation
RoleArn: !GetAtt CodePipelineServiceRole.Arn
Stages:
- Name: Source
Actions:
- Name: SourceAction
ActionTypeId:
Category: Source
Owner: AWS
Version: 1
Provider: CodeCommit
OutputArtifacts:
- Name: SourceOutput
Configuration:
BranchName: main
RepositoryName: !Ref CedarPolicyRepoName
PollForSourceChanges: false
RunOrder: 1
- Name: Build
Actions:
- Name: BuildAction
ActionTypeId:
Category: Build
Owner: AWS
Version: 1
Provider: CodeBuild
Configuration:
ProjectName: cedar-policy-validation
InputArtifacts:
- Name: SourceOutput
RunOrder: 1
ArtifactStore:
Type: S3
Location: !Ref CodePipelineBucket
CodeBuildServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: codebuild.amazonaws.com
Action: sts:AssumeRole
Condition:
StringEquals:
aws:SourceArn: !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/cedar-policy-validation'
Policies:
- PolicyDocument:
Statement:
- Action:
- codebuild:CreateReportGroup
- codebuild:CreateReport
- codebuild:BatchPutTestCases
- codebuild:UpdateReport
Effect: Allow
Resource: !GetAtt CedarValidationReportGroup.Arn
PolicyName: !Join
- '-'
- - !Ref 'AWS::StackName'
- CodeBuildServiceRolePolicy
CodePipelineServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: codepipeline.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyDocument:
Statement:
- Action:
- s3:GetObject
- s3:GetObjectVersion
- s3:GetBucketVersioning
- s3:PutObject
Effect: Allow
Resource:
- !GetAtt CodePipelineBucket.Arn
- !Sub '${CodePipelineBucket.Arn}/*'
- Action:
- codecommit:CancelUploadArchive
- codecommit:GetBranch
- codecommit:GetCommit
- codecommit:GetUploadArchiveStatus
- codecommit:UploadArchive
Effect: Allow
Resource: !GetAtt CedarPolicyRepo.Arn
- Action:
- codebuild:StartBuild
- codebuild:BatchGetBuilds
- codebuild:StopBuild
Effect: Allow
Resource: !GetAtt CedarValidationBuild.Arn
PolicyName: !Join
- '-'
- - !Ref 'AWS::StackName'
- CodePipelineRolePolicy
EventRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: events.amazonaws.com
Action: sts:AssumeRole
Condition:
StringEquals:
aws:SourceAccount: !Ref 'AWS::AccountId'
Policies:
- PolicyName: cedar-pipeline-execution
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: codepipeline:StartPipelineExecution
Resource: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CedarValidationPipeline}'
EventRule:
Type: AWS::Events::Rule
Properties:
EventPattern:
source:
- aws.codecommit
detail-type:
- 'CodeCommit Repository State Change'
resources: [ !GetAtt CedarPolicyRepo.Arn ]
detail:
event:
- referenceCreated
- referenceUpdated
referenceType:
- branch
referenceName:
- main
Targets:
- Arn: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CedarValidationPipeline}'
RoleArn: !GetAtt EventRole.Arn
Id: codepipeline-CedarValidationPipeline
Outputs:
CedarPolicyRepoCloneUrl:
Description: CodeCommit repository HTTPS clone URL
Value: !GetAtt CedarPolicyRepo.CloneUrlHttp
CedarPolicyRepoCloneGRCUrl:
Description: CodeCommit repository HTTPS (GRC) clone URL
Value: !Sub 'codecommit::${AWS::Region}://${CedarPolicyRepoName}'