# Only valid format version; kept quoted so a YAML 1.1 loader does not turn
# the date-shaped value into a timestamp.
AWSTemplateFormatVersion: '2010-09-09'
# SAM transform, needed for the AWS::Serverless::Application resource in this template.
Transform: 'AWS::Serverless-2016-10-31'
Description: 'This template creates IAM roles and use them to setup CD pipeline for the ops component.'
Parameters:
  # Secrets Manager secret id holding the GitHub OAuth token. Only the id is
  # passed around; the token value is resolved by CloudFormation at deploy
  # time through a dynamic reference and never appears in this template.
  GitHubOAuthTokenSecretId:
    Type: String
    Description: The AWS Secrets Manager Secret Id that stores Github OAuth token.
    Default: "GitHubOAuthToken"

  # GitHub account or organisation that owns the source repository.
  GitHubOwner:
    Type: String
    Description: The GitHub owner of the repository.
    Default: "awslabs"

  # Target stack name; also used as the prefix that scopes several IAM
  # resource ARNs in the deploy policy, so changing it changes what the
  # deploy role may touch.
  ApplicationStackName:
    Type: String
    Description: The stack name the CICD will deploy the application to.
    Default: "realworld-serverless-application-ops"

  # Free-form stage label forwarded to the application stack as a parameter
  # override (no AllowedValues, so any string is accepted).
  Stage:
    Type: String
    Description: The stage where the application is running in, e.g., dev, prod.
    Default: "dev"
Resources:
  # Continuous-delivery pipeline, pulled in as a nested application from the
  # AWS Serverless Application Repository. The exact SemanticVersion pin means
  # a newer publisher release cannot change the pipeline without an edit here.
  CD:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        # Publisher account and region are fixed by the SAR application ARN.
        ApplicationId: arn:aws:serverlessrepo:us-east-1:646794253159:applications/aws-sam-codepipeline-cd
        SemanticVersion: '0.1.3'
      Parameters:
        # Dynamic reference: the token is read from Secrets Manager when the
        # stack is deployed. No JSON-key selector is given, so the whole
        # SecretString is used and the secret must hold the bare token.
        # NOTE(review): the nested application should declare GitHubOAuthToken
        # as NoEcho so the resolved value is not shown as a stack parameter —
        # confirm for version 0.1.3.
        GitHubOAuthToken: !Sub '{{resolve:secretsmanager:${GitHubOAuthTokenSecretId}}}'
        GitHubOwner: !Ref GitHubOwner
        GitHubRepo: realworld-serverless-application
        DeployStackName: !Ref ApplicationStackName
        # Role CloudFormation assumes when the pipeline deploys the stack;
        # its permissions are defined by CloudFormationDeployPolicy.
        DeployRoleName: !Ref DeployRole
        # JSON string of parameter overrides applied to the deployed stack.
        DeployParameterOverrides: !Sub '{"Stage":"${Stage}"}'
        # Build spec path relative to the repository root.
        BuildSpecFilePath: 'ops/buildspec.yaml'
# This policy defines the minimum IAM permissions required to Create and Delete a stack for ops component into CloudFormation
  CloudFormationDeployPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref DeployRole
      PolicyName: 'deploy-create-delete-access'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Allows the change set to run the SAM and Include transforms.
          # No stack-level CloudFormation actions are granted here; presumably
          # the CD application's own pipeline role covers those — verify.
          - Effect: Allow
            Action:
              - cloudformation:CreateChangeSet
            Resource:
              - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31'
              - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:aws:transform/Include'

          # SNS topics, limited to names prefixed with the target stack name.
          - Effect: Allow
            Action:
              - sns:CreateTopic
              - sns:GetTopicAttributes
              - sns:DeleteTopic
            Resource:
              - !Sub 'arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${ApplicationStackName}-*'

          # Dashboard ARNs carry no region (hence the empty field). This grant
          # covers every dashboard in the account, not just this stack's.
          # NOTE(review): if the ops template names its dashboards with the
          # stack name, tighten to dashboard/${ApplicationStackName}-* — confirm.
          - Effect: Allow
            Action:
              - cloudwatch:PutDashboard
              - cloudwatch:DeleteDashboards
            Resource:
              - !Sub 'arn:${AWS::Partition}:cloudwatch::${AWS::AccountId}:dashboard/*'

          # Alarms, limited to names prefixed with the target stack name.
          - Effect: Allow
            Action:
              - cloudwatch:PutMetricAlarm
              - cloudwatch:DeleteAlarms
            Resource:
              - !Sub 'arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:${ApplicationStackName}-*'

          # SSM parameters under one fixed path. The path is not qualified by
          # Stage or stack name, so every stage's deploy role can write the
          # same subtree. NOTE(review): consider a per-stage path if the
          # application's parameter layout allows it.
          - Effect: Allow
            Action:
              - ssm:PutParameter
              - ssm:DeleteParameter
              - ssm:GetParameters
              - ssm:GetParametersByPath
              - ssm:AddTagsToResource
              - ssm:RemoveTagsFromResource
            Resource:
              - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/applications/apprepo/*'
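# This role is used to deploy realworld-serverless-application-ops to CloudFormation.
  DeployRole:
    Type: AWS::IAM::Role
    Properties:
      Description: !Sub "Deploy CloudFormation stack ${ApplicationStackName}. Created by CloudFormation ${AWS::StackId}"
      # Trust policy: only the CloudFormation service may assume this role.
      # The aws:SourceAccount condition restricts that to CloudFormation acting
      # on behalf of this account, so a stack in another account cannot use the
      # service to assume it (cross-service confused deputy). To tighten
      # further, add aws:SourceArn with the pattern
      # arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${ApplicationStackName}/*
      # once it is confirmed that only that stack is deployed with this role.
      # The role's permissions come from CloudFormationDeployPolicy.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref AWS::AccountId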