
Commit c122076

chore(CFN): Commit existing CFN (aws#636)
1 parent bbb2281 commit c122076


1 file changed

+341
-0
lines changed


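--- /dev/null
+++ b/cfn/ESDK-Python.yml
@@ -0,0 +1,341 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up."
+Parameters:
+  ProjectName:
+    Type: String
+    Description: The name of the CodeBuild Project
+  ProjectDescription:
+    Type: String
+    Description: The description for the CodeBuild Project
+  SourceLocation:
+    Type: String
+    Description: The https GitHub URL for the project
+  NumberOfBuildsInBatch:
+    Type: Number
+    MaxValue: 100
+    MinValue: 1
+    Default: 4
+    Description: The number of builds you expect to run in a batch
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      -
+        Label:
+          default: "Crypto Tools CodeBuild Project Template"
+        Parameters:
+          - ProjectName
+          - ProjectDescription
+          - SourceLocation
+
+Resources:
+  CodeBuildProject:
+    Type: "AWS::CodeBuild::Project"
+    Properties:
+      Name: !Ref ProjectName
+      Description: !Ref ProjectDescription
+      Source:
+        Location: !Ref SourceLocation
+        GitCloneDepth: 1
+        GitSubmodulesConfig:
+          FetchSubmodules: true
+        InsecureSsl: false
+        ReportBuildStatus: false
+        Type: "GITHUB"
+      Artifacts:
+        Type: "NO_ARTIFACTS"
+      Cache:
+        Type: "NO_CACHE"
+      Environment:
+        ComputeType: "BUILD_GENERAL1_MEDIUM"
+        Image: "aws/codebuild/standard:3.0"
+        ImagePullCredentialsType: "CODEBUILD"
+        PrivilegedMode: false
+        Type: "LINUX_CONTAINER"
+      ServiceRole: !GetAtt CodeBuildCIServiceRole.Arn
+      TimeoutInMinutes: 60
+      QueuedTimeoutInMinutes: 480
+      EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+      BadgeEnabled: false
+      BuildBatchConfig:
+        ServiceRole: !GetAtt CodeBuildCIServiceRole.Arn
+        Restrictions:
+          MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+          ComputeTypesAllowed:
+            - BUILD_GENERAL1_SMALL
+            - BUILD_GENERAL1_MEDIUM
+        TimeoutInMins: 480
+      LogsConfig:
+        CloudWatchLogs:
+          Status: "ENABLED"
+        S3Logs:
+          Status: "DISABLED"
+          EncryptionDisabled: false
+
+  CodeBuildProjectTestRelease:
+    Type: "AWS::CodeBuild::Project"
+    Properties:
+      Name: !Sub "${ProjectName}-test-release"
+      Description: !Sub "CodeBuild project for ${ProjectName} to release to test PyPi."
+      Source:
+        Location: !Ref SourceLocation
+        BuildSpec: "codebuild/release/test-release.yml"
+        GitCloneDepth: 1
+        GitSubmodulesConfig:
+          FetchSubmodules: false
+        InsecureSsl: false
+        ReportBuildStatus: false
+        Type: "GITHUB"
+      Artifacts:
+        Type: "NO_ARTIFACTS"
+      Cache:
+        Type: "NO_CACHE"
+      Environment:
+        ComputeType: "BUILD_GENERAL1_SMALL"
+        Image: "aws/codebuild/standard:3.0"
+        ImagePullCredentialsType: "CODEBUILD"
+        PrivilegedMode: false
+        Type: "LINUX_CONTAINER"
+      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+      TimeoutInMinutes: 60
+      QueuedTimeoutInMinutes: 480
+      EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+      BadgeEnabled: false
+      BuildBatchConfig:
+        ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+        Restrictions:
+          MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+          ComputeTypesAllowed:
+            - BUILD_GENERAL1_SMALL
+            - BUILD_GENERAL1_MEDIUM
+        TimeoutInMins: 480
+      LogsConfig:
+        CloudWatchLogs:
+          Status: "ENABLED"
+        S3Logs:
+          Status: "DISABLED"
+          EncryptionDisabled: false
+
+  CodeBuildProjectProdRelease:
+    Type: "AWS::CodeBuild::Project"
+    Properties:
+      Name: !Sub "${ProjectName}-prod-release"
+      Description: !Sub "CodeBuild project for ${ProjectName} to release to prod PyPi."
+      Source:
+        Location: !Ref SourceLocation
+        BuildSpec: "codebuild/release/prod-release.yml"
+        GitCloneDepth: 1
+        GitSubmodulesConfig:
+          FetchSubmodules: false
+        InsecureSsl: false
+        ReportBuildStatus: false
+        Type: "GITHUB"
+      Artifacts:
+        Type: "NO_ARTIFACTS"
+      Cache:
+        Type: "NO_CACHE"
+      Environment:
+        ComputeType: "BUILD_GENERAL1_SMALL"
+        Image: "aws/codebuild/standard:3.0"
+        ImagePullCredentialsType: "CODEBUILD"
+        PrivilegedMode: false
+        Type: "LINUX_CONTAINER"
+      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+      TimeoutInMinutes: 60
+      QueuedTimeoutInMinutes: 480
+      EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+      BadgeEnabled: false
+      BuildBatchConfig:
+        ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+        Restrictions:
+          MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+          ComputeTypesAllowed:
+            - BUILD_GENERAL1_SMALL
+            - BUILD_GENERAL1_MEDIUM
+        TimeoutInMins: 480
+      LogsConfig:
+        CloudWatchLogs:
+          Status: "ENABLED"
+        S3Logs:
+          Status: "DISABLED"
+          EncryptionDisabled: false
+
+
+
+  CodeBuildServiceRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      Path: "/service-role/"
+      RoleName: !Sub "codebuild-${ProjectName}-service-role"
+      AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
+      MaxSessionDuration: 3600
+      ManagedPolicyArns:
+        - !Ref CryptoToolsKMS
+        - !Ref CodeBuildBatchPolicy
+        - !Ref CodeBuildBasePolicy
+        - !Ref SecretsManagerPolicy
+
+  CodeBuildCIServiceRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      Path: "/service-role/"
+      RoleName: !Sub "codebuild-${ProjectName}-CI-service-role"
+      AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
+      MaxSessionDuration: 3600
+      ManagedPolicyArns:
+        - !Ref CryptoToolsKMS
+        - !Ref CodeBuildCIBatchPolicy
+        - !Ref CodeBuildBasePolicy
+
+  CodeBuildBatchPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}",
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release",
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release"
+              ],
+              "Action": [
+                "codebuild:StartBuild",
+                "codebuild:StopBuild",
+                "codebuild:RetryBuild"
+              ]
+            }
+          ]
+        }
+
+  CodeBuildCIBatchPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-CI-service-role"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
+              ],
+              "Action": [
+                "codebuild:StartBuild",
+                "codebuild:StopBuild",
+                "codebuild:RetryBuild"
+              ]
+            }
+          ]
+        }
+
+  CodeBuildBasePolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
+                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
+              ],
+              "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:s3:::codepipeline-${AWS::Region}-*"
+              ],
+              "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:GetObjectVersion",
+                "s3:GetBucketAcl",
+                "s3:GetBucketLocation"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Action": [
+                "codebuild:CreateReportGroup",
+                "codebuild:CreateReport",
+                "codebuild:UpdateReport",
+                "codebuild:BatchPutTestCases",
+                "codebuild:BatchPutCodeCoverages"
+              ],
+              "Resource": [
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
+              ]
+            }
+          ]
+        }
+
+  SecretsManagerPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiCryptoTools-SxeLBh",
+                "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAdmin-ZWyd1T"
+              ],
+              "Action": "secretsmanager:GetSecretValue"
+            }
+          ]
+        }
+
+  # There exist public AWS KMS CMKs that are used for testing
+  # Take care with these CMKs they are **ONLY** for testing!!!
+  CryptoToolsKMS:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role"
+      Path: "/service-role/"
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:kms:*:658956600833:key/*",
+                "arn:aws:kms:*:658956600833:alias/*",
+                "arn:aws:kms:*:370957321024:key/*",
+                "arn:aws:kms:*:370957321024:alias/*"
+              ],
+              "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt*",
+                "kms:Generate*",
+                "kms:GetPublicKey",
+                "kms:DescribeKey"
+              ]
+            }
+          ]
+        }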
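Review bot: The test-release and prod-release projects both run under `CodeBuildServiceRole`, and that role carries `SecretsManagerPolicy`, which grants `secretsmanager:GetSecretValue` on both `TestPyPiCryptoTools-*` and `PyPiAdmin-*` — so a build started from the test-release project (or a compromised `codebuild/release/test-release.yml`) can read the production PyPI credential. Splitting this into a test role that only sees the test secret and a prod role that only sees `PyPiAdmin` would keep the lower-trust path from reaching the production publish key. The secret ARNs are also hardcoded to `us-west-2` and account `587316601012` while every other ARN in the template is derived from `${AWS::Region}`/`${AWS::AccountId}`; deploying the stack elsewhere would silently produce a role that cannot reach its secrets, so these belong in Parameters (or at least `${AWS::AccountId}`). Both role trust policies allow `codebuild.amazonaws.com` unconditionally; the usual confused-deputy guard is to make `AssumeRolePolicyDocument` a `!Sub` and add `"Condition":{"StringEquals":{"aws:SourceAccount":"${AWS::AccountId}"}}` (or `aws:SourceArn` scoped to the three project ARNs) to the statement. The `CryptoToolsKMS` policy is attached to the release role as well as the CI role even though the release projects only need the PyPI secrets, which is worth confirming against the release buildspecs before leaving it there.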
