cfn-pipeline.yml

AWSTemplateFormatVersion: 2010-09-09

Description: zillow-webscraper

Parameters:
  ProjectName:
    Type: String
    Default: h-webscraper
    Description: Name for the project, used in the code repository.
    
  BuildArtifactsBucket:
    Type: String
    Default: h-webscraper-build-artifacts-us-east-1
    Description: S3 Bucket used for storing code artifacts.

  GitHubOAuthToken:
    Type: String
    NoEcho: true
    MinLength: 40
    MaxLength: 40
    AllowedPattern: "[a-z0-9]*"

  GitHubOwner:
    Type: String
    Default: nickadiemus
    AllowedPattern: "[A-Za-z0-9-]+"

  GitHubRepo:
    Type: String
    Default: h-webscraper
    AllowedPattern: "[A-Za-z0-9-]+"

  GitHubBranch:
    Type: String
    Default: dev
    AllowedPattern: "[A-Za-z0-9-]+"

Resources:

  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
      Path: /
      Policies:
        - PolicyName: CodeBuildAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Resource:
                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-build"
                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-build:*"
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
              - Effect: Allow
                Resource:
                  - !Sub "arn:aws:s3:::${BuildArtifactsBucket}/*"
                Action:
                  - "s3:GetObject"
                  - "s3:GetObjectVersion"
                  - "s3:PutObject"
                  

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${ProjectName}-build"
      Description: Build project for the s3 static content deployment
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:3.0
        EnvironmentVariables:
          - Name: APPNAME
            Value: !Ref ProjectName
          - Name: REGION
            Value: !Ref "AWS::Region"
          - Name: BUILD_OUTPUT_BUCKET
            Value: !Ref BuildArtifactsBucket
      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
      # Source:
      #   Auth:
      #     Type: OAUTH
      #   Location: https://github.com/Nickadiemus/zillow-webscraper
      #   BuildSpec: buildspec.yml
      #   Type: GITHUB
      # Triggers:
      #   Webhook: true
      Source:
        Type: CODEPIPELINE
      TimeoutInMinutes: 10

  # CloudFormation role
  CloudFormationExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          Action:
            - "sts:AssumeRole"
          Effect: Allow
          Principal:
            Service:
              - cloudformation.amazonaws.com
      Path: /
      Policies:
        - PolicyName: CloudFormationPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - cloudfront:*
                  - lambda:*
                  - cloudformation:*
                  - iam:*
                Effect: Allow
                Resource: "*"
              - Action:
                  - s3:GetObject
                Effect: Allow
                Resource:
                  - !Sub "arn:aws:s3:::${BuildArtifactsBucket}"
                  - !Sub "arn:aws:s3:::${BuildArtifactsBucket}/*"

    # CodePipeline definition and role

  PipelineExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
      Path: /
      Policies:
        - PolicyName: CodePipelineAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - iam:GetRole
                  - iam:CreateRole
                  - iam:DeleteRole
                  - iam:PutRolePolicy
                  - iam:AttachRolePolicy
                  - iam:DeleteRolePolicy
                  - iam:DetachRolePolicy
                  - iam:PassRole
                  - cloudformation:*
                  - codebuild:BatchGetBuilds
                  - codebuild:StartBuild
                  - lambda:InvokeFunction
                  - lambda:ListFunctions
                Effect: Allow
                Resource: "*"
              - Action:
                  - "s3:*"
                Effect: Allow
                Resource:
                  - !Sub "arn:aws:s3:::${BuildArtifactsBucket}"
                  - !Sub "arn:aws:s3:::${BuildArtifactsBucket}/*"

  CodePipelineDev:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ArtifactStore:
        Type: S3
        Location: !Ref BuildArtifactsBucket
      RestartExecutionOnUpdate: true
      RoleArn: !GetAtt PipelineExecutionRole.Arn
      Stages:
        - Name: Source
          Actions:
            - Name: Source
              InputArtifacts: []
              ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Version: 1
                Provider: GitHub
              OutputArtifacts:
                - Name: SourceZip
              Configuration:
                Owner: !Ref GitHubOwner
                Repo: !Ref GitHubRepo
                Branch: !Ref GitHubBranch
                PollForSourceChanges: false
                OAuthToken: !Ref GitHubOAuthToken
              RunOrder: 1
        - Name: Build
          Actions:
            - Name: CodeBuild
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: 1
              Configuration:
                ProjectName: !Ref CodeBuildProject
                EnvironmentVariables: !Sub '[{"name":"ENVIRONMENT","value":"dev"}]'
              InputArtifacts:
                - Name: SourceZip
              OutputArtifacts:
                - Name: BuildZip
              # Build and Deploy, etc., stages would follow. Here is an example
        - Name: DeployDEV
          Actions:
          - Name: CreateChangeSet
            ActionTypeId:
              Category: Deploy
              Owner: AWS
              Provider: CloudFormation
              Version: '1'
            InputArtifacts:
              - Name: BuildZip
            Configuration:
              ActionMode: CHANGE_SET_REPLACE
              Capabilities: CAPABILITY_IAM
              RoleArn: !GetAtt CloudFormationExecutionRole.Arn    
              StackName: !Sub ${ProjectName}-dev
              ChangeSetName: !Sub '${ProjectName}-ChangeSet-dev'
              TemplatePath: !Sub "BuildZip::cfn.yml"
              TemplateConfiguration: !Sub "BuildZip::cfn-params.json"
            RunOrder: 1
          - Name: ExecuteChangeSet
            ActionTypeId:
              Category: Deploy
              Owner: AWS
              Provider: CloudFormation
              Version: 1
            Configuration:
              ActionMode: CHANGE_SET_EXECUTE
              RoleArn: !GetAtt CloudFormationExecutionRole.Arn
              StackName: !Sub '${ProjectName}-dev'
              ChangeSetName: !Sub '${ProjectName}-ChangeSet-dev'
            OutputArtifacts:
              - Name: !Sub '${ProjectName}PrdChangeSet'
            RunOrder: 2
  # 'GithubWebhook' satisfies two requirements:
  # -- Means that updates are pushed from GitHub, rather than AWS having to poll
  # -- Means we can filter for required changes
  GithubWebhook:
    Type: "AWS::CodePipeline::Webhook"
    Properties:
      Authentication: GITHUB_HMAC
      AuthenticationConfiguration:
        SecretToken: !Ref GitHubOAuthToken
      RegisterWithThirdParty: "true"
      Filters:
        - JsonPath: "$.ref"
          MatchEquals: refs/heads/{Branch}
      TargetPipeline: !Ref CodePipelineDev
      TargetAction: Source
      TargetPipelineVersion: !GetAtt CodePipelineDev.Version