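---
AWSTemplateFormatVersion: "2010-09-09"
Description: "Pre-Requisites Deployment Required for CI/CD Pipeline"

# Deploys the two shared resources a cross-account CI/CD pipeline needs in the
# tooling account: an S3 bucket for Lambda deployment artifacts and an ECR
# repository for container images. Access for the Development, Test and
# Production accounts is granted through resource policies on those two
# resources; identities in the workload accounts still need matching IAM
# identity policies of their own before they can use them.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Account Configuration
        Parameters:
          - pDevelopmentAccountId
          - pTestAccountId
          - pProductionAccountId
      - Label:
          default: ECR Repo Configuration
        Parameters:
          - pEcrRepoName
          - pImageTagMutability
          - pImagePullRoleName
          - pImagePushRoleName
      - Label:
          default: Tagging Configuration
        Parameters:
          - pEnvironmentName
          - pWorkloadName

Parameters:
  pDevelopmentAccountId:
    Type: String
    Description: "The AWS Account ID that will be used as the Development Account."
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: "This must be a 12-digit AWS account ID."
    MinLength: 12
    MaxLength: 12
  pTestAccountId:
    Type: String
    Description: "The AWS Account ID that will be used as the Test Account."
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: "This must be a 12-digit AWS account ID."
    MinLength: 12
    MaxLength: 12
  pProductionAccountId:
    Type: String
    Description: "The AWS Account ID that will be used as the Production Account."
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: "This must be a 12-digit AWS account ID."
    MinLength: 12
    MaxLength: 12
  pEcrRepoName:
    Type: String
    Description: "Name of the ECR Repo"
  pImageTagMutability:
    Type: String
    Description: >-
      Tag mutability of the ECR repository. IMMUTABLE stops an existing tag from
      being re-pointed at a different image, so a tag that was deployed always
      resolves to the same digest; MUTABLE keeps the previous (default) behaviour
      and is only appropriate if the pipeline re-pushes a rolling tag.
    Default: MUTABLE
    AllowedValues:
      - MUTABLE
      - IMMUTABLE
  pImagePullRoleName:
    Type: String
    Description: >-
      Name of the IAM role in each workload account that pulls images from the
      repository (typically the ECS task execution role). The role must already
      exist in every account, otherwise stack creation fails.
    Default: ECS-Task-Execution
    AllowedPattern: '^[\w+=,.@/-]+$'
    ConstraintDescription: "This must be a valid IAM role name (optionally with a path)."
  pImagePushRoleName:
    Type: String
    Description: >-
      Name of the IAM role in each workload account that is allowed to push
      images. Defaults to the pull role so existing deployments keep working, but
      it should be the pipeline's build role: a runtime role that can push can
      also overwrite the images it runs.
    Default: ECS-Task-Execution
    AllowedPattern: '^[\w+=,.@/-]+$'
    ConstraintDescription: "This must be a valid IAM role name (optionally with a path)."
  pEnvironmentName:
    Type: String
    Description: "Select the Name of the Environment"
    AllowedValues:
      - Production
      - Test
      - Development
  pWorkloadName:
    Type: String
    Description: "Name of the Workload"

Resources:
  # S3 Bucket for Lambda deployment artifacts.
  rS3LambdaBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "lambda-resources-${AWS::Region}-${AWS::AccountId}"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Objects written by the workload accounts would otherwise be owned by the
      # writer and unreadable by this (bucket-owner) account. BucketOwnerEnforced
      # disables object ACLs and makes the bucket owner own every object.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      # Keeps earlier artifact versions recoverable if a key is overwritten or
      # deleted, and is required if the bucket is used as a CodePipeline source.
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: Environment
          Value: !Ref pEnvironmentName
        - Key: Workload
          Value: !Ref pWorkloadName

  # Bucket policy: TLS only, plus object read/write and listing for the three
  # workload accounts. Granting to an account's root principal delegates the
  # decision to that account's IAM administrators: any identity there whose own
  # identity policy allows the action gets it.
  rS3LambdaBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref rS3LambdaBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Reject every request that does not use TLS, whoever sends it.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "arn:aws:s3:::${rS3LambdaBucket}"
              - !Sub "arn:aws:s3:::${rS3LambdaBucket}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
          # Object access is enumerated instead of s3:Get*/s3:Put* so only the
          # read/write of artifacts is delegated. PutObjectAcl is kept because
          # cross-account uploads commonly send x-amz-acl: bucket-owner-full-control,
          # which BucketOwnerEnforced still accepts.
          - Sid: AllowWorkloadAccountObjectAccess
            Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${pDevelopmentAccountId}:root"
                - !Sub "arn:aws:iam::${pTestAccountId}:root"
                - !Sub "arn:aws:iam::${pProductionAccountId}:root"
            Action:
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:PutObject
              - s3:PutObjectAcl
            Resource:
              - !Sub "arn:aws:s3:::${rS3LambdaBucket}/*"
          - Sid: AllowWorkloadAccountList
            Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${pDevelopmentAccountId}:root"
                - !Sub "arn:aws:iam::${pTestAccountId}:root"
                - !Sub "arn:aws:iam::${pProductionAccountId}:root"
            Action:
              - s3:ListBucket
            Resource:
              - !Sub "arn:aws:s3:::${rS3LambdaBucket}"

  # ECR Repository for the workload's container images.
  rEcrRepo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref pEcrRepoName
      ImageTagMutability: !Ref pImageTagMutability
      ImageScanningConfiguration:
        ScanOnPush: true
      EncryptionConfiguration:
        EncryptionType: AES256
      # Resource policy only. The roles named here must exist in the workload
      # accounts and still need ecr:GetAuthorizationToken (a registry-level
      # action) in their own identity policy to log in to the registry.
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          # Read-only: what a task execution role needs to start a container.
          - Sid: AllowWorkloadAccountPull
            Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${pDevelopmentAccountId}:role/${pImagePullRoleName}"
                - !Sub "arn:aws:iam::${pTestAccountId}:role/${pImagePullRoleName}"
                - !Sub "arn:aws:iam::${pProductionAccountId}:role/${pImagePullRoleName}"
            Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
          # Write: layer upload and image put, intended for the pipeline's build
          # role rather than the runtime role (see pImagePushRoleName).
          - Sid: AllowPipelinePush
            Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${pDevelopmentAccountId}:role/${pImagePushRoleName}"
                - !Sub "arn:aws:iam::${pTestAccountId}:role/${pImagePushRoleName}"
                - !Sub "arn:aws:iam::${pProductionAccountId}:role/${pImagePushRoleName}"
            Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:InitiateLayerUpload
              - ecr:UploadLayerPart
              - ecr:CompleteLayerUpload
              - ecr:PutImage
      Tags:
        - Key: Environment
          Value: !Ref pEnvironmentName
        - Key: Workload
          Value: !Ref pWorkloadName

Outputs:
  oLambdaBucketName:
    Description: "Name of the S3 bucket holding Lambda deployment artifacts"
    Value: !Ref rS3LambdaBucket
    Export:
      Name: !Sub "${AWS::StackName}-LambdaBucketName"
  oEcrRepositoryArn:
    Description: "ARN of the ECR repository"
    Value: !GetAtt rEcrRepo.Arn
    Export:
      Name: !Sub "${AWS::StackName}-EcrRepositoryArn"
  oEcrRepositoryUri:
    Description: "Repository URI (registry/name) to use for docker push and pull"
    Value: !GetAtt rEcrRepo.RepositoryUri
    Export:
      Name: !Sub "${AWS::StackName}-EcrRepositoryUri"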