
Commit e6747a5

chore: Check-in the cfn template
1 parent 4265768 commit e6747a5


1 file changed

+256
-0
lines changed

1 file changed

+256
-0
lines changed

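--- a/cfn/ESDK-Javascript.yml
+++ b/cfn/ESDK-Javascript.yml
@@ -0,0 +1,256 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up."
+Parameters:
+ProjectName:
+Type: String
+Description: The name of the CodeBuild Project
+ProjectDescription:
+Type: String
+Description: The description for the CodeBuild Project
+SourceLocation:
+Type: String
+Description: The https GitHub URL for the project
+NumberOfBuildsInBatch:
+Type: Number
+MaxValue: 100
+MinValue: 1
+Default: 4
+Description: The number of builds you expect to run in a batch
+
+Metadata:
+AWS::CloudFormation::Interface:
+ParameterGroups:
+-
+Label:
+default: "Crypto Tools CodeBuild Project Template"
+Parameters:
+- ProjectName
+- ProjectDescription
+- SourceLocation
+
+Resources:
+CodeBuildProject:
+Type: "AWS::CodeBuild::Project"
+DeletionPolicy: Retain
+Properties:
+Name: !Ref ProjectName
+Description: !Ref ProjectDescription
+Source:
+Location: !Ref SourceLocation
+GitCloneDepth: 50
+GitSubmodulesConfig:
+FetchSubmodules: true
+InsecureSsl: false
+ReportBuildStatus: false
+Type: "GITHUB"
+Artifacts:
+Type: "NO_ARTIFACTS"
+Cache:
+Type: "NO_CACHE"
+Environment:
+ComputeType: "BUILD_GENERAL1_LARGE"
+Image: "aws/codebuild/standard:4.0"
+ImagePullCredentialsType: "CODEBUILD"
+PrivilegedMode: false
+Type: "LINUX_CONTAINER"
+ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+TimeoutInMinutes: 60
+QueuedTimeoutInMinutes: 480
+EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+BadgeEnabled: false
+BuildBatchConfig:
+ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+Restrictions:
+MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+ComputeTypesAllowed:
+- BUILD_GENERAL1_LARGE
+TimeoutInMins: 480
+LogsConfig:
+CloudWatchLogs:
+Status: "ENABLED"
+S3Logs:
+Status: "DISABLED"
+EncryptionDisabled: false
+
+CodeBuildProjectProdRelease:
+Type: "AWS::CodeBuild::Project"
+Properties:
+Name: !Sub "${ProjectName}-prod-release"
+Description: !Sub "CodeBuild project for ${ProjectName} to release to prod NPM."
+Source:
+Location: !Ref SourceLocation
+BuildSpec: "codebuild/release/prod-release.yml"
+GitCloneDepth: 50
+GitSubmodulesConfig:
+FetchSubmodules: true
+InsecureSsl: false
+ReportBuildStatus: false
+Type: "GITHUB"
+Artifacts:
+Type: "NO_ARTIFACTS"
+Cache:
+Type: "NO_CACHE"
+Environment:
+ComputeType: "BUILD_GENERAL1_LARGE"
+Image: "aws/codebuild/standard:4.0"
+ImagePullCredentialsType: "CODEBUILD"
+PrivilegedMode: false
+Type: "LINUX_CONTAINER"
+ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+TimeoutInMinutes: 60
+QueuedTimeoutInMinutes: 480
+EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3"
+BadgeEnabled: false
+BuildBatchConfig:
+ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+Restrictions:
+MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch
+ComputeTypesAllowed:
+- BUILD_GENERAL1_LARGE
+TimeoutInMins: 480
+LogsConfig:
+CloudWatchLogs:
+Status: "ENABLED"
+S3Logs:
+Status: "DISABLED"
+EncryptionDisabled: false
+
+
+
+CodeBuildServiceRole:
+Type: "AWS::IAM::Role"
+Properties:
+Path: "/service-role/"
+RoleName: !Sub "codebuild-${ProjectName}-service-role"
+AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
+MaxSessionDuration: 3600
+ManagedPolicyArns:
+- !Ref CryptoToolsKMS
+- !Ref CodeBuildBatchPolicy
+- !Ref CodeBuildBasePolicy
+- !Ref SecretsManagerPolicy
+
+CodeBuildBatchPolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role"
+Path: "/service-role/"
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}",
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release",
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release"
+],
+"Action": [
+"codebuild:StartBuild",
+"codebuild:StopBuild",
+"codebuild:RetryBuild"
+]
+}
+]
+}
+
+CodeBuildBasePolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}"
+Path: "/service-role/"
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release",
+"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*"
+],
+"Action": [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents"
+]
+},
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:s3:::codepipeline-${AWS::Region}-*"
+],
+"Action": [
+"s3:PutObject",
+"s3:GetObject",
+"s3:GetObjectVersion",
+"s3:GetBucketAcl",
+"s3:GetBucketLocation"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"codebuild:CreateReportGroup",
+"codebuild:CreateReport",
+"codebuild:UpdateReport",
+"codebuild:BatchPutTestCases",
+"codebuild:BatchPutCodeCoverages"
+],
+"Resource": [
+"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*"
+]
+}
+]
+}
+
+SecretsManagerPolicy:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release"
+Path: "/service-role/"
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:secretsmanager:us-west-2:587316601012:secret:npm/aws-crypto-tools-ci-bot/2FA-1CnXMl"
+],
+"Action": "secretsmanager:GetSecretValue"
+}
+]
+}
+
+# There exist public AWS KMS CMKs that are used for testing
+# Take care with these CMKs they are **ONLY** for testing!!!
+CryptoToolsKMS:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role"
+Path: "/service-role/"
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:kms:*:658956600833:key/*",
+"arn:aws:kms:*:658956600833:alias/*"
+],
+"Action": [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:GenerateDataKey"
+]
+}
+]
+}
+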
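Review bot: `CodeBuildServiceRole` is the `ServiceRole` of both `CodeBuildProject` and `CodeBuildProjectProdRelease`, so the general-purpose project (presumably the ordinary CI build, since it sets no `BuildSpec`) carries `secretsmanager:GetSecretValue` on the NPM 2FA secret from `SecretsManagerPolicy`, which a non-release build has no use for. A separate role for the release project, sketched below, keeps that policy off the shared role; the same split would also let `CodeBuildBatchPolicy` list only each role's own project instead of all three, since the batch service role only needs to start and retry child builds of its own project. Two smaller inconsistencies in the same policies: `CodeBuildBatchPolicy` and `CodeBuildBasePolicy` grant on `${ProjectName}-test-release`, a project this template does not define, and the `ManagedPolicyName` of `CryptoToolsKMS` spells its prefix `CrypotToolsKMSPolicy`. The rendered page does not preserve indentation, so the sketch uses the conventional two-space layout.
```yaml
# … unchanged: Parameters, Metadata, CodeBuildProject …
  CodeBuildProjectProdRelease:
    Type: "AWS::CodeBuild::Project"
    Properties:
      # … unchanged: Name, Description, Source, Artifacts, Cache, Environment …
      ServiceRole: !GetAtt CodeBuildReleaseServiceRole.Arn
      # … unchanged: TimeoutInMinutes, QueuedTimeoutInMinutes, EncryptionKey, BadgeEnabled …
      BuildBatchConfig:
        ServiceRole: !GetAtt CodeBuildReleaseServiceRole.Arn
        # … unchanged: Restrictions, TimeoutInMins …
      # … unchanged: LogsConfig …

  CodeBuildServiceRole:
    Type: "AWS::IAM::Role"
    Properties:
      # … unchanged: Path, RoleName, AssumeRolePolicyDocument, MaxSessionDuration …
      ManagedPolicyArns:
        - !Ref CryptoToolsKMS
        - !Ref CodeBuildBatchPolicy
        - !Ref CodeBuildBasePolicy

  # Release-only role: the only principal that can read the NPM publishing secret.
  CodeBuildReleaseServiceRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/service-role/"
      RoleName: !Sub "codebuild-${ProjectName}-release-service-role"
      AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - !Ref CryptoToolsKMS
        - !Ref CodeBuildBatchPolicy
        - !Ref CodeBuildBasePolicy
        - !Ref SecretsManagerPolicy
# … unchanged: CodeBuildBatchPolicy, CodeBuildBasePolicy, SecretsManagerPolicy, CryptoToolsKMS …
```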