Commit 013af21e authored by ethiraj krishnamanaidu's avatar ethiraj krishnamanaidu

Merge branch 'trusted-ado-codemerge' into 'master'

ado codemerge

See merge request !1
parents 4f4b1403 2dd7708c
# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description: >
This CloudFormation template deploys a KMS key store, which we use for storing our
shared secrets, including the keys to our private Maven repositories on S3 and
Azure DevOps.
Parameters:
Environment:
Description: The name of the environment.
Type: String
AllowedValues:
- dev
- uat
- prod
ConstraintDescription: Environment can only be "dev/uat/prod".
Default: dev
DeploymentRegion:
Description: The AWS region to deploy the resources to.
Type: String
Default: us-east-1
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref VpcCIDR
EnableDnsSupport: true
EnableDnsHostnames: true
Tags:
- Key: Name
Value: !Sub ${Environment}-vpc
- Key: Environment
Value: !Ref Environment
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Name
Value: !Sub ${Environment}-internet-gateway
- Key: Environment
Value: !Ref Environment
InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
PublicSubnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [ 0, !GetAZs '' ]
CidrBlock: !Ref PublicSubnet1CIDR
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: !Sub ${Environment}-public-subnet-az1
- Key: Environment
Value: !Ref Environment
PublicSubnet2:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [ 1, !GetAZs '' ]
CidrBlock: !Ref PublicSubnet2CIDR
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: !Sub ${Environment}-public-subnet-az2
- Key: Environment
Value: !Ref Environment
PrivateSubnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [ 0, !GetAZs '' ]
CidrBlock: !Ref PrivateSubnet1CIDR
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: !Sub ${Environment}-private-subnet-az1
- Key: Environment
Value: !Ref Environment
PrivateSubnet2:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [ 1, !GetAZs '' ]
CidrBlock: !Ref PrivateSubnet2CIDR
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: !Sub ${Environment}-private-subnet-az2
- Key: Environment
Value: !Ref Environment
NatGateway1EIP:
Type: AWS::EC2::EIP
DependsOn: InternetGatewayAttachment
Properties:
Domain: vpc
NatGateway2EIP:
Type: AWS::EC2::EIP
DependsOn: InternetGatewayAttachment
Properties:
Domain: vpc
NatGateway1:
Type: AWS::EC2::NatGateway
Properties:
AllocationId: !GetAtt NatGateway1EIP.AllocationId
SubnetId: !Ref PublicSubnet1
Tags:
- Key: Name
Value: !Sub ${Environment}-nat-gateway-az1
- Key: Environment
Value: !Ref Environment
NatGateway2:
Type: AWS::EC2::NatGateway
Properties:
AllocationId: !GetAtt NatGateway2EIP.AllocationId
SubnetId: !Ref PublicSubnet2
Tags:
- Key: Name
Value: !Sub ${Environment}-nat-gateway-az2
- Key: Environment
Value: !Ref Environment
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: !Sub ${Environment}-public-routes
- Key: Environment
Value: !Ref Environment
DefaultPublicRoute:
Type: AWS::EC2::Route
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
PublicSubnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref PublicSubnet1
PublicSubnet2RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref PublicSubnet2
PrivateRouteTable1:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: !Sub ${Environment}-private-routes-az1
- Key: Environment
Value: !Ref Environment
DefaultPrivateRoute1:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PrivateRouteTable1
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref NatGateway1
PrivateSubnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PrivateRouteTable1
SubnetId: !Ref PrivateSubnet1
PrivateRouteTable2:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: !Sub ${Environment}-private-routes-az2
- Key: Environment
Value: !Ref Environment
DefaultPrivateRoute2:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PrivateRouteTable2
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref NatGateway2
PrivateSubnet2RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PrivateRouteTable2
SubnetId: !Ref PrivateSubnet2
CodeBuildSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: !Sub "${Environment}codebuild-sg"
GroupDescription: "This is the security group that all of our CodeBuild instances will be placed into."
VpcId: !Ref VPC
SecurityGroupSelfIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref CodeBuildSecurityGroup
IpProtocol: "tcp"
FromPort: "0"
ToPort: "65535"
SourceSecurityGroupId: !Ref "CodeBuildSecurityGroup"
Outputs:
VPC:
Description: A reference to the created VPC
Value: !Ref VPC
Export:
Name: !Sub ${Environment}-OSDU-VPC
PublicSubnets:
Description: A list of the public subnets
Value: !Join [ ",", [ !Ref PublicSubnet1, !Ref PublicSubnet2 ]]
PrivateSubnets:
Description: A list of the private subnets
Value: !Join [ ",", [ !Ref PrivateSubnet1, !Ref PrivateSubnet2 ]]
PublicSubnet1:
Description: A reference to the public subnet in the first availability zone
Value: !Ref PublicSubnet1
Export:
Name: !Sub ${Environment}-OSDU-PublicSubnet-AZ1
PublicSubnet2:
Description: A reference to the public subnet in the second availability zone
Value: !Ref PublicSubnet2
Export:
Name: !Sub ${Environment}-OSDU-PublicSubnet-AZ2
PrivateSubnet1:
Description: A reference to the private subnet in the first availability zone
Value: !Ref PrivateSubnet1
Export:
Name: !Sub ${Environment}-OSDU-PrivateSubnet-AZ1
PrivateSubnet2:
Description: A reference to the private subnet in the second availability zone
Value: !Ref PrivateSubnet2
Export:
Name: !Sub ${Environment}-OSDU-PrivateSubnet-AZ2
CodeBuildSecurityGroup:
Description: This security group allows ingress for Postgres SQL and itself
Value: !Ref CodeBuildSecurityGroup
Export:
Name: !Sub ${Environment}-OSDU-CodeBuildSecurityGroup
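Review bot: The VPC and subnet `CidrBlock` lines reference `VpcCIDR`, `PublicSubnet1CIDR`, `PublicSubnet2CIDR`, `PrivateSubnet1CIDR` and `PrivateSubnet2CIDR` with `!Ref`, but the Parameters block declares only `Environment` and `DeploymentRegion`, so the template fails validation unless this rendering has dropped lines (the master template's VpcStack presumably passes them in, so they need matching declarations here). The `Description` says the template "deploys a KMS key store" for shared secrets, which does not describe a VPC/subnet/NAT-gateway template; suggest `Description: Deploys the shared VPC, public/private subnets, NAT gateways and CodeBuild security group for one environment.`. The `CodeBuildSecurityGroup` output claims the group "allows ingress for Postgres SQL and itself", yet the only rule is `SecurityGroupSelfIngress` (TCP 0-65535 from the group itself), so the output description should say that and the Postgres claim should go. `DeploymentRegion` is declared but never referenced in this template.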
# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description:
......
# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description: >
......@@ -27,9 +41,9 @@ Parameters:
Default: barclay.walsh@parivedasolutions.com
CodeCommitRepositoryName:
Description: The name of the Code Commit Repository that the CodePipeline source is connected to.
Description: The name of the CodeCommit Repository that the CodePipeline source is connected to.
Type: String
Default: aws-osdu-util
Default: os-core-lib-aws
CodeCommitBranchName:
Description: The name of the Code Commit branch that the CodePipeline source is connected to.
......@@ -39,19 +53,19 @@ Parameters:
MasterStackName:
Description: The name of the master stack that is being deployed by the CodePipeline.
Type: String
Default: aws-osdu-util-master-stack
Default: os-core-lib-aws-master-stack
MasterTemplateName:
Description: The name of the master template that is called when creating the master stack.
Type: String
Default: CloudFormation/Master/aws-osdu-util-master.yml
Default: CloudFormation/Master/os-core-lib-aws-master.yml
Resources:
S3BucketCloudFormation:
Type: 'AWS::S3::Bucket'
DeletionPolicy: Delete
Properties:
BucketName: !Sub ${Environment}-aws-osdu-util-cloudformation-scripts
BucketName: !Sub ${Environment}-${AWS::AccountId}-osdu-cloudformation-scripts
CloudFormationS3BucketPolicy:
Type: AWS::S3::BucketPolicy
......@@ -135,7 +149,7 @@ Resources:
Subscription:
- Endpoint: !Ref SNSNotificationEmail
Protocol: email
TopicName: !Sub '${Environment}-AWS-OSDU-Util-Deployment-CodePipeline-Failed'
TopicName: !Sub '${Environment}-OS-Core-Lib-AWS-Deployment-CodePipeline-Failed'
EventRuleCodePipelineFailed:
Type: AWS::Events::Rule
......@@ -150,7 +164,7 @@ Resources:
state:
- "FAILED"
pipeline:
- !Sub '${Environment}-AWS-OSDU-Util-Resources-CodePipeline'
- !Sub '${Environment}-OS-Core-Lib-AWS-Resources-CodePipeline'
Name: !Sub ${Environment}-CodePipelineEventRule-${CodeCommitRepositoryName}
Targets:
......@@ -169,7 +183,7 @@ Resources:
ArtifactStore:
Location: !Ref ArtifactStoreBucket
Type: S3
Name: !Sub '${Environment}-OSDU-AWS-OSDU-Util-CodePipeline'
Name: !Sub '${Environment}-OSDU-OS-Core-Lib-AWS-CodePipeline'
RoleArn: !GetAtt [PipelineRole, Arn]
Stages:
- Name: Source
......@@ -252,13 +266,10 @@ Resources:
Value: !Ref DeploymentRegion
- Name: CFN_S3_BUCKET
Type: PLAINTEXT
Value: !Sub ${Environment}-aws-osdu-util-cloudformation-scripts
- Name: VSTS_FEED_USER
Type: PLAINTEXT
Value: '{{resolve:secretsmanager:dev-VSTSFeedToken:SecretString:vsts_feed_user}}'
- Name: VSTS_FEED_TOKEN
Value: !Ref S3BucketCloudFormation
- Name: M2_REPO_S3_BUCKET
Type: PLAINTEXT
Value: '{{resolve:secretsmanager:dev-VSTSFeedToken:SecretString:vsts_feed_token}}'
Value: !Sub "${Environment}-${AWS::AccountId}-persistent-maven-m2-bucket"
PrivilegedMode: false
Source:
BuildSpec: ./buildspec.yml
......@@ -269,15 +280,10 @@ Resources:
Location: !Sub ${CachingBucket}/${Environment}
TimeoutInMinutes: 15
CodeDeployApplication:
Type: AWS::CodeDeploy::Application
Properties:
ApplicationName: !Sub ${Environment}-aws-osdu-util-code-deploy
ComputePlatform: ECS
CFNRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub ${Environment}-CloudFormationRole
AssumeRolePolicyDocument:
Statement:
- Action: ['sts:AssumeRole']
......@@ -287,7 +293,7 @@ Resources:
Version: '2012-10-17'
Path: /
Policies:
- PolicyName: !Sub CloudFormationRole-${CodeCommitRepositoryName}
- PolicyName: !Sub ${Environment}-CloudFormationRole-Policy
PolicyDocument:
Version: '2012-10-17'
Statement:
......@@ -382,14 +388,25 @@ Resources:
- 'route53:*'
- 'route53domains:*'
- 'elasticache:*'
- 'ecr:*'
- 'codedeploy:*'
- 'elasticloadbalancing:*'
- 'ecs:*'
- 'servicediscovery:CreatePrivateDnsNamespace'
- 'servicediscovery:CreateService'
- 'servicediscovery:GetNamespace'
- 'servicediscovery:GetOperation'
- 'servicediscovery:GetService'
- 'servicediscovery:ListNamespaces'
- 'servicediscovery:ListServices'
- 'servicediscovery:UpdateService'
- 'servicediscovery:DeleteService'
Effect: Allow
Resource: '*'
CodeBuildRole:
Type: "AWS::IAM::Role"
Type: AWS::IAM::Role
Properties:
RoleName: !Sub CodeBuildRole-${CodeCommitRepositoryName}
RoleName: !Sub ${Environment}-CodeBuildRole
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
......@@ -403,7 +420,7 @@ Resources:
Path: /service-role/
Policies:
-
PolicyName: !Sub CodeBuildNestedCFNAccessPolicy-${CodeCommitRepositoryName}
PolicyName: !Sub ${Environment}-CodeBuildNestedCFN-AccessPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
......@@ -430,21 +447,11 @@ Resources:
- "codecommit:Get*"
- "codecommit:GitPull"
Resource:
- !Sub arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${CodeCommitRepositoryName}
- '*'
-
Effect: "Allow"
Action:
- "ec2:Describe*"
- "ec2:Get*"
- "ec2:Search*"
- "ec2:*Vpc*"
- "ec2:*Gateway"
- "ec2:*Tags"
- "ec2:*Subnet*"
- "ec2:*Route*"
- "ec2:*SecurityGroup"
- "ec2:allocate*"
- "ec2:release*"
- "ec2:*"
- "cloudformation:ValidateTemplate"
- "elasticloadbalancing:Describe*"
- "autoscaling:Describe*"
......@@ -453,6 +460,9 @@ Resources:
- "logs:Describe*"
- "logs:Get*"
- "tag:Get*"
- "ecr:*"
- "codedeploy:*"
- "ecs:*"
Resource:
- "*"
-
......@@ -490,6 +500,7 @@ Resources:
PipelineRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub ${Environment}-CodePipelineRole
AssumeRolePolicyDocument:
Statement:
- Action: ['sts:AssumeRole']
......@@ -499,7 +510,7 @@ Resources:
Version: '2012-10-17'
Path: /
Policies:
- PolicyName: !Sub CodePipelineAccess-${CodeCommitRepositoryName}
- PolicyName: !Sub ${Environment}-CodePipeline-AccessPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
......@@ -547,3 +558,28 @@ Resources:
- "codebuild:*"
Resource:
- Fn::Sub: arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*
Outputs:
S3BucketCloudFormation:
Description: The name of the S3 bucket where each OSDU service's CloudFormation templates are copied for deployment.
Value: !Ref S3BucketCloudFormation
Export:
Name: !Sub ${Environment}-S3BucketCloudFormation
CodeBuildRoleArn:
Description: The ARN of the role used by the CodeBuild projects.
Value: !GetAtt CodeBuildRole.Arn
Export:
Name: !Sub ${Environment}-CodeBuildRoleArn
CFNRoleArn:
Description: The ARN of the role used by CloudFormation templates run from the automated pipeline.
Value: !GetAtt CFNRole.Arn
Export:
Name: !Sub ${Environment}-CFNRoleArn
PipelineRoleArn:
Description: The ARN of the role used by each OSDU service's CodePipeline.
Value: !GetAtt PipelineRole.Arn
Export:
Name: !Sub ${Environment}-PipelineRoleArn
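Review bot: In the CodeBuildRole policy the codecommit statement's `Resource` is widened from `arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${CodeCommitRepositoryName}` to `'*'`, and the enumerated `ec2:Describe*`/`ec2:*Vpc*`/`ec2:*Subnet*` action set is collapsed to `ec2:*`, both on Resource `*`, so the build role can now pull any repository in the account and call any EC2 API rather than the networking subset it previously had. The same broadening appears in the hunk adding `ecr:*`, `codedeploy:*`, `ecs:*` to CodeBuildRole and the hunk adding `ecr:*`, `codedeploy:*`, `elasticloadbalancing:*`, `ecs:*` to CFNRole. `CodeCommitRepositoryName` is still a parameter of this template, so the repository-scoped ARN can simply be kept, and the ecs/ecr/codedeploy grants should list the actions the buildspec and deployment actually use instead of service-wide wildcards; the enclosing policy documents for these statements start and end outside the hunks.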
# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description: >
Creates all shared AWS resources used by OSDU. Requires having previously setup the
......@@ -18,13 +32,10 @@ Parameters:
Type: String
Default: us-east-1
ChildTemplateBasePath:
Description: >-
The base path for where child CloudFormation templates are located – can be relative or absolute, e.g.
https://s3.amazonaws.com/dev-osdu-cloudformation-scripts/Automated/
CodeCommitRepositoryName:
Description: The name of the CodeCommit Repository that the CodePipeline source is connected to.
Type: String
AllowedPattern: '^https:\/\/s3.amazonaws.com\/.*\/$'
Default: https://s3.amazonaws.com/dev-osdu-cloudformation-scripts/Automated/
Default: os-core-lib-aws
VpcCIDR:
Description: Please enter the IP range (CIDR notation) for this VPC.
......@@ -57,8 +68,13 @@ Resources:
VpcStack:
Type: 'AWS::CloudFormation::Stack'
DeletionPolicy: Retain
Properties:
TemplateURL: !Join [ '', [ !Ref ChildTemplateBasePath, vpc.yml ] ]
TemplateURL: !Sub
- https://s3.amazonaws.com/${CloudFormationS3Bucket}/${CodeCommitRepositoryName}/Automated/${CFNTemplateFilename}
- CloudFormationS3Bucket: !ImportValue
'Fn::Sub': '${Environment}-S3BucketCloudFormation'
CFNTemplateFilename: vpc.yml
Parameters:
Environment: !Ref Environment
DeploymentRegion: !Ref DeploymentRegion
......
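Review bot: The new `CodeCommitRepositoryName` parameter is interpolated into the VpcStack `TemplateURL` path (`https://s3.amazonaws.com/${CloudFormationS3Bucket}/${CodeCommitRepositoryName}/Automated/${CFNTemplateFilename}`), but unlike the `ChildTemplateBasePath` it replaces it carries no `AllowedPattern`, so a value containing `/`, whitespace or an empty string yields a malformed URL or a path outside the intended `${repo}/Automated/` prefix. Add a constraint in the parameter declaration such as `AllowedPattern: '^[A-Za-z0-9._-]+$'` with a `ConstraintDescription` naming the allowed characters, which matches the character set CodeCommit accepts for repository names. The `DeletionPolicy: Retain` on VpcStack appears to be existing context; if it is intentional that the nested VPC stack outlives deletion of the master stack, a one-line comment above it would save the next reader from checking.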
......@@ -2,7 +2,7 @@
"Parameters" : {
"Environment" : "dev",
"DeploymentRegion" : "us-east-1",
"ChildTemplateBasePath" : "https://s3.amazonaws.com/dev-aws-osdu-util-cloudformation-scripts/Automated/",
"CodeCommitRepositoryName" : "os-core-lib-aws",
"VpcCIDR" : "10.192.0.0/16",
"PublicSubnet1CIDR" : "10.192.10.0/24",
"PrivateSubnet1CIDR" : "10.192.20.0/24",
......
......@@ -2,7 +2,7 @@
"Parameters" : {
"Environment" : "prod",
"DeploymentRegion" : "us-east-1",
"ChildTemplateBasePath" : "https://s3.amazonaws.com/prod-aws-osdu-util-cloudformation-scripts/Automated/",
"CodeCommitRepositoryName" : "os-core-lib-aws",
"VpcCIDR" : "10.192.0.0/16",
"PublicSubnet1CIDR" : "10.192.10.0/24",
"PrivateSubnet1CIDR" : "10.192.20.0/24",
......
......@@ -2,7 +2,7 @@
"Parameters" : {
"Environment" : "uat",
"DeploymentRegion" : "us-east-1",
"ChildTemplateBasePath" : "https://s3.amazonaws.com/uat-aws-osdu-util-cloudformation-scripts/Automated/",
"CodeCommitRepositoryName" : "os-core-lib-aws",
"VpcCIDR" : "10.192.0.0/16",
"PublicSubnet1CIDR" : "10.192.10.0/24"