Merge pull request #289 from code-dot-org/create-codepipeline

Create codepipeline for pr builds and Test env.

Author: cat5inthecradle

.ruby-version

@@ -1 +1 @@
-2.7.2
+2.7.6

cicd/1-setup/setup.template.yml renamed to cicd/1-setup/cicd-dependencies.template.yml

@@ -13,19 +13,37 @@ Resources:
   # This role will be used by CodeBuild to execute the CI build. Here we have
   # the common policy rules required. Since we may want to create multiple
   # codebuild projects for different branches, we can append policies when those
-  # stack resources are created (in "2-cicd")
+  # stack resources are created (in "2-cicd/cicd.template.yml")
   JavabuilderCodeBuildRole:
     Type: AWS::IAM::Role
     Properties:
       AssumeRolePolicyDocument:
         Statement:
           - Action: ['sts:AssumeRole']
             Effect: Allow
-            Principal: {Service: [codebuild.amazonaws.com]}
+            Principal:
+              Service:
+                - codebuild.amazonaws.com
+                - codepipeline.amazonaws.com
         Version: '2012-10-17'
       Path: /service-role/
       PermissionsBoundary: !ImportValue IAM-DevPermissions
       Policies:
+        - PolicyName: JavabuilderPassRole
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action: iam:PassRole
+                Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/admin/CloudFormationService
+        - PolicyName: JavabuilderCodePipelinePolicy
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "cloudformation:DescribeStacks"
+                  - "cloudformation:CreateStack"
+                  - "cloudformation:UpdateStack"
+                Resource: "*"
         - PolicyName: CodeBuildResourcesAccess
           PolicyDocument:
             Statement:
@@ -45,10 +63,15 @@ Resources:
               - Effect: Allow
                 Action:
                   - s3:PutObject
+                  - s3:PutObjectAcl
                   - s3:GetObject
                   - s3:GetObjectVersion
                 Resource:
                   - !Sub arn:aws:s3:::${ArtifactStore}/*
+              - Effect: Allow
+                Action: codestar-connections:UseConnection
+                Resource:
+                  - !Sub arn:aws:codestar-connections:us-east-1:${AWS::AccountId}:connection/*
 
 Outputs:
   JavabuilderCodeBuildArtifactBucket:

cicd/1-setup/deploy-cicd-dependencies.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+echo Deploying Javabuilder CICD Dependencies
+
+# Create/Update the Javabuilder setup/dependencies stack. This is manually created and maintained, and does not require elevated permissions
+
+TEMPLATE_FILE=cicd/1-setup/cicd-dependencies.template.yml
+
+echo Validating cloudformation template...
+aws cloudformation validate-template \
+  --template-body file://${TEMPLATE_FILE} \
+  | cat
+
+ACCOUNT=$(aws sts get-caller-identity --query "Account" --output text)
+
+read -r -p "Would you like to deploy this template to AWS account $ACCOUNT? [y/N] " response
+if [[ "$response" =~ ^([yY][eE][sS]|[yY])$ ]]
+then
+  echo Updating cloudformation stack...
+  aws cloudformation deploy \
+    --stack-name javabuilder-cicd-deps \
+    --template-file ${TEMPLATE_FILE} \
+    --capabilities CAPABILITY_IAM \
+    "$@"
+
+  echo Complete!
+else
+  echo Exiting...
+fi
+
+