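# Quoted so that YAML 1.1 loaders keep the version as a string instead of
# turning it into a date.
AWSTemplateFormatVersion: "2010-09-09"
Transform: "AWS::Serverless-2016-10-31"
# Adapted from: https://github.com/aws-samples/aws-codebuild-samples/blob/master/cloudformation/continuous-integration-pull-request-checks.yml
# Note (Eli 5/3/30): you must connect your AWS account to your github account
# using OAuth manually before this will work (one-time). To do so, just attempt
# to create a CodeBuild project through the console--you don't need to finish
# creating it, just get to the point where you've created the OAuth connection.
# CAPABILITY_NAMED_IAM is needed because the stack creates an IAM role with an
# explicit RoleName; whoever deploys it can therefore create IAM principals.
# to create: aws cloudformation deploy --stack-name=codebuild-CHANGE-THIS-TO-NAME-OF-PACKAGE-publish-to-pypi --parameter-overrides GithubRepoName=CHANGE-THIS-TO-NAME-OF-PACKAGE --template-file=codebuild-formation.yaml --capabilities CAPABILITY_NAMED_IAM
Description: Use CodeBuild to publish Github repos to PyPi using company PyPi credentials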
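Parameters:
  # Repository name under the GitHub organisation that is hard-coded in the
  # CodeBuild source location; it is also the prefix of the project name.
  GithubRepoName:
    Description: A Github repository that contains the application code.
    Type: String
    # The value is joined into the source URL and the project name, so reject
    # an empty value and anything outside the characters a repository name
    # can contain.
    AllowedPattern: "^[A-Za-z0-9._-]+$"
    ConstraintDescription: >-
      Must be a non-empty repository name made of letters, digits, ".", "_"
      or "-".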
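Resources:
  # Inline policy attached to the CodeBuild service role: log delivery, read
  # access to shared SSM parameters, and KMS decryption for those parameters.
  CodeBuildPolicy:
    Description: Setting IAM policy for service role for CodeBuild
    Properties:
      PolicyDocument:
        Statement:
          # NOTE(review): Resource "*" lets the build role create and write
          # any log group in the account; consider narrowing it to the log
          # groups this project actually writes to.
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource: "*"
          # Read access to every parameter under /CodeBuild/general/.
          # NOTE(review): region and account are wildcards; pinning them to
          # the stack's own region and account would tighten this. Every
          # project deployed from this template can read the same parameters.
          - Action:
              - ssm:GetParameters
            Effect: Allow
            Resource:
              - Fn::Join:
                  - "/"
                  - - "arn:aws:ssm:*:*:parameter/CodeBuild"
                    - "general"
                    - "*"
          # NOTE(review): an alias ARN in Resource names the alias itself, not
          # the key behind it, so this statement may not be what authorises
          # decryption of SecureString parameters. Confirm, and consider a key
          # ARN or a kms:ResourceAliases condition instead.
          - Action:
              - kms:Decrypt
            Effect: Allow
            Resource: "arn:aws:kms:*:*:alias/aws/ssm"
      PolicyName:
        Fn::Join:
          - "-"
          - - Ref: "AWS::StackName"
            - CodeBuildPolicy
      Roles:
        - Ref: "CodeBuildRole"
    Type: AWS::IAM::Policy
  # The build project itself. It produces no artifacts; the build steps come
  # from the repository, so anyone who can change the repository's build
  # definition runs code with the permissions of CodeBuildRole.
  CodeBuildProject:
    DependsOn:
      - CodeBuildPolicy
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      BadgeEnabled: true
      Description:
        Fn::Join:
          - ""
          - - "CodeBuild Project for "
            - Ref: "AWS::StackName"
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        # Pinned to an exact image version; review it periodically so the
        # build does not keep running on an image that no longer gets updates.
        Image: aws/codebuild/standard:4.0-20.09.14
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          # Both variables are PLAINTEXT and hold no secrets. Publishing is
          # off by default ("0"); presumably a build is started with an
          # override to publish, so permission to start builds on this
          # project should be limited accordingly. Verify against the
          # buildspec.
          - Name: PUBLISH_TO_PYPI
            Type: PLAINTEXT
            Value: "0"
          - Name: PYTEST_RANDOMLY_SEED
            Type: PLAINTEXT
            Value: ""
      Name:
        Fn::Join:
          - "-"
          - - Ref: GithubRepoName
            - "publish-to-pypi"
      ServiceRole:
        Ref: "CodeBuildRole"
      Source:
        # Uses the account-level GitHub OAuth connection that has to be
        # created by hand once (see the note at the top of the template).
        Auth:
          Type: "OAUTH"
        GitCloneDepth: 1
        # Canonical lowercase boolean; "True" depends on YAML 1.1 typing.
        ReportBuildStatus: true
        Location:
          Fn::Join:
            - ""
            - - "https://github.com/CuriBio/"
              - Ref: GithubRepoName
              - "/"
        Type: GITHUB
      QueuedTimeoutInMinutes: 10
      TimeoutInMinutes: 30
    Type: AWS::CodeBuild::Project
  # Service role assumed by CodeBuild for this project.
  CodeBuildRole:
    Description: Creating service role in IAM for AWS CodeBuild
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          # Only the CodeBuild service may assume the role.
          # NOTE(review): there is no aws:SourceAccount or aws:SourceArn
          # condition; adding one would limit the trust to this account's
          # projects.
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
      Path: /
      # Explicit role name derived from the stack name; this is why the
      # deploy command needs CAPABILITY_NAMED_IAM.
      RoleName:
        Fn::Join:
          - "-"
          - - Ref: "AWS::StackName"
            - CodeBuild
    Type: AWS::IAM::Role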