CodePipeline to deploy from S3 to EC2.
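AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  CodePipeline with an S3 source stage and a CodeDeploy deploy stage targeting a
  single EC2 instance (running the CodeDeploy agent) in a new VPC. IAM grants are
  scoped to the buckets and CodeDeploy resources created by this stack, both S3
  buckets block public access and are encrypted at rest, and the AMI is resolved
  from the public SSM parameter instead of a hard-coded, region-specific ID.
# ------------------------------------------------------------#
#  Input Parameters
# ------------------------------------------------------------#
Parameters:
  ProjectName:
    Type: String
    Default: 'test'
    Description: Prefix for resource names. Lowercase only, because it is embedded in S3 bucket names.
    # Bucket names must be lowercase; an uppercase prefix used to fail late, at bucket creation.
    AllowedPattern: '^[a-z0-9][a-z0-9-]*$'
    ConstraintDescription: Lowercase letters, digits and hyphens only.
  EC2KeyPair:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Existing key pair used for SSH access to the CodeDeploy agent instance.
  # Parameter name kept as spelled (sic) so existing stacks and deploy scripts keep working.
  SecurityGroupInboudRule:
    Type: String
    Default: '0.0.0.0/0'
    Description: >-
      IPv4 CIDR allowed to reach the CodeDeploy agent instance on TCP 22 and 80.
      The default admits SSH from any address; set it to your operator network.
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: Must be an IPv4 CIDR block such as 203.0.113.0/24.
  SourceS3ObjectKey:
    Type: String
    Default: 'SampleApp_Linux.zip'
    Description: Object key in the source bucket that the pipeline watches (a zip containing appspec.yml).
  LatestAmiId:
    # Resolved by CloudFormation at deploy time to the current Amazon Linux 2 AMI of the stack's region.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
    Description: SSM parameter path of the AMI for the CodeDeploy agent instance.
Resources:
  # ------------------------------------------------------------#
  #  S3 Bucket
  # ------------------------------------------------------------#
  CodePipelineSourceBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub ${ProjectName}-code-pipe-line-source-${AWS::AccountId}
      VersioningConfiguration:
        # Required by the CodePipeline S3 source action.
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  CodePipelineArtifactBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub ${ProjectName}-code-pipe-line-artifact-${AWS::AccountId}
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # ------------------------------------------------------------#
  #  IAM
  # ------------------------------------------------------------#
  # Instance role for the CodeDeploy agent. The agent only needs to fetch the
  # revision bundle that CodePipeline writes to the artifact bucket, so the
  # account-wide AmazonEC2RoleforAWSCodeDeploy managed policy (s3:Get*/List* on
  # every bucket) is replaced by an inline policy scoped to that bucket.
  CodeDeployDeployAgentRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      RoleName: !Sub ${ProjectName}-web-role
      Policies:
        - PolicyName: read-pipeline-artifacts
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "s3:GetObject"
                  - "s3:GetObjectVersion"
                Resource: !Sub '${CodePipelineArtifactBucket.Arn}/*'
              - Effect: Allow
                Action:
                  - "s3:ListBucket"
                Resource: !GetAtt CodePipelineArtifactBucket.Arn
  CodeDeployDeployAgentInstanceProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties:
      Path: "/"
      Roles:
        - !Ref CodeDeployDeployAgentRole
      InstanceProfileName: !Sub ${ProjectName}-web-role
  # Service role assumed by CodeDeploy itself; AWSCodeDeployRole is the
  # AWS-documented policy for the EC2/on-premises compute platform.
  CodeDeployServiceRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "codedeploy.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole
      RoleName: !Sub ${ProjectName}-CodeDeploy-role
  CodePipelineServiceRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "codepipeline.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      RoleName: !Sub ${ProjectName}-CodePipeline-role
  # Least-privilege policy for the pipeline's service role. The original copied
  # the generic console-generated policy (ec2:*, s3:*, cloudformation:*, rds:*,
  # iam:PassRole, ... on Resource '*'), none of which an S3 -> CodeDeploy pipeline
  # uses. The policy name is prefixed with ProjectName so two stacks can coexist
  # in one account.
  CodePipelineManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ${ProjectName}-CodePipeline-policy
      Description: Least-privilege policy for the S3 to CodeDeploy pipeline of this stack
      Path: /
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Source stage: read the watched object and its versions.
          - Effect: Allow
            Action:
              - "s3:GetObject"
              - "s3:GetObjectVersion"
            Resource: !Sub '${CodePipelineSourceBucket.Arn}/*'
          - Effect: Allow
            Action:
              - "s3:GetBucketVersioning"
              - "s3:ListBucket"
            Resource: !GetAtt CodePipelineSourceBucket.Arn
          # Artifact store: read and write pipeline artifacts.
          - Effect: Allow
            Action:
              - "s3:GetObject"
              - "s3:GetObjectVersion"
              - "s3:PutObject"
              - "s3:PutObjectAcl"
            Resource: !Sub '${CodePipelineArtifactBucket.Arn}/*'
          - Effect: Allow
            Action:
              - "s3:GetBucketVersioning"
              - "s3:ListBucket"
            Resource: !GetAtt CodePipelineArtifactBucket.Arn
          # Deploy stage: drive only the application / deployment group of this stack.
          - Effect: Allow
            Action:
              - "codedeploy:CreateDeployment"
              - "codedeploy:GetApplication"
              - "codedeploy:GetApplicationRevision"
              - "codedeploy:GetDeployment"
              - "codedeploy:GetDeploymentConfig"
              - "codedeploy:RegisterApplicationRevision"
            Resource:
              - !Sub arn:${AWS::Partition}:codedeploy:${AWS::Region}:${AWS::AccountId}:application:${CodeDeployApplication}
              - !Sub arn:${AWS::Partition}:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentgroup:${CodeDeployApplication}/${CodeDeployDeploymentGroup}
              - !Sub arn:${AWS::Partition}:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentconfig:CodeDeployDefault.OneAtATime
      Roles:
        - !Ref CodePipelineServiceRole
  # ------------------------------------------------------------#
  #  VPC
  # ------------------------------------------------------------#
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: !Sub ${ProjectName}-vpc
  # ------------------------------------------------------------#
  #  Internet Gateway
  # ------------------------------------------------------------#
  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
    Properties:
      Tags:
        - Key: Name
          Value: !Sub ${ProjectName}-igw
  VPCGatewayAttachment:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC
  # ------------------------------------------------------------#
  #  Subnet
  # ------------------------------------------------------------#
  # Availability zones are picked from the stack's region instead of being
  # hard-coded to ap-northeast-1a/1c, so the template deploys in any region.
  PublicSubnetA:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: 'true'
      Tags:
        - Key: Name
          Value: !Sub ${ProjectName}-public-subnet01
  PublicSubnetC:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 1, !GetAZs '' ]
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: 'true'
      Tags:
        - Key: Name
          Value: !Sub ${ProjectName}-public-subnet02
  # ------------------------------------------------------------#
  #  RouteTable
  # ------------------------------------------------------------#
  PublicRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${ProjectName}-public-rtb
  RouteAddInternetGateway:
    Type: 'AWS::EC2::Route'
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref PublicRouteTable
  AssociatePublicSubnetAToPublicRouteTable:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetA
  AssociatePublicSubnetCToPublicRouteTable:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetC
  # ------------------------------------------------------------#
  #  Securitygroup
  # ------------------------------------------------------------#
  CodeDeployDeployAgentSecuritygroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${ProjectName}-codedeploy-agent-sg
      GroupDescription: !Sub ${ProjectName}-codedeploy-agent-sg
      Tags:
        - Key: Name
          Value: !Sub ${ProjectName}-codedeploy-agent-sg
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SecurityGroupInboudRule
          Description: SSH from the operator CIDR
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref SecurityGroupInboudRule
          Description: HTTP to the deployed application
  # ------------------------------------------------------------#
  #  EC2
  # ------------------------------------------------------------#
  CodeDeployDeployAgentInstance:
    Type: "AWS::EC2::Instance"
    Properties:
      # AvailabilityZone is omitted: it is implied by the subnet below and a
      # mismatching explicit value would fail stack creation.
      ImageId: !Ref LatestAmiId
      InstanceType: t3.micro
      KeyName: !Ref EC2KeyPair
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeType: gp2
            VolumeSize: 8
            # Root volume encrypted with the account's default EBS key.
            Encrypted: true
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - !Ref CodeDeployDeployAgentSecuritygroup
          SubnetId: !Ref PublicSubnetA
      IamInstanceProfile: !Ref CodeDeployDeployAgentInstanceProfile
      Tags:
        - Key: Name
          Value: !Sub ${ProjectName}-codedeploy-agent
      UserData:
        # The agent installer is fetched from the regional CodeDeploy bucket of
        # the stack's region rather than a hard-coded ap-northeast-1 URL.
        Fn::Base64: !Sub |
          #!/bin/bash
          yum -y update
          yum install -y ruby wget
          cd /home/ec2-user
          wget https://aws-codedeploy-${AWS::Region}.s3.${AWS::Region}.amazonaws.com/latest/install
          chmod +x ./install
          ./install auto
  # ------------------------------------------------------------#
  #  CodeDeploy
  # ------------------------------------------------------------#
  CodeDeployApplication:
    Type: AWS::CodeDeploy::Application
    Properties:
      ApplicationName: !Sub ${ProjectName}-application
      ComputePlatform: Server
  CodeDeployDeploymentGroup:
    Type: AWS::CodeDeploy::DeploymentGroup
    Properties:
      ApplicationName: !Ref CodeDeployApplication
      DeploymentGroupName: !Sub ${ProjectName}-deployment-group
      DeploymentStyle:
        DeploymentOption: WITHOUT_TRAFFIC_CONTROL
        DeploymentType: IN_PLACE
      # Targets the instance above by its Name tag.
      Ec2TagFilters:
        - Key: Name
          Value: !Sub ${ProjectName}-codedeploy-agent
          Type: KEY_AND_VALUE
      DeploymentConfigName: CodeDeployDefault.OneAtATime
      ServiceRoleArn: !GetAtt CodeDeployServiceRole.Arn
  # ------------------------------------------------------------#
  #  CodePipeline
  # ------------------------------------------------------------#
  CodePipeline:
    Type: AWS::CodePipeline::Pipeline
    # Make sure the service role already carries its policy when the pipeline is created.
    DependsOn: CodePipelineManagedPolicy
    Properties:
      Name: !Sub ${ProjectName}-pipeline
      Stages:
        - Name: Source
          Actions:
            - Name: SourceAction
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: 1
                Provider: S3
              OutputArtifacts:
                - Name: SourceArtifact
              Configuration:
                S3Bucket: !Ref CodePipelineSourceBucket
                S3ObjectKey: !Ref SourceS3ObjectKey
              RunOrder: 1
        - Name: Deploy
          Actions:
            - Name: DeployAction
              InputArtifacts:
                - Name: SourceArtifact
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: 1
                Provider: CodeDeploy
              Configuration:
                ApplicationName: !Ref CodeDeployApplication
                DeploymentGroupName: !Ref CodeDeployDeploymentGroup
              RunOrder: 1
      ArtifactStore:
        Type: S3
        Location: !Ref CodePipelineArtifactBucket
      RestartExecutionOnUpdate: false
      RoleArn: !GetAtt CodePipelineServiceRole.Arn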