backend.yml
# CloudFormation template: a DynamoDB table, a CloudWatch alarm on it, a
# two-subnet public VPC and two IAM roles that ECS tasks can assume.
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation template for Hotel App with DynamoDB and ECS.
# Both parameters are free-form strings; neither declares AllowedPattern or
# AllowedValues.
# NOTE(review): no resource shown in this template references HotelName or
# Environment - confirm they are consumed elsewhere before relying on them.
Parameters:
  HotelName:
    Type: String
    Default: AWS Hotel
    Description: Enter a name for the Hotel. Default is AWS Hotel.
  Environment:
    Type: String
    Default: dev
    Description: Enter a name for the Environment. Default is dev, this is used later in the workshop to tag the environments
Resources:
  # DynamoDB table for rooms, keyed on a single numeric hash key "id".
  # No DeletionPolicy, DeletionProtectionEnabled or
  # PointInTimeRecoverySpecification is set, so deleting the stack deletes
  # the table and there is no point-in-time restore for its data.
  RoomsTable:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: !Sub "Rooms-${AWS::StackName}-${AWS::Region}"
      AttributeDefinitions:
        - AttributeName: "id"
          AttributeType: "N"
      KeySchema:
        - AttributeName: "id"
          KeyType: "HASH"
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
      SSESpecification:
        # DynamoDB encrypts at rest in every case; true switches the table
        # from the AWS owned key to the AWS managed KMS key. No
        # KMSMasterKeyId is given, so this is not a customer managed key.
        SSEEnabled: true
  # Sample alarm - used later to demonstrate AWS CodePipeline condition gates.
  # It defines no AlarmActions, so it only changes state and notifies nobody.
  # NOTE(review): ConsumedReadCapacityUnits is compared to provisioned
  # throughput via Sum divided by Period; with Statistic "Average" a
  # threshold of 4 is not obviously 80% of the provisioned 5 units - confirm
  # the alarm fires when the description says it does.
  DynamoDBReadCapacityAlarm:
    Type: "AWS::CloudWatch::Alarm"
    Properties:
      AlarmName: !Sub "HighReadCapacityAlarm-${AWS::StackName}-${AWS::Region}"
      AlarmDescription: "Alarm if DynamoDB read capacity exceeds 80% of provisioned units"
      Namespace: "AWS/DynamoDB"
      MetricName: "ConsumedReadCapacityUnits"
      Dimensions:
        - Name: "TableName"
          Value: !Ref RoomsTable
      Statistic: "Average"
      Period: 60
      EvaluationPeriods: 1
      Threshold: 4  # intended as 80% of 5 ReadCapacityUnits
      ComparisonOperator: "GreaterThanThreshold"
  # VPC for hosting the ECS cluster.
  # Everything below is public: both subnets assign public IPs on launch and
  # share one route table whose default route goes to the internet gateway.
  # This template defines no private subnets, security groups, network ACLs
  # or VPC flow logs, so exposure of anything launched here depends entirely
  # on security groups defined elsewhere.
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      # First Availability Zone returned for the stack's region.
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: true
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.2.0/24
      # Second Availability Zone returned for the stack's region.
      AvailabilityZone: !Select [1, !GetAZs '']
      MapPublicIpOnLaunch: true
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PublicRoute:
    Type: AWS::EC2::Route
    # The route can only be created once the gateway is attached to the VPC.
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicRouteTable
  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicRouteTable
  # IAM roles for the ECS cluster.
  # Both trust policies let ecs-tasks.amazonaws.com assume the role with no
  # Condition block. NOTE(review): consider aws:SourceAccount and
  # aws:SourceArn conditions to guard against confused-deputy use.
  # Execution role: carries only the AWS managed task execution policy.
  ECSExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # The "aws" partition is hard-coded in this ARN.
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
  # Task role: the permissions the application code itself runs with.
  ECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: DynamoDBAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Four item-level actions, scoped to the rooms table's ARN
              # only; no delete or table-management actions are granted.
              # Scan allows reading every item in the table.
              - Effect: Allow
                Action:
                  - dynamodb:PutItem
                  - dynamodb:GetItem
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                Resource: !GetAtt RoomsTable.Arn
# The table name is the only value this stack outputs; the VPC, subnets and
# IAM roles are not exposed as outputs here.
Outputs:
  DynamoDBTableName:
    Description: "Name of the DynamoDB Table"
    # For AWS::DynamoDB::Table, !Ref returns the table name.
    Value: !Ref RoomsTable