def _project_key(project: Config) -> kms.Key:
"""Construct the AWS CMK that will be used to protect project resources.
:param project: Source project
:return: Constructed key
"""
policy = AWS.PolicyDocument(
Version="2012-10-17",
Statement=[
AWS.Statement(
Effect=AWS.Allow,
Principal=AWS.Principal("AWS", account_arn("iam", "root")),
Action=[
KMS.Encrypt,
KMS.Decrypt,
KMS.ReEncrypt,
KMS.GenerateDataKey,
KMS.GenerateDataKeyWithoutPlaintext,
KMS.DescribeKey,
KMS.GetKeyPolicy,
],
Resource=["*"],
),
# TODO: Change admin statement to some other principal?
AWS.Statement(
Effect=AWS.Allow,
Principal=AWS.Principal("AWS", account_arn("iam", "root")),
Action=[
KMS.GetKeyPolicy,
KMS.PutKeyPolicy,
KMS.ScheduleKeyDeletion,
KMS.CancelKeyDeletion,
KMS.CreateAlias,
KMS.DeleteAlias,
KMS.UpdateAlias,
KMS.DescribeKey,
KMS.EnableKey,
KMS.DisableKey,
KMS.GetKeyRotationStatus,
KMS.EnableKeyRotation,
KMS.DisableKeyRotation,
KMS.ListKeyPolicies,
KMS.ListResourceTags,
KMS.TagResource,
KMS.UntagResource,
],
Resource=["*"],
),
],
)
return kms.Key(
resource_name(kms.Key, "Stack"),
Enabled=True,
EnableKeyRotation=False,
KeyPolicy=policy,
Tags=project_tags(project),
)
def __init__(self, parameters):
super(StackSetRole, self).__init__()
self.AdministrationRole = iam.Role(
"AdministrationRole",
RoleName="AWSCloudFormationStackSetAdministrationRole",
Path="/",
AssumeRolePolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(
Action=[aws.Action("sts", "AssumeRole")],
Effect=aws.Allow,
Principal=aws.Principal(
"Service", "cloudformation.amazonaws.com"
)
)
],
),
Policies=[
iam.Policy(
PolicyName="AssumeRole-AWSCloudFormationStackSetExecutionRole",
PolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(
Action=[aws.Action("sts", "AssumeRole")],
Effect=aws.Allow,
Resource=["arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"],
)
]
),
)
]
)
self.ExecutionRole = iam.Role(
"ExecutionRole",
RoleName="AWSCloudFormationStackSetExecutionRole",
Path="/",
ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"],
AssumeRolePolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(
Action=[aws.Action("sts", "AssumeRole")],
Effect=aws.Allow,
Principal=aws.Principal(
"AWS", Ref(parameters.AdministratorAccountId)
)
)
]
)
)
def _build_template(self, template):
t = template
if self.principals == "*":
principal_title = "*"
else:
principal_title = "Service"
role = t.add_resource(
iam.Role(self.name,
AssumeRolePolicyDocument=aws.Policy(Statement=[
aws.Statement(Action=[awacs.sts.AssumeRole],
Effect=aws.Allow,
Principal=aws.Principal(
principal_title, self.principals))
]),
Path="/",
Policies=[],
ManagedPolicyArns=[]))
for p in self.policies:
p._bind_role(t, role)
for m in self.managed_policies:
role.ManagedPolicyArns.append(m)
t.add_output([
Output('{}Role'.format(self.name), Value=Ref(role)),
Output('{}RoleArn'.format(self.name), Value=GetAtt(role, "Arn"))
])
return t
def _public_broadcast(topic: sns.Topic) -> Dict:
return dict(
Sid="PublicBroadcast",
Effect=AWS.Allow,
Principal=AWS.Principal("*"),
Action=["SNS:Receive", "SNS:Subscribe"],
Resource=topic.ref(),
Condition=dict(StringEquals={"SNS:Protocol": ["lambda", "sqs"]}),
)
def _assume_policy(service: str) -> AWS.PolicyDocument:
return AWS.PolicyDocument(Statement=[
AWS.Statement(
Principal=AWS.Principal("Service", make_service_domain_name(
service)),
Effect=AWS.Allow,
Action=[STS.AssumeRole],
)
])
def _service_assume_role(service: str) -> AWS.Policy:
"""Build and return the IAM AssumeRolePolicy for use in service roles."""
return AWS.Policy(Statement=[
AWS.Statement(
Effect=AWS.Allow,
Action=[STS.AssumeRole],
Principal=AWS.Principal("Service",
["{}.amazonaws.com".format(service)]),
)
])
def generate_role_template(
command: str,
actions: list,
role_name: str,
path: str,
assuming_account_id: str,
assuming_resource: str,
output_format: str,
) -> str:
t = troposphere.Template()
t.description = f"Role used to run the {command} command"
t.add_resource(
iam.Role(
title="role",
RoleName=role_name,
Path=path,
Policies=[
iam.Policy(
PolicyName=f"{command}-permissions",
PolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Id=f"{command}-permissions",
Statement=[
aws.Statement(
Sid="1",
Effect=aws.Allow,
Action=actions,
Resource=["*"],
),
],
),
)
],
AssumeRolePolicyDocument=aws.Policy(
Version="2012-10-17",
Id="AllowAssume",
Statement=[
aws.Statement(
Sid="1",
Effect=aws.Allow,
Principal=aws.Principal("AWS", [
IAM_ARN(assuming_resource, "", assuming_account_id)
]),
Action=[awacs_sts.AssumeRole],
),
],
),
))
if output_format == "json":
return t.to_json()
else:
return t.to_yaml()
def generate_role_template(
command: str,
actions: list,
role_name: str,
path: str,
assuming_account_id: str,
assuming_resource: str,
additional_statements: list = [],
) -> troposphere.Template:
t = troposphere.Template()
t.description = f"Role used to run the {command} command"
role = iam.Role(
title="role",
RoleName=role_name,
Path=path,
Policies=[
iam.Policy(
PolicyName=f"{command}-permissions",
PolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Id=f"{command}-permissions",
Statement=[
aws.Statement(Sid="1",
Effect=aws.Allow,
Action=actions,
Resource=["*"])
] + additional_statements,
),
)
],
AssumeRolePolicyDocument=aws.Policy(
Version="2012-10-17",
Id="AllowAssume",
Statement=[
aws.Statement(
Sid="1",
Effect=aws.Allow,
Principal=aws.Principal(
"AWS",
[IAM_ARN(assuming_resource, "", assuming_account_id)]),
Action=[awacs_sts.AssumeRole],
)
],
),
)
t.add_resource(role)
t.add_output(troposphere.Output("RoleName", Value=troposphere.Ref(role)))
t.add_output(
troposphere.Output("RoleArn", Value=troposphere.GetAtt(role, "Arn")))
return t
def build_subscription(self, t, topic):
policy = t.add_resource(
iam.Role(
"{}SlackSNSRole".format(self.name),
AssumeRolePolicyDocument=aws.Policy(Statement=[
aws.Statement(Action=[awacs.sts.AssumeRole],
Effect=aws.Allow,
Principal=aws.Principal(
"Service", ["lambda.amazonaws.com"]))
]),
Path="/",
Policies=[
iam.Policy(
PolicyName='snspublic',
PolicyDocument=aws.PolicyDocument(Statement=[
aws.Statement(Effect=aws.Allow,
Action=[
awacs.sns.Publish,
awacs.logs.PutLogEvents,
awacs.logs.CreateLogGroup,
awacs.logs.CreateLogStream,
],
Resource=["*"])
]))
],
ManagedPolicyArns=[
# "arn:aws:iam::aws:policy/AdministratorAccess"
]))
code = ["import sys"]
# make lambda function
fn = t.add_resource(
awslambda.Function('{}SlackTopicFN'.format(self.name),
Handler='index.handle',
Runtime='python3.6',
Role=GetAtt(policy, "Arn"),
Code=awslambda.Code(ZipFile=Join("", code))))
t.add_resource(
awslambda.Permission('{}LambdaPerm'.format(self.name),
Action='lambda:InvokeFunction',
FunctionName=GetAtt(fn, "Arn"),
SourceArn=Ref(topic),
Principal="sns.amazonaws.com"))
return ("lambda", GetAtt(fn, "Arn"))
def _codebuild_role(artifacts_bucket: Parameter, resources_bucket: Parameter,
cmk: Parameter) -> iam.Role:
"""Construct a role for use by CodeBuild.
:param artifacts_bucket: Artifacts bucket parameter
:param resources_bucket: Resources bucket parameter
:param cmk: KMS CMK parameter
:return: Constructed Role
"""
assume_policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Principal=AWS.Principal(
"Service", make_service_domain_name(CODEBUILD.prefix)),
Effect=AWS.Allow,
Action=[STS.AssumeRole],
)
])
policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Effect=AWS.Allow,
Action=[
LOGS.CreateLogGroup, LOGS.CreateLogStream, LOGS.PutLogEvents
],
Resource=[account_arn(service_prefix=LOGS.prefix, resource="*")],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetObject, S3.GetObjectVersion, S3.PutObject],
Resource=[
Sub(f"${{{artifacts_bucket.title}}}/*"),
Sub(f"${{{resources_bucket.title}}}/*")
],
),
AWS.Statement(Effect=AWS.Allow,
Action=[KMS.Encrypt, KMS.Decrypt, KMS.GenerateDataKey],
Resource=[cmk.ref()]),
])
return iam.Role(
resource_name(iam.Role, "CodeBuild"),
AssumeRolePolicyDocument=assume_policy,
Policies=[
iam.Policy(PolicyName=_policy_name("CodeBuild"),
PolicyDocument=policy)
],
)
def _cloudformation_role() -> iam.Role:
"""Construct a role for use by CloudFormation.
:return: Constructed Role
"""
assume_policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Principal=AWS.Principal(
"Service", make_service_domain_name(CLOUDFORMATION.prefix)),
Effect=AWS.Allow,
Action=[STS.AssumeRole],
)
])
# TODO: Figure out how to scope this down without breaking IAM
# IAM policies break if there is a * in certain fields,
# so this does not work:
# arn:PARTITION:*:REGION:ACCOUNT:*
#
# _desired_policy = AWS.PolicyDocument(
# Statement=[
# AWS.Statement(
# Effect=AWS.Allow,
# Action=[AWS.Action("*")],
# Resource=[
# account_arn(service_prefix="*", resource="*"),
# account_arn(service_prefix=S3.prefix, resource="*"),
# account_arn(service_prefix=IAM.prefix, resource="*"),
# ],
# )
# ]
# )
policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Effect=AWS.Allow, Action=[AWS.Action("*")], Resource=["*"])
])
return iam.Role(
resource_name(iam.Role, "CloudFormation"),
AssumeRolePolicyDocument=assume_policy,
Policies=[
iam.Policy(PolicyName=_policy_name("CloudFormation"),
PolicyDocument=policy)
],
)
def _owner_policy(topic: sns.Topic) -> Dict:
return dict(
Sid="OwnerPolicy",
Effect=AWS.Allow,
Principal=AWS.Principal("*"),
Action=[
"SNS:Publish",
"SNS:RemovePermission",
"SNS:SetTopicAttributes",
"SNS:DeleteTopic",
"SNS:ListSubscriptionsByTopic",
"SNS:GetTopicAttributes",
"SNS:Receive",
"SNS:AddPermission",
"SNS:Subscribe",
],
Resource=topic.ref(),
Condition=dict(StringEquals={"AWS:SourceOwner": AccountId}),
)
def __init__(self, parameters, groups):
"""
:type parameters Parameters
:type groups Groups
"""
super(RolesAndPolicies, self).__init__()
self.EC2Baseline = iam.Role(
"EC2Baseline",
AssumeRolePolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(Action=[aws.Action("sts", "AssumeRole")],
Effect=aws.Allow,
Principal=aws.Principal(
"Service", "ec2.amazonaws.com"))
],
))
self.LambdaBasicExecution = iam.Role(
"LambdaBasicExecution",
AssumeRolePolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(Action=[aws.Action("sts", "AssumeRole")],
Effect=aws.Allow,
Principal=aws.Principal(
"Service", "lambda.amazonaws.com"))
],
),
)
self.ECSClusterServiceRole = iam.Role(
"ECSClusterServiceRole",
Policies=[
iam.Policy(
PolicyName=Join("", [Ref(AWS_STACK_NAME), "-ecs-service"]),
PolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(
Action=[
aws.Action(
"ec2",
"AuthorizeSecurityGroupIngress"),
aws.Action("ec2", "Describe*"),
aws.Action(
"elasticloadbalancing",
"DeregisterInstancesFromLoadBalancer"),
aws.Action("elasticloadbalancing",
"Describe*"),
aws.Action(
"elasticloadbalancing",
"RegisterInstancesWithLoadBalancer"),
aws.Action("elasticloadbalancing",
"DeregisterTargets"),
aws.Action("elasticloadbalancing",
"DescribeTargetGroups"
), # todo: remove
aws.Action("elasticloadbalancing",
"DescribeTargetHealth"
), # todo: remove
aws.Action("elasticloadbalancing",
"RegisterTargets"),
],
Resource=["*"],
Effect=aws.Allow)
]))
],
AssumeRolePolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(Action=[aws.Action("sts", "AssumeRole")],
Effect=aws.Allow,
Principal=aws.Principal(
"Service", "ecs.amazonaws.com"))
],
))
self.ForceMFA = iam.ManagedPolicy(
"ForceMFA",
PolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(Sid="AllowAllUsersToListAccounts",
Action=[
aws.Action("iam", "ListAccountAliases"),
aws.Action("iam", "ListUsers"),
aws.Action("iam", "GetAccountSummary"),
],
Resource=["*"],
Effect=aws.Allow),
aws.Statement(
Sid=
"AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation",
Action=[
aws.Action("iam", "ChangePassword"),
aws.Action("iam", "CreateAccessKey"),
aws.Action("iam", "CreateLoginProfile"),
aws.Action("iam", "DeleteAccessKey"),
aws.Action("iam", "DeleteLoginProfile"),
aws.Action("iam", "GetAccountPasswordPolicy"),
aws.Action("iam", "GetLoginProfile"),
aws.Action("iam", "ListAccessKeys"),
aws.Action("iam", "UpdateAccessKey"),
aws.Action("iam", "UpdateLoginProfile"),
aws.Action("iam", "ListSigningCertificates"),
aws.Action("iam", "DeleteSigningCertificate"),
aws.Action("iam", "UpdateSigningCertificate"),
aws.Action("iam", "UploadSigningCertificate"),
aws.Action("iam", "ListSSHPublicKeys"),
aws.Action("iam", "GetSSHPublicKey"),
aws.Action("iam", "DeleteSSHPublicKey"),
aws.Action("iam", "UpdateSSHPublicKey"),
aws.Action("iam", "UploadSSHPublicKey"),
],
Resource=[
Join("", [
"arn:aws:iam::", AccountId,
":user/${aws:username}"
])
],
Effect=aws.Allow),
aws.Statement(
Sid="AllowIndividualUserToListOnlyTheirOwnMFA",
Action=[
aws.Action("iam", "ListVirtualMFADevices"),
aws.Action("iam", "ListMFADevices"),
],
Resource=[
Join("", ["arn:aws:iam::", AccountId, ":mfa/*"]),
Join("", [
"arn:aws:iam::", AccountId,
":user/${aws:username}"
])
],
Effect=aws.Allow),
aws.Statement(
Sid=
"AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
Action=[
aws.Action("iam", "DeactivateMFADevice"),
],
Condition=aws.Condition(
aws.Bool("aws:MultiFactorAuthPresent", True)),
Resource=[
Join("", [
"arn:aws:iam::", AccountId,
":mfa/${aws:username}"
]),
Join("", [
"arn:aws:iam::", AccountId,
":user/${aws:username}"
])
],
Effect=aws.Allow),
aws.Statement(
Sid="BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
Condition=aws.Condition(
aws.BoolIfExists("aws:MultiFactorAuthPresent",
False)),
NotAction=[
aws.Action("iam", "*"),
],
Resource=["*"],
Effect=aws.Deny),
],
),
Description="Forces MFA usage on all users in assigned groups",
Groups=[
Ref(groups.AWSEngineers.title),
Ref(groups.ReadOnlyUsers.title),
],
)
self.FullAdministrator = iam.ManagedPolicy(
"FullAdministrator",
PolicyDocument=aws.Policy(Version="2012-10-17",
Statement=[
aws.Statement(
Action=[aws.Action("*")],
Resource=["*"],
Effect=aws.Allow)
]),
Description="Allows full access to all AWS",
Groups=[
Ref(groups.AWSEngineers.title),
],
)
self.CIDeploymentPolicy = iam.ManagedPolicy(
"CIDeploymentPolicy",
PolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(Action=[
aws.Action("cloudformation", "DescribeStacks"),
aws.Action("cloudformation", "DescribeStackEvents"),
aws.Action("cloudformation", "DescribeStackResources"),
aws.Action("cloudformation", "DescribeChangeSet"),
aws.Action("cloudformation", "GetTemplate"),
aws.Action("cloudformation", "GetTemplateSummary"),
aws.Action("cloudformation", "List*"),
aws.Action("cloudformation", "PreviewStackUpdate"),
aws.Action("cloudformation", "CancelUpdateStack"),
aws.Action("cloudformation", "ContinueUpdateRollback"),
aws.Action("cloudformation", "CreateChangeSet"),
aws.Action("cloudformation", "CreateStack"),
aws.Action("cloudformation", "CreateUploadBucket"),
aws.Action("cloudformation", "ExecuteChangeSet"),
aws.Action("cloudformation", "SignalResource"),
aws.Action("cloudformation", "UpdateStack"),
aws.Action("cloudformation", "ValidateTemplate"),
aws.Action("cloudformation", "SetStackPolicy"),
aws.Action("ecs", "Describe*"),
aws.Action("ecs", "RegisterTaskDefinition"),
aws.Action("ecs", "UpdateService"),
aws.Action("ecs", "List*"),
aws.Action("ecs", "DeregisterTaskDefinition"),
aws.Action("ecs", "DiscoverPollEndpoint"),
aws.Action("ecs", "Poll"),
aws.Action("ecr", "DescribeRepositories"),
aws.Action("ecr", "ListImages"),
aws.Action("ecr", "BatchCheckLayerAvailability"),
aws.Action("ecr", "BatchGetImage"),
aws.Action("ecr", "GetAuthorizationToken"),
aws.Action("ecr", "GetDownloadUrlForLayer"),
aws.Action("ecr", "GetRepositoryPolicy"),
aws.Action("ecr", "CompleteLayerUpload"),
aws.Action("ecr", "InitiateLayerUpload"),
aws.Action("ecr", "PutImage"),
aws.Action("ecr", "UploadLayerPart"),
aws.Action("logs", "Describe*"),
],
Resource=["*"],
Effect=aws.Allow)
]),
Description="Allows access to cloudformation for CircleCI",
Groups=[
Ref(groups.CIDeploymentServices.title),
],
)
self.S3Administrator = iam.ManagedPolicy(
"S3Administrator",
PolicyDocument=aws.Policy(Version="2012-10-17",
Statement=[
aws.Statement(Action=[
aws.Action("s3", "*"),
],
Resource=["*"],
Effect=aws.Allow)
]),
Description="Allows full management of S3",
Groups=[Ref(groups.AWSEngineers.title)],
Users=[],
)
self.LoggingAndMonitoring = iam.ManagedPolicy(
"LoggingAndMonitoring",
PolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(Action=[
aws.Action("cloudwatch", "GetMetricStatistics"),
aws.Action("cloudwatch", "ListMetrics"),
aws.Action("cloudwatch", "PutMetricData"),
aws.Action("ec2", "DescribeTags"),
aws.Action("logs", "CreateLogGroup"),
aws.Action("logs", "CreateLogStream"),
aws.Action("logs", "DescribeLogGroups"),
aws.Action("logs", "DescribeLogStreams"),
aws.Action("logs", "PutLogEvents"),
aws.Action("sns", "Publish"),
],
Resource=["*"],
Effect=aws.Allow)
]),
Description=
"Allows ingestion of logs and metrics into CloudWatch and publishing to SNS topics",
Roles=[Ref(self.EC2Baseline)],
)
def generate_codepipeline_template(
codepipeline_role_name: str,
codepipeline_role_path: str,
codebuild_role_name: str,
codebuild_role_path: str,
ssm_parameter_prefix: str,
scm_provider: str,
scm_connection_arn: str,
scm_full_repository_id: str,
scm_branch_name: str,
scm_bucket_name: str,
scm_object_key: str,
scm_skip_creation_of_repo: str,
migrate_role_arn: str,
) -> troposphere.Template:
version = pkg_resources.get_distribution("aws-organized").version
t = troposphere.Template()
t.set_description(
"CICD template that runs aws organized migrate for the given branch of the given repo"
)
project_name = "AWSOrganized-Migrate"
bucket_name = scm_bucket_name
if scm_provider.lower(
) == "codecommit" and scm_skip_creation_of_repo is False:
t.add_resource(
codecommit.Repository("Repository",
RepositoryName=scm_full_repository_id))
if scm_provider.lower() == "s3" and scm_skip_creation_of_repo is False:
bucket_name = (
scm_bucket_name if scm_bucket_name else
troposphere.Sub("aws-organized-pipeline-source-${AWS::AccountId}"))
t.add_resource(
s3.Bucket(
"Source",
BucketName=bucket_name,
VersioningConfiguration=s3.VersioningConfiguration(
Status="Enabled"),
BucketEncryption=s3.BucketEncryption(
ServerSideEncryptionConfiguration=[
s3.ServerSideEncryptionRule(
ServerSideEncryptionByDefault=s3.
ServerSideEncryptionByDefault(
SSEAlgorithm="AES256"))
]),
))
artifact_store = t.add_resource(
s3.Bucket(
"ArtifactStore",
VersioningConfiguration=s3.VersioningConfiguration(
Status="Enabled"),
BucketEncryption=s3.BucketEncryption(
ServerSideEncryptionConfiguration=[
s3.ServerSideEncryptionRule(
ServerSideEncryptionByDefault=s3.
ServerSideEncryptionByDefault(SSEAlgorithm="AES256"))
]),
))
codepipeline_role = t.add_resource(
iam.Role(
"CodePipelineRole",
RoleName=codepipeline_role_name,
Path=codepipeline_role_path,
ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"],
AssumeRolePolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[awacs_sts.AssumeRole],
Principal=aws.Principal(
"Service", ["codepipeline.amazonaws.com"]),
)
],
),
))
codebuild_role = t.add_resource(
iam.Role(
"CodeBuildRole",
RoleName=codebuild_role_name,
Path=codebuild_role_path,
ManagedPolicyArns=["arn:aws:iam::aws:policy/AdministratorAccess"],
AssumeRolePolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[awacs_sts.AssumeRole],
Principal=aws.Principal("Service",
["codebuild.amazonaws.com"]),
)
],
),
))
version_parameter = ssm.Parameter(
"versionparameter",
Name=f"{ssm_parameter_prefix}/version",
Type="String",
Value=version,
)
t.add_resource(version_parameter)
project = t.add_resource(
codebuild.Project(
"AWSOrganizedMigrate",
Artifacts=codebuild.Artifacts(Type="CODEPIPELINE"),
Environment=codebuild.Environment(
ComputeType="BUILD_GENERAL1_SMALL",
Image="aws/codebuild/standard:4.0",
Type="LINUX_CONTAINER",
EnvironmentVariables=[
{
"Name": "MIGRATE_ROLE_ARN",
"Type": "PLAINTEXT",
"Value": migrate_role_arn,
},
{
"Name": "Version",
"Type": "PARAMETER_STORE",
"Value": troposphere.Ref(version_parameter),
},
{
"Name": "SSM_PARAMETER_PREFIX",
"Type": "PLAINTEXT",
"Value": ssm_parameter_prefix,
},
],
),
Name=project_name,
ServiceRole=troposphere.GetAtt(codebuild_role, "Arn"),
Source=codebuild.Source(
Type="CODEPIPELINE",
BuildSpec=yaml.safe_dump(
dict(
version="0.2",
phases=dict(
install={
"runtime-versions":
dict(python="3.8"),
"commands":
["pip install aws-organized==${Version}"],
},
build={
"commands": [
"aws-organized migrate --ssm-parameter-prefix $SSM_PARAMETER_PREFIX $MIGRATE_ROLE_ARN"
]
},
),
artifacts=dict(files=["environment"]),
)),
),
))
source_actions = dict(
codecommit=codepipeline.Actions(
Name="SourceAction",
ActionTypeId=codepipeline.ActionTypeId(Category="Source",
Owner="AWS",
Version="1",
Provider="CodeCommit"),
OutputArtifacts=[
codepipeline.OutputArtifacts(Name="SourceOutput")
],
Configuration={
"RepositoryName": scm_full_repository_id,
"BranchName": scm_branch_name,
"PollForSourceChanges": "true",
},
RunOrder="1",
),
codestarsourceconnection=codepipeline.Actions(
Name="SourceAction",
ActionTypeId=codepipeline.ActionTypeId(
Category="Source",
Owner="AWS",
Version="1",
Provider="CodeStarSourceConnection",
),
OutputArtifacts=[
codepipeline.OutputArtifacts(Name="SourceOutput")
],
Configuration={
"ConnectionArn": scm_connection_arn,
"FullRepositoryId": scm_full_repository_id,
"BranchName": scm_branch_name,
"OutputArtifactFormat": "CODE_ZIP",
},
RunOrder="1",
),
s3=codepipeline.Actions(
Name="SourceAction",
ActionTypeId=codepipeline.ActionTypeId(Category="Source",
Owner="AWS",
Version="1",
Provider="S3"),
OutputArtifacts=[
codepipeline.OutputArtifacts(Name="SourceOutput")
],
Configuration={
"S3Bucket": bucket_name,
"S3ObjectKey": scm_object_key,
"PollForSourceChanges": True,
},
RunOrder="1",
),
).get(scm_provider.lower())
t.add_resource(
codepipeline.Pipeline(
"Pipeline",
RoleArn=troposphere.GetAtt(codepipeline_role, "Arn"),
Stages=[
codepipeline.Stages(Name="Source", Actions=[source_actions]),
codepipeline.Stages(
Name="Migrate",
Actions=[
codepipeline.Actions(
Name="Migrate",
InputArtifacts=[
codepipeline.InputArtifacts(
Name="SourceOutput")
],
ActionTypeId=codepipeline.ActionTypeId(
Category="Build",
Owner="AWS",
Version="1",
Provider="CodeBuild",
),
Configuration={
"ProjectName": troposphere.Ref(project),
"PrimarySource": "SourceAction",
},
RunOrder="1",
)
],
),
],
ArtifactStore=codepipeline.ArtifactStore(
Type="S3", Location=troposphere.Ref(artifact_store)),
))
return t
def __init__(self, parameters, vpc, loadbalancer):
"""
:type parameters Parameters
:type vpc VPC
:type loadbalancer LoadBalancer
"""
super(EC2, self).__init__()
# Ec2 instance
self.instance_role = iam.Role(
"InstanceRole",
AssumeRolePolicyDocument=aws.Policy(Statement=[
aws.Statement(Effect=aws.Allow,
Action=[sts.AssumeRole],
Principal=aws.Principal("Service",
["ec2.amazonaws.com"]))
]),
Path="/",
)
self.instance_role_policy = iam.PolicyType(
"InstanceRolePolicy",
PolicyName=Join("-", [Ref("AWS::StackName"), "instance-policy"]),
PolicyDocument=aws.Policy(Statement=[
aws.Statement(Effect=aws.Allow,
Action=[
aws.Action("logs", "CreateLogGroup"),
aws.Action("logs", "CreateLogStream"),
aws.Action("logs", "PutLogEvents"),
aws.Action("logs", "DescribeLogStreams"),
],
Resource=["arn:aws:logs:*:*:*"])
]),
Roles=[Ref(self.instance_role)])
self.instance_profile = iam.InstanceProfile(
"InstanceProfile", Path="/", Roles=[Ref(self.instance_role)])
self.launch_configuration = autoscaling.LaunchConfiguration(
"LaunchConfiguration",
ImageId=FindInMap("AMIMap", Ref(AWS_REGION), "AMI"),
InstanceType=Ref(parameters.ec2_instance_type),
KeyName=Ref(parameters.key_pair),
InstanceMonitoring=True,
SecurityGroups=[
GetAtt(loadbalancer.instance_security_group, "GroupId"),
],
IamInstanceProfile=Ref(self.instance_profile),
)
self.auto_scaling_group = autoscaling.AutoScalingGroup(
"AutoScalingGroup",
LaunchConfigurationName=Ref(self.launch_configuration),
MinSize=1,
DesiredCapacity=1,
MaxSize=10,
HealthCheckType='ELB',
HealthCheckGracePeriod=300,
VPCZoneIdentifier=[
Ref(vpc.public_subnet_1),
Ref(vpc.public_subnet_2)
],
LoadBalancerNames=[Ref(loadbalancer.load_balancer)],
Tags=[autoscaling.Tag("Name", Ref("AWS::StackName"), True)],
UpdatePolicy=policies.UpdatePolicy(
AutoScalingRollingUpdate=policies.AutoScalingRollingUpdate(
PauseTime="PT30S",
MinInstancesInService=1,
MaxBatchSize=10,
WaitOnResourceSignals=False)),
TerminationPolicies=[
'OldestLaunchConfiguration', 'ClosestToNextInstanceHour',
'Default'
],
MetricsCollection=[
autoscaling.MetricsCollection(Granularity="1Minute")
])
self.scale_up_policy = autoscaling.ScalingPolicy(
"ScaleUPPolicy",
AdjustmentType='ChangeInCapacity',
AutoScalingGroupName=Ref(self.auto_scaling_group),
PolicyType='StepScaling',
MetricAggregationType='Average',
StepAdjustments=[
autoscaling.StepAdjustments(MetricIntervalLowerBound=0,
ScalingAdjustment=1)
],
)
self.scale_down_policy = autoscaling.ScalingPolicy(
"ScaleDOWNPolicy",
AdjustmentType='ChangeInCapacity',
AutoScalingGroupName=Ref(self.auto_scaling_group),
PolicyType='StepScaling',
MetricAggregationType='Average',
StepAdjustments=[
autoscaling.StepAdjustments(MetricIntervalUpperBound=0,
ScalingAdjustment=-1)
],
)
self.ec2_high_cpu_usage_alarm = cloudwatch.Alarm(
"EC2HighCPUUsageAlarm",
ActionsEnabled=True,
AlarmActions=[Ref(self.scale_up_policy)],
ComparisonOperator='GreaterThanThreshold',
Dimensions=[
cloudwatch.MetricDimension(Name='AutoScalingGroupName',
Value=Ref(self.auto_scaling_group))
],
EvaluationPeriods=3,
MetricName='CPUUtilization',
Namespace='AWS/EC2',
Period=300,
Statistic='Average',
Threshold='70',
)
self.ec2_low_cpu_usage_alarm = cloudwatch.Alarm(
"EC2LowCPUUsageAlarm",
ActionsEnabled=True,
AlarmActions=[Ref(self.scale_down_policy)],
ComparisonOperator='LessThanThreshold',
Dimensions=[
cloudwatch.MetricDimension(Name='AutoScalingGroupName',
Value=Ref(self.auto_scaling_group))
],
EvaluationPeriods=3,
MetricName='CPUUtilization',
Namespace='AWS/EC2',
Period=300,
Statistic='Average',
Threshold='20',
)
))
param_lambda_file_name = template.add_parameter(
Parameter(
"LambdaFileName",
Type="String",
Description=
"Name of the ZIP file with lambda function sources inside S3 bucket"))
lambda_role = template.add_resource(
iam.Role(
"LambaRole",
AssumeRolePolicyDocument=aws.Policy(Statement=[
aws.Statement(Effect=aws.Allow,
Action=[sts.AssumeRole],
Principal=aws.Principal("Service",
["lambda.amazonaws.com"]))
]),
Policies=[
iam.Policy(
PolicyName="LambdaPolicy",
PolicyDocument=aws.Policy(Statement=[
aws.Statement(Effect=aws.Allow,
Action=[
aws.Action("logs", "CreateLogGroup"),
aws.Action("logs", "CreateLogStream"),
aws.Action("logs", "PutLogEvents"),
],
Resource=["arn:aws:logs:*:*:*"])
]))
]))
# S3 bucket
s3bucket = t.add_resource(
s3.Bucket(
"StrongjobsS3Bucket",
BucketName="strongjobs",
AccessControl=s3.Private,
))
# Access management things
serviceRole = t.add_resource(
iam.Role("StrongjobsServiceRole",
AssumeRolePolicyDocument=aws.Policy(Statement=[
aws.Statement(Effect=aws.Allow,
Action=[sts.AssumeRole],
Principal=aws.Principal(
"Service", ["codedeploy.amazonaws.com"])),
aws.Statement(Effect=aws.Allow,
Action=[sts.AssumeRole],
Principal=aws.Principal("Service",
["ec2.amazonaws.com"])),
], ),
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/service-role/"
"AWSCodeDeployRole"
]))
IAMInstanceProfile = t.add_resource(
iam.InstanceProfile("StrongjobsInstanceProfile", Roles=[Ref(serviceRole)]))
# Launch configuration
launchConfiguration = t.add_resource(
]))
event = t.add_resource(
events.Rule("EventsRule",
Condition="IsMaster",
EventPattern={"source": ["aws.guardduty"]},
State="ENABLED",
Targets=[events.Target(
Arn=Ref(snstopic),
Id="sns",
)]))
# Allow events to send notifications to SNS
t.add_resource(
sns.TopicPolicy(
"SNSTopicPolicy",
Condition="IsMaster",
PolicyDocument=aws.Policy(Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[
aws.Action("sns", "Publish"),
],
Principal=aws.Principal("Service", "events.amazonaws.com"),
Resource=[Ref(snstopic)],
),
]),
Topics=[Ref(snstopic)]))
print(t.to_json())
# IDs like 'KWP-xxxxxx'
jicketloopmode = "singleshot"
# Execution Role
# ================
lambdaexecutionrole = iam.Role("APILambdaExecutionRole")
lambdaexecutionrole.AssumeRolePolicyDocument = aws_awacs.PolicyDocument(
Version="2012-10-17",
Id="S3-Account-Permissions",
Statement=[
aws_awacs.Statement(
Sid="1",
Effect=aws_awacs.Allow,
Principal=aws_awacs.Principal("Service", "lambda.amazonaws.com"),
Action=[aws_awacs.Action("sts", "AssumeRole")]
)
],
)
lambdaexecutionrole.RoleName = "GeolocatorLambdaExecutionRole"
lambdaexecutionrole.ManagedPolicyArns = []
lambdaexecutionrole.Policies = [iam.Policy(
PolicyName="LambdaExecutionPolicy",
PolicyDocument=aws_awacs.PolicyDocument(
Version="2012-10-17",
Statement=[
]
)
)]
def _codepipeline_role(artifacts_bucket: Parameter,
resources_bucket: Parameter,
cmk: Parameter) -> iam.Role:
"""Construct a role for use by CodePipeline.
:param artifacts_bucket: Artifacts bucket parameter
:param resources_bucket: Resources bucket parameter
:param cmk: KMS CMK parameter
:return: Constructed Role
"""
assume_policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Principal=AWS.Principal(
"Service", make_service_domain_name(CODEPIPELINE.prefix)),
Effect=AWS.Allow,
Action=[STS.AssumeRole],
)
])
policy = AWS.PolicyDocument(Statement=[
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetBucketVersioning, S3.PutBucketVersioning],
Resource=[artifacts_bucket.ref(),
resources_bucket.ref()],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[S3.GetObject, S3.PutObject],
Resource=[
Sub(f"${{{artifacts_bucket.title}}}/*"),
Sub(f"${{{resources_bucket.title}}}/*")
],
),
AWS.Statement(Effect=AWS.Allow,
Action=[KMS.Encrypt, KMS.Decrypt, KMS.GenerateDataKey],
Resource=[cmk.ref()]),
AWS.Statement(
Effect=AWS.Allow,
Action=[CLOUDWATCH.Action("*")],
Resource=[
account_arn(service_prefix=CLOUDWATCH.prefix, resource="*")
],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[IAM.PassRole],
Resource=[
account_arn(service_prefix=IAM.prefix, resource="role/*")
],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[LAMBDA.InvokeFunction, LAMBDA.ListFunctions],
Resource=[account_arn(service_prefix=LAMBDA.prefix, resource="*")],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[
CLOUDFORMATION.CreateStack,
CLOUDFORMATION.DeleteStack,
CLOUDFORMATION.DescribeStacks,
CLOUDFORMATION.UpdateStack,
CLOUDFORMATION.CreateChangeSet,
CLOUDFORMATION.DeleteChangeSet,
CLOUDFORMATION.DescribeChangeSet,
CLOUDFORMATION.ExecuteChangeSet,
CLOUDFORMATION.SetStackPolicy,
CLOUDFORMATION.ValidateTemplate,
],
Resource=[
account_arn(service_prefix=CLOUDFORMATION.prefix, resource="*")
],
),
AWS.Statement(
Effect=AWS.Allow,
Action=[CODEBUILD.BatchGetBuilds, CODEBUILD.StartBuild],
Resource=[
account_arn(service_prefix=CODEBUILD.prefix, resource="*")
],
),
])
return iam.Role(
resource_name(iam.Role, "CodePipeline"),
AssumeRolePolicyDocument=assume_policy,
Policies=[
iam.Policy(PolicyName=_policy_name("CodePipeline"),
PolicyDocument=policy)
],
)
import troposphere
from awacs import aws
from troposphere import awslambda
from troposphere import cloudformation
from troposphere import iam
_ROLE = iam.Role(
title="LambdaRole",
AssumeRolePolicyDocument=aws.PolicyDocument(
Statement=[
aws.Statement(
Action=[aws.Action("sts", "AssumeRole")],
Effect="Allow",
Principal=aws.Principal(
principal="Service", resources=["lambda.amazonaws.com"]
),
)
]
),
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
],
RoleName="cloudformation-kubernetes-lambda",
)
with open("cloudformation/lambda_function/index.py") as in_file:
_CODE = awslambda.Code(ZipFile=in_file.read())
_LAMBDA = awslambda.Function(
title="Lambda",
Code=_CODE,
def generate_codepipeline_template(
codepipeline_role_name: str,
codepipeline_role_path: str,
codebuild_role_name: str,
codebuild_role_path: str,
output_format: str,
migrate_role_arn: str,
) -> str:
t = troposphere.Template()
t.set_description(
"CICD template that runs aws organized migrate for the given branch of the given repo"
)
project_name = "AWSOrganized-Migrate"
repository_name = "AWS-Organized-environment"
repo = t.add_resource(
codecommit.Repository("Repository", RepositoryName=repository_name))
artifact_store = t.add_resource(
s3.Bucket(
"ArtifactStore",
BucketEncryption=s3.BucketEncryption(
ServerSideEncryptionConfiguration=[
s3.ServerSideEncryptionRule(
ServerSideEncryptionByDefault=s3.
ServerSideEncryptionByDefault(SSEAlgorithm="AES256"))
]),
))
codepipeline_role = t.add_resource(
iam.Role(
"CodePipelineRole",
RoleName=codepipeline_role_name,
Path=codepipeline_role_path,
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/AdministratorAccess",
],
Policies=[
iam.Policy(
PolicyName=f"executionpermissions",
PolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Id=f"executionpermissions",
Statement=[
aws.Statement(
Sid="1",
Effect=aws.Allow,
Action=[
awscd_codecommit.GitPull,
awscd_codecommit.GetBranch,
awscd_codecommit.GetCommit,
awscd_codecommit.UploadArchive,
],
Resource=[troposphere.GetAtt(repo, "Arn")],
),
aws.Statement(
Sid="2",
Effect=aws.Allow,
Action=[
awacs_s3.GetBucketPolicy,
awacs_s3.GetBucketVersioning,
awacs_s3.ListBucket,
],
Resource=[
troposphere.GetAtt(artifact_store, "Arn")
],
),
aws.Statement(
Sid="3",
Effect=aws.Allow,
Action=[
awacs_s3.GetObject,
awacs_s3.GetObjectVersion,
],
Resource=[
troposphere.Join(":", [
troposphere.GetAtt(
artifact_store, 'Arn'), "*"
])
],
),
aws.Statement(
Sid="4",
Effect=aws.Allow,
Action=[
awacs_s3.ListAllMyBuckets,
],
Resource=[
troposphere.Join(":", [
"arn",
troposphere.Partition,
"s3:::*",
])
],
),
# aws.Statement(
# Sid="5",
# Effect=aws.Allow,
# Action=[
# aws.Action("s3", "*")
# ],
# Resource=[
# troposphere.Join(":", [
# troposphere.GetAtt(artifact_store, 'Arn'),
# "*"
# ])
# ],
# ),
# aws.Statement(
# Sid="6",
# Effect=aws.Allow,
# Action=[
# aws.Action("s3", "*")
# ],
# Resource=[
# troposphere.GetAtt(artifact_store, 'Arn')
# ],
# ),
],
),
)
],
AssumeRolePolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[awacs_sts.AssumeRole],
Principal=aws.Principal(
"Service", ["codepipeline.amazonaws.com"]),
),
],
),
))
codebuild_role = t.add_resource(
iam.Role(
"CodeBuildRole",
RoleName=codebuild_role_name,
Path=codebuild_role_path,
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/AdministratorAccess",
],
Policies=[
iam.Policy(
PolicyName=f"executionpermissions",
PolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Id=f"executionpermissions",
Statement=[
aws.Statement(
Sid="1",
Effect=aws.Allow,
Action=[
awacs_logs.CreateLogGroup,
awacs_logs.CreateLogStream,
awacs_logs.PutLogEvents,
],
Resource=[
# "arn:aws:logs:eu-west-1:669925765091:log-group:/aws/codebuild/examplecodebuild",
# "arn:aws:logs:eu-west-1:669925765091:log-group:/aws/codebuild/examplecodebuild:*",
{
"Fn::Sub": [
f"arn:${{AWS::Partition}}:logs:${{AWS::Region}}:${{AWS::AccountId}}:log-group:/aws/codebuild/{project_name}",
{},
]
},
{
"Fn::Sub": [
f"arn:${{AWS::Partition}}:logs:${{AWS::Region}}:${{AWS::AccountId}}:log-group:/aws/codebuild/{project_name}:*",
{},
]
},
],
),
aws.Statement(
Sid="2",
Effect=aws.Allow,
Action=[
awacs_s3.PutObject,
awacs_s3.GetObject,
awacs_s3.GetObjectVersion,
awacs_s3.GetBucketAcl,
awacs_s3.GetBucketLocation,
],
Resource=[
# "arn:aws:s3:::codepipeline-eu-west-1-*",
{
"Fn::Sub": [
f"arn:${{AWS::Partition}}:s3:::codepipeline-${{AWS::Region}}-*",
{},
]
},
],
),
aws.Statement(
Sid="3",
Effect=aws.Allow,
Action=[
awacs_codebuild.CreateReportGroup,
awacs_codebuild.CreateReport,
awacs_codebuild.UpdateReport,
awacs_codebuild.BatchPutTestCases,
awacs_codebuild.BatchPutCodeCoverages,
],
Resource=[
# "arn:aws:codebuild:eu-west-1:669925765091:report-group/examplecodebuild-*",
{
"Fn::Sub": [
f"arn:${{AWS::Partition}}:codebuild:${{AWS::Region}}:${{AWS::AccountId}}:report-group/{project_name}-*",
{},
]
},
],
),
aws.Statement(Sid="4",
Effect=aws.Allow,
Action=[awacs_sts.AssumeRole],
Resource=[migrate_role_arn]),
# aws.Statement(
# Sid="5",
# Effect=aws.Allow,
# Action=[
# aws.Action("s3", "*")
# ],
# Resource=[
# troposphere.Join(":", [
# troposphere.GetAtt(artifact_store, 'Arn'),
# "*"
# ])
# ],
# ),
# aws.Statement(
# Sid="6",
# Effect=aws.Allow,
# Action=[
# aws.Action("s3", "*")
# ],
# Resource=[
# troposphere.GetAtt(artifact_store, 'Arn')
# ],
# ),
],
),
)
],
AssumeRolePolicyDocument=aws.PolicyDocument(
Version="2012-10-17",
Statement=[
aws.Statement(
Effect=aws.Allow,
Action=[awacs_sts.AssumeRole],
Principal=aws.Principal("Service",
["codebuild.amazonaws.com"]),
),
],
),
))
project = t.add_resource(
codebuild.Project(
"AWSOrganizedMigrate",
Artifacts=codebuild.Artifacts(Type="CODEPIPELINE"),
Environment=codebuild.Environment(
ComputeType="BUILD_GENERAL1_SMALL",
Image="aws/codebuild/standard:4.0",
Type="LINUX_CONTAINER",
EnvironmentVariables=[{
"Name": "MIGRATE_ROLE_ARN",
"Type": "PLAINTEXT",
"Value": migrate_role_arn,
}]),
Name=project_name,
ServiceRole=troposphere.GetAtt(codebuild_role, "Arn"),
Source=codebuild.Source(
Type="CODEPIPELINE",
BuildSpec=yaml.safe_dump(
dict(
version="0.2",
phases=dict(
install={
"runtime-versions": dict(python="3.8"),
"commands": [
"pip install aws-organized",
],
},
build={
"commands": [
"aws-organized migrate $(MIGRATE_ROLE_ARN)",
],
},
),
artifacts=dict(files=[
"environment",
], ),
)),
),
))
source_actions = codepipeline.Actions(
Name="SourceAction",
ActionTypeId=codepipeline.ActionTypeId(
Category="Source",
Owner="AWS",
Version="1",
Provider="CodeCommit",
),
OutputArtifacts=[codepipeline.OutputArtifacts(Name="SourceOutput")],
Configuration={
"RepositoryName": repository_name,
"BranchName": "master",
"PollForSourceChanges": "true",
},
RunOrder="1",
)
pipeline = t.add_resource(
codepipeline.Pipeline(
"Pipeline",
RoleArn=troposphere.GetAtt(codepipeline_role, "Arn"),
Stages=[
codepipeline.Stages(
Name="Source",
Actions=[source_actions],
),
codepipeline.Stages(
Name="Migrate",
Actions=[
codepipeline.Actions(
Name="Migrate",
InputArtifacts=[
codepipeline.InputArtifacts(
Name="SourceOutput")
],
ActionTypeId=codepipeline.ActionTypeId(
Category="Build",
Owner="AWS",
Version="1",
Provider="CodeBuild",
),
Configuration={
"ProjectName": troposphere.Ref(project),
"PrimarySource": "SourceAction",
},
RunOrder="1",
)
],
),
],
ArtifactStore=codepipeline.ArtifactStore(
Type="S3", Location=troposphere.Ref(artifact_store)),
))
if output_format == "json":
return t.to_json()
else:
return t.to_yaml()
