This repository was archived by the owner on Jan 6, 2026. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcodepipeline.yaml
More file actions
1122 lines (1023 loc) · 34.5 KB
/
codepipeline.yaml
File metadata and controls
1122 lines (1023 loc) · 34.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#############################################################################################
# File: codepipeline.yaml
# Description: Automated, CloudFormation-based, multi-stage CI/CD pipeline with integrated security and compliance.
# Author: Haitam Bidiouane (@sch0penheimer)
# Last Modified: 21/09/2025
#
# This template provisions a secure CI/CD pipeline using AWS services, integrating:
# - Code & container security scanning (Snyk, Clair/ECR, OWASP ZAP)
# - Compliance monitoring (AWS CloudTrail, AWS CloudWatch)
# - Automated deployment to ECS clusters
# - Security best practices: Secrets Detection, SAST, SCA, DAST, IAM least privilege, audit logging
#
# Sections:
# - Parameters: Pipeline configuration and secrets
# - Metadata: CloudFormation UI grouping and labels
# - Resources: All AWS resources for pipeline, security, and compliance
# - Outputs: Useful ARNs and resource names for integration and monitoring
#############################################################################################
AWSTemplateFormatVersion: "2010-09-09"
Description: >
A fully automated AWS DevSecOps Hybrid CI/CD platform that provisions secure platform infrastructure using
Terraform and orchestrates a multi-stage CodePipeline via CloudFormation, integrating code
and container security scanning, centralized artifact storage with encryption, compliance monitoring,
and automated deployment to ECS clusters. The solution enforces security best practices at every stage,
including secrets detection, SCA, SAST, DAST, RASP, IAM least privilege, and audit logging, providing production-grade
application delivery with integrated security and compliance.
##-- Parameters Section --##
Parameters:
#-- Terraform Platform/Infra Related Parameters --#
StagingECSCluster:
Description: ECS Cluster for Staging
Type: String
StagingECSService:
Description: ECS Staging Service Name
Type: String
StagingECSTaskDefinition:
Description: ECS Task Definition for Staging
Type: String
StagingASGName:
Description: Auto Scaling Group Name for Staging (for instance, to fetch the instances' IPs for DAST testing)
Type: String
ProdECSTaskDefinition:
Description: ECS Task Definition for Production
Type: String
ProdECSCluster:
Description: ECS Cluster for Production
Type: String
ProdECSService:
Description: ECS Production Service Name
Type: String
EcrRegistryName:
Description: ECR Registry Name
Type: String
PipelineArtifactS3Bucket:
Description: S3 Bucket for CodePipeline Artifacts
Type: String
LambdaS3Bucket:
Description: S3 Bucket of the Lambda Package/ZIP
Type: String
LambdaS3Key:
Description: S3 Key for Lambda Package/ZIP
Type: String
LambdaHandler:
Description: Name of the Lambda Handler
Type: String
VpcId:
Description: VPC ID for internal staging access
Type: String
PrivateSubnetIds:
Description: Private subnet IDs for CodeBuild VPC access
Type: CommaDelimitedList
CodeBuildSecurityGroupId:
Description: Security Group ID for CodeBuild DAST project
Type: String
AppURLForDAST:
Description: Application URL to run the Dynamic Application Security Testing / Pen Testing
Type: String
#-- CloudFormation Services Related Parameters --#
GitProviderType:
Description: Git Repository provider type
Type: String
AllowedValues:
- GitHub
- GitLab
- Bitbucket
FullGitRepositoryId:
Description: Full Git Repository ID (owner/repository-name for GitHub, group/repository-name for GitLab)
Type: String
BranchName:
Description: Main Branch Name
Type: String
Default: main
SnykAPIKey:
Description: Snyk API Key
Type: String
NoEcho: true
PipelineNotificationMail:
Description: SNS notifications Email Address for every Pipeline Change
Type: String
PipelineManualApproverMail:
Description: Manual Approval / DevOps Administrator Email Address
Type: String
DockerHubUsername:
Description: Docker Hub Username (for pull limits)
Type: String
DockerHubPassword:
Description: Docker Hub Password (for pull limits)
Type: String
NoEcho: true
##-- Metadata Section for CloudFormation UI Grouping--##
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: Infrastructure & Codebase Related Parameters
Parameters:
- GitProviderType
- FullGitRepositoryId
- BranchName
- EcrRegistryName
- StagingECSCluster
- ProdECSCluster
- StagingECSService
- ProdECSService
- StagingECSTaskDefinition
- ProdECSTaskDefinition
- StagingASGName
- VpcId
- PrivateSubnetIds
- CodeBuildSecurityGroupId
- Label:
default: Static Application Security Testing (SAST) Related Parameters
Parameters:
- SnykAPIKey
- Label:
default: Dynamic Application Security Testing (DAST) Related Parameters
Parameters:
- AppURLForDAST
- Label:
default: Lambda Function Related Parameters
Parameters:
- LambdaS3Bucket
- LambdaS3Key
- LambdaHandler
- Label: Docker Hub Authentication (For Pull Limits) Related Parameters
Parameters:
- DockerHubUsername
- DockerHubPassword
- Label:
default: Contact & Approval Notifications Related Parameters
Parameters:
- PipelineNotificationMail
- PipelineManualApproverMail
ParameterLabels:
GitProviderType:
default: Git Repository Provider Type
FullGitRepositoryId:
default: Full Git Repository ID (owner/repo-name)
BranchName:
default: Main Branch Name
SnykAPIKey:
default: Snyk API Key
AppURLForDAST:
default: App URL for DAST (Staging)
LambdaS3Bucket:
default: S3 Bucket Name of the Lambda Package
LambdaS3Key:
default: S3 Bucket Key of the Lambda Package
LambdaHandler:
default: Lambda Function Handler
EcrRegistryName:
default: ECR Repository Name
StagingECSCluster:
default: Staging ECS Cluster Name
ProdECSCluster:
default: Production ECS Cluster Name
StagingECSService:
default: Staging ECS Service Name
ProdECSService:
default: Production ECS Service Name
StagingECSTaskDefinition:
default: ECS Task Definition for Staging
ProdECSTaskDefinition:
default: ECS Task Definition for Production
StagingASGName:
default: Auto Scaling Group Name for Staging
VpcId:
default: VPC ID for internal staging access
PrivateSubnetIds:
default: Private Subnet IDs for CodeBuild VPC access
CodeBuildSecurityGroupId:
default: Security Group ID for CodeBuild DAST project
PipelineNotificationMail:
default: Email for Pipeline Notifications
PipelineManualApproverMail:
default: Email for Approval Notifications
DockerHubUsername:
default: Docker Hub Username (for pull limits)
DockerHubPassword:
default: Docker Hub Password (for pull limits)
##-- Resources Section --##
Resources:
#- System Manager (SSM) Parameters for Secure Secrets/Config Storage -#
SSMSnykAPIKey:
Type: 'AWS::SSM::Parameter'
Properties:
Name: !Sub ${AWS::StackName}-Snyk-API-Key
Type: String
Value: !Ref SnykAPIKey
SSMAppURL:
Type: 'AWS::SSM::Parameter'
Properties:
Name: !Sub ${AWS::StackName}-App-URL
Type: String
Value: !Ref AppURLForDAST
SSMDockerHubPassword:
Type: 'AWS::SSM::Parameter'
Properties:
Name: !Sub ${AWS::StackName}-DockerHub-Password
Type: String
Value: !Ref DockerHubPassword
#- CodeConnections Git Repo Connection -#
CodeConnection:
Type: AWS::CodeStarConnections::Connection
Properties:
ConnectionName: !Sub ${AWS::StackName}-conn
ProviderType: !Ref GitProviderType
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
#- CloudWatch Log Group for pipeline logs -#
PipelineCloudWatchLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub ${AWS::StackName}-pipeline-logs
RetentionInDays: 7
#- KMS Key for pipeline encryption -#
PipelineKMSKey:
Type: AWS::KMS::Key
Properties:
Description: KMS Key for General Pipeline-Related Encryption
Enabled: true
EnableKeyRotation: true
KeyPolicy:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
Action:
- 'kms:Create*'
- 'kms:Describe*'
- 'kms:Enable*'
- 'kms:List*'
- 'kms:Put*'
- 'kms:Update*'
- 'kms:Revoke*'
- 'kms:Disable*'
- 'kms:Get*'
- 'kms:Delete*'
- 'kms:ScheduleKeyDeletion'
- 'kms:CancelKeyDeletion'
Resource: '*'
- Effect: Allow
Principal:
Service:
- codepipeline.amazonaws.com
- !Sub logs.${AWS::Region}.amazonaws.com
- codebuild.amazonaws.com
Action:
- 'kms:Encrypt'
- 'kms:Decrypt'
- 'kms:ReEncrypt*'
- 'kms:GenerateDataKey*'
- 'kms:CreateGrant'
- 'kms:ListGrants'
- 'kms:DescribeKey'
Resource: '*'
- Effect: Allow
Principal:
AWS:
- !GetAtt PipelineServiceRole.Arn
- !GetAtt CodeBuildServiceRole.Arn
Action:
- 'kms:Encrypt'
- 'kms:Decrypt'
- 'kms:ReEncrypt*'
- 'kms:GenerateDataKey*'
- 'kms:CreateGrant'
- 'kms:ListGrants'
- 'kms:DescribeKey'
Resource: '*'
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
#- SNS Topics for notifications -#
ManualApprovalTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: PipelineManualApprovalTopic
Subscription:
- Endpoint: !Ref PipelineManualApproverMail
Protocol: "email"
TopicName: !Sub ${AWS::StackName}-pipeline-manual-approval-topic
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
PipelineTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: PipelineStageChangeNotificationTopic
Subscription:
- Endpoint: !Ref PipelineNotificationMail
Protocol: "email"
TopicName: !Sub ${AWS::StackName}-pipeline-change-topic
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
CloudTrailTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: CloudTrailNotificationTopic
Subscription:
- Endpoint: !Ref PipelineNotificationMail
Protocol: "email"
TopicName: !Sub ${AWS::StackName}-cloudtrail-notifications-topic
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
#- Main Lambda Function (for Security Hub Import) -#
LambdaSHImport:
Type: 'AWS::Lambda::Function'
Properties:
FunctionName: ImportToSecurityHub
Handler: !Ref LambdaHandler
Role: !GetAtt LambdaExecutionRole.Arn
Runtime: python3.9
Code:
S3Bucket: !Ref LambdaS3Bucket
S3Key: !Ref LambdaS3Key
Environment:
Variables:
S3_ARTIFACT_BUCKET_NAME: !Ref PipelineArtifactS3Bucket
AWS_PARTITION: aws
Timeout: 10
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
#- CloudWatch Event (aka 'AWS EventBridge') Role for automatic CodePipeline execution -#
CloudWatchEventRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- events.amazonaws.com
Action: 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: cwe-pipeline-execution
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: 'codepipeline:StartPipelineExecution'
Resource: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${AWS::StackName}-pipeline'
#- CloudWatch Event Rule for CodeConnections -#
CloudWatchEventRule:
Type: 'AWS::Events::Rule'
Properties:
EventPattern:
source:
- aws.codestar-connections
detail-type:
- CodeStar Source Connection State Change
detail:
state:
- AVAILABLE
Targets:
- Arn: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${AWS::StackName}-pipeline'
RoleArn: !GetAtt CloudWatchEventRole.Arn
Id: codepipeline-AppPipeline
#- CloudWatch Event Rule for SNS notifications for pipeline state change -#
CloudWatchPipelineEventRule:
Type: 'AWS::Events::Rule'
Properties:
EventPattern:
source:
- aws.codepipeline
detail-type:
- CodePipeline Stage Execution State Change
Targets:
- Arn: !Ref PipelineTopic
Id: "PipelineNotifications"
#- CloudTrail S3 Bucket & Resources -#
CloudTrailBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Delete
Properties:
BucketName: !Sub ${AWS::StackName}-cloudtrail-bucket
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
CloudTrailBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref CloudTrailBucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AWSCloudTrailAclCheck
Effect: Allow
Principal:
Service: 'cloudtrail.amazonaws.com'
Action: 's3:GetBucketAcl'
Resource: !Sub 'arn:${AWS::Partition}:s3:::${CloudTrailBucket}'
- Sid: AWSCloudTrailWrite
Effect: Allow
Principal:
Service: 'cloudtrail.amazonaws.com'
Action: 's3:PutObject'
Resource: !Sub 'arn:${AWS::Partition}:s3:::${CloudTrailBucket}/AWSLogs/${AWS::AccountId}/*'
Condition:
StringEquals:
's3:x-amz-acl': 'bucket-owner-full-control'
- Sid: AllowSSLRequestsOnly
Effect: Deny
Principal: '*'
Action: 's3:*'
Resource: !Join
- ''
- - !GetAtt
- CloudTrailBucket
- Arn
- /*
Condition:
Bool:
'aws:SecureTransport': false
TrailLogGroup:
Type: 'AWS::Logs::LogGroup'
Properties:
LogGroupName: !Sub ${AWS::StackName}-cloudtrail-logs
RetentionInDays: 14
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
TrailLogGroupRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AssumeRole1
Effect: Allow
Principal:
Service: 'cloudtrail.amazonaws.com'
Action: 'sts:AssumeRole'
Policies:
- PolicyName: 'cloudtrail-logs-policy'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
- 'logs:DescribeLogStreams'
- 'logs:DescribeLogGroups'
Resource:
- !GetAtt TrailLogGroup.Arn
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
Trail:
DependsOn:
- CloudTrailBucketPolicy
- TrailLogGroup
- TrailLogGroupRole
Type: AWS::CloudTrail::Trail
Properties:
S3BucketName: !Ref CloudTrailBucket
IncludeGlobalServiceEvents: true
IsLogging: true
IsMultiRegionTrail: true
EnableLogFileValidation: true
CloudWatchLogsLogGroupArn: !GetAtt TrailLogGroup.Arn
CloudWatchLogsRoleArn: !GetAtt TrailLogGroupRole.Arn
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
#- CloudWatch Metric Filters (Start, Stop, Update, Delete) and Alarms -#
PipelineStateChangeMetricFilter:
Type: 'AWS::Logs::MetricFilter'
Properties:
FilterPattern: '{ ($.eventName = "StartPipelineExecution") || ($.eventName = "StopPipelineExecution") || ($.eventName = "UpdatePipeline") || ($.eventName = "DeletePipeline") }'
LogGroupName: !Ref TrailLogGroup
MetricTransformations:
- MetricName: "pipelineEvent"
MetricNamespace: "CloudTrailMetrics"
MetricValue: "1"
PipelineStateChangeAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmName: !Sub ${AWS::StackName}-CloudTrailPipelineEventChange
AlarmDescription: "An alarm when CloudTrail receives an event from CodePipeline"
MetricName: "pipelineEvent"
AlarmActions:
- !Ref CloudTrailTopic
ComparisonOperator: "GreaterThanThreshold"
EvaluationPeriods: 1
Threshold: 0
Namespace: "CloudTrailMetrics"
Statistic: "Sum"
Period: 1800
CodeBuildChangeMetricFilter:
Type: 'AWS::Logs::MetricFilter'
Properties:
FilterPattern: '{ (($.eventSource = "codebuild.amazonaws.com") && (($.eventName = "CreateProject") || ($.eventName = "DeleteProject"))) }'
LogGroupName: !Ref TrailLogGroup
MetricTransformations:
- MetricName: "codebuildEvent"
MetricNamespace: "CloudTrailMetrics"
MetricValue: "1"
CodeBuildStateChangeAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmName: !Sub ${AWS::StackName}-CloudTrailCodebuildEventChange
AlarmDescription: "Alarm when cloudtrail receives an state change event from codebuild"
MetricName: "codebuildEvent"
AlarmActions:
- !Ref CloudTrailTopic
ComparisonOperator: "GreaterThanThreshold"
EvaluationPeriods: 1
Threshold: 0
Namespace: "CloudTrailMetrics"
Statistic: "Sum"
Period: 1800
##-- CI/CD CodePipeline --##
AppPipeline:
Type: 'AWS::CodePipeline::Pipeline'
Properties:
Name: !Sub ${AWS::StackName}-pipeline
RoleArn: !GetAtt PipelineServiceRole.Arn
Stages:
#- 1) Source Code Checkout Stage -#
- Name: Source-Checkout-Stage
Actions:
- Name: Source-Code-Checkout-Action
ActionTypeId:
Category: Source
Owner: AWS
Version: '1'
Provider: CodeStarSourceConnection
OutputArtifacts:
- Name: SourceCodeArtifactOutput
Configuration:
ConnectionArn: !Ref CodeConnection
FullRepositoryId: !Ref FullGitRepositoryId
BranchName: !Ref BranchName
DetectChanges: true
RunOrder: 1
#- 2) Secret Analysis (using Git-Secrets) Stage -#
- Name: Secrets-Analysis-Stage
Actions:
- Name: Secret-Analysis-Action
InputArtifacts:
- Name: SourceCodeArtifactOutput
ActionTypeId:
Category: Build
Owner: AWS
Version: '1'
Provider: CodeBuild
OutputArtifacts:
- Name: SecretAnalysisOutputArtifacts
Configuration:
ProjectName: !Ref SecretsAnalysisBuildProject
RunOrder: 2
#- 3) Snyk SAST + Clair SCA & Staging Deployment Stage -#
- Name: SAST-SCA-Analysis-and-Staging-Stage
Actions:
#- 3.1. Snyk SAST Analysis Action -#
- Name: Snyk-SAST-Analysis-Action
InputArtifacts:
- Name: SourceCodeArtifactOutput
ActionTypeId:
Category: Build
Owner: AWS
Version: '1'
Provider: CodeBuild
OutputArtifacts:
- Name: SASTArtifacts
Configuration:
ProjectName: !Ref SnykSASTBuildProject
RunOrder: 3
#- 3.2. Clair ECR SCA Analysis + Staging Action -#
- Name: Clair-SCA-Analysis-and-Staging-Action
InputArtifacts:
- Name: SourceCodeArtifactOutput
ActionTypeId:
Category: Build
Owner: AWS
Version: '1'
Provider: CodeBuild
OutputArtifacts:
- Name: ClairSASTArtifacts
Configuration:
ProjectName: !Ref ClairSCAStagingBuildProject
RunOrder: 4
#- 4) DAST Stage -#
- Name: DAST-Analysis-Stage
Actions:
- Name: DAST-Analysis-Action
InputArtifacts:
- Name: SourceCodeArtifactOutput
ActionTypeId:
Category: Test
Owner: AWS
Version: '1'
Provider: CodeBuild
Configuration:
ProjectName: !Ref OwaspDASTBuildProject
RunOrder: 5
#- 5) Manual Approval Stage -#
- Name: Manual-Approval-Stage
Actions:
- Name: Approval-Required-Action
ActionTypeId:
Category: Approval
Owner: AWS
Version: '1'
Provider: Manual
Configuration:
CustomData: No critical Vulnerabilities Detected. Production Deployment is ready, but a manual approval is needed.
ExternalEntityLink: !Sub https://console.amazonaws.com/codesuite/codepipeline/pipelines/${AWS::StackName}/general?region=${AWS::Region}
NotificationArn: !Ref ManualApprovalTopic
RunOrder: 6
#- 6) Production Deployment Stage -#
- Name: Production-Deployment-Stage
Actions:
- Name: Production-BlueGreen-Deployment-Action
InputArtifacts:
- Name: SourceCodeArtifactOutput
ActionTypeId:
Category: Build
Owner: AWS
Version: '1'
Provider: CodeBuild
Configuration:
ProjectName: !Ref ProductionBlueGreenBuildProject
RunOrder: 7
ArtifactStore:
Type: S3
Location: !Ref PipelineArtifactS3Bucket
EncryptionKey:
Id: !GetAtt PipelineKMSKey.Arn
Type: KMS
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
##-- CodeBuild Projects --##
#- 1. Secrets Analysis (Git-Secrets) Build Project -#
SecretsAnalysisBuildProject:
Type: AWS::CodeBuild::Project
Properties:
Description: Git-Secrets Secret Detection/Analysis Build Project
Artifacts:
Type: CODEPIPELINE
EncryptionKey: !GetAtt PipelineKMSKey.Arn
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:5.0
Type: LINUX_CONTAINER
EnvironmentVariables:
- Name: GIT_REPOSITORY_ID
Value: !Ref FullGitRepositoryId
- Name: GIT_CODECONNECTION_ARN
Value: !Ref CodeConnection
- Name: GIT_PROVIDER_TYPE
Value: !Ref GitProviderType
- Name: AWS_DEFAULT_REGION
Value: !Ref AWS::Region
- Name: CODE_BRANCH_NAME
Value: !Ref BranchName
PrivilegedMode: true
ServiceRole: !Ref CodeBuildServiceRole
Source:
Type: CODEPIPELINE
BuildSpec: buildspecs/1-secretsanalysis-buildspec.yml
LogsConfig:
CloudWatchLogs:
GroupName: !Ref PipelineCloudWatchLogGroup
Status: ENABLED
StreamName: SecretAnalysis
QueuedTimeoutInMinutes: 10
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
#- 2. Snyk SAST Build Project -#
SnykSASTBuildProject:
Type: AWS::CodeBuild::Project
Properties:
Description: Static Application Security Testing (SAST) Build Project using Snyk
Artifacts:
Type: CODEPIPELINE
EncryptionKey: !GetAtt PipelineKMSKey.Arn
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:5.0
Type: LINUX_CONTAINER
EnvironmentVariables:
- Name: SNYK_API_KEY
Type: PARAMETER_STORE
Value: !Ref SSMSnykAPIKey
- Name: ECR_REPO_NAME
Value: !Ref EcrRegistryName
- Name: ECR_REPO_URI
Value: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${EcrRegistryName}
- Name: AWS_DEFAULT_REGION
Value: !Ref AWS::Region
- Name: LAMBDA_FUNCTION_NAME
Value: !Ref LambdaSHImport
- Name: DOCKERFILE_NAME
Value: Dockerfile
- Name: DOCKERHUB_USERNAME
Value: !Ref DockerHubUsername
- Name: DOCKERHUB_PASSWORD
Type: PARAMETER_STORE
Value: !Ref SSMDockerHubPassword
PrivilegedMode: true
ServiceRole: !Ref CodeBuildServiceRole
Source:
Type: CODEPIPELINE
BuildSpec: buildspecs/2-snyk-sast-buildspec.yml
LogsConfig:
CloudWatchLogs:
GroupName: !Ref PipelineCloudWatchLogGroup
Status: ENABLED
StreamName: SnykSASTAnalysis
QueuedTimeoutInMinutes: 10
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
#- 3. Clair SCA + Staging Build Project -#
ClairSCAStagingBuildProject:
Type: AWS::CodeBuild::Project
Properties:
Description: SCA (Software Composition Analysis) via Clair + Staging Build Project
Artifacts:
Type: CODEPIPELINE
EncryptionKey: !GetAtt PipelineKMSKey.Arn
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:5.0
Type: LINUX_CONTAINER
EnvironmentVariables:
- Name: ECR_REPO_NAME
Value: !Ref EcrRegistryName
- Name: ECR_REPO_URI
Value: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${EcrRegistryName}
- Name: TAG
Value: latest
- Name: AWS_DEFAULT_REGION
Value: !Ref AWS::Region
- Name: ASG_NAME
Value: !Ref StagingASGName
- Name: ECS_CLUSTER_NAME
Value: !Ref StagingECSCluster
- Name: ECS_SERVICE_NAME
Value: !Ref StagingECSService
- Name: ECS_TASK_DEFINITION
Value: !Ref StagingECSTaskDefinition
- Name: LAMBDA_FUNCTION_NAME
Value: !Ref LambdaSHImport
PrivilegedMode: true
ServiceRole: !Ref CodeBuildServiceRole
Source:
Type: CODEPIPELINE
BuildSpec: buildspecs/3-clair-sca-staging-buildspec.yml
LogsConfig:
CloudWatchLogs:
GroupName: !Ref PipelineCloudWatchLogGroup
Status: ENABLED
StreamName: ECRSASTAnalysis
QueuedTimeoutInMinutes: 10
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
#- 4. OWASP DAST Build Project (Needs the Security Group to access the staging ECS Cluster
# + VPC Id & Private Subnet Ids to run internally and resolve internal IPs / DNS names) -#
OwaspDASTBuildProject:
Type: AWS::CodeBuild::Project
Properties:
Description: Dynamic Code Analysis Build Project
Artifacts:
Type: CODEPIPELINE
EncryptionKey: !GetAtt PipelineKMSKey.Arn
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:5.0
Type: LINUX_CONTAINER
PrivilegedMode: true
EnvironmentVariables:
- Name: APPLICATION_URL
Type: PARAMETER_STORE
Value: !Ref SSMAppURL
- Name: ASG_NAME
Value: !Ref StagingASGName
- Name: LAMBDA_FUNCTION_NAME
Value: !Ref LambdaSHImport
ServiceRole: !Ref CodeBuildServiceRole
VpcConfig:
VpcId: !Ref VpcId
Subnets: !Ref PrivateSubnetIds
SecurityGroupIds:
- !Ref CodeBuildSecurityGroupId
Source:
Type: CODEPIPELINE
BuildSpec: buildspecs/4-owasp-zap-dast-buildspec.yml
LogsConfig:
CloudWatchLogs:
GroupName: !Ref PipelineCloudWatchLogGroup
Status: ENABLED
StreamName: DASTAnalysis
QueuedTimeoutInMinutes: 20
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
#- 5. Production Blue/Green Deployment Build Project -#
ProductionBlueGreenBuildProject:
Type: AWS::CodeBuild::Project
Properties:
Description: Production Blue/Green Deployment using ECS Service Updates
Artifacts:
Type: CODEPIPELINE
EncryptionKey: !GetAtt PipelineKMSKey.Arn
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:5.0
Type: LINUX_CONTAINER
EnvironmentVariables:
- Name: ECR_REPO_URI
Value: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${EcrRegistryName}
- Name: ECS_CLUSTER_NAME
Value: !Ref ProdECSCluster
- Name: ECS_TASK_DEFINITION
Value: !Ref ProdECSTaskDefinition
- Name: ECS_SERVICE_NAME
Value: !Ref ProdECSService
- Name: AWS_DEFAULT_REGION
Value: !Ref AWS::Region
PrivilegedMode: true
ServiceRole: !Ref CodeBuildServiceRole
VpcConfig:
VpcId: !Ref VpcId
Subnets: !Ref PrivateSubnetIds
SecurityGroupIds:
- !Ref CodeBuildSecurityGroupId
Source:
Type: CODEPIPELINE
BuildSpec: buildspecs/5-prod-bluegreen-buildspec.yml
LogsConfig:
CloudWatchLogs:
GroupName: !Ref PipelineCloudWatchLogGroup
Status: ENABLED
StreamName: ProductionDeployment
QueuedTimeoutInMinutes: 30
Tags:
- Key: pipeline-name
Value: !Sub ${AWS::StackName}-pipeline
#- IAM Roles -#
CodeBuildServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
Service:
- codebuild.amazonaws.com
Policies:
- PolicyName: SecurityCodeAnalysisPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: iam:PassRole
Resource: '*'
- Effect: Allow
Action:
- iam:PassRole
- logs:*
- s3:*
- cloudformation:*
- cloudwatch:*
- cloudtrail:*
- codebuild:*
- codepipeline:*
- ssm:*
- lambda:*
- kms:*
- ecr:*
- ecs:*