pipeline.yaml

---
AWSTemplateFormatVersion: 2010-09-09


Description: >-
  Automated CI/CD pipeline for SATOSA on ECS


Metadata:
  AWS::CloudFormation::Interface:
    ParameterLabels:
      CertDcvMethod:
        default: Certificate Domain Control Validation Method
      CertificateArn:
        default: ACM Certificate ARN
      CertificateAuthorityArn:
        default: Private Certificate Authority ARN
      ClusterDesiredSize:
        default: ECS Cluster - Desired Size
      ClusterMaxSize:
        default: ECS Cluster - Maximum Size
      ClusterMinSize:
        default: ECS Cluster - Minimum Size
      CtLoggingPref:
        default: Certificate Transparency Logging
      DomainName:
        default: Domain Name
      EcsImageId:
        default: ECS Image ID
      GitRepoBranch:
        default: Git Repository Branch
      GitRepoId:
        default: Git Repository Identifier
      GitServer:
        default: Git Repository Hosting Provider
      HostedZoneId:
        default: Route 53 Hosted Zone ID
      Hostname:
        default: Hostname
      InstanceType:
        default: EC2 Instance Type
      LaunchType:
        default: ECS Launch Type
      PrivateSubnet1Cidr:
        default: New VPC Private Subnet 1 IPv4 Address
      PrivateSubnet1Id:
        default: Existing VPC Private Subnet 1 ID
      PrivateSubnet2Cidr:
        default: New VPC Private Subnet 2 IPv4 Address
      PrivateSubnet2Id:
        default: Existing VPC Private Subnet 2 ID
      PublicSubnet1Cidr:
        default: New VPC Public Subnet 1 IPv4 Address
      PublicSubnet1Id:
        default: Existing VPC Public Subnet 1 ID
      PublicSubnet2Cidr:
        default: New VPC Public Subnet 2 IPv4 Address
      PublicSubnet2Id:
        default: Existing VPC Public Subnet 2 ID
      S3EncryptionKeyArn:
        default: KMS Master Key ARN for S3 Server-side Encryption
      S3ServerSideEncryption:
        default: S3 Server-side Encryption
      SecretsManagerEncryptionKeyArn:
        default: Custom KMS Key ARN for Secrets Manager Encryption
      StackName:
        default: Service Stack Name
      VpcCidr:
        default: New VPC IPv4 CIDR Block
      VpcId:
        default: Existing VPC ID
      VpcType:
        default: New or Existing VPC

    ParameterGroups:
      - Label:
          default: CI/CD Configuration
        Parameters:
          - GitServer
          - GitRepoId
          - GitRepoBranch
          - S3ServerSideEncryption
          - S3EncryptionKeyArn
          - SecretsManagerEncryptionKeyArn
      - Label:
          default: Service Configuration
        Parameters:
          - StackName
          - Hostname
          - DomainName
          - HostedZoneId
          - CertificateArn
          - CertDcvMethod
          - CertificateAuthorityArn
          - CtLoggingPref
      - Label:
          default: Service Networking
        Parameters:
          - VpcType
          - VpcCidr
          - PublicSubnet1Cidr
          - PublicSubnet2Cidr
          - PrivateSubnet1Cidr
          - PrivateSubnet2Cidr
          - VpcId
          - PublicSubnet1Id
          - PublicSubnet2Id
          - PrivateSubnet1Id
          - PrivateSubnet2Id
      - Label:
          default: Service Hosting
        Parameters:
          - LaunchType
          - EcsImageId
          - InstanceType
          - ClusterMinSize
          - ClusterMaxSize
          - ClusterDesiredSize


Parameters:
  CertDcvMethod:
    Type: String
    Default: DNS
    Description: >-
      (Optional) When requesting a new service certificate, use DNS record- or confirmation email-based domain control validation (DCV).
      If using DNS DCV (the default) and if HostedZoneId is set, the CI/CD stack will handle this automatically.
      Otherwise, validation will require manual action by one of the domain's contacts.
      For more information, refer to https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html (DNS) or https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.html (EMAIL).
    AllowedValues:
      - DNS
      - EMAIL
  CertificateArn:
    Type: String
    Default: ''
    Description: >-
      (Optional) The service stack will use this certificate in AWS Certificate Manager (ACM).
      If left blank, the CI/CD stack will request a new ACM certificate on behalf of the service stack.
  CertificateAuthorityArn:
    Type: String
    Default: ''
    Description: >-
      (Optional) When requesting a new service certificate, issue it using the specified private ACM certificate authority (CA).
      Otherwise, the CI/CD stack will use the default public CA.
  ClusterDesiredSize:
    Type: Number
    Default: 2
    Description: >-
      When deploying ECS clusters on EC2, the stack will configure the Auto Scaling group to keep at least this many ECS container instances running at all times.
      It must greater than or equal to the cluster's minimum size and less than or equal to the cluster's maximum size.
  ClusterMaxSize:
    Type: Number
    Default: 2
    Description: >-
      When deploying ECS clusters on EC2, the stack will create the Auto Scaling group with no more than this many ECS container instances.
  ClusterMinSize:
    Type: Number
    Default: 2
    Description: >-
      When deploying ECS clusters on EC2, the stack will create the Auto Scaling group with at least this many ECS container instances.
  CtLoggingPref:
    Type: String
    Default: ENABLED
    Description: >-
      (Optional) When requesting a new service certificate, opt out of Certificate Transparency logging by setting this to DISABLED.
    AllowedValues:
      - ENABLED
      - DISABLED
  DomainName:
    Type: String
    Description: >-
      The domain name of the service, e.g., for "aai.example.com", the domain name would be "example.com".
  EcsImageId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Image::Id>
    Default: /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id
    Description: >-
      When deploying ECS clusters on EC2, the stack will create the Auto Scaling group with ECS container instances based on this Amazon Machine Image (AMI).
  GitRepoBranch:
    Type: String
    Default: main
    Description: >-
      The continuous delivery pipeline will watch for changes in this branch of the above repository, e.g., `main`, `production`.
  GitRepoId:
    Type: String
    Description: >-
      The continuous delivery pipeline will watch for source changes in this Git repository, e.g., `example/repo` (GitHub), `example-repo` (CodeCommit).
      Note that CodeCommit repositories MUST exist in the same partition/region/account as this stack.
  GitServer:
    Type: String
    Default: GitHub
    Description: >-
      The continuous delivery pipeline will connect to the specified service to access the Git repository specified below.
    AllowedValues:
      - Bitbucket
      - CodeCommit
      - GitHub
      - GitHubEnterpriseServer
  HostedZoneId:
    Type: String
    Default: ''
    Description: >-
      (Optional) If specified, the continuous delivery pipeline and service stack will create resource records for SATOSA in this Route 53 hosted zone.
      Note that the Route 53 hosted zone MUST exist in the same partition/account as this stack.
  Hostname:
    Type: String
    Description: >-
      The short name of the service, e.g., for "aai.example.com", the hostname would be "aai".
  InstanceType:
    Type: String
    Default: t3a.medium
    Description: >-
      When deploying ECS clusters on EC2, the stack will create the Auto Scaling group with ECS container instances based on this EC2 instance type.
  LaunchType:
    Type: String
    Default: FARGATE
    Description: >-
      The stack will deploy ECS-managed containers using Fargate or EC2.
      Selecting EC2 will create an Auto Scaling group of t3a.micro instances for the cluster.
      For more information on launch types, refer to https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html.
    AllowedValues:
      - EC2
      - FARGATE
  PrivateSubnet1Cidr:
    Type: String
    Default: 192.168.128.0/18
    Description: >-
      When creating a new VPC, the stack will use this subnet of the VPC's IPv4 CIDR block for the first private subnet.
  PrivateSubnet1Id:
    Type: String
    Default: ''
    Description: >-
      If using an existing VPC, the stack will use this subnet ID as the first private subnet.
  PrivateSubnet2Cidr:
    Type: String
    Default: 192.168.192.0/18
    Description: >-
      When creating a new VPC, the stack will use this subnet of the VPC's IPv4 CIDR block for the second private subnet.
  PrivateSubnet2Id:
    Type: String
    Default: ''
    Description: >-
      If using an existing VPC, the stack will use this subnet ID as the second private subnet.
  PublicSubnet1Cidr:
    Type: String
    Default: 192.168.0.0/18
    Description: >-
      When creating a new VPC, the stack will use this subnet of the VPC's IPv4 CIDR block for the first public subnet.
  PublicSubnet1Id:
    Type: String
    Default: ''
    Description: >-
      If using an existing VPC, the stack will use this subnet ID as the first public subnet.
  PublicSubnet2Cidr:
    Type: String
    Default: 192.168.64.0/18
    Description: >-
      When creating a new VPC, the stack will use this subnet of the VPC's IPv4 CIDR block for the second public subnet.
  PublicSubnet2Id:
    Type: String
    Default: ''
    Description: >-
      If using an existing VPC, the stack will use this subnet ID as the second public subnet.
  S3ServerSideEncryption:
    Type: String
    Default: SSE-S3
    Description: >-
      (Optional) The CI/CD stack will encrypt S3-backed storage with a key of this type.
      SSE-KMS costs more but enables key usage auditing and offers better control over key management.
    AllowedValues:
      - SSE-S3
      - SSE-KMS
  S3EncryptionKeyArn:
    Type: String
    Default: ''
    Description: >-
      (Optional; SSE-KMS only) The CI/CD stack will use this symmetric KMS master key to encrypt the S3 storage instead of the default.
  SecretsManagerEncryptionKeyArn:
    Type: String
    Default: ''
    Description: >-
      (Optional) The CI/CD stack will encrypt Secrets Manager secrets with a KMS key identified by this ARN instead of the default.
  StackName:
    Type: String
    Description: >-
      The continuous delivery pipeline will give this name to the CloudFormation stack that deploys SATOSA.
  VpcCidr:
    Type: String
    Default: 192.168.0.0/16
    Description: >-
      When creating a new VPC, the stack will use this IPv4 CIDR block.
  VpcId:
    Type: String
    Default: ''
    Description: >-
      If using an existing VPC, the stack will create resources in the VPC with this identifier.
  VpcType:
    Type: String
    Default: New
    Description: >-
      The stack will create a new VPC (the default) or deploy into an existing one.
    AllowedValues:
      - New
      - Existing


Conditions:
  FinishManualDcv:
    Fn::And:
      - Fn::Equals:
          - !Ref CertificateArn
          - ''
      - Fn::Or:
        - Fn::Equals:
            - !Ref CertDcvMethod
            - EMAIL
        - Fn::And:
            - Fn::Equals:
                - !Ref CertDcvMethod
                - DNS
            - Fn::Equals:
                - !Ref HostedZoneId
                - ''
  RequestCertificate:
    !Equals [ !Ref CertificateArn, '' ]
  WithCodeCommit:
    !Equals [ !Ref GitServer, CodeCommit ]
  WithCodeStarConnections:
    !Not [ !Equals [ !Ref GitServer, CodeCommit ] ]
  WithDefaultS3Encryption:
    !Equals [ !Ref S3ServerSideEncryption, SSE-S3 ]
  WithDefaultS3EncryptionKey:
    !Equals [ !Ref S3EncryptionKeyArn, '' ]
  WithSecretsManagerCustomKmsKey:
    !Not [ !Equals [ !Ref SecretsManagerEncryptionKeyArn, '' ] ]
  WithManualDnsDcv:
    Fn::And:
      - Fn::Equals:
          - !Ref CertificateArn
          - ''
      - Fn::And:
          - Fn::Equals:
              - !Ref CertDcvMethod
              - DNS
          - Fn::Equals:
              - !Ref HostedZoneId
              - ''
  WithPublicCertificateAuthority:
    !Equals [ !Ref CertificateAuthorityArn, '' ]

Resources:
  # put build enviornment in dedicated, separated network
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: 10.0.0.0/18
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Public Subnet (AZ1)
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 1, !GetAZs  '' ]
      CidrBlock: 10.0.64.0/18
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Public Subnet (AZ2)
  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs  '' ]
      CidrBlock: 10.0.128.0/18
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Subnet (AZ1)
  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 1, !GetAZs  '' ]
      CidrBlock: 10.0.192.0/18
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Subnet (AZ2)
  NatGateway1EIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
  NatGateway2EIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
  NatGateway1:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGateway1EIP.AllocationId
      SubnetId: !Ref PublicSubnet1
  NatGateway2:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGateway2EIP.AllocationId
      SubnetId: !Ref PublicSubnet2
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Public Routes
  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1
  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet2
  PrivateRouteTable1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Routes (AZ1)
  DefaultPrivateRoute1:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable1
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway1
  PrivateSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable1
      SubnetId: !Ref PrivateSubnet1
  PrivateRouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Routes (AZ2)
  DefaultPrivateRoute2:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable2
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway2
  PrivateSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable2
      SubnetId: !Ref PrivateSubnet2
  NoIngressSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: no-ingress-sg
      GroupDescription: Security group with no ingress rule
      VpcId: !Ref VPC

  # pipeline stages/actions pass information via S3
  ArtifactBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              SSEAlgorithm:
                Fn::If:
                  - WithDefaultS3Encryption
                  - AES256
                  - aws:kms
              KMSMasterKeyID:
                Fn::If:
                  - WithDefaultS3Encryption
                  - !Ref AWS::NoValue
                  - Fn::If:
                      - WithDefaultS3EncryptionKey
                      - !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3
                      - !Ref S3EncryptionKeyArn
      LifecycleConfiguration:
        Rules:
          - Id: RemoveOldArtifacts
            Status: Enabled
            ExpirationInDays: 30

  # ECS tasks pull container images from here
  ECRRepo:
    Type: AWS::ECR::Repository
    DeletionPolicy: Retain
    Properties:
      EncryptionConfiguration:  # same as S3 since that's its back end
        EncryptionType:
          Fn::If:
            - WithDefaultS3Encryption
            - AES256
            - KMS
        KmsKey:
          Fn::If:
            - WithDefaultS3Encryption
            - !Ref AWS::NoValue
            - Fn::If:
                - WithDefaultS3EncryptionKey
                - !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3
                - !Ref S3EncryptionKeyArn
      ImageScanningConfiguration:
        ScanOnPush: true
      LifecyclePolicy:
        LifecyclePolicyText: >-
          {
              "rules": [
                  {
                      "rulePriority": 1,
                      "description": "Remove old images",
                      "selection": {
                          "tagStatus": "any",
                          "countType": "sinceImagePushed",
                          "countUnit": "days",
                          "countNumber": 30
                      },
                      "action": {
                          "type": "expire"
                      }
                  }
              ]
          }

  # store secrets in AWS Secrets Manager; note that the initial value,
  # 030373bb-ddf8-44d6-8213-7c9ff2339316, indicates the secret
  # requires initialization, which happens at build time
  Saml2BackEndKeyPairSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      SecretString: 030373bb-ddf8-44d6-8213-7c9ff2339316
      KmsKeyId: !If [ WithSecretsManagerCustomKmsKey, !Ref SecretsManagerEncryptionKeyArn, !Ref AWS::NoValue ]
      Description: >-
        SATOSA's service provier back end will use this key-pair for SAML 2.0 request signing and response decryption.
  Saml2FrontEndKeyPairSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      SecretString: 030373bb-ddf8-44d6-8213-7c9ff2339316
      KmsKeyId: !If [ WithSecretsManagerCustomKmsKey, !Ref SecretsManagerEncryptionKeyArn, !Ref AWS::NoValue ]
      Description: >-
        SATOSA's identity provider front end will use this key-pair for SAML 2.0 response signing.

  # optionally request a certificate
  ServiceCertificate:
    Type: AWS::CertificateManager::Certificate
    Condition: RequestCertificate
    Properties:
      DomainName: !Sub ${Hostname}.${DomainName}
      ValidationMethod: !Ref CertDcvMethod
      DomainValidationOptions:
        Fn::If:
          - WithManualDnsDcv
          - !Ref AWS::NoValue
          -
            - DomainName: !Sub ${Hostname}.${DomainName}
              HostedZoneId: !Ref HostedZoneId
      CertificateAuthortityArn: !If [ WithPublicCertificateAuthority, !Ref AWS::NoValue, !Ref CertificateAuthorityArn ]
      CertificateTransparencyLoggingPreference: !Ref CtLoggingPref

  # run builds in a low-privilege service account
  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub codebuild.${AWS::URLSuffix}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: Logging
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: '*'
        - PolicyName: BuildEnvProvisioning
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeDhcpOptions
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeSubnets
                  - ec2:DescribeSecurityGroups
                  - ec2:DescribeVpcs
                Resource: '*'
              - Effect: Allow
                Action: ec2:CreateNetworkInterfacePermission
                Condition:
                  StringEquals:
                    'ec2:AuthorizedService': !Sub codebuild.${AWS::URLSuffix}
                    'ec2:Subnet':
                      - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnet1}
                      - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnet2}
                Resource: !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*
        - PolicyName: ArtifactStaging
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:GetObjectVersion
                Resource: !Sub ${ArtifactBucket.Arn}/*
              - Effect: Allow
                Action: ecr:GetAuthorizationToken
                Resource:  '*'
              - Effect: Allow
                Action:
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                  - ecr:BatchCheckLayerAvailability
                  - ecr:PutImage
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload
                Resource: !GetAtt ECRRepo.Arn
        - PolicyName: KeymatHandling
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                  - secretsmanager:PutSecretValue
                Resource:
                  - !Ref Saml2BackEndKeyPairSecret
                  - !Ref Saml2FrontEndKeyPairSecret
  SecretsManagerCustomKmsKeyPolicy:
    Type: AWS::IAM::Policy
    Condition: WithSecretsManagerCustomKmsKey
    Properties:
      PolicyName: !Sub ${AWS::StackName}-SecretsManagerCustomKmsKeyPolicy
      Roles:
        - !Ref CodeBuildServiceRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Actions:
              - kms:Decrypt
              - kms:Encrypt
            Resource: !Ref SecretsManagerEncryptionKeyArn

  # deploy build servers in the private VPC, which works around
  # problems accessing Docker Hub anonymously
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    DependsOn: CodeBuildServiceRole
    Properties:
      ServiceRole: !Ref CodeBuildServiceRole
      VpcConfig:
        VpcId: !Ref VPC
        Subnets:
          - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
        SecurityGroupIds:
          - !Ref NoIngressSecurityGroup
      Artifacts:
        Type: CODEPIPELINE
      Source:
        Type: CODEPIPELINE
        BuildSpec: .awscodepipeline/buildspec.yaml
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/amazonlinux2-x86_64-standard:4.0
        Type: LINUX_CONTAINER
        PrivilegedMode: true
        EnvironmentVariables:
          # buildspec variables
          - Name: REPOSITORY_URI
            Value: !GetAtt ECRRepo.RepositoryUri
          # template config variables
          - Name: CertificateArn
            Value: !If [ RequestCertificate, !Ref ServiceCertificate, !Ref CertificateArn ]
          - Name: ClusterDesiredSize
            Value: !Ref ClusterDesiredSize
          - Name: ClusterMaxSize
            Value: !Ref ClusterMaxSize
          - Name: ClusterMinSize
            Value: !Ref ClusterMinSize
          - Name: DomainName
            Value: !Ref DomainName
          - Name: EcrPrivateRepoArn
            Value: !GetAtt ECRRepo.Arn
          - Name: EcsImageId
            Value: !Ref EcsImageId
          - Name: HostedZoneId
            Value: !Ref HostedZoneId
          - Name: Hostname
            Value: !Ref Hostname
          - Name: InstanceType
            Value: !Ref InstanceType
          - Name: LaunchType
            Value: !Ref LaunchType
          - Name: PrivateSubnet1Cidr
            Value: !Ref PrivateSubnet1Cidr
          - Name: PrivateSubnet1Id
            Value: !Ref PrivateSubnet1Id
          - Name: PrivateSubnet2Cidr
            Value: !Ref PrivateSubnet2Cidr
          - Name: PrivateSubnet2Id
            Value: !Ref PrivateSubnet2Id
          - Name: PublicSubnet1Cidr
            Value: !Ref PublicSubnet1Cidr
          - Name: PublicSubnet1Id
            Value: !Ref PublicSubnet1Id
          - Name: PublicSubnet2Cidr
            Value: !Ref PublicSubnet2Cidr
          - Name: PublicSubnet2Id
            Value: !Ref PublicSubnet2Id
          - Name: Saml2BackEndKeyPairSecretArn
            Value: !Ref Saml2BackEndKeyPairSecret
          - Name: Saml2FrontEndKeyPairSecretArn
            Value: !Ref Saml2FrontEndKeyPairSecret
          - Name: SecretsManagerEncryptionKeyArn
            Value: !Ref SecretsManagerEncryptionKeyArn
          - Name: VpcCidr
            Value: !Ref VpcCidr
          - Name: VpcId
            Value: !Ref VpcId
          - Name: VpcType
            Value: !Ref VpcType

  # optionally connect to a third-party Git repo host
  GitRepoConnector:
    Type: AWS::CodeStarConnections::Connection
    Condition: WithCodeStarConnections
    Properties:
      ConnectionName: !Ref AWS::StackName
      ProviderType: !Ref GitServer

  CodePipelineServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub codepipeline.${AWS::URLSuffix}
            Action: sts:AssumeRole
  CloudFormationActionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub cloudformation.${AWS::URLSuffix}
            Action: sts:AssumeRole
      # TODO: restrict this role's access to only what's needed
      ManagedPolicyArns:
        -  arn:aws:iam::aws:policy/AdministratorAccess
  CodePipelineServiceRolePolicy:
    Type: AWS::IAM::Policy
    DependsOn:
      - CodePipelineServiceRole
      - CloudFormationActionRole
    Properties:
      PolicyName: !Sub ${AWS::StackName}-CodePipelineServiceRolePolicy
      Roles:
        - !Ref CodePipelineServiceRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Fn::If:
              - WithCodeCommit
              - Sid: DownloadSourceCodeCommit
                Effect: Allow
                Action:
                  - codecommit:CancelUploadArchive
                  - codecommit:GetBranch
                  - codecommit:GetCommit
                  - codecommit:GetUploadArchiveStatus
                  - codecommit:UploadArchive
                Resource: !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${GitRepoId}
              - Sid: DownloadSourceThirdParty
                Effect: Allow
                Action: codestar-connections:UseConnection
                Resource: !Ref GitRepoConnector
          - Sid: ManageArtifacts
            Effect: Allow
            Action: s3:*
            Resource:
              - !Sub ${ArtifactBucket.Arn}/*
              - !GetAtt ArtifactBucket.Arn
          - Sid: InvokeCodeBuild
            Effect: Allow
            Action:
              - codebuild:StartBuild
              - codebuild:BatchGetBuilds
            Resource: !GetAtt CodeBuildProject.Arn
          - Sid: ManageCfnStacks
            Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
              - cloudformation:UpdateStack
            Resource:
              - !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${StackName}/*
          # cf. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
          - Sid: PassRolesToActions
            Effect: Allow
            Action:
              # - iam:GetRole
              - iam:PassRole
            Resource:
              - !GetAtt CodeBuildServiceRole.Arn
              - !GetAtt CloudFormationActionRole.Arn
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    DependsOn:
      - ArtifactBucket
      - CloudFormationActionRole
      - CodePipelineServiceRole
      - CodePipelineServiceRolePolicy
    Properties:
      RoleArn: !GetAtt CodePipelineServiceRole.Arn
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket
      # cf. https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference.html
      Stages:
        - Name: Source
          Actions:
            - Name: Source
              ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: !If [ WithCodeCommit, CodeCommit, CodeStarSourceConnection ]
                Version: 1
              Configuration:
                Fn::If:
                  - WithCodeCommit
                  - RepositoryName: !Ref GitRepoId
                    BranchName: !Ref GitRepoBranch
                    PollForSourceChanges: false
                  - ConnectionArn: !Ref GitRepoConnector
                    FullRepositoryId: !Ref GitRepoId
                    BranchName: !Ref GitRepoBranch
              RunOrder: 1
              OutputArtifacts:
                - Name: SourceArtifact
        - Name: Build
          Actions:
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: 1
              Configuration:
                ProjectName: !Ref CodeBuildProject
              InputArtifacts:
                - Name: SourceArtifact
              OutputArtifacts:
                - Name: BuildArtifact
              RunOrder: 2
        - Name: Deploy
          Actions:
            - Name: Deploy
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CloudFormation
                Version: 1
              Configuration:
                StackName: !Ref StackName
                # don't delete and replace stacks in a failed state as
                # that would also delete their logs, which must be
                # preserved in regulated environments
                ActionMode: CREATE_UPDATE
                Capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND
                RoleArn: !GetAtt CloudFormationActionRole.Arn
                TemplatePath: BuildArtifact::service.yaml
                TemplateConfiguration: BuildArtifact::config.json
              InputArtifacts:
                - Name: BuildArtifact
              RunOrder: 3

  # keep the service up to date by rebuilding and redeploying it
  # weekly even when the configuration doesn't change
  PipelineWeeklyRefreshRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub events.${AWS::URLSuffix}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: InvokePipeline
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: codepipeline:StartPipelineExecution
                Resource: !Sub arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${Pipeline}
  PipelineWeeklyRefreshRule:
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: cron(0 0 ? * 1 *)
      Targets:
        - Arn: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${Pipeline}
          RoleArn: !GetAtt PipelineWeeklyRefreshRole.Arn
          Id: codepipeline-AppPipeline

  # EventBridge detects changes to the CodeCommit repository and
  # triggers the continuous delivery pipeline, similar to CodeStar
  # Connections and third-party Git repository hosting services;
  # cf. https://aws.amazon.com/blogs/devops/build-serverless-aws-codecommit-workflows-using-amazon-cloudwatch-events-and-jgit,
  # https://github.com/awslabs/serverless-codecommit-examples
  CodeCommitRepoConnectorRole:
    Type: AWS::IAM::Role
    Condition: WithCodeCommit
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub events.${AWS::URLSuffix}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CodeCommitRepoConnector
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: codepipeline:StartPipelineExecution
                Resource: !Sub arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${Pipeline}
  CodeCommitRepoConnectorEventRule:
    Type: AWS::Events::Rule
    Condition: WithCodeCommit
    Properties:
      EventPattern:
        source:
          - aws.codecommit
        detail-type:
          - CodeCommit Repository State Change
        resources:
          - !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${GitRepoId}
        detail:
          event:
            - referenceCreated
            - referenceUpdated
          referenceType:
            - branch
          referenceName:
            - !Ref GitRepoBranch
      Targets:
        - Id: !Ref Pipeline
          Arn: !Sub arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${Pipeline}
          RoleArn: !GetAtt CodeCommitRepoConnectorRole.Arn


Outputs:                        # sorted alphabetically by output key name in the web console
  ArtifactBucket:
    Value: !Ref ArtifactBucket
    Description: >-
      This is the name of the bucket that contains artifacts generated by each pipeline stage.
      Use the bucket's name in an AWS CLI query similar to the following to determine the key of the latest build artifact:
      aws s3api list-objects --bucket $ARTIFACT_BUCKET --query 'Contents[?contains(Key, `BuildArtif`)] | sort_by(@,& LastModified)[-1].Key' --output text

  ArtifactBucketUrl:
    Value: !Sub https://s3.console.aws.amazon.com/s3/buckets/${ArtifactBucket}?region=${AWS::Region}&tab=objects
    Description: >-
      Access the build artifacts here, specifically the service's CloudFormation template and template configuration file.

  CertificateArn:
    Condition: FinishManualDcv
    Value: !Ref ServiceCertificate
    Description: >-
      This stack requested this certificate using manual DCV and will not be able to deploy the service until the certificate is issued.

  CertManagerUrl:
    Condition: FinishManualDcv
    Value: !Sub https://console.aws.amazon.com/acm/home?region=${AWS::Region}#/certificates/list
    Description: >-
      This stack requested the certificate listed above using manual domain control validation (DCV).
      Complete the DCV process by creating the appropriate DNS resource records or by responding to the confirmation email.
      For more information, refer to https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html (DNS) or https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.html (EMAIL).

  CloudFormationActionRoleArn:
    Value: !GetAtt CloudFormationActionRole.Arn
    Description: >-
      The pipeline uses this IAM role to deploy/update the service.

  CodeStarConnectionsUrl:
    Condition: WithCodeStarConnections
    Value: !Sub https://console.aws.amazon.com/codesuite/settings/connections?region=${AWS::Region}
    Description: >-
      This stack was connected to a third-party Git repository hosting service.
      Manually complete the connection setup using the CodeStar Connections console.
      For more information, refer to https://docs.aws.amazon.com/dtconsole/latest/userguide/welcome-connections.html.

  EcrRepo:
    Value: !Ref ECRRepo
    Description: >-
      This is the name of the private container image repository.
      Use the repository's name in an AWS CLI query similar to the following to determine the tag of the most recently built image:
      aws ecr describe-images --repository-name $ECR_REPO_NAME --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' --output text

  EcrRepoUrl:
    Value: !Sub https://console.aws.amazon.com/ecr/repositories/private/${AWS::AccountId}/${ECRRepo}?region=${AWS::Region}
    Description: >-
      Access the private container image repository here.

  PipelineUrl:
    Value: !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline}
    Description: >-
      Access the CI/CD pipline here.

  Saml2BackEndKeyPairSecretArn:
    Value: !Ref Saml2BackEndKeyPairSecret
    Description: >-
      SATOSA's service provier back end will use this X.509 key-pair for SAML 2.0 request signing and response decryption.
      The secret must be a JSON object with two keys, `certificate` and `key`, and their corresponding values in PEM format.

  Saml2FrontEndKeyPairSecretArn:
    Value: !Ref Saml2FrontEndKeyPairSecret
    Description: >-
      SATOSA's identity provider front end will use this X.509 key-pair for SAML 2.0 response signing.
      The secret must be a JSON object with two keys, `certificate` and `key`, and their corresponding values in PEM format.