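# CloudFormation stack for the asf-stac PostgreSQL database: an RDS instance,
# its subnet group and security groups, a Secrets Manager secret holding the
# credentials, and a CodeBuild project (plus IAM service role and log group)
# that runs apps/database/buildspec.yml from the asf-stac repository against it.
#
# Date-like scalars (template and IAM policy versions) are quoted throughout so
# that YAML parsers with implicit timestamp typing read them as strings; the
# template previously mixed quoted and unquoted forms.
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  # Master password for the RDS instance. Stored in DatabaseSecret and handed
  # to CodeBuild as PGPASSWORD; NoEcho keeps it out of stack/console output.
  DatabaseAdminPassword:
    Type: String
    NoEcho: true
  # Password for the "pgstac_read" database user named in DatabaseSecret
  # (the user itself is presumably created by the buildspec — not visible here).
  DatabaseReadPassword:
    Type: String
    NoEcho: true
  VpcId:
    Type: AWS::EC2::VPC::Id
  # Subnets for the RDS subnet group; the instance is created PubliclyAccessible.
  PublicSubnetIds:
    Type: CommaDelimitedList
  # Subnets CodeBuild runs in; it reaches the database via ClientSecurityGroup.
  PrivateSubnetIds:
    Type: CommaDelimitedList
  # IPv4 CIDR allowed to reach port 5432 from outside ClientSecurityGroup. This
  # is the only network restriction on the public endpoint, so keep it as
  # narrow as the external consumers allow.
  CidrIp:
    Type: String
  # Git ref the CodeBuild project checks out (SourceVersion).
  GithubBranch:
    Type: String

Outputs:
  BuildProject:
    Value: !Ref CodeBuildProject
  # Attach this group to other clients that need database access.
  ClientSecurityGroupId:
    Value: !Ref ClientSecurityGroup
  DatabaseHost:
    Value: !GetAtt DatabaseInstance.Endpoint.Address

Resources:
  DatabaseInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      StorageType: gp3
      AllocatedStorage: '50'
      DBInstanceClass: db.t4g.medium
      DBSubnetGroupName: !Ref DatabaseSubnetGroup
      VPCSecurityGroups:
        - !Ref DatabaseSecurityGroup
      Engine: postgres
      EngineVersion: '14.10'
      MasterUsername: postgres
      MasterUserPassword: !Ref DatabaseAdminPassword
      Port: '5432'
      # The instance gets a public endpoint; reachability is limited only by
      # DatabaseSecurityGroup (CidrIp plus ClientSecurityGroup members).
      # NOTE(review): StorageEncrypted, BackupRetentionPeriod and
      # DeletionProtection are not set here. StorageEncrypted in particular
      # can only be chosen at creation — changing it later replaces the instance.
      PubliclyAccessible: true

  DatabaseSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: !Sub "Subnet Group for ${AWS::StackName} database"
      SubnetIds: !Ref PublicSubnetIds

  # Ingress to 5432 from CidrIp and from anything carrying ClientSecurityGroup.
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "Security group for ${AWS::StackName} database"
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          CidrIp: !Ref CidrIp
          FromPort: 5432
          ToPort: 5432
        - IpProtocol: tcp
          SourceSecurityGroupId: !Ref ClientSecurityGroup
          FromPort: 5432
          ToPort: 5432

  # Marker group for database clients (CodeBuild below, plus whatever uses the
  # ClientSecurityGroupId output). It defines no ingress rules of its own.
  ClientSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "Security group for clients of ${AWS::StackName} database"
      VpcId: !Ref VpcId

  # Endpoint and both passwords as one JSON document; CodeBuild reads single
  # keys out of it through SECRETS_MANAGER environment variables.
  DatabaseSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: !Sub "${AWS::StackName} database credentials"
      SecretString: !Sub '{"database_host": "${DatabaseInstance.Endpoint.Address}", "admin_user": "postgres", "admin_password": "${DatabaseAdminPassword}", "read_user": "pgstac_read", "read_password": "${DatabaseReadPassword}"}'

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Type: LINUX_CONTAINER
        Image: aws/codebuild/standard:5.0
        # SECRETS_MANAGER variables hold a "<secret>:<json-key>" reference that
        # CodeBuild resolves when the build starts; the secret values themselves
        # do not appear in the template.
        EnvironmentVariables:
          - Name: PGHOST
            Type: SECRETS_MANAGER
            Value: !Sub "${DatabaseSecret}:database_host"
          - Name: PGPASSWORD
            Type: SECRETS_MANAGER
            Value: !Sub "${DatabaseSecret}:admin_password"
          - Name: READ_PASSWORD
            Type: SECRETS_MANAGER
            Value: !Sub "${DatabaseSecret}:read_password"
      ServiceRole: !Ref CodeBuildServiceRole
      Source:
        Type: GITHUB
        Location: https://github.com/ASFHyP3/asf-stac.git
        GitCloneDepth: 1
        BuildSpec: apps/database/buildspec.yml
      SourceVersion: !Ref GithubBranch
      Artifacts:
        Type: NO_ARTIFACTS
      # Builds run inside the VPC in the private subnets and carry
      # ClientSecurityGroup, which DatabaseSecurityGroup admits on 5432.
      VpcConfig:
        VpcId: !Ref VpcId
        Subnets: !Ref PrivateSubnetIds
        SecurityGroupIds:
          - !Ref ClientSecurityGroup

  # Pre-created so a retention period applies. The service role below grants
  # CreateLogStream/PutLogEvents but not CreateLogGroup, so this resource must
  # exist before the first build writes logs.
  CodeBuildLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/codebuild/${CodeBuildProject}"
      RetentionInDays: 90

  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      # NOTE(review): the trust policy has no aws:SourceAccount / aws:SourceArn
      # condition, so any CodeBuild project in any account that is permitted to
      # name this role ARN could assume it; a condition is the usual mitigation.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Action: sts:AssumeRole
          Principal:
            Service: codebuild.amazonaws.com
          Effect: Allow
      Policies:
        - PolicyName: policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Covers every /aws/codebuild/* log group in the account. It cannot
              # reference CodeBuildLogGroup directly: the log group name is
              # derived from the project, which references this role (cycle).
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*"
              # ENI management required for VpcConfig; the Describe* actions do
              # not accept resource ARNs, hence the wildcard resource.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeDhcpOptions
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeSubnets
                  - ec2:DescribeSecurityGroups
                  - ec2:DescribeVpcs
                Resource: "*"
              # Read access to this stack's secret only.
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Ref DatabaseSecret
              # ENI permissions may only be granted on behalf of CodeBuild, for
              # network interfaces in any subnet of this account and region.
              - Effect: Allow
                Action: ec2:CreateNetworkInterfacePermission
                Resource: !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*"
                Condition:
                  StringEquals:
                    ec2:AuthorizedService: codebuild.amazonaws.com
                  StringLike:
                    ec2:Subnet: !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*"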