import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as fs from "fs";
import * as common from "./common";
import * as backend from "./backend";
import * as frontend from "./frontend";
// Tag set shared by every taggable resource in this stack.
const { tags } = common;
// Logical-name prefix for all deployment-pipeline resources below.
const prefix = `${common.prefix}-deployment`;

// ---- role ----
// Service role assumed by the CodeBuild project defined further down. The trust policy
// admits only the CodeBuild service principal; the inline policies attached to this role
// spell out exactly which buckets, function and log group a build may touch.
const role = new aws.iam.Role(`${prefix}-role`, {
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
    Service: "codebuild.amazonaws.com",
  }),
  tags,
});

// AWS-managed CodeBuild access for the build's own service role.
// NOTE(review): AWSCodeBuildDeveloperAccess is the developer/console-facing managed policy and
// is broader than a build service role usually needs (it is not limited to this project);
// confirm which of its permissions the buildspec actually relies on before keeping it.
new aws.iam.RolePolicyAttachment(`${prefix}-policy-codebuild`, {
  policyArn: aws.iam.ManagedPolicies.AWSCodeBuildDeveloperAccess,
  role: role.name,
});

// S3 access for deployments: read/write/delete objects in the backend and frontend buckets,
// plus listing of the two buckets. Object-level actions are evaluated against
// `<bucket-arn>/*`, while ListBucket is evaluated against the bucket ARN itself, hence the
// two statements with different Resource shapes.
new aws.iam.RolePolicy(`${prefix}-role-policy-bucket`, {
  role: role.name,
  policy: pulumi
    .all([backend.bucket.arn, frontend.bucket.arn])
    .apply(([backendBucketArn, frontendBucketArn]) => {
      const objectActions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"];
      return JSON.stringify({
        Version: "2012-10-17",
        Statement: [
          {
            Effect: "Allow",
            Action: objectActions,
            Resource: [`${backendBucketArn}/*`, `${frontendBucketArn}/*`],
          },
          {
            Effect: "Allow",
            Action: ["s3:ListBucket"],
            Resource: [backendBucketArn, frontendBucketArn],
          },
        ],
      });
    }),
});

// Lambda access for deployments: a build may only replace the code of the one existing
// backend function. No configuration changes, no function creation, no other functions.
new aws.iam.RolePolicy(`${prefix}-role-policy-lambda`, {
  role: role.name,
  policy: pulumi.output(backend.lambda.arn).apply((functionArn) =>
    JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        {
          Effect: "Allow",
          Action: ["lambda:UpdateFunctionCode"],
          Resource: functionArn,
        },
      ],
    }),
  ),
});

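// CloudWatch Logs access for the build's own log output.
// With no logsConfig on the project below, CodeBuild writes to the default log group
// `/aws/codebuild/<project-name>`, so the grant is limited to that group in this account,
// region and partition rather than `Resource: "*"` (which would allow writing into, and
// creating, any log group in the account). Pulumi auto-names the project by appending a
// random suffix to `${prefix}-codebuild`, hence the trailing wildcard; the same `*` also
// matches the `:log-stream:<name>` suffix that CreateLogStream/PutLogEvents are checked
// against.
new aws.iam.RolePolicy(`${prefix}-role-policy-logs`, {
  role: role.name,
  policy: pulumi
    .all([aws.getCallerIdentity(), aws.getPartition(), aws.getRegion()])
    .apply(([identity, partition, region]) => {
      const logGroupArn =
        `arn:${partition.partition}:logs:${region.name}:${identity.accountId}` +
        `:log-group:/aws/codebuild/${prefix}-codebuild*`;
      return JSON.stringify({
        Version: "2012-10-17",
        Statement: [
          {
            Effect: "Allow",
            Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            Resource: logGroupArn,
          },
        ],
      });
    }),
});
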
// ---- codebuild ----
// Deployment build: runs the repository's buildspec in a standard Linux container under the
// service role above. The buildspec is inlined, so the project has no source provider and
// produces no artifacts.
const codebuild = new aws.codebuild.Project(`${prefix}-codebuild`, {
  tags,
  serviceRole: role.arn,
  source: {
    type: "NO_SOURCE",
    // Node resolves this relative to the process working directory, not to this file.
    buildspec: fs.readFileSync("../buildspec.yml", "utf-8"),
  },
  artifacts: {
    type: "NO_ARTIFACTS",
  },
  environment: {
    type: "LINUX_CONTAINER",
    computeType: "BUILD_GENERAL1_SMALL",
    image: "aws/codebuild/standard:7.0",
    // Values handed to the buildspec. These are resource ids and names, not credentials,
    // so plain-text variables are used; insertion order of the keys is preserved.
    environmentVariables: Object.entries({
      // `!` asserts a region is configured; if it is not, the value would be undefined —
      // TODO(review): confirm every stack sets aws:region.
      IMBUSY_REGION: aws.config.region!,
      IMBUSY_BE_USERPOOL: backend.userPool.id,
      IMBUSY_BE_USERPOOL_CLI: backend.userPoolClient.id,
      IMBUSY_BE_LAMBDA: backend.lambda.name,
      IMBUSY_BE_BUCKET: backend.bucket.bucket,
      IMBUSY_FE_BUCKET: frontend.bucket.bucket,
    }).map(([name, value]) => ({ name, value })),
  },
});