fixes #78 - adds LogGroup to CodeBuild projects

techthoughts2 · May 5, 2024 · 274757d · 274757d
1 parent 26c67c6
commit 274757d
Show file tree

Hide file tree

Showing 8 changed files with 361 additions and 63 deletions.
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.5.0]
+
+- Catesta template module changes
+    - CI/CD Changes:
+        - AWS:
+            - Each CodeBuild project now has its own `AWS::Logs::LogGroup` created with a configurable retention policy.
+            - Minor changes to formatting in CFNs to satisfy new `cfn-lint` requirements.
+
 ## [2.4.0]
 
 - Catesta template module changes

diff --git a/docs/Catesta.md b/docs/Catesta.md
@@ -2,7 +2,7 @@
 Module Name: Catesta
 Module Guid: 6796b193-9013-468a-b022-837749af2d06
 Download Help Link: NA
-Help Version: 2.4.0
+Help Version: 2.5.0
 Locale: en-US
 ---
 

diff --git a/src/Catesta/Catesta.psd1 b/src/Catesta/Catesta.psd1
@@ -12,7 +12,7 @@
     RootModule        = 'Catesta.psm1'
 
     # Version number of this module.
-    ModuleVersion     = '2.4.0'
+    ModuleVersion     = '2.5.0'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()

diff --git a/src/Catesta/Resources/AWS/CloudFormation/PowerShellCodeBuildCC.yml b/src/Catesta/Resources/AWS/CloudFormation/PowerShellCodeBuildCC.yml
@@ -31,6 +31,11 @@ Parameters:
     Default: 30
     Description: The number of minutes before a CodeBuild build will timeout.
 
+  LogRetentionInDays:
+    Type: Number
+    Default: 30
+    Description: The number of days to retain the CodeBuild logs.
+
   PrimaryBranchName:
     Type: String
     Default: main
@@ -102,6 +107,7 @@ Metadata:
         Parameters:
           - CodeBuildBadgeEnabled
           - CodeBuildTimeoutInMinutes
+          - LogRetentionInDays
           # - CodeBuildEnvironment
           # - CodeBuildComputeType
           # - BuildSpecFile
@@ -119,6 +125,8 @@ Metadata:
         default: Badge Enabled
       CodeBuildTimeoutInMinutes:
         default: Timeout in Minutes
+      LogRetentionInDays:
+        default: Log Retention in Days
       PrimaryBranchName:
         default: Primary Branch Name
       # CodeBuildEnvironment:
@@ -165,7 +173,7 @@ Resources:
         IgnorePublicAcls: true
         RestrictPublicBuckets: true
       Tags:
-        - Key: Purpose
+        - Key: Service
           Value: CodeCommitRepositoryName
 
   S3BucketDevelopmentBuilds:
@@ -194,7 +202,7 @@ Resources:
         IgnorePublicAcls: true
         RestrictPublicBuckets: true
       Tags:
-        - Key: Purpose
+        - Key: Service
           Value: CodeCommitRepositoryName
 
   # The IAM Role CodeBuild will run the container as
@@ -222,7 +230,35 @@ Resources:
                   - logs:CreateLogStream
                   - logs:PutLogEvents
                 Resource:
-                  - '*'
+<%
+    if ($PLASTER_PARAM_AWSOptions -eq 'ps') {
+@'
+                  - Fn::GetAtt:
+                    - CodeBuildpsProjectLogGroup
+                    - Arn
+'@
+    }
+%>
+
+<%
+    if ($PLASTER_PARAM_AWSOptions -eq 'pwshcore') {
+@'
+                  - Fn::GetAtt:
+                    - CodeBuildpwshcoreProjectLogGroup
+                    - Arn
+'@
+    }
+%>
+
+<%
+    if ($PLASTER_PARAM_AWSOptions -eq 'pwsh') {
+@'
+                  - Fn::GetAtt:
+                    - CodeBuildpwshProjectLogGroup
+                    - Arn
+'@
+    }
+%>
         - PolicyName: CodePipelineS3
           PolicyDocument:
             Version: '2012-10-17'
@@ -292,16 +328,16 @@ Resources:
               - sts:AssumeRole
       Path: /
       ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-        - arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSCodeBuildDeveloperAccess
 
   # An SNS Topic used for CodeBuild status updates
   # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html
   SNSTopicForCodeBuildUpdates:
     Type: AWS::SNS::Topic
     Properties:
       Tags:
-        - Key: Purpose
+        - Key: Service
           Value: CodeCommitRepositoryName
 
   # The SNS Topic Policy
@@ -354,7 +390,7 @@ Resources:
       RepositoryDescription: !Ref CodeCommitRepositoryDescription
       RepositoryName: !Ref CodeCommitRepositoryName
       Tags:
-        - Key: Purpose
+        - Key: Service
           Value: CodeCommitRepositoryName
       Triggers:
 <%
@@ -398,8 +434,25 @@ Resources:
 <%
     if ($PLASTER_PARAM_AWSOptions -eq 'ps') {
 @'
+
+  CodeBuildpsProjectLogGroup:
+    Type: AWS::Logs::LogGroup
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Retain
+    Properties:
+      LogGroupName:
+        Fn::Sub: ${CodeCommitRepositoryName}-windows-powershell
+      RetentionInDays: !Ref LogRetentionInDays
+      Tags:
+      - Key: Service
+        Value: !Ref CodeCommitRepositoryName
+
   # Windows PowerShell CodeBuild
   # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-webhookfilter.html
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-environment.html
+  # https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html
   CodeBuildProjectWPS:
     Type: AWS::CodeBuild::Project
     Properties:
@@ -418,6 +471,11 @@ Resources:
           - Name: s3_prefix
             Value: placeholder
             Type: PLAINTEXT
+      LogsConfig:
+        CloudWatchLogs:
+          GroupName:
+            Ref: CodeBuildpsProjectLogGroup
+          Status: ENABLED
       Name:
         !Join
         - '-'
@@ -429,10 +487,8 @@ Resources:
         Location: !Sub 'https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${CodeCommitRepositoryName}'
         BuildSpec: buildspec_powershell_windows.yml
       Tags:
-        - Key: Purpose
-          Value: CodeCommitRepositoryName
         - Key: Service
-          Value: PowerShellBuildPipeline
+          Value: CodeCommitRepositoryName
       TimeoutInMinutes: !Ref CodeBuildTimeoutInMinutes
 '@
     }
@@ -441,8 +497,25 @@ Resources:
 <%
     if ($PLASTER_PARAM_AWSOptions -eq 'pwshcore') {
 @'
+
+  CodeBuildpwshcoreProjectLogGroup:
+    Type: AWS::Logs::LogGroup
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Retain
+    Properties:
+      LogGroupName:
+        Fn::Sub: ${CodeCommitRepositoryName}-windows-pwsh
+      RetentionInDays: !Ref LogRetentionInDays
+      Tags:
+      - Key: Service
+        Value: !Ref CodeCommitRepositoryName
+
   # Windows Pwsh CodeBuild
   # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-webhookfilter.html
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-environment.html
+  # https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html
   CodeBuildProjectWPwsh:
     Type: AWS::CodeBuild::Project
     Properties:
@@ -461,6 +534,11 @@ Resources:
           - Name: s3_prefix
             Value: placeholder
             Type: PLAINTEXT
+      LogsConfig:
+        CloudWatchLogs:
+          GroupName:
+            Ref: CodeBuildpwshcoreProjectLogGroup
+          Status: ENABLED
       Name:
         !Join
         - '-'
@@ -472,10 +550,8 @@ Resources:
         Location: !Sub 'https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${CodeCommitRepositoryName}'
         BuildSpec: buildspec_pwsh_windows.yml
       Tags:
-        - Key: Purpose
-          Value: CodeCommitRepositoryName
         - Key: Service
-          Value: PowerShellBuildPipeline
+          Value: CodeCommitRepositoryName
       TimeoutInMinutes: !Ref CodeBuildTimeoutInMinutes
 '@
     }
@@ -484,9 +560,25 @@ Resources:
 <%
     if ($PLASTER_PARAM_AWSOptions -eq 'pwsh') {
 @'
+
+  CodeBuildpwshProjectLogGroup:
+    Type: AWS::Logs::LogGroup
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Retain
+    Properties:
+      LogGroupName:
+        Fn::Sub: ${CodeCommitRepositoryName}-linux-pwsh
+      RetentionInDays: !Ref LogRetentionInDays
+      Tags:
+      - Key: Service
+        Value: !Ref CodeCommitRepositoryName
+
   # Linux Pwsh CodeBuild
   # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-webhookfilter.html
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-environment.html
   # https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html
   CodeBuildProjectLPwsh:
     Type: AWS::CodeBuild::Project
     Properties:
@@ -505,6 +597,11 @@ Resources:
           - Name: s3_prefix
             Value: placeholder
             Type: PLAINTEXT
+      LogsConfig:
+        CloudWatchLogs:
+          GroupName:
+            Ref: CodeBuildpwshProjectLogGroup
+          Status: ENABLED
       Name:
         !Join
         - '-'
@@ -516,10 +613,8 @@ Resources:
         Location: !Sub 'https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${CodeCommitRepositoryName}'
         BuildSpec: buildspec_pwsh_linux.yml
       Tags:
-        - Key: Purpose
-          Value: CodeCommitRepositoryName
         - Key: Service
-          Value: PowerShellBuildPipeline
+          Value: CodeCommitRepositoryName
       TimeoutInMinutes: !Ref CodeBuildTimeoutInMinutes
 '@
     }
@@ -599,7 +694,7 @@ Resources:
           PrimaryBranchName: !Ref PrimaryBranchName
       Role: !GetAtt CodeCommitTriggeredLambdaFunctionIAMRole.Arn
       Tags:
-        - Key: Purpose
+        - Key: Service
           Value: CodeCommitRepositoryName
       Code:
         ZipFile: |
@@ -676,7 +771,7 @@ Resources:
       LogGroupName: !Sub '/aws/lambda/${CodeCommitTriggeredLambdaWPS}'
       RetentionInDays: 60
       Tags:
-        - Key: Purpose
+        - Key: Service
           Value: CodeCommitRepositoryName
 '@
     }
@@ -704,7 +799,7 @@ Resources:
           PrimaryBranchName: !Ref PrimaryBranchName
       Role: !GetAtt CodeCommitTriggeredLambdaFunctionIAMRole.Arn
       Tags:
-        - Key: Purpose
+        - Key: Service
           Value: CodeCommitRepositoryName
       Code:
         ZipFile: |
@@ -781,7 +876,7 @@ Resources:
       LogGroupName: !Sub '/aws/lambda/${CodeCommitTriggeredLambdaWPwsh}'
       RetentionInDays: 60
       Tags:
-        - Key: Purpose
+        - Key: Service
           Value: CodeCommitRepositoryName
 '@
     }
@@ -809,7 +904,7 @@ Resources:
           PrimaryBranchName: !Ref PrimaryBranchName
       Role: !GetAtt CodeCommitTriggeredLambdaFunctionIAMRole.Arn
       Tags:
-        - Key: Purpose
+        - Key: Service
           Value: CodeCommitRepositoryName
       Code:
         ZipFile: |
@@ -886,7 +981,7 @@ Resources:
       LogGroupName: !Sub '/aws/lambda/${CodeCommitTriggeredLambdaL}'
       RetentionInDays: 60
       Tags:
-        - Key: Purpose
+        - Key: Service
           Value: CodeCommitRepositoryName
 '@
     }
@@ -962,6 +1057,10 @@ Outputs:
   CodeBuildProjectWPS:
     Description: The name of the PS Windows CodeBuild Project.
     Value: !Ref CodeBuildProjectWPS
+
+  CodeBuildProjectWPSURL:
+    Description: PS Windows CodeBuild URL
+    Value: !Sub "https://console.aws.amazon.com/codebuild/home?region=${AWS::Region}#/projects/${CodeBuildProjectWPS}/view"
 '@
     }
 %>
@@ -971,6 +1070,10 @@ Outputs:
   CodeBuildProjectWPwsh:
     Description: The name of the pwsh Windows CodeBuild Project.
     Value: !Ref CodeBuildProjectWPwsh
+
+  CodeBuildProjectWPwshURL:
+    Description: pwsh Windows CodeBuild URL
+    Value: !Sub "https://console.aws.amazon.com/codebuild/home?region=${AWS::Region}#/projects/${CodeBuildProjectWPwsh}/view"
 '@
     }
 %>
@@ -980,6 +1083,10 @@ Outputs:
   CodeBuildProjectLPwsh:
     Description: The name of the PS Linux CodeBuild Project.
     Value: !Ref CodeBuildProjectLPwsh
+
+  CodeBuildProjectLPwshURL:
+    Description: PS Linux CodeBuild URL
+    Value: !Sub "https://console.aws.amazon.com/codebuild/home?region=${AWS::Region}#/projects/${CodeBuildProjectLPwsh}/view"
 '@
     }
 %>