Update cloudformation

README.md

@@ -1,12 +1,8 @@
 [![Build Status](https://samhstn.com/badge)](https://console.aws.amazon.com/codesuite/codebuild/projects/Push)
 
-# samhstn.com
+# [samhstn.com](https://samhstn.com)
 
-[samhstn.com](http://samhstn.com)
-
-### What
-
-My personal website
+### My personal website
 
 ### Quick start
 

infra/README.md

@@ -9,15 +9,13 @@ IAM user name: admin
 
 The password will be given to you by whoever ran the steps described in [AWS base setup](./base/README.md).
 
-This must be updated after the first login.
-
-To access our Route53 domain configuraion, we will need to switch roles. This can be done in the top right dropdown.
+For our Route53 configuration, we use this role:
 
 Account: samhstn-base
 Role: SamhstnBase
 Display Name: base
 
-For admin access to the `[email protected]` account, we need to switch roles to:
+For everything else we use this role:
 
 Account: samhstn
 Role: Admin
@@ -61,9 +59,9 @@ For the next steps we will assume that this environment variable will have been
 
 ### Domain
 
-Ensure we have purchased your domain from [`Route53`](https://console.aws.amazon.com/route53) with the route account.
+Ensure we have purchased our domain from [`Route53`](https://console.aws.amazon.com/route53) with the route account.
 
-To see your purchased domains, with the `samhstn-base` profile, run:
+To see our purchased domains, run:
 
 ```bash
 aws route53 list-hosted-zones --query 'HostedZones[*].Name' --output text
@@ -77,7 +75,7 @@ We will need to create a Github personal access token for `aws` to use.
 
 + Go to your [Github personal access tokens](https://github.com/settings/tokens).
 + Click `Generate new token`.
-+ Give the `token` a description of `Full repo access`.
++ Give the `token` a description of `samhstn`.
 + Tick the `repo` scope.
 + Tick the `admin:repo_hook` scope.
 + Click Generate token.
@@ -86,7 +84,7 @@ Now set this token as an environment variable called `SAMHSTN_PA_TOKEN`.
 
 ### Configure our Ssl certificate
 
-Assuming the `samhstn-admin` role, run the following commands:
+Run the following commands:
 
 ```bash
 aws cloudformation create-stack \
@@ -97,37 +95,7 @@ aws cloudformation wait stack-create-complete --stack-name acm
 
 We will now need to add a `CNAME` record set as described in the acm console.
 
-This can be done with the commands:
-
-```bash
-CERTIFICATE_ARN=$(\
-  aws acm list-certificates \
-    --query 'CertificateSummaryList[?DomainName == `samhstn.com`].CertificateArn | [0]' \
-    --output text\
-)
-HOSTED_ZONE_ID=$(\
-  AWS_DEFAULT_PROFILE=samhstn-base aws route53 list-hosted-zones \
-    --query 'HostedZones[?Name == `samhstn.com.`].Id | [0]' \
-    --output text\
-)
-RECORD_SET_NAME=$(\
-  aws acm describe-certificate \
-    --certificate-arn $CERTIFICATE_ARN \
-    --query 'Certificate.DomainValidationOptions[0].ResourceRecord.Name' \
-    --output text\
-)
-RECORD_SET_VALUE=$(\
-  aws acm describe-certificate \
-    --certificate-arn $CERTIFICATE_ARN \
-    --query 'Certificate.DomainValidationOptions[0].ResourceRecord.Value' \
-    --output text\
-)
-AWS_DEFAULT_PROFILE=samhstn-base aws route53 change-resource-record-sets \
-  --hosted-zone-id $HOSTED_ZONE_ID \
-  --change-batch "{\"Changes\": [{\"Action\": \"CREATE\", \"ResourceRecordSet\": {\"Name\": \"$RECORD_SET_NAME\", \"Type\": \"CNAME\", \"TTL\": 300, \"ResourceRecords\": [{\"Value\": \"$RECORD_SET_VALUE\"}]}}]}"
-```
-
-Or we can visit the `Route53` console as the samhstn-base `base` role and add a `CNAME` record set as described in the acm console for the samhstn `admin` role.
+This can be done by visiting the `Route53` console as the `samhstn-base` role and add a `CNAME` record set as described in the acm console for the samhstn `admin` role.
 
 This takes around 30 minutes to complete.
 
@@ -213,7 +181,7 @@ Run the following command to build our pipeline stack:
 ```bash
 aws cloudformation create-stack \
  --stack-name master-pipeline \
- --template-body file://infra/master_pipeline.yaml \
+ --template-body file://infra/master-pipeline.yaml \
  --parameters ParameterKey=GithubPAToken,ParameterValue=$SAMHSTN_PA_TOKEN \
  --capabilities CAPABILITY_NAMED_IAM
 aws cloudformation wait stack-create-complete --stack-name master-pipeline

infra/buildspecs/build.yaml

@@ -3,6 +3,22 @@ version: 0.2
 phases:
   build:
     commands:
+      - |
+      STACKS=(acm s3 cloudfront codebuild master-pipeline)
+      for stack in $STACKS;do
+        if diff --ignore-blank-lines $FILE <(
+          aws cloudformation get-template --stack-name $stack --query TemplateBody --output text
+        );then
+          aws cloudformation update-stack \
+            --stack-name $stack \
+            --template-body file://infra/$stack.yaml \
+            --capabilities CAPABILITY_NAMED_IAM \
+            --parameters ParameterKey=GithubPAToken,UsePreviousValue=true
+          aws cloudformation wait stack-update-complete --stack-name $stack
+        else
+          echo "Template $stack is up to date!"
+        fi
+      done
       - aws s3 sync static s3://samhstn.com --delete --exclude badge
       - |
         CODEBUILD_BADGE_URL=$(\

infra/codebuild.yaml

@@ -41,6 +41,7 @@ Resources:
           PolicyDocument:
             Version: 2012-10-17
             Statement:
+              # todo: add separate test and build roles
               - Effect: Allow
                 Action:
                   - logs:CreateLogGroup
@@ -91,6 +92,13 @@ Resources:
                   - s3:PutObject
                   - s3:DeleteObject
                 Resource: arn:aws:s3:::samhstn.com/*
+              - Effect: Allow
+                Action:
+                  - cloudformation:ValidateTemplate
+                  - cloudformation:GetTemplate
+                  - cloudformation:CreateStack
+                  - cloudformation:UpdateStack
+                Resource: "*"
 
   Push:
     Type: AWS::CodeBuild::Project