aws-samples · danluera · Oct 14, 2024 · Oct 14, 2024 · Oct 15, 2024 · Oct 15, 2024
diff --git a/amplify/backend/custom/sns/sns-cloudformation-template.json b/amplify/backend/custom/sns/sns-cloudformation-template.json
@@ -9,6 +9,7 @@
     "snsNotificationTopic": {
       "Type": "AWS::SNS::Topic",
       "Properties": {
+        "KmsMasterKeyId": "alias/aws/sns",
         "TopicName": {
           "Fn::Join": [
             "",

diff --git a/deployment/deploy.sh b/deployment/deploy.sh
@@ -25,61 +25,125 @@ fi
 
 cd ..
 
-aws codecommit create-repository --region $REGION --repository-name team-idc-app --repository-description "Temporary Elevated Access Management (TEAM) Application"
-git remote remove origin
-git remote add origin codecommit::$REGION://team-idc-app
-git push origin main
+if [ -z "$SECRET_NAME" ]; then
+  aws codecommit create-repository --region $REGION --repository-name team-idc-app --repository-description "Temporary Elevated Access Management (TEAM) Application"
+  git remote remove origin
+  git remote add origin codecommit::$REGION://team-idc-app
+  git push origin main
 
-cd ./deployment
-if [[ ! -z "$TAGS" ]]; then
-  if [[ ! -z "$UI_DOMAIN" ]]; then
-    aws cloudformation deploy --region $REGION --template-file template.yml \
-      --stack-name TEAM-IDC-APP \
-      --parameter-overrides \
-        Login=$IDC_LOGIN_URL \
-        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
-        teamAdminGroup="$TEAM_ADMIN_GROUP" \
-        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
-        tags="$TAGS" \
-        teamAccount="$TEAM_ACCOUNT" \
-        customAmplifyDomain="$UI_DOMAIN" \
-      --tags $TAGS \
-      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  cd ./deployment
+  if [[ ! -z "$TAGS" ]]; then
+    if [[ ! -z "$UI_DOMAIN" ]]; then
+      aws cloudformation deploy --region $REGION --template-file template.yml \
+        --stack-name TEAM-IDC-APP \
+        --parameter-overrides \
+          Login=$IDC_LOGIN_URL \
+          CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+          teamAdminGroup="$TEAM_ADMIN_GROUP" \
+          teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+          tags="$TAGS" \
+          teamAccount="$TEAM_ACCOUNT" \
+          customAmplifyDomain="$UI_DOMAIN" \
+        --tags $TAGS \
+        --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+    else
+      aws cloudformation deploy --region $REGION --template-file template.yml \
+        --stack-name TEAM-IDC-APP \
+        --parameter-overrides \
+          Login=$IDC_LOGIN_URL \
+          CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+          teamAdminGroup="$TEAM_ADMIN_GROUP" \
+          teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+          tags="$TAGS" \
+          teamAccount="$TEAM_ACCOUNT" \
+        --tags $TAGS \
+        --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+    fi
   else
-    aws cloudformation deploy --region $REGION --template-file template.yml \
-      --stack-name TEAM-IDC-APP \
-      --parameter-overrides \
-        Login=$IDC_LOGIN_URL \
-        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
-        teamAdminGroup="$TEAM_ADMIN_GROUP" \
-        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
-        tags="$TAGS" \
-        teamAccount="$TEAM_ACCOUNT" \
-      --tags $TAGS \
-      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+    if [[ ! -z "$UI_DOMAIN" ]]; then
+      aws cloudformation deploy --region $REGION --template-file template.yml \
+        --stack-name TEAM-IDC-APP \
+        --parameter-overrides \
+          Login=$IDC_LOGIN_URL \
+          CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+          teamAdminGroup="$TEAM_ADMIN_GROUP" \
+          teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+          teamAccount="$TEAM_ACCOUNT" \
+          tags="$TAGS" \
+          customAmplifyDomain="$UI_DOMAIN" \
+        --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+    else
+      aws cloudformation deploy --region $REGION --template-file template.yml \
+        --stack-name TEAM-IDC-APP \
+        --parameter-overrides \
+          Login=$IDC_LOGIN_URL \
+          CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+          teamAdminGroup="$TEAM_ADMIN_GROUP" \
+          teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+          teamAccount="$TEAM_ACCOUNT" \
+        --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+    fi
   fi
 else
-  if [[ ! -z "$UI_DOMAIN" ]]; then
-    aws cloudformation deploy --region $REGION --template-file template.yml \
-      --stack-name TEAM-IDC-APP \
-      --parameter-overrides \
-        Login=$IDC_LOGIN_URL \
-        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
-        teamAdminGroup="$TEAM_ADMIN_GROUP" \
-        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
-        teamAccount="$TEAM_ACCOUNT" \
-        tags="$TAGS" \
-        customAmplifyDomain="$UI_DOMAIN" \
-      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  cd ./deployment
+  if [[ ! -z "$TAGS" ]]; then
+    if [[ ! -z "$UI_DOMAIN" ]]; then
+      aws cloudformation deploy --region $REGION --template-file template.yml \
+        --stack-name TEAM-IDC-APP \
+        --parameter-overrides \
+          Login=$IDC_LOGIN_URL \
+          CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+          teamAdminGroup="$TEAM_ADMIN_GROUP" \
+          teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+          tags="$TAGS" \
+          teamAccount="$TEAM_ACCOUNT" \
+          customAmplifyDomain="$UI_DOMAIN" \
+          customRepository="Yes" \
+          customRepositorySecretName="$SECRET_NAME" \
+        --tags $TAGS \
+        --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+    else
+      aws cloudformation deploy --region $REGION --template-file template.yml \
+        --stack-name TEAM-IDC-APP \
+        --parameter-overrides \
+          Login=$IDC_LOGIN_URL \
+          CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+          teamAdminGroup="$TEAM_ADMIN_GROUP" \
+          teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+          tags="$TAGS" \
+          teamAccount="$TEAM_ACCOUNT" \
+          customRepository="Yes" \
+          customRepositorySecretName="$SECRET_NAME" \
+        --tags $TAGS \
+        --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+    fi
   else
-    aws cloudformation deploy --region $REGION --template-file template.yml \
-      --stack-name TEAM-IDC-APP \
-      --parameter-overrides \
-        Login=$IDC_LOGIN_URL \
-        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
-        teamAdminGroup="$TEAM_ADMIN_GROUP" \
-        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
-        teamAccount="$TEAM_ACCOUNT" \
-      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+    if [[ ! -z "$UI_DOMAIN" ]]; then
+      aws cloudformation deploy --region $REGION --template-file template.yml \
+        --stack-name TEAM-IDC-APP \
+        --parameter-overrides \
+          Login=$IDC_LOGIN_URL \
+          CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+          teamAdminGroup="$TEAM_ADMIN_GROUP" \
+          teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+          teamAccount="$TEAM_ACCOUNT" \
+          tags="$TAGS" \
+          customAmplifyDomain="$UI_DOMAIN" \
+          customRepository="Yes" \
+          customRepositorySecretName="$SECRET_NAME" \
+        --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+    else
+      aws cloudformation deploy --region $REGION --template-file template.yml \
+        --stack-name TEAM-IDC-APP \
+        --parameter-overrides \
+          Login=$IDC_LOGIN_URL \
+          CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+          teamAdminGroup="$TEAM_ADMIN_GROUP" \
+          teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+          teamAccount="$TEAM_ACCOUNT" \
+          customRepository="Yes" \
+          customRepositorySecretName="$SECRET_NAME" \
+        --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+    fi
   fi
 fi
diff --git a/deployment/destroy.sh b/deployment/destroy.sh
@@ -28,4 +28,6 @@ aws cloudformation delete-stack --region $REGION --stack-name $stackName
 
 aws cloudformation delete-stack --region $REGION --stack-name TEAM-IDC-APP
 
-aws codecommit delete-repository --region $REGION \--repository-name team-idc-app
+if [ -z "$SECRET_NAME" ]; then
+  aws codecommit delete-repository --region $REGION \--repository-name team-idc-app
+fi
diff --git a/deployment/parameters-mgmt-template.sh b/deployment/parameters-mgmt-template.sh
@@ -19,4 +19,9 @@ TEAM_ADMIN_GROUP="team_admin_group_name"
 TEAM_AUDITOR_GROUP="team_auditor_group_name"
 TAGS="project=iam-identity-center-team environment=prod"
 CLOUDTRAIL_AUDIT_LOGS=read_write
-UI_DOMAIN=portal.teamtest.online
+
+# Uncomment the next line only if you have a custom domain
+# UI_DOMAIN=portal.teamtest.online
+
+# Uncomment the next line only if you are using an external repo with an Access Token in lieu of AWS CodeCommit
+# SECRET_NAME=TEAM-IDC-APP
diff --git a/deployment/parameters-template.sh b/deployment/parameters-template.sh
@@ -24,3 +24,6 @@ CLOUDTRAIL_AUDIT_LOGS=arn:aws:cloudtrail:us-east-1:123456789101:eventdatastore/e
 
 # Uncomment the next line only if you have a custom domain
 # UI_DOMAIN=portal.teamtest.online
+
+# Uncomment the next line only if you are using an external repo with an Access Token in lieu of AWS CodeCommit
+# SECRET_NAME=TEAM-IDC-APP
diff --git a/deployment/template.yml b/deployment/template.yml
@@ -25,9 +25,21 @@ Parameters:
     Type: String
     Description: Custom domain for the TEAM application
     Default: ""
+  customRepository:
+    Type: String
+    Description: Use a custom repository for the TEAM application?
+    AllowedValues:
+      - 'Yes'
+      - 'No'
+    Default: 'No'
+  customRepositorySecretName:
+    Type: String
+    Description: Name of the secret in AWS Secrets Manager
+    Default: ''
 
 Conditions:
   IsEmptyCloudTrailAuditLogs: !Equals [!Ref CloudTrailAuditLogs, ""]
+  UseExternalRepo: !Equals [!Ref customRepository. 'Yes']
 
 Resources:
   TriggerAmplifyBuild:
@@ -63,7 +75,16 @@ Resources:
     Type: "AWS::Amplify::App"
     Properties:
       Name: TEAM-IDC-APP
-      Repository: !Sub https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/team-idc-app
+      Repository: !if
+        - UseExternalRepo
+        - !Sub >-
+          {{resolve:secretsmanager:${customRepositorySecretName}:SecretString:url}}
+        - !Sub https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/team-idc-app
+      AccessToken: !if
+        - UseExternalRepo
+        - !Sub >-
+          {{resolve:secretsmanager:${customRepositorySecretName}:SecretString:AccessToken}}
+        - !Ref 'AWS::NoValue'
       Description: Temporary Elevated Access Management Application
       CustomRules:
         - Source: /<*>