deploy.yml

Resources:
  ProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/AdministratorAccess
  ProjectRoleDefaultPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":logs:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :log-group:/aws/codebuild/
                    - Ref: Project
                    - :*
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":logs:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :log-group:/aws/codebuild/
                    - Ref: Project
          - Action:
              - codebuild:BatchPutCodeCoverages
              - codebuild:BatchPutTestCases
              - codebuild:CreateReport
              - codebuild:CreateReportGroup
              - codebuild:UpdateReport
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - ":codebuild:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :report-group/
                  - Ref: Project
                  - -*
        Version: "2012-10-17"
      PolicyName: ProjectRoleDefaultPolicy
      Roles:
        - Ref: ProjectRole
  Project:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Cache:
        Type: NO_CACHE
      EncryptionKey: alias/aws/s3
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:7.0
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: true
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - ProjectRole
          - Arn
      Source:
        BuildSpec: |-
          {
            "version": "0.2",
            "phases": {
              "install": {
                "runtime-versions": {
                  "nodejs": "18"
                },
                "commands": [
                  "npm i -g aws-cdk"
                ],
                "on-failure": "ABORT"
              },
              "build": {
                "commands": [
                  "git clone https://github.com/aws-samples/bedrock-claude-chat.git",
                  "cd bedrock-claude-chat/cdk",
                  "npm ci",
                  "cdk bootstrap",
                  "cdk deploy --require-approval never --all"
                ]
              }
            }
          }
        Type: NO_SOURCE
Outputs:
  ProjectName:
    Value:
      Ref: Project