diff --git a/ci/buildspec.yml b/ci/buildspec.yml
index 0c1b314..37b41cf 100644
--- a/ci/buildspec.yml
+++ b/ci/buildspec.yml
@@ -16,3 +16,6 @@ phases:
 - set -e
 - docker push ${REPOSITORY_URI}:${GIT_TAG}
 - docker push ${REPOSITORY_URI}:latest
+ - printf '[{"name":"forgejo","imageUri":"%s"}]' $REPOSITORY_URI:$GIT_TAG > imagedefinitions.json
+artifacts:
+ files: imagedefinitions.json
diff --git a/infra/cfn/forgejo-cl.yaml b/infra/cfn/forgejo-cl.yaml
index 0712008..ec1142a 100644
--- a/infra/cfn/forgejo-cl.yaml
+++ b/infra/cfn/forgejo-cl.yaml
@@ -10,6 +10,10 @@ Parameters:
 Type: String
 Default: forgejo-source.zip
 
+ ArtifactBucketName:
+ Type: String
+ Default: forgejo-artifact-bucket
+
 ForgejoRepositoryName:
 Type: String
 Default: forgejo-repository
@@ -29,12 +33,49 @@ Resources:
 EventBridgeConfiguration:
 EventBridgeEnabled: true
 
+ ArtifactBucket:
+ Type: AWS::S3::Bucket
+ Properties:
+ BucketName: !Sub "${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
+ Tags:
+ - Key: Project
+ Value: Git-server
+ VersioningConfiguration:
+ Status: Enabled
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - ServerSideEncryptionByDefault:
+ SSEAlgorithm: AES256
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
+
 ForgejoRepository:
 Type: AWS::ECR::Repository
 Properties:
 RepositoryName: !Ref ForgejoRepositoryName
 ImageScanningConfiguration:
 ScanOnPush: true
+ LifecyclePolicy:
+ LifecyclePolicyText: |
+ {
+ "rules": [
+ {
+ "rulePriority": 1,
+ "description": "Expire images to keep maximum 5",
+ "selection": {
+ "tagStatus": "any",
+ "countType": "imageCountMoreThan",
+ "countNumber": 5
+ },
+ "action": {
+ "type": "expire"
+ }
+ }
+ ]
+ }
 
 CodeBuildRole:
 Type: AWS::IAM::Role
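Review bot: The `$REPOSITORY_URI:$GIT_TAG` argument to printf on the added post_build line is unquoted, so an unset or empty `GIT_TAG` silently yields an `imageUri` ending in `:` (and a value containing whitespace would be word-split), and the ECS deploy action would then roll that broken definition out; quote it as `"${REPOSITORY_URI}:${GIT_TAG}"` and fail early with `: "${GIT_TAG:?GIT_TAG is not set}"` before the pushes. The buildspec reference documents `artifacts.files` as a sequence, so `files:` followed by `- imagedefinitions.json` is the safer spelling even if a bare scalar happens to be accepted. The enclosing phase block (and wherever `GIT_TAG` is derived) starts outside the hunk.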
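Review bot: ArtifactBucket blocks public access and encrypts at rest, but no bucket policy rejects plaintext transport, so the pipeline artifacts (the source zip and imagedefinitions.json) can still be fetched or written over HTTP by any principal the role policies below grant; an `AWS::S3::BucketPolicy` denying `s3:*` when `aws:SecureTransport` is false closes that. Versioning with no lifecycle rule also means every build's artifact versions are kept forever, and deleting the stack will fail on the non-empty versioned bucket unless a `DeletionPolicy` is chosen deliberately. Separately, the ECR lifecycle rule expires by image count regardless of tag, so after five further builds the `GIT_TAG` image a still-running task definition points at can be removed and a task restart will fail to pull; a larger `countNumber` or a tagged-only selection is worth considering.
```yaml
  # … unchanged: ArtifactBucket resource above …
  ArtifactBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ArtifactBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt ArtifactBucket.Arn
              - !Sub "${ArtifactBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```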
@@ -76,8 +117,8 @@ Resources:
 - s3:PutObject
 - s3:ListBucket
 Resource:
- - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
- - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
+ - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
+ - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}/*"
 - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
 - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
@@ -127,8 +168,8 @@ Resources:
 - s3:GetBucketLocation
 - s3:GetBucketVersioning
 Resource:
- - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
- - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
+ - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
+ - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}/*"
 - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
 - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
 - Effect: Allow
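Review bot: The CodeBuildRole statement that owns this `Resource` list (its `Effect` and the start of its `Action` list are above the hunk) grants `s3:PutObject` on the source bucket as well as on the new artifact bucket. The build receives `SourceOutput` from the pipeline's artifact store, so write access to `${SourceBucketName}` does not appear to be needed by this role; unless something in the buildspec writes there, drop the two source-bucket ARNs from this statement, or split reads and writes into separate statements, so the build role cannot modify the object that triggers the pipeline. The CodePipelineRole hunk below does need to read the source bucket, so its list is fine as written.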
@@ -143,6 +184,41 @@ Resources:
 - codepipeline:PutApprovalResult
 - codepipeline:StartPipelineExecution
 Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
+ - Sid: TaskDefinitionPermissions
+ Effect: Allow
+ Action:
+ - ecs:DescribeTaskDefinition
+ - ecs:RegisterTaskDefinition
+ Resource:
+ - "*"
+ - Sid: ECSServicePermissions
+ Effect: Allow
+ Action:
+ - ecs:DescribeServices
+ - ecs:UpdateService
+ Resource:
+ - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/*/*"
+ - Sid: ECSTagResource
+ Effect: Allow
+ Action:
+ - ecs:TagResource
+ Resource:
+ - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*:*"
+ Condition:
+ StringEquals:
+ ecs:CreateAction:
+ - RegisterTaskDefinition
+ - Sid: IamPassRolePermissions
+ Effect: Allow
+ Action:
+ - iam:PassRole
+ Resource:
+ - !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
+ Condition:
+ StringEquals:
+ iam:PassedToService:
+ - ecs.amazonaws.com
+ - ecs-tasks.amazonaws.com
 
 ForgejoPipeline:
 Type: AWS::CodePipeline::Pipeline
@@ -151,7 +227,7 @@ Resources:
 RoleArn: !GetAtt CodePipelineRole.Arn
 ArtifactStore:
 Type: S3
- Location: !Sub "codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
+ Location: !Ref ArtifactBucket
 Stages:
 - Name: Source
 Actions:
@@ -177,8 +253,23 @@ Resources:
 Version: "1"
 InputArtifacts:
 - Name: SourceOutput
+ OutputArtifacts:
+ - Name: BuildOutput
 Configuration:
 ProjectName: !Ref ForgejoBuildProject
+ - Name: Deploy
+ Actions:
+ - Name: DeployECS
+ ActionTypeId:
+ Category: Deploy
+ Owner: AWS
+ Provider: ECS
+ Version: "1"
+ InputArtifacts:
+ - Name: BuildOutput
+ Configuration:
+ ClusterName: my-forgejo-cluster
+ ServiceName: forgejo-service
 
 S3SourceChangeRule:
 Type: AWS::Events::Rule
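Review bot: `IamPassRolePermissions` lets the pipeline role pass any role in the account (`role/*`) to ECS; the `iam:PassedToService` condition narrows the service but not the role, so any role that trusts ecs-tasks.amazonaws.com could be attached to a task definition the pipeline re-registers. Scope the resource to the task and execution roles the Forgejo service actually uses, e.g. `- !Sub "arn:aws:iam::${AWS::AccountId}:role/<forgejo-task-execution-role>"` (placeholder name) and the task role alongside it. `ECSServicePermissions` is likewise broader than needed: the Deploy stage below names the cluster and service, so `!Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/my-forgejo-cluster/forgejo-service"` pins `ecs:UpdateService` to that one target. The `"*"` resource on the task-definition actions is expected, since those calls are not resource-scoped in ECS.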
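Review bot: `ClusterName: my-forgejo-cluster` and `ServiceName: forgejo-service` in the DeployECS action are hard-coded literals while the rest of this template takes such names from `Parameters`; if the cluster and service are defined in this template use `!Ref` on them, otherwise add `ClusterName`/`ServiceName` parameters and reuse them in the CodePipelineRole resource ARNs so the IAM scope and the deploy target cannot drift apart. The Deploy stage runs straight after Build with no approval action even though the role already holds `codepipeline:PutApprovalResult`; if this pipeline targets the live server, a Manual approval stage ahead of DeployECS is the usual gate. The ECS action reads `imagedefinitions.json` by default, which matches the buildspec, but stating `FileName: imagedefinitions.json` makes that coupling explicit.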