feat(ci/cd): Add artifact bucket and ECS deployment support

- Create S3 artifact bucket with encryption and versioning
- Add ECR lifecycle policy to maintain maximum 5 images
- Add OutputArtifacts to build stage for deployment
- Add Deploy stage with ECS provider
- Update CodePipeline artifact store to use ArtifactBucket
- Replace hardcoded bucket names with parameterized references
- Add IAM permissions for ECS task definition and service management
- Add buildspec commands to generate image definitions file

ci/buildspec.yml

@@ -16,3 +16,6 @@ phases:
       - set -e
       - docker push ${REPOSITORY_URI}:${GIT_TAG}
       - docker push ${REPOSITORY_URI}:latest
+      - printf '[{"name":"forgejo","imageUri":"%s"}]' $REPOSITORY_URI:$GIT_TAG > imagedefinitions.json
+artifacts:
+    files: imagedefinitions.json

infra/cfn/forgejo-cl.yaml

@@ -10,6 +10,10 @@ Parameters:
     Type: String
     Default: forgejo-source.zip
 
+  ArtifactBucketName:
+    Type: String
+    Default: forgejo-artifact-bucket
+
   ForgejoRepositoryName:
     Type: String
     Default: forgejo-repository
@@ -29,12 +33,49 @@ Resources:
         EventBridgeConfiguration:
           EventBridgeEnabled: true
 
+  ArtifactBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub "${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
+      Tags:
+        - Key: Project
+          Value: Git-server
+      VersioningConfiguration:
+        Status: Enabled
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+
   ForgejoRepository:
     Type: AWS::ECR::Repository
     Properties:
       RepositoryName: !Ref ForgejoRepositoryName
       ImageScanningConfiguration:
         ScanOnPush: true
+      LifecyclePolicy:
+        LifecyclePolicyText: |
+          {
+            "rules": [
+              {
+                "rulePriority": 1,
+                "description": "Expire images to keep maximum 5",
+                "selection": {
+                  "tagStatus": "any",
+                  "countType": "imageCountMoreThan",
+                  "countNumber": 5
+                },
+                "action": {
+                  "type": "expire"
+                }
+              }
+            ]
+          }
 
   CodeBuildRole:
     Type: AWS::IAM::Role
@@ -76,8 +117,8 @@ Resources:
                   - s3:PutObject
                   - s3:ListBucket
                 Resource:
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}/*"
                   - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
                   - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
 
@@ -127,8 +168,8 @@ Resources:
                   - s3:GetBucketLocation
                   - s3:GetBucketVersioning
                 Resource:
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}/*"
                   - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
                   - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
               - Effect: Allow
@@ -143,6 +184,41 @@ Resources:
                   - codepipeline:PutApprovalResult
                   - codepipeline:StartPipelineExecution
                 Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
+              - Sid: TaskDefinitionPermissions
+                Effect: Allow
+                Action:
+                  - ecs:DescribeTaskDefinition
+                  - ecs:RegisterTaskDefinition
+                Resource:
+                  - "*"
+              - Sid: ECSServicePermissions
+                Effect: Allow
+                Action:
+                  - ecs:DescribeServices
+                  - ecs:UpdateService
+                Resource:
+                  - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/*/*"
+              - Sid: ECSTagResource
+                Effect: Allow
+                Action:
+                  - ecs:TagResource
+                Resource:
+                  - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*:*"
+                Condition:
+                  StringEquals:
+                    ecs:CreateAction:
+                      - RegisterTaskDefinition
+              - Sid: IamPassRolePermissions
+                Effect: Allow
+                Action:
+                  - iam:PassRole
+                Resource:
+                  - !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
+                Condition:
+                  StringEquals:
+                    iam:PassedToService:
+                      - ecs.amazonaws.com
+                      - ecs-tasks.amazonaws.com
 
   ForgejoPipeline:
     Type: AWS::CodePipeline::Pipeline
@@ -151,7 +227,7 @@ Resources:
       RoleArn: !GetAtt CodePipelineRole.Arn
       ArtifactStore:
         Type: S3
-        Location: !Sub "codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
+        Location: !Ref ArtifactBucket
       Stages:
         - Name: Source
           Actions:
@@ -177,8 +253,23 @@ Resources:
                 Version: "1"
               InputArtifacts:
                 - Name: SourceOutput
+              OutputArtifacts:
+                - Name: BuildOutput
               Configuration:
                 ProjectName: !Ref ForgejoBuildProject
+        - Name: Deploy
+          Actions:
+            - Name: DeployECS
+              ActionTypeId:
+                Category: Deploy
+                Owner: AWS
+                Provider: ECS
+                Version: "1"
+              InputArtifacts:
+                - Name: BuildOutput
+              Configuration:
+                ClusterName: my-forgejo-cluster
+                ServiceName: forgejo-service
 
   S3SourceChangeRule:
     Type: AWS::Events::Rule