feat(infra/cfn): provision Forgejo ECS cluster, service, and task

Define ECS cluster with exports, service wired to ALB target group and deployment circuit
breaker, and task definition with IAM role, ARM64 runtime, EFS volumes, ports 3000/2222,
logging, and MinIO/S3 env config.

infra/cfn/forgejo-ecs-cluster.yaml

@@ -0,0 +1,33 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: ECS Cluster for Forgejo
+
+Parameters:
+
+  ClusterName:
+    Type: String
+    Default: my-forgejo-cluster
+    Description: Name of the ECS Cluster
+
+Resources:
+
+  ECSCluster:
+    Type: AWS::ECS::Cluster
+    Properties:
+      ClusterName: !Ref ClusterName
+      Tags:
+        - Key: Project
+          Value: Git-server
+
+Outputs:
+
+  ClusterArn:
+    Description: ARN of the ECS Cluster
+    Value: !GetAtt ECSCluster.Arn
+    Export:
+      Name: !Sub "${AWS::StackName}-ClusterArn"
+
+  ClusterName:
+    Description: Name of the ECS Cluster
+    Value: !Ref ClusterName
+    Export:
+      Name: !Sub "${AWS::StackName}-ClusterName"

infra/cfn/forgejo-ecs-service.yaml

@@ -0,0 +1,86 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: ECS Service for Forgejo
+
+Parameters:
+
+  ServiceName:
+    Type: String
+    Default: forgejo-service
+    Description: Name of the ECS Service
+
+  TaskDefinitionFamily:
+    Type: String
+    Default: forgejo-task
+    Description: Task definition family name
+
+  DesiredCount:
+    Type: Number
+    Default: 1
+    Description: Number of desired tasks
+
+  SubnetId1:
+    Type: String
+    Default: subnet-064c8fcfd627077ef
+    Description: First subnet ID for the service
+
+  SubnetId2:
+    Type: String
+    Default: subnet-004fa7ef9de2dfb34
+    Description: Second subnet ID for the service
+
+  SecurityGroupId:
+    Type: String
+    Default: sg-022a8622e7387dc70
+    Description: Security group ID for the service
+
+Resources:
+
+  ECSService:
+    Type: AWS::ECS::Service
+    Properties:
+      ServiceName: !Ref ServiceName
+      Cluster: !ImportValue forgejo-ecs-cluster-ClusterName
+      TaskDefinition: !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${TaskDefinitionFamily}"
+      DesiredCount: !Ref DesiredCount
+      LaunchType: FARGATE
+      PlatformVersion: LATEST
+      NetworkConfiguration:
+        AwsvpcConfiguration:
+          Subnets:
+            - !Ref SubnetId1
+            - !Ref SubnetId2
+          SecurityGroups:
+            - !Ref SecurityGroupId
+          AssignPublicIp: ENABLED
+      LoadBalancers:
+        - TargetGroupArn: !ImportValue forgejo-network-TargetGroupArn
+          ContainerName: forgejo
+          ContainerPort: 3000
+      HealthCheckGracePeriodSeconds: 0
+      DeploymentConfiguration:
+        MaximumPercent: 100
+        MinimumHealthyPercent: 0
+        DeploymentCircuitBreaker:
+          Enable: true
+          Rollback: true
+      SchedulingStrategy: REPLICA
+      EnableECSManagedTags: true
+      PropagateTags: TASK_DEFINITION
+      EnableExecuteCommand: true
+      Tags:
+        - Key: Project
+          Value: Git-server
+
+Outputs:
+
+  ServiceArn:
+    Description: ARN of the ECS Service
+    Value: !Ref ECSService
+    Export:
+      Name: !Sub "${AWS::StackName}-ServiceArn"
+
+  ServiceName:
+    Description: Name of the ECS Service
+    Value: !GetAtt ECSService.Name
+    Export:
+      Name: !Sub "${AWS::StackName}-ServiceName"

infra/cfn/forgejo-ecs-task.yaml

@@ -0,0 +1,134 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Parameters:
+
+  ForgejoRepositoryName:
+    Type: String
+    Default: forgejo-repository
+
+Resources:
+
+  IAMRoleECSTaskForgejoRole:
+    UpdateReplacePolicy: "Delete"
+    Type: "AWS::IAM::Role"
+    DeletionPolicy: "Delete"
+    Properties:
+      Path: "/"
+      MaxSessionDuration: 3600
+      RoleName: "ECSTaskForgejoRole"
+      Description: "Allows ECS tasks to call AWS services on your behalf."
+      Policies:
+      - PolicyDocument:
+          Version: "2012-10-17"
+          Statement:
+          - Resource: "*"
+            Action:
+            - "ssmmessages:CreateControlChannel"
+            - "ssmmessages:CreateDataChannel"
+            - "ssmmessages:OpenControlChannel"
+            - "ssmmessages:OpenDataChannel"
+            Effect: "Allow"
+            Sid: "ssmmessages"
+        PolicyName: "ForgejoSSM"
+      ManagedPolicyArns:
+        - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ForgejoS3AccessPolicy"
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+        - Action: "sts:AssumeRole"
+          Effect: "Allow"
+          Principal:
+            Service: "ecs-tasks.amazonaws.com"
+          Sid: ""
+      Tags:
+      - Value: "Git-server"
+        Key: "Project"
+
+  ECSTaskDefinitionForgejo:
+    UpdateReplacePolicy: "Delete"
+    Type: "AWS::ECS::TaskDefinition"
+    DeletionPolicy: "Delete"
+    Properties:
+      TaskRoleArn:
+        Fn::GetAtt:
+        - "IAMRoleECSTaskForgejoRole"
+        - "Arn"
+      Memory: "512"
+      Cpu: "256"
+      RequiresCompatibilities:
+      - "FARGATE"
+      NetworkMode: "awsvpc"
+      ExecutionRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/ecsTaskExecutionRole"
+      RuntimePlatform:
+        OperatingSystemFamily: "LINUX"
+        CpuArchitecture: "ARM64"
+      Volumes:
+      - EFSVolumeConfiguration:
+          FilesystemId:
+            !ImportValue forgejo-efs-EFSFileSystemId
+          TransitEncryption: "ENABLED"
+          RootDirectory: "/"
+          AuthorizationConfig:
+            IAM: "DISABLED"
+            AccessPointId:
+              !ImportValue forgejo-efs-EFSAccessPointConfig
+        Name: "forgejo-config-vol"
+      - EFSVolumeConfiguration:
+          FilesystemId:
+            !ImportValue forgejo-efs-EFSFileSystemId
+          TransitEncryption: "ENABLED"
+          RootDirectory: "/"
+          AuthorizationConfig:
+            IAM: "DISABLED"
+            AccessPointId:
+              !ImportValue forgejo-efs-EFSAccessPointData
+        Name: "forgejo-data-vol"
+      ContainerDefinitions:
+      - Memory: 512
+        Cpu: 0
+        Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ForgejoRepositoryName}@sha256:3d64f3ae3d83dbd2e2ded6bcb6fe214c449ce15be540099621d2f7919232c406"
+        Essential: true
+        LogConfiguration:
+          Options:
+            awslogs-group: "/ecs/forgejo"
+            mode: "non-blocking"
+            max-buffer-size: "25m"
+            awslogs-create-group: "true"
+            awslogs-region: "ap-northeast-1"
+            awslogs-stream-prefix: "ecs"
+          LogDriver: "awslogs"
+        Name: "forgejo"
+        LinuxParameters:
+          InitProcessEnabled: true
+        MountPoints:
+        - ReadOnly: false
+          SourceVolume: "forgejo-data-vol"
+          ContainerPath: "/var/lib/gitea"
+        - ReadOnly: false
+          SourceVolume: "forgejo-config-vol"
+          ContainerPath: "/etc/gitea"
+        PortMappings:
+        - ContainerPort: 3000
+          AppProtocol: "http"
+          Protocol: "tcp"
+          Name: "forgejo-3000-tcp"
+        - ContainerPort: 2222
+          Protocol: "tcp"
+          Name: "forgejo-2222-ssh"
+        Environment:
+        - Value: "s3.amazonaws.com"
+          Name: "FORGEJO__STORAGE__MINIO_ENDPOINT"
+        - Value: "true"
+          Name: "FORGEJO__SERVICE__DISABLE_REGISTRATION"
+        - Value: "ap-northeast-1"
+          Name: "FORGEJO__STORAGE__MINIO_LOCATION"
+        - Value: "minio"
+          Name: "FORGEJO__STORAGE__STORAGE_TYPE"
+        - Value: "true"
+          Name: "FORGEJO__STORAGE__MINIO_USE_SSL"
+        - Value: !ImportValue forgejo-s3-BucketName
+          Name: "FORGEJO__STORAGE__MINIO_BUCKET"
+      Family: "forgejo-task"
+      Tags:
+      - Value: "Git-server"
+        Key: "Project"