Add explicit Forgejo deployment structure with artifact build pipeline
- Introduce clear directory separation for docker, infra, ci, and config - Add CloudFormation pipeline for S3 → CodeBuild → ECR - Implement explicit artifact build script for flat deployment zip - Provide example runtime configuration and ignore secrets
46ec47aa2d
8 changed files with 323 additions and 0 deletions
181
infra/cfn/forgejo.yaml
Normal file
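--- a/infra/cfn/forgejo.yaml
+++ b/infra/cfn/forgejo.yaml
@@ -0,0 +1,181 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: S3 -> CodePipeline -> CodeBuild(ARM) -> ECR pipeline for Forgejo
+
+Parameters:
+  SourceBucketName:
+    Type: String
+    Default: forgejo-source-bucket
+
+  SourceObjectKey:
+    Type: String
+    Default: forgejo-source.zip
+
+  ForgejoRepositoryName:
+    Type: String
+    Default: forgejo-repository
+
+Resources:
+
+  # S3 Bucket (Source)
+  SourceBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub "ap-northeast-1-${AWS::AccountId}-${SourceBucketName}"
+      Tags:
+        - Key: Project
+          Value: Git-server
+      VersioningConfiguration:
+        Status: Enabled
+
+  # ECR Repository
+  ForgejoRepository:
+    Type: AWS::ECR::Repository
+    Properties:
+      RepositoryName: !Ref ForgejoRepositoryName
+      ImageScanningConfiguration:
+        ScanOnPush: true
+
+  # IAM Role for CodeBuild
+  CodeBuildRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: codebuild.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: CodeBuildPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogGroup
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                Resource: "*"
+              - Effect: Allow
+                Action:
+                  - ecr:GetAuthorizationToken
+                Resource: "*"
+              - Effect: Allow
+                Action:
+                  - ecr:BatchCheckLayerAvailability
+                  - ecr:InitiateLayerUpload
+                  - ecr:UploadLayerPart
+                  - ecr:CompleteLayerUpload
+                  - ecr:PutImage
+                Resource:
+                  - !Sub "arn:aws:ecr:ap-northeast-1:${AWS::AccountId}:repository/forgejo-repository"
+              - Effect: Allow
+                Action:
+                  - s3:GetObject
+                  - s3:PutObject
+                  - s3:ListBucket
+                Resource:
+                  - !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
+                  - !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket/*"
+                  - !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}"
+                  - !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}/*"
+
+
+  # CodeBuild Project (ARM)
+  ForgejoBuildProject:
+    Type: AWS::CodeBuild::Project
+    Properties:
+      ServiceRole: !GetAtt CodeBuildRole.Arn
+      Artifacts:
+        Type: CODEPIPELINE
+      Environment:
+        Type: ARM_CONTAINER
+        ComputeType: BUILD_GENERAL1_MEDIUM
+        Image: aws/codebuild/amazonlinux2-aarch64-standard:3.0
+        PrivilegedMode: true
+        EnvironmentVariables:
+          - Name: ECR_REPOSITORY
+            Value: !Ref ForgejoRepositoryName
+      Source:
+        Type: CODEPIPELINE
+      TimeoutInMinutes: 30
+
+  # IAM Role for CodePipeline
+  CodePipelineRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: codepipeline.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: CodePipelinePolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              # Permissions for accessing the artifacts bucket
+              - Effect: Allow
+                Action:
+                  - s3:GetObject
+                  - s3:GetObjectVersion
+                  - s3:PutObject
+                  - s3:ListBucket
+                  - s3:GetBucketLocation
+                  - s3:GetBucketVersioning
+                Resource:
+                  - !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
+                  - !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket/*"
+                  - !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}"
+                  - !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}/*"
+              # Permissions for CodeBuild (if used)
+              - Effect: Allow
+                Action:
+                  - codebuild:StartBuild
+                  - codebuild:BatchGetBuilds
+                Resource: "*"
+              # Permissions for manual approval actions in CodePipeline
+              - Effect: Allow
+                Action:
+                  - codepipeline:PutApprovalResult
+                Resource: "*"
+
+  # CodePipeline
+  ForgejoPipeline:
+    Type: AWS::CodePipeline::Pipeline
+    Properties:
+      PipelineType: V2
+      RoleArn: !GetAtt CodePipelineRole.Arn
+      ArtifactStore:
+        Type: S3
+        Location: !Sub "codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
+      Stages:
+        - Name: Source
+          Actions:
+            - Name: S3Source
+              ActionTypeId:
+                Category: Source
+                Owner: AWS
+                Provider: S3
+                Version: "1"
+              Configuration:
+                S3Bucket: !Ref SourceBucket
+                S3ObjectKey: !Ref SourceObjectKey
+                PollForSourceChanges: true
+              OutputArtifacts:
+                - Name: SourceOutput
+        - Name: Build
+          Actions:
+            - Name: BuildImage
+              ActionTypeId:
+                Category: Build
+                Owner: AWS
+                Provider: CodeBuild
+                Version: "1"
+              InputArtifacts:
+                - Name: SourceOutput
+              Configuration:
+                ProjectName: !Ref ForgejoBuildProject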
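Review bot: The ECR push statement in CodeBuildRole scopes its Resource to the literal `repository/forgejo-repository`, while the repository the template creates takes its name from the ForgejoRepositoryName parameter, so overriding that parameter leaves the build role unable to push to its own repository. Replacing the hard-coded ARN with `- !GetAtt ForgejoRepository.Arn` keeps the grant tied to the created resource, and the `ap-northeast-1` literal repeated in BucketName, the ECR ARN, the S3 ARNs and the artifact-store Location would be better expressed as `${AWS::Region}` so the stack cannot silently reference resources in the wrong region. The artifact-store bucket `codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket` is granted and referenced but not created in this template, so it presumably must already exist; a comment above ArtifactStore stating that precondition would save the next deployer a failed stack. The logs statement with `Resource: "*"` could be narrowed to the project's own log-group prefix, and `PrivilegedMode: true` deserves a comment saying it exists only for the Docker build inside the ARM container, since it runs the build container in privileged mode.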