From 4987197113ca4ac21d42d30f2627d474d3932b61 Mon Sep 17 00:00:00 2001
From: Daisuke
Date: Wed, 31 Dec 2025 13:27:25 +0900
Subject: [PATCH] Add EFS infrastructure for Forgejo (new CloudFormation stack)
- Introduce forgejo-efs.yaml defining EFS FileSystem with encryption, lifecycle policies, and backup enabled
- Add dedicated AccessPoints for /forgejo/data and /forgejo/config with POSIX ownership and tags
- Include FileSystemPolicy enforcing mount-target-only access
- Export EFS resource IDs for cross-stack referencing
---
 infra/cfn/forgejo-efs.yaml | 103 +++++++++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100755 infra/cfn/forgejo-efs.yaml
diff --git a/infra/cfn/forgejo-efs.yaml b/infra/cfn/forgejo-efs.yaml
new file mode 100755
index 0000000..a10443e
--- /dev/null
+++ b/infra/cfn/forgejo-efs.yaml
@@ -0,0 +1,103 @@
+Parameters:
+ KmsKeyId:
+ Type: String
+ Description: "KMS key for EFS encryption"
+
+Resources:
+ EFSAccessPointData:
+ Type: "AWS::EFS::AccessPoint"
+ DeletionPolicy: Retain
+ Properties:
+ FileSystemId: !Ref EFSFileSystem
+ RootDirectory:
+ Path: "/forgejo/data"
+ CreationInfo:
+ OwnerGid: "1000"
+ Permissions: "750"
+ OwnerUid: "1000"
+ AccessPointTags:
+ - Value: "forgejo-data-ap"
+ Key: "Name"
+ - Value: "Git-server"
+ Key: "Project"
+ PosixUser:
+ Uid: "1000"
+ SecondaryGids: []
+ Gid: "1000"
+
+ EFSAccessPointConfig:
+ Type: "AWS::EFS::AccessPoint"
+ DeletionPolicy: Retain
+ Properties:
+ FileSystemId: !Ref EFSFileSystem
+ RootDirectory:
+ Path: "/forgejo/config"
+ CreationInfo:
+ OwnerGid: "1000"
+ Permissions: "750"
+ OwnerUid: "1000"
+ AccessPointTags:
+ - Value: "forgejo-config-ap"
+ Key: "Name"
+ - Value: "Git-server"
+ Key: "Project"
+ PosixUser:
+ Uid: "1000"
+ SecondaryGids: []
+ Gid: "1000"
+
+ EFSFileSystem:
+ Type: "AWS::EFS::FileSystem"
+ DeletionPolicy: Retain
+ Properties:
+ KmsKeyId: !Ref KmsKeyId
+ PerformanceMode: "generalPurpose"
+ Encrypted: true
+ FileSystemTags:
+ - Value: "forgejo-file-system"
+ Key: "Name"
+ - Value: "Git-server"
+ Key: "Project"
+ FileSystemPolicy:
+ Version: "2012-10-17"
+ Statement:
+ - Condition:
+ Bool:
+ elasticfilesystem:AccessedViaMountTarget: "true"
+ Resource: !Sub "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/fs-011efd71b198bacc7"
+ Action:
+ - "elasticfilesystem:ClientWrite"
+ - "elasticfilesystem:ClientMount"
+ Effect: "Allow"
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+ Sid: "efs-statement-b87417f1-f7fd-4978-b642-9b3084238008"
+ Id: "efs-policy-wizard-c4d5acbb-f970-40a3-8938-87ca58cb6f1b"
+ FileSystemProtection:
+ ReplicationOverwriteProtection: "ENABLED"
+ LifecyclePolicies:
+ - TransitionToIA: "AFTER_30_DAYS"
+ - TransitionToArchive: "AFTER_90_DAYS"
+ ThroughputMode: "elastic"
+ BackupPolicy:
+ Status: "ENABLED"
+
+Outputs:
+
+ EFSFileSystemId:
+ Description: "ID of the EFS File System"
+ Value: !Ref EFSFileSystem
+ Export:
+ Name: !Sub "${AWS::StackName}-EFSFileSystemId"
+
+ AccessPointData:
+ Description: "Access Point for /forgejo/data"
+ Value: !Ref EFSAccessPointData
+ Export:
+ Name: !Sub "${AWS::StackName}-EFSAccessPointData"
+
+ AccessPointConfig:
+ Description: "Access Point for /forgejo/config"
+ Value: !Ref EFSAccessPointConfig
+ Export:
+ Name: !Sub "${AWS::StackName}-EFSAccessPointConfig"
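Review bot: The FileSystemPolicy statement's `Resource` is a hard-coded ARN ending in `file-system/fs-011efd71b198bacc7`, which looks like an ID copied from a console-generated policy rather than the EFSFileSystem this template creates, so the only Allow statement appears to be scoped to a different file system than the one the policy is attached to. Since a resource cannot `!GetAtt` its own `Arn` from inside its own properties, the usual fix is to remove the `Resource:` line so the statement applies to the enclosing file system, as the AWS FileSystemPolicy examples do; the console-wizard `Sid` and `Id` UUID strings would also read better as descriptive names such as `Sid: "AllowMountTargetClients"`. Separately, the commit message says the policy "enforces" mount-target-only access, but an Allow conditioned on `elasticfilesystem:AccessedViaMountTarget: "true"` only grants under that condition; if rejecting unencrypted or non-mount-target clients is the intent, an explicit Deny statement with `Bool: aws:SecureTransport: "false"` would make that control visible in the template rather than relying on EFS default-policy semantics, which are worth confirming.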