infra(forgejo): add network and S3 CloudFormation stacks

Introduce dedicated CloudFormation templates for Forgejo networking (EFS mount targets, ALB target group and listener rule) and S3 storage, including bucket creation and scoped access policy.
2026-01-01 17:14:38 +09:00 · 2026-01-01 17:14:38 +09:00 · 7afe099295
commit 7afe099295
parent 8da52108cf
2 changed files with 167 additions and 0 deletions
--- a/infra/cfn/forgejo-network.yaml
+++ b/infra/cfn/forgejo-network.yaml
@ -0,0 +1,79 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Resources:
+
+  EFSMountTarget0:
+    UpdateReplacePolicy: "Delete"
+    Type: "AWS::EFS::MountTarget"
+    DeletionPolicy: "Delete"
+    Properties:
+      SecurityGroups:
+      - "sg-0201d595f634128ba"
+      FileSystemId:
+        !ImportValue forgejo-efs-EFSFileSystemId
+      SubnetId: "subnet-004fa7ef9de2dfb34"
+
+  EFSMountTarget1:
+    UpdateReplacePolicy: "Delete"
+    Type: "AWS::EFS::MountTarget"
+    DeletionPolicy: "Delete"
+    Properties:
+      SecurityGroups:
+      - "sg-0201d595f634128ba"
+      FileSystemId:
+        !ImportValue forgejo-efs-EFSFileSystemId
+      SubnetId: "subnet-064c8fcfd627077ef"
+
+  ElasticLoadBalancingV2TargetGroupForgejo:
+    UpdateReplacePolicy: "Delete"
+    Type: "AWS::ElasticLoadBalancingV2::TargetGroup"
+    DeletionPolicy: "Delete"
+    Properties:
+      IpAddressType: "ipv4"
+      HealthCheckIntervalSeconds: 30
+      Matcher:
+        HttpCode: "200"
+      HealthCheckPath: "/"
+      Port: 3000
+      HealthCheckEnabled: true
+      ProtocolVersion: "HTTP1"
+      UnhealthyThresholdCount: 2
+      HealthCheckTimeoutSeconds: 5
+      Name: "forgejo-tg"
+      VpcId: "vpc-0b056d88428fb2a6a"
+      HealthyThresholdCount: 5
+      HealthCheckProtocol: "HTTP"
+      TargetType: "ip"
+      HealthCheckPort: "traffic-port"
+      Protocol: "HTTP"
+      Tags:
+      - Value: "Git-server"
+        Key: "Project"
+
+  ElasticLoadBalancingV2ListenerRuleForgejo:
+    UpdateReplacePolicy: "Delete"
+    Type: "AWS::ElasticLoadBalancingV2::ListenerRule"
+    DeletionPolicy: "Delete"
+    Properties:
+      Actions:
+      - Order: 1
+        TargetGroupArn:
+          Ref: "ElasticLoadBalancingV2TargetGroupForgejo"
+        Type: "forward"
+        ForwardConfig:
+          TargetGroupStickinessConfig:
+            Enabled: false
+            DurationSeconds: 3600
+          TargetGroups:
+          - TargetGroupArn:
+              Ref: "ElasticLoadBalancingV2TargetGroupForgejo"
+            Weight: 1
+      Priority: 1
+      Conditions:
+      - Values:
+        - "git.n-daisuke897.com"
+        HostHeaderConfig:
+          Values:
+          - "git.n-daisuke897.com"
+        Field: "host-header"
+      Transforms: []
--- a/infra/cfn/forgejo-s3.yaml
+++ b/infra/cfn/forgejo-s3.yaml
@ -0,0 +1,88 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Resources:
+
+  IAMUserForgejos3user:
+    UpdateReplacePolicy: "Delete"
+    Type: "AWS::IAM::User"
+    DeletionPolicy: "Delete"
+    Properties:
+      Path: "/"
+      ManagedPolicyArns:
+      - !Sub "arn:aws:iam::${AWS::AccountId}:policy/${IAMManagedPolicyForgejoS3Access}"
+      UserName: "forgejo-s3-user"
+      Tags:
+      - Value: "To access my s3 bucket from my forgejo server"
+        Key: "AKIA2CUNLLYJHX6J4YRV"
+      - Value: "Git-server"
+        Key: "Project"
+
+  IAMManagedPolicyForgejoS3Access:
+    UpdateReplacePolicy: "Delete"
+    Type: "AWS::IAM::ManagedPolicy"
+    DeletionPolicy: "Delete"
+    Properties:
+      ManagedPolicyName: "ForgejoS3AccessPolicy"
+      Path: "/"
+      Description: ""
+      Groups: []
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+        - Resource:
+            Fn::GetAtt:
+            - "S3BucketForgejo"
+            - "Arn"
+          Action:
+          - s3:ListBucket
+          - s3:ListBucketMultipartUploads
+          Effect: "Allow"
+          Sid: "ListBucket"
+        - Resource:
+           Fn::Join:
+           - "/"
+           - - Fn::GetAtt:
+               - "S3BucketForgejo"
+               - "Arn"
+             - "*"
+          Action:
+          - s3:GetObject
+          - s3:PutObject
+          - s3:DeleteObject
+          - s3:AbortMultipartUpload
+          Effect: "Allow"
+          Sid: "ObjectWriting"
+
+  S3BucketForgejo:
+    Type: "AWS::S3::Bucket"
+    DeletionPolicy: Retain
+    Properties:
+      AbacStatus: "Disabled"
+      PublicAccessBlockConfiguration:
+        RestrictPublicBuckets: true
+        IgnorePublicAcls: true
+        BlockPublicPolicy: true
+        BlockPublicAcls: true
+      BucketName: !Sub "forgejo-c4ee2e40-49f0-4487-be94-872b10dc3e46-${AWS::Region}"
+      OwnershipControls:
+        Rules:
+        - ObjectOwnership: "BucketOwnerEnforced"
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+        - BucketKeyEnabled: true
+          ServerSideEncryptionByDefault:
+            SSEAlgorithm: "AES256"
+      Tags:
+      - Value: "Git-server"
+        Key: "Project"
+
+Outputs:
+  ForgejoS3BucketName:
+    Value: !Ref S3BucketForgejo
+    Export:
+      Name: !Sub ${AWS::StackName}-BucketName
+
+  ForgejoS3BucketArn:
+    Value: !GetAtt S3BucketForgejo.Arn
+    Export:
+      Name: !Sub ${AWS::StackName}-BucketArn