From 7afe099295f7bc087eb0123750dfa4038d24b07f Mon Sep 17 00:00:00 2001
From: Daisuke
Date: Thu, 1 Jan 2026 17:14:38 +0900
Subject: [PATCH] infra(forgejo): add network and S3 CloudFormation stacks

Introduce dedicated CloudFormation templates for Forgejo networking (EFS mount targets, ALB target group and listener rule) and S3 storage, including bucket creation and scoped access policy.
---
 infra/cfn/forgejo-network.yaml | 79 ++++++++++++++++++++++++++++++
 infra/cfn/forgejo-s3.yaml | 88 ++++++++++++++++++++++++++++++++++
 2 files changed, 167 insertions(+)
 create mode 100644 infra/cfn/forgejo-network.yaml
 create mode 100644 infra/cfn/forgejo-s3.yaml

diff --git a/infra/cfn/forgejo-network.yaml b/infra/cfn/forgejo-network.yaml
new file mode 100644
index 0000000..5093a5c
--- /dev/null
+++ b/infra/cfn/forgejo-network.yaml
@@ -0,0 +1,79 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Resources: + + EFSMountTarget0: + UpdateReplacePolicy: "Delete" + Type: "AWS::EFS::MountTarget" + DeletionPolicy: "Delete" + Properties: + SecurityGroups: + - "sg-0201d595f634128ba" + FileSystemId: + !ImportValue forgejo-efs-EFSFileSystemId + SubnetId: "subnet-004fa7ef9de2dfb34" + + EFSMountTarget1: + UpdateReplacePolicy: "Delete" + Type: "AWS::EFS::MountTarget" + DeletionPolicy: "Delete" + Properties: + SecurityGroups: + - "sg-0201d595f634128ba" + FileSystemId: + !ImportValue forgejo-efs-EFSFileSystemId + SubnetId: "subnet-064c8fcfd627077ef" + + ElasticLoadBalancingV2TargetGroupForgejo: + UpdateReplacePolicy: "Delete" + Type: "AWS::ElasticLoadBalancingV2::TargetGroup" + DeletionPolicy: "Delete" + Properties: + IpAddressType: "ipv4" + HealthCheckIntervalSeconds: 30 + Matcher: + HttpCode: "200" + HealthCheckPath: "/" + Port: 3000 + HealthCheckEnabled: true + ProtocolVersion: "HTTP1" + UnhealthyThresholdCount: 2 + HealthCheckTimeoutSeconds: 5 + Name: "forgejo-tg" + VpcId: "vpc-0b056d88428fb2a6a" + HealthyThresholdCount: 5 + HealthCheckProtocol: "HTTP" + TargetType: "ip" + HealthCheckPort: "traffic-port" + Protocol: "HTTP" + Tags: + - Value: "Git-server" + Key: "Project" + + ElasticLoadBalancingV2ListenerRuleForgejo: + UpdateReplacePolicy: "Delete" + Type: "AWS::ElasticLoadBalancingV2::ListenerRule" + DeletionPolicy: "Delete" + Properties: + Actions: + - Order: 1 + TargetGroupArn: + Ref: "ElasticLoadBalancingV2TargetGroupForgejo" + Type: "forward" + ForwardConfig: + TargetGroupStickinessConfig: + Enabled: false + DurationSeconds: 3600 + TargetGroups: + - TargetGroupArn: + Ref: "ElasticLoadBalancingV2TargetGroupForgejo" + Weight: 1 + Priority: 1 + Conditions: + - Values: + - "git.n-daisuke897.com" + HostHeaderConfig: + Values: + - "git.n-daisuke897.com" + Field: "host-header" + Transforms: [] diff --git a/infra/cfn/forgejo-s3.yaml b/infra/cfn/forgejo-s3.yaml new file mode 100644 index 0000000..d6cf6e6 
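Review bot: ElasticLoadBalancingV2ListenerRuleForgejo has no `ListenerArn`, which is a required property of AWS::ElasticLoadBalancingV2::ListenerRule, so the stack will fail validation before any resource is created; it needs `ListenerArn: !ImportValue <LISTENER_EXPORT_NAME>` or a Parameter for it, wired to the HTTPS listener that terminates TLS for `git.n-daisuke897.com`. The VPC, subnet and security-group IDs are hard-coded literals while the file system ID is resolved via `!ImportValue forgejo-efs-EFSFileSystemId`; moving `vpc-…`, `subnet-…` and `sg-…` to Parameters or exports would keep the template portable and make a security-group change reviewable in one place. The Conditions entry repeats the host under both `Values` and `HostHeaderConfig`; `Values` is the legacy form and can be dropped in favor of `HostHeaderConfig` alone.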
--- /dev/null
+++ b/infra/cfn/forgejo-s3.yaml
@@ -0,0 +1,88 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Resources: + + IAMUserForgejos3user: + UpdateReplacePolicy: "Delete" + Type: "AWS::IAM::User" + DeletionPolicy: "Delete" + Properties: + Path: "/" + ManagedPolicyArns: + - !Sub "arn:aws:iam::${AWS::AccountId}:policy/${IAMManagedPolicyForgejoS3Access}" + UserName: "forgejo-s3-user" + Tags: + - Value: "To access my s3 bucket from my forgejo server" + Key: "AKIA2CUNLLYJHX6J4YRV" + - Value: "Git-server" + Key: "Project" + + IAMManagedPolicyForgejoS3Access: + UpdateReplacePolicy: "Delete" + Type: "AWS::IAM::ManagedPolicy" + DeletionPolicy: "Delete" + Properties: + ManagedPolicyName: "ForgejoS3AccessPolicy" + Path: "/" + Description: "" + Groups: [] + PolicyDocument: + Version: "2012-10-17" + Statement: + - Resource: + Fn::GetAtt: + - "S3BucketForgejo" + - "Arn" + Action: + - s3:ListBucket + - s3:ListBucketMultipartUploads + Effect: "Allow" + Sid: "ListBucket" + - Resource: + Fn::Join: + - "/" + - - Fn::GetAtt: + - "S3BucketForgejo" + - "Arn" + - "*" + Action: + - s3:GetObject + - s3:PutObject + - s3:DeleteObject + - s3:AbortMultipartUpload + Effect: "Allow" + Sid: "ObjectWriting" + + S3BucketForgejo: + Type: "AWS::S3::Bucket" + DeletionPolicy: Retain + Properties: + AbacStatus: "Disabled" + PublicAccessBlockConfiguration: + RestrictPublicBuckets: true + IgnorePublicAcls: true + BlockPublicPolicy: true + BlockPublicAcls: true + BucketName: !Sub "forgejo-c4ee2e40-49f0-4487-be94-872b10dc3e46-${AWS::Region}" + OwnershipControls: + Rules: + - ObjectOwnership: "BucketOwnerEnforced" + BucketEncryption: + ServerSideEncryptionConfiguration: + - BucketKeyEnabled: true + ServerSideEncryptionByDefault: + SSEAlgorithm: "AES256" + Tags: + - Value: "Git-server" + Key: "Project" + +Outputs: + ForgejoS3BucketName: + Value: !Ref S3BucketForgejo + Export: + Name: !Sub ${AWS::StackName}-BucketName + + ForgejoS3BucketArn: + Value: !GetAtt S3BucketForgejo.Arn + Export: + Name: !Sub ${AWS::StackName}-BucketArn
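Review bot: IAMUserForgejos3user carries a tag whose key is what looks like an AWS access key ID (`Key: "AKIA2CUNLLYJHX6J4YRV"`) with the human-readable description as its value; the key and value appear swapped, and the identifier of a credential is now committed to version control, so I would change it to `Key: "Purpose"` with the description as the value and rotate that key if it was ever issued. `ManagedPolicyArns` builds the ARN with `!Sub "arn:aws:iam::${AWS::AccountId}:policy/${IAMManagedPolicyForgejoS3Access}"`, but `Ref` of an AWS::IAM::ManagedPolicy already returns the full ARN, so this substitution yields a doubled ARN; the entry should be `- !Ref IAMManagedPolicyForgejoS3Access`. If Forgejo runs on ECS or EC2 as the companion network template suggests, an IAM role attached to the task or instance would remove the long-lived user and static keys entirely; the policy is already scoped to the single bucket, so only the principal would change. S3BucketForgejo sets `DeletionPolicy: Retain` but, unlike the other resources in both files, no `UpdateReplacePolicy`; as far as I know the retain does not carry over to replacement updates (a change to `BucketName`, for example), so `UpdateReplacePolicy: Retain` should be added alongside it.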