cfn: switch Forgejo pipeline to EventBridge-triggered S3 source
- Rename forgejo.yaml to forgejo-cl.yaml - Make S3 bucket and IAM ARNs region-agnostic - Disable CodePipeline S3 polling - Enable S3 → EventBridge notifications - Add EventBridge rule and IAM role to trigger pipeline on object creation - Tighten IAM permissions for CodeBuild and CodePipeline - Normalize file mode for forgejo-efs.yaml
This commit is contained in:
parent
4987197113
commit
8da52108cf
2 changed files with 62 additions and 21 deletions
|
|
@ -16,18 +16,19 @@ Parameters:
|
|||
|
||||
Resources:
|
||||
|
||||
# S3 Bucket (Source)
|
||||
SourceBucket:
|
||||
Type: AWS::S3::Bucket
|
||||
Properties:
|
||||
BucketName: !Sub "ap-northeast-1-${AWS::AccountId}-${SourceBucketName}"
|
||||
BucketName: !Sub "${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
|
||||
Tags:
|
||||
- Key: Project
|
||||
Value: Git-server
|
||||
VersioningConfiguration:
|
||||
Status: Enabled
|
||||
NotificationConfiguration:
|
||||
EventBridgeConfiguration:
|
||||
EventBridgeEnabled: true
|
||||
|
||||
# ECR Repository
|
||||
ForgejoRepository:
|
||||
Type: AWS::ECR::Repository
|
||||
Properties:
|
||||
|
|
@ -35,7 +36,6 @@ Resources:
|
|||
ImageScanningConfiguration:
|
||||
ScanOnPush: true
|
||||
|
||||
# IAM Role for CodeBuild
|
||||
CodeBuildRole:
|
||||
Type: AWS::IAM::Role
|
||||
Properties:
|
||||
|
|
@ -76,13 +76,12 @@ Resources:
|
|||
- s3:PutObject
|
||||
- s3:ListBucket
|
||||
Resource:
|
||||
- !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
|
||||
- !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket/*"
|
||||
- !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}"
|
||||
- !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}/*"
|
||||
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
|
||||
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
|
||||
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
|
||||
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
|
||||
|
||||
|
||||
# CodeBuild Project (ARM)
|
||||
ForgejoBuildProject:
|
||||
Type: AWS::CodeBuild::Project
|
||||
Properties:
|
||||
|
|
@ -101,7 +100,6 @@ Resources:
|
|||
Type: CODEPIPELINE
|
||||
TimeoutInMinutes: 30
|
||||
|
||||
# IAM Role for CodePipeline
|
||||
CodePipelineRole:
|
||||
Type: AWS::IAM::Role
|
||||
Properties:
|
||||
|
|
@ -117,9 +115,11 @@ Resources:
|
|||
PolicyDocument:
|
||||
Version: '2012-10-17'
|
||||
Statement:
|
||||
# Permissions for accessing the artifacts bucket
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- s3:GetBucketAcl
|
||||
- s3:GetObjectTagging
|
||||
- s3:GetObjectVersionTagging
|
||||
- s3:GetObject
|
||||
- s3:GetObjectVersion
|
||||
- s3:PutObject
|
||||
|
|
@ -127,23 +127,23 @@ Resources:
|
|||
- s3:GetBucketLocation
|
||||
- s3:GetBucketVersioning
|
||||
Resource:
|
||||
- !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
|
||||
- !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket/*"
|
||||
- !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}"
|
||||
- !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}/*"
|
||||
# Permissions for CodeBuild (if used)
|
||||
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
|
||||
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
|
||||
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
|
||||
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- codebuild:StartBuild
|
||||
- codebuild:BatchGetBuilds
|
||||
Resource: "*"
|
||||
# Permissions for manual approval actions in CodePipeline
|
||||
Resource:
|
||||
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:build/*"
|
||||
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*"
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- codepipeline:PutApprovalResult
|
||||
Resource: "*"
|
||||
- codepipeline:StartPipelineExecution
|
||||
Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
|
||||
|
||||
# CodePipeline
|
||||
ForgejoPipeline:
|
||||
Type: AWS::CodePipeline::Pipeline
|
||||
Properties:
|
||||
|
|
@ -164,7 +164,7 @@ Resources:
|
|||
Configuration:
|
||||
S3Bucket: !Ref SourceBucket
|
||||
S3ObjectKey: !Ref SourceObjectKey
|
||||
PollForSourceChanges: true
|
||||
PollForSourceChanges: false
|
||||
OutputArtifacts:
|
||||
- Name: SourceOutput
|
||||
- Name: Build
|
||||
|
|
@ -179,3 +179,44 @@ Resources:
|
|||
- Name: SourceOutput
|
||||
Configuration:
|
||||
ProjectName: !Ref ForgejoBuildProject
|
||||
|
||||
S3SourceChangeRule:
|
||||
Type: AWS::Events::Rule
|
||||
Properties:
|
||||
Description: Trigger CodePipeline on S3 source update
|
||||
EventPattern:
|
||||
source:
|
||||
- aws.s3
|
||||
detail-type:
|
||||
- Object Created
|
||||
detail:
|
||||
bucket:
|
||||
name:
|
||||
- !Ref SourceBucket
|
||||
object:
|
||||
key:
|
||||
- !Ref SourceObjectKey
|
||||
Targets:
|
||||
- Arn: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${ForgejoPipeline}
|
||||
RoleArn: !GetAtt EventBridgeInvokePipelineRole.Arn
|
||||
Id: CodePipelineTarget
|
||||
|
||||
EventBridgeInvokePipelineRole:
|
||||
Type: AWS::IAM::Role
|
||||
Properties:
|
||||
AssumeRolePolicyDocument:
|
||||
Version: '2012-10-17'
|
||||
Statement:
|
||||
- Effect: Allow
|
||||
Principal:
|
||||
Service: events.amazonaws.com
|
||||
Action: sts:AssumeRole
|
||||
Policies:
|
||||
- PolicyName: AllowStartPipeline
|
||||
PolicyDocument:
|
||||
Version: '2012-10-17'
|
||||
Statement:
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- codepipeline:StartPipelineExecution
|
||||
Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${ForgejoPipeline}
|
||||
0
infra/cfn/forgejo-efs.yaml
Executable file → Normal file
0
infra/cfn/forgejo-efs.yaml
Executable file → Normal file
Loading…
Add table
Add a link
Reference in a new issue