cfn: switch Forgejo pipeline to EventBridge-triggered S3 source
- Rename forgejo.yaml to forgejo-cl.yaml - Make S3 bucket and IAM ARNs region-agnostic - Disable CodePipeline S3 polling - Enable S3 → EventBridge notifications - Add EventBridge rule and IAM role to trigger pipeline on object creation - Tighten IAM permissions for CodeBuild and CodePipeline - Normalize file mode for forgejo-efs.yaml
This commit is contained in:
parent
4987197113
commit
8da52108cf
2 changed files with 62 additions and 21 deletions
|
|
@ -16,18 +16,19 @@ Parameters:
|
||||||
|
|
||||||
Resources:
|
Resources:
|
||||||
|
|
||||||
# S3 Bucket (Source)
|
|
||||||
SourceBucket:
|
SourceBucket:
|
||||||
Type: AWS::S3::Bucket
|
Type: AWS::S3::Bucket
|
||||||
Properties:
|
Properties:
|
||||||
BucketName: !Sub "ap-northeast-1-${AWS::AccountId}-${SourceBucketName}"
|
BucketName: !Sub "${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
|
||||||
Tags:
|
Tags:
|
||||||
- Key: Project
|
- Key: Project
|
||||||
Value: Git-server
|
Value: Git-server
|
||||||
VersioningConfiguration:
|
VersioningConfiguration:
|
||||||
Status: Enabled
|
Status: Enabled
|
||||||
|
NotificationConfiguration:
|
||||||
|
EventBridgeConfiguration:
|
||||||
|
EventBridgeEnabled: true
|
||||||
|
|
||||||
# ECR Repository
|
|
||||||
ForgejoRepository:
|
ForgejoRepository:
|
||||||
Type: AWS::ECR::Repository
|
Type: AWS::ECR::Repository
|
||||||
Properties:
|
Properties:
|
||||||
|
|
@ -35,7 +36,6 @@ Resources:
|
||||||
ImageScanningConfiguration:
|
ImageScanningConfiguration:
|
||||||
ScanOnPush: true
|
ScanOnPush: true
|
||||||
|
|
||||||
# IAM Role for CodeBuild
|
|
||||||
CodeBuildRole:
|
CodeBuildRole:
|
||||||
Type: AWS::IAM::Role
|
Type: AWS::IAM::Role
|
||||||
Properties:
|
Properties:
|
||||||
|
|
@ -76,13 +76,12 @@ Resources:
|
||||||
- s3:PutObject
|
- s3:PutObject
|
||||||
- s3:ListBucket
|
- s3:ListBucket
|
||||||
Resource:
|
Resource:
|
||||||
- !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
|
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
|
||||||
- !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket/*"
|
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
|
||||||
- !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}"
|
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
|
||||||
- !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}/*"
|
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
|
||||||
|
|
||||||
|
|
||||||
# CodeBuild Project (ARM)
|
|
||||||
ForgejoBuildProject:
|
ForgejoBuildProject:
|
||||||
Type: AWS::CodeBuild::Project
|
Type: AWS::CodeBuild::Project
|
||||||
Properties:
|
Properties:
|
||||||
|
|
@ -101,7 +100,6 @@ Resources:
|
||||||
Type: CODEPIPELINE
|
Type: CODEPIPELINE
|
||||||
TimeoutInMinutes: 30
|
TimeoutInMinutes: 30
|
||||||
|
|
||||||
# IAM Role for CodePipeline
|
|
||||||
CodePipelineRole:
|
CodePipelineRole:
|
||||||
Type: AWS::IAM::Role
|
Type: AWS::IAM::Role
|
||||||
Properties:
|
Properties:
|
||||||
|
|
@ -117,9 +115,11 @@ Resources:
|
||||||
PolicyDocument:
|
PolicyDocument:
|
||||||
Version: '2012-10-17'
|
Version: '2012-10-17'
|
||||||
Statement:
|
Statement:
|
||||||
# Permissions for accessing the artifacts bucket
|
|
||||||
- Effect: Allow
|
- Effect: Allow
|
||||||
Action:
|
Action:
|
||||||
|
- s3:GetBucketAcl
|
||||||
|
- s3:GetObjectTagging
|
||||||
|
- s3:GetObjectVersionTagging
|
||||||
- s3:GetObject
|
- s3:GetObject
|
||||||
- s3:GetObjectVersion
|
- s3:GetObjectVersion
|
||||||
- s3:PutObject
|
- s3:PutObject
|
||||||
|
|
@ -127,23 +127,23 @@ Resources:
|
||||||
- s3:GetBucketLocation
|
- s3:GetBucketLocation
|
||||||
- s3:GetBucketVersioning
|
- s3:GetBucketVersioning
|
||||||
Resource:
|
Resource:
|
||||||
- !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
|
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
|
||||||
- !Sub "arn:aws:s3:::codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket/*"
|
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
|
||||||
- !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}"
|
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
|
||||||
- !Sub "arn:aws:s3:::ap-northeast-1-${AWS::AccountId}-${SourceBucketName}/*"
|
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
|
||||||
# Permissions for CodeBuild (if used)
|
|
||||||
- Effect: Allow
|
- Effect: Allow
|
||||||
Action:
|
Action:
|
||||||
- codebuild:StartBuild
|
- codebuild:StartBuild
|
||||||
- codebuild:BatchGetBuilds
|
- codebuild:BatchGetBuilds
|
||||||
Resource: "*"
|
Resource:
|
||||||
# Permissions for manual approval actions in CodePipeline
|
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:build/*"
|
||||||
|
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*"
|
||||||
- Effect: Allow
|
- Effect: Allow
|
||||||
Action:
|
Action:
|
||||||
- codepipeline:PutApprovalResult
|
- codepipeline:PutApprovalResult
|
||||||
Resource: "*"
|
- codepipeline:StartPipelineExecution
|
||||||
|
Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
|
||||||
|
|
||||||
# CodePipeline
|
|
||||||
ForgejoPipeline:
|
ForgejoPipeline:
|
||||||
Type: AWS::CodePipeline::Pipeline
|
Type: AWS::CodePipeline::Pipeline
|
||||||
Properties:
|
Properties:
|
||||||
|
|
@ -164,7 +164,7 @@ Resources:
|
||||||
Configuration:
|
Configuration:
|
||||||
S3Bucket: !Ref SourceBucket
|
S3Bucket: !Ref SourceBucket
|
||||||
S3ObjectKey: !Ref SourceObjectKey
|
S3ObjectKey: !Ref SourceObjectKey
|
||||||
PollForSourceChanges: true
|
PollForSourceChanges: false
|
||||||
OutputArtifacts:
|
OutputArtifacts:
|
||||||
- Name: SourceOutput
|
- Name: SourceOutput
|
||||||
- Name: Build
|
- Name: Build
|
||||||
|
|
@ -179,3 +179,44 @@ Resources:
|
||||||
- Name: SourceOutput
|
- Name: SourceOutput
|
||||||
Configuration:
|
Configuration:
|
||||||
ProjectName: !Ref ForgejoBuildProject
|
ProjectName: !Ref ForgejoBuildProject
|
||||||
|
|
||||||
|
S3SourceChangeRule:
|
||||||
|
Type: AWS::Events::Rule
|
||||||
|
Properties:
|
||||||
|
Description: Trigger CodePipeline on S3 source update
|
||||||
|
EventPattern:
|
||||||
|
source:
|
||||||
|
- aws.s3
|
||||||
|
detail-type:
|
||||||
|
- Object Created
|
||||||
|
detail:
|
||||||
|
bucket:
|
||||||
|
name:
|
||||||
|
- !Ref SourceBucket
|
||||||
|
object:
|
||||||
|
key:
|
||||||
|
- !Ref SourceObjectKey
|
||||||
|
Targets:
|
||||||
|
- Arn: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${ForgejoPipeline}
|
||||||
|
RoleArn: !GetAtt EventBridgeInvokePipelineRole.Arn
|
||||||
|
Id: CodePipelineTarget
|
||||||
|
|
||||||
|
EventBridgeInvokePipelineRole:
|
||||||
|
Type: AWS::IAM::Role
|
||||||
|
Properties:
|
||||||
|
AssumeRolePolicyDocument:
|
||||||
|
Version: '2012-10-17'
|
||||||
|
Statement:
|
||||||
|
- Effect: Allow
|
||||||
|
Principal:
|
||||||
|
Service: events.amazonaws.com
|
||||||
|
Action: sts:AssumeRole
|
||||||
|
Policies:
|
||||||
|
- PolicyName: AllowStartPipeline
|
||||||
|
PolicyDocument:
|
||||||
|
Version: '2012-10-17'
|
||||||
|
Statement:
|
||||||
|
- Effect: Allow
|
||||||
|
Action:
|
||||||
|
- codepipeline:StartPipelineExecution
|
||||||
|
Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${ForgejoPipeline}
|
||||||
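Review bot: The trust policy of EventBridgeInvokePipelineRole lets events.amazonaws.com assume the role with no condition, so any other rule in this account can be pointed at the role ARN and start the pipeline through it — the rule-target confused-deputy case that AWS documents for EventBridge; scope it by adding `Condition:` / `StringEquals:` / `aws:SourceAccount: !Ref AWS::AccountId` to the statement under Principal (aws:SourceArn with the rule ARN would be tighter, but referencing S3SourceChangeRule from the role creates a circular dependency, so the account-scoped key is the practical choice here). The permission side of this role is already limited to the one pipeline, which is good; by contrast the `codepipeline:StartPipelineExecution` added to CodePipelineRole in the -127,23 hunk, on `arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*`, is not something the pipeline's own service role needs now that this dedicated role starts the execution, and it covers every pipeline in the region, so it can be dropped. Minor: the two new ARNs here are written `!Sub arn:aws:...` unquoted while the rest of the template uses `!Sub "..."`, and they hard-code the `aws` partition that the commit otherwise made region-agnostic; `!Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${ForgejoPipeline}"` keeps both consistent.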
0
infra/cfn/forgejo-efs.yaml
Executable file → Normal file
0
infra/cfn/forgejo-efs.yaml
Executable file → Normal file