From 8140c89e3a9dd75e984ce3b2f0ac51ac49d02acc Mon Sep 17 00:00:00 2001
From: Daisuke
Date: Fri, 2 Jan 2026 18:16:57 +0900
Subject: [PATCH 1/2] chore(infra/cfn): add Forgejo network CloudFormation resources

Add EFS MountTargets (two subnets), an ALB Target Group for Forgejo (port 3000, health checks), and a Listener Rule for host git.n-daisuke897.com; export the TargetGroup ARN. No application-level configuration changes.
---
 infra/cfn/forgejo-network.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/infra/cfn/forgejo-network.yaml b/infra/cfn/forgejo-network.yaml
index 5093a5c..01cc151 100644
--- a/infra/cfn/forgejo-network.yaml
+++ b/infra/cfn/forgejo-network.yaml
@@ -77,3 +77,11 @@ Resources:
 - "git.n-daisuke897.com"
 Field: "host-header"
 Transforms: []
+
+Outputs:
+
+ TargetGroupArn:
+ Description: ARN of the Forgejo target group
+ Value: !Ref ElasticLoadBalancingV2TargetGroupForgejo
+ Export:
+ Name: !Sub "${AWS::StackName}-TargetGroupArn"

From 1998d1cf032a9a11278cbc1def2872e75a47bd78 Mon Sep 17 00:00:00 2001
From: Daisuke
Date: Fri, 2 Jan 2026 18:20:02 +0900
Subject: [PATCH 2/2] feat(infra/cfn): provision Forgejo ECS cluster, service, and task

Define ECS cluster with exports, service wired to ALB target group and deployment circuit breaker, and task definition with IAM role, ARM64 runtime, EFS volumes, ports 3000/2222, logging, and MinIO/S3 env config.
---
 infra/cfn/forgejo-ecs-cluster.yaml | 33 +++++++
 infra/cfn/forgejo-ecs-service.yaml | 86 ++++++++++++++++++
 infra/cfn/forgejo-ecs-task.yaml | 134 +++++++++++++++++++++++++++++
 3 files changed, 253 insertions(+)
 create mode 100644 infra/cfn/forgejo-ecs-cluster.yaml
 create mode 100644 infra/cfn/forgejo-ecs-service.yaml
 create mode 100644 infra/cfn/forgejo-ecs-task.yaml

diff --git a/infra/cfn/forgejo-ecs-cluster.yaml b/infra/cfn/forgejo-ecs-cluster.yaml
new file mode 100644
index 0000000..5c7f46e
--- /dev/null
+++ b/infra/cfn/forgejo-ecs-cluster.yaml
@@ -0,0 +1,33 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: ECS Cluster for Forgejo
+
+Parameters:
+
+ ClusterName:
+ Type: String
+ Default: my-forgejo-cluster
+ Description: Name of the ECS Cluster
+
+Resources:
+
+ ECSCluster:
+ Type: AWS::ECS::Cluster
+ Properties:
+ ClusterName: !Ref ClusterName
+ Tags:
+ - Key: Project
+ Value: Git-server
+
+Outputs:
+
+ ClusterArn:
+ Description: ARN of the ECS Cluster
+ Value: !GetAtt ECSCluster.Arn
+ Export:
+ Name: !Sub "${AWS::StackName}-ClusterArn"
+
+ ClusterName:
+ Description: Name of the ECS Cluster
+ Value: !Ref ClusterName
+ Export:
+ Name: !Sub "${AWS::StackName}-ClusterName"
diff --git a/infra/cfn/forgejo-ecs-service.yaml b/infra/cfn/forgejo-ecs-service.yaml
new file mode 100644
index 0000000..6401f5c
--- /dev/null
+++ b/infra/cfn/forgejo-ecs-service.yaml
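Review bot: The cluster `Properties` carry no `Configuration.ExecuteCommandConfiguration`, while the companion service template turns on `EnableExecuteCommand: true` and the task role grants the `ssmmessages` channel actions, so interactive ECS Exec sessions into the Forgejo container would leave no session record. Adding `Configuration:` / `ExecuteCommandConfiguration:` / `Logging: DEFAULT` under `Properties` writes session output through the container's awslogs settings; `OVERRIDE` with its own `LogConfiguration` gives a dedicated, separately-protected log group, which is preferable for audit. `ClusterSettings:` with `- Name: containerInsights` / `Value: enabled` is also absent and is cheap to add here for task-level metrics. The export `${AWS::StackName}-ClusterName` only resolves for the service template if this stack is deployed under the name `forgejo-ecs-cluster`; a comment on the Outputs block such as `# Imported by forgejo-ecs-service.yaml as forgejo-ecs-cluster-ClusterName; deploy this stack as forgejo-ecs-cluster` would make that coupling visible.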
@@ -0,0 +1,86 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: ECS Service for Forgejo
+
+Parameters:
+
+ ServiceName:
+ Type: String
+ Default: forgejo-service
+ Description: Name of the ECS Service
+
+ TaskDefinitionFamily:
+ Type: String
+ Default: forgejo-task
+ Description: Task definition family name
+
+ DesiredCount:
+ Type: Number
+ Default: 1
+ Description: Number of desired tasks
+
+ SubnetId1:
+ Type: String
+ Default: subnet-064c8fcfd627077ef
+ Description: First subnet ID for the service
+
+ SubnetId2:
+ Type: String
+ Default: subnet-004fa7ef9de2dfb34
+ Description: Second subnet ID for the service
+
+ SecurityGroupId:
+ Type: String
+ Default: sg-022a8622e7387dc70
+ Description: Security group ID for the service
+
+Resources:
+
+ ECSService:
+ Type: AWS::ECS::Service
+ Properties:
+ ServiceName: !Ref ServiceName
+ Cluster: !ImportValue forgejo-ecs-cluster-ClusterName
+ TaskDefinition: !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${TaskDefinitionFamily}"
+ DesiredCount: !Ref DesiredCount
+ LaunchType: FARGATE
+ PlatformVersion: LATEST
+ NetworkConfiguration:
+ AwsvpcConfiguration:
+ Subnets:
+ - !Ref SubnetId1
+ - !Ref SubnetId2
+ SecurityGroups:
+ - !Ref SecurityGroupId
+ AssignPublicIp: ENABLED
+ LoadBalancers:
+ - TargetGroupArn: !ImportValue forgejo-network-TargetGroupArn
+ ContainerName: forgejo
+ ContainerPort: 3000
+ HealthCheckGracePeriodSeconds: 0
+ DeploymentConfiguration:
+ MaximumPercent: 100
+ MinimumHealthyPercent: 0
+ DeploymentCircuitBreaker:
+ Enable: true
+ Rollback: true
+ SchedulingStrategy: REPLICA
+ EnableECSManagedTags: true
+ PropagateTags: TASK_DEFINITION
+ EnableExecuteCommand: true
+ Tags:
+ - Key: Project
+ Value: Git-server
+
+Outputs:
+
+ ServiceArn:
+ Description: ARN of the ECS Service
+ Value: !Ref ECSService
+ Export:
+ Name: !Sub "${AWS::StackName}-ServiceArn"
+
+ ServiceName:
+ Description: Name of the ECS Service
+ Value: !GetAtt ECSService.Name
+ Export:
+ Name: !Sub "${AWS::StackName}-ServiceName"
diff --git a/infra/cfn/forgejo-ecs-task.yaml b/infra/cfn/forgejo-ecs-task.yaml
new file mode 100644
index 0000000..2ec664b
--- /dev/null
+++ b/infra/cfn/forgejo-ecs-task.yaml
@@ -0,0 +1,134 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Parameters:
+
+ ForgejoRepositoryName:
+ Type: String
+ Default: forgejo-repository
+
+Resources:
+
+ IAMRoleECSTaskForgejoRole:
+ UpdateReplacePolicy: "Delete"
+ Type: "AWS::IAM::Role"
+ DeletionPolicy: "Delete"
+ Properties:
+ Path: "/"
+ MaxSessionDuration: 3600
+ RoleName: "ECSTaskForgejoRole"
+ Description: "Allows ECS tasks to call AWS services on your behalf."
+ Policies:
+ - PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Resource: "*"
+ Action:
+ - "ssmmessages:CreateControlChannel"
+ - "ssmmessages:CreateDataChannel"
+ - "ssmmessages:OpenControlChannel"
+ - "ssmmessages:OpenDataChannel"
+ Effect: "Allow"
+ Sid: "ssmmessages"
+ PolicyName: "ForgejoSSM"
+ ManagedPolicyArns:
+ - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ForgejoS3AccessPolicy"
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Action: "sts:AssumeRole"
+ Effect: "Allow"
+ Principal:
+ Service: "ecs-tasks.amazonaws.com"
+ Sid: ""
+ Tags:
+ - Value: "Git-server"
+ Key: "Project"
+
+ ECSTaskDefinitionForgejo:
+ UpdateReplacePolicy: "Delete"
+ Type: "AWS::ECS::TaskDefinition"
+ DeletionPolicy: "Delete"
+ Properties:
+ TaskRoleArn:
+ Fn::GetAtt:
+ - "IAMRoleECSTaskForgejoRole"
+ - "Arn"
+ Memory: "512"
+ Cpu: "256"
+ RequiresCompatibilities:
+ - "FARGATE"
+ NetworkMode: "awsvpc"
+ ExecutionRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/ecsTaskExecutionRole"
+ RuntimePlatform:
+ OperatingSystemFamily: "LINUX"
+ CpuArchitecture: "ARM64"
+ Volumes:
+ - EFSVolumeConfiguration:
+ FilesystemId:
+ !ImportValue forgejo-efs-EFSFileSystemId
+ TransitEncryption: "ENABLED"
+ RootDirectory: "/"
+ AuthorizationConfig:
+ IAM: "DISABLED"
+ AccessPointId:
+ !ImportValue forgejo-efs-EFSAccessPointConfig
+ Name: "forgejo-config-vol"
+ - EFSVolumeConfiguration:
+ FilesystemId:
+ !ImportValue forgejo-efs-EFSFileSystemId
+ TransitEncryption: "ENABLED"
+ RootDirectory: "/"
+ AuthorizationConfig:
+ IAM: "DISABLED"
+ AccessPointId:
+ !ImportValue forgejo-efs-EFSAccessPointData
+ Name: "forgejo-data-vol"
+ ContainerDefinitions:
+ - Memory: 512
+ Cpu: 0
+ Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ForgejoRepositoryName}@sha256:3d64f3ae3d83dbd2e2ded6bcb6fe214c449ce15be540099621d2f7919232c406"
+ Essential: true
+ LogConfiguration:
+ Options:
+ awslogs-group: "/ecs/forgejo"
+ mode: "non-blocking"
+ max-buffer-size: "25m"
+ awslogs-create-group: "true"
+ awslogs-region: "ap-northeast-1"
+ awslogs-stream-prefix: "ecs"
+ LogDriver: "awslogs"
+ Name: "forgejo"
+ LinuxParameters:
+ InitProcessEnabled: true
+ MountPoints:
+ - ReadOnly: false
+ SourceVolume: "forgejo-data-vol"
+ ContainerPath: "/var/lib/gitea"
+ - ReadOnly: false
+ SourceVolume: "forgejo-config-vol"
+ ContainerPath: "/etc/gitea"
+ PortMappings:
+ - ContainerPort: 3000
+ AppProtocol: "http"
+ Protocol: "tcp"
+ Name: "forgejo-3000-tcp"
+ - ContainerPort: 2222
+ Protocol: "tcp"
+ Name: "forgejo-2222-ssh"
+ Environment:
+ - Value: "s3.amazonaws.com"
+ Name: "FORGEJO__STORAGE__MINIO_ENDPOINT"
+ - Value: "true"
+ Name: "FORGEJO__SERVICE__DISABLE_REGISTRATION"
+ - Value: "ap-northeast-1"
+ Name: "FORGEJO__STORAGE__MINIO_LOCATION"
+ - Value: "minio"
+ Name: "FORGEJO__STORAGE__STORAGE_TYPE"
+ - Value: "true"
+ Name: "FORGEJO__STORAGE__MINIO_USE_SSL"
+ - Value: !ImportValue forgejo-s3-BucketName
+ Name: "FORGEJO__STORAGE__MINIO_BUCKET"
+ Family: "forgejo-task"
+ Tags:
+ - Value: "Git-server"
+ Key: "Project"
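Review bot: `awslogs-create-group: "true"` asks the agent to create `/ecs/forgejo` at task start, which requires `logs:CreateLogGroup` on the execution role; `ExecutionRoleArn` points at a pre-existing `ecsTaskExecutionRole` this template does not manage, and the AWS-managed AmazonECSTaskExecutionRolePolicy does not grant that action, so the first launch may fail on log-group creation if the role carries only that policy. Declaring the log group in the template (below) removes the need for that permission, gives the group a retention period instead of keeping logs forever, and lets `awslogs-region` follow `AWS::Region` as the `Image` URI already does rather than hard-coding `ap-northeast-1` (the same literal appears in `FORGEJO__STORAGE__MINIO_LOCATION`). Separately, both EFS volumes set `IAM: "DISABLED"`, so mounts are authorised by network reachability and the access point alone; `IAM: "ENABLED"` plus `elasticfilesystem:ClientMount` and `elasticfilesystem:ClientWrite` on `IAMRoleECSTaskForgejoRole` lets the file-system policy pin the config and data volumes to this task role. Pinning the image by digest is the right call for supply-chain integrity, but a comment recording which tag the digest was resolved from would make future bumps reviewable. Both resources are complete within the hunk.

```yaml
  LogGroupForgejo:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "/ecs/forgejo"
      RetentionInDays: 30
# … unchanged: IAMRoleECSTaskForgejoRole, ECSTaskDefinitionForgejo up to ContainerDefinitions …
          LogConfiguration:
            LogDriver: "awslogs"
            Options:
              awslogs-group: !Ref LogGroupForgejo
              awslogs-region: !Ref "AWS::Region"
              awslogs-stream-prefix: "ecs"
              mode: "non-blocking"
              max-buffer-size: "25m"
```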