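---
# Build pipeline for the Forgejo container image:
#   S3 (zipped source) -> CodePipeline -> CodeBuild (ARM container) -> ECR
#
# Changes versus the original layout of this template:
#   - region and partition are taken from AWS::Region / AWS::Partition instead
#     of being hard-coded, so the same template deploys unchanged in ap-northeast-1
#     and also works in other regions/partitions;
#   - the ECR push permission follows the repository resource (!GetAtt) instead
#     of a literal repository name, so changing ForgejoRepositoryName no longer
#     silently breaks the build role;
#   - CloudWatch Logs and CodeBuild permissions are scoped to the resources this
#     stack actually uses instead of "*";
#   - the source bucket blocks public access and encrypts at rest.
#
# NOTE: the pipeline artifact bucket
#   codebuild-<region>-<account-id>-input-bucket
# is referenced but NOT created here; it must already exist in the same account
# and region (with versioning enabled, which CodePipeline requires) before this
# stack is deployed.
AWSTemplateFormatVersion: "2010-09-09"
Description: S3 -> CodePipeline -> CodeBuild(ARM) -> ECR pipeline for Forgejo

Parameters:
  SourceBucketName:
    Type: String
    Default: forgejo-source-bucket
    Description: >-
      Suffix of the source bucket name; the full name is
      <region>-<account-id>-<SourceBucketName>.
  SourceObjectKey:
    Type: String
    Default: forgejo-source.zip
    Description: Object key (zip archive) in the source bucket that triggers the pipeline.
  ForgejoRepositoryName:
    Type: String
    Default: forgejo-repository
    Description: Name of the ECR repository that receives the built image.

Resources:
  # ---------------------------------------------------------------------------
  # S3 bucket holding the zipped source (pipeline source stage)
  # ---------------------------------------------------------------------------
  SourceBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
      Tags:
        - Key: Project
          Value: Git-server
      # Versioning is required for the CodePipeline S3 source action
      # (it tracks the object version id).
      VersioningConfiguration:
        Status: Enabled
      # Source code should never be reachable anonymously.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Server-side encryption at rest (SSE-S3); no extra key management needed.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  # ---------------------------------------------------------------------------
  # ECR repository for the Forgejo image
  # ---------------------------------------------------------------------------
  ForgejoRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref ForgejoRepositoryName
      # Every pushed image is scanned for known CVEs.
      ImageScanningConfiguration:
        ScanOnPush: true

  # ---------------------------------------------------------------------------
  # IAM role assumed by the CodeBuild project
  # ---------------------------------------------------------------------------
  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CodeBuildPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Build logs. CodeBuild writes to /aws/codebuild/<project-name>,
              # so the grant is limited to that log-group prefix.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource:
                  - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*"
                  - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*:*"
              # GetAuthorizationToken is account-wide and does not accept a
              # resource ARN; "*" is the only valid value here.
              - Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
                Resource: "*"
              # Push permissions only on the repository created by this stack.
              - Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload
                  - ecr:PutImage
                Resource:
                  - !GetAtt ForgejoRepository.Arn
              # Read/write of pipeline artifacts. GetObjectVersion and
              # GetBucketLocation are needed because the artifact bucket is
              # versioned and CodePipeline hands CodeBuild versioned objects.
              # The source bucket is kept in this grant for builds that read it
              # directly — NOTE(review): drop it if the buildspec only uses the
              # pipeline artifact.
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketLocation
                  - s3:PutObject
                  - s3:ListBucket
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
                  - !Sub "arn:${AWS::Partition}:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
                  - !Sub "arn:${AWS::Partition}:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
                  - !Sub "arn:${AWS::Partition}:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"

  # ---------------------------------------------------------------------------
  # CodeBuild project (ARM container image build)
  # ---------------------------------------------------------------------------
  ForgejoBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      ServiceRole: !GetAtt CodeBuildRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: ARM_CONTAINER
        ComputeType: BUILD_GENERAL1_MEDIUM
        Image: "aws/codebuild/amazonlinux2-aarch64-standard:3.0"
        # Privileged mode is required to run the Docker daemon inside the
        # build container; it is the only reason it is enabled here.
        PrivilegedMode: true
        EnvironmentVariables:
          - Name: ECR_REPOSITORY
            Value: !Ref ForgejoRepositoryName
      Source:
        Type: CODEPIPELINE
      TimeoutInMinutes: 30

  # ---------------------------------------------------------------------------
  # IAM role assumed by CodePipeline
  # ---------------------------------------------------------------------------
  CodePipelineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CodePipelinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Artifact bucket (read/write) and source bucket (read).
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:PutObject
                  - s3:ListBucket
                  - s3:GetBucketLocation
                  - s3:GetBucketVersioning
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
                  - !Sub "arn:${AWS::Partition}:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
                  - !Sub "arn:${AWS::Partition}:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
                  - !Sub "arn:${AWS::Partition}:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
              # Start and poll only the build project defined in this stack.
              - Effect: Allow
                Action:
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuilds
                Resource:
                  - !GetAtt ForgejoBuildProject.Arn
              # codepipeline:PutApprovalResult was previously granted here, but
              # this pipeline has no Approval action and approvals are made by
              # IAM principals, not by the pipeline role, so it is omitted.

  # ---------------------------------------------------------------------------
  # CodePipeline: S3 source -> CodeBuild
  # ---------------------------------------------------------------------------
  ForgejoPipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      PipelineType: V2
      RoleArn: !GetAtt CodePipelineRole.Arn
      ArtifactStore:
        Type: S3
        # Pre-existing bucket; see the note at the top of this file.
        Location: !Sub "codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
      Stages:
        - Name: Source
          Actions:
            - Name: S3Source
              ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: S3
                Version: "1"
              Configuration:
                S3Bucket: !Ref SourceBucket
                S3ObjectKey: !Ref SourceObjectKey
                # Polling is simplest; an EventBridge rule on the bucket would
                # remove the polling delay but needs CloudTrail data events.
                PollForSourceChanges: true
              OutputArtifacts:
                - Name: SourceOutput
        - Name: Build
          Actions:
            - Name: BuildImage
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              InputArtifacts:
                - Name: SourceOutput
              Configuration:
                ProjectName: !Ref ForgejoBuildProject

Outputs:
  RepositoryUri:
    Description: URI of the ECR repository that receives the Forgejo image.
    Value: !GetAtt ForgejoRepository.RepositoryUri
  PipelineName:
    Description: Name of the created CodePipeline.
    Value: !Ref ForgejoPipeline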