Define ECS cluster with exports, service wired to ALB target group and deployment circuit breaker, and task definition with IAM role, ARM64 runtime, EFS volumes, ports 3000/2222, logging, and MinIO/S3 env config.
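AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Forgejo on ECS Fargate: the task IAM role and the task definition. The EFS
  file system / access points and the S3 bucket are imported from sibling
  stacks; the execution role and the S3 managed policy are referenced by name.

Parameters:
  ForgejoRepositoryName:
    Type: String
    Default: forgejo-repository
    Description: ECR repository (same account and region) that holds the Forgejo image.
    # The value is interpolated into the image URI below, so constrain it to the
    # character set ECR allows for repository names.
    AllowedPattern: "^[a-z0-9._/-]+$"

Resources:
  # Task role: the identity the Forgejo process runs as. It is distinct from the
  # execution role, which only pulls the image and ships logs.
  IAMRoleECSTaskForgejoRole:
    Type: "AWS::IAM::Role"
    DeletionPolicy: "Delete"
    UpdateReplacePolicy: "Delete"
    Properties:
      RoleName: "ECSTaskForgejoRole"
      Description: "Allows ECS tasks to call AWS services on your behalf."
      Path: "/"
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "ecs-tasks.amazonaws.com"
            Action: "sts:AssumeRole"
            # Confused-deputy guard recommended by AWS for ecs-tasks.amazonaws.com:
            # only ECS tasks in this account and region may assume the role.
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref AWS::AccountId
              ArnLike:
                "aws:SourceArn": !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:*"
      Policies:
        - PolicyName: "ForgejoSSM"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Channels used by ECS Exec (`aws ecs execute-command`). The
              # ssmmessages actions do not support resource-level permissions,
              # so "*" is the narrowest resource possible. With this in place
              # anyone holding ecs:ExecuteCommand on the task can open a shell
              # inside the container; gate that on the caller side, or drop the
              # statement in environments where Exec is not needed.
              - Sid: "ssmmessages"
                Effect: "Allow"
                Action:
                  - "ssmmessages:CreateControlChannel"
                  - "ssmmessages:CreateDataChannel"
                  - "ssmmessages:OpenControlChannel"
                  - "ssmmessages:OpenDataChannel"
                Resource: "*"
      # Object-storage permissions for Forgejo. The policy is created outside this
      # template and referenced by name, so its scope cannot be reviewed here; it
      # should be limited to the bucket imported as forgejo-s3-BucketName.
      ManagedPolicyArns:
        - !Sub "arn:aws:iam::${AWS::AccountId}:policy/ForgejoS3AccessPolicy"
      Tags:
        - Key: "Project"
          Value: "Git-server"

  ECSTaskDefinitionForgejo:
    Type: "AWS::ECS::TaskDefinition"
    DeletionPolicy: "Delete"
    UpdateReplacePolicy: "Delete"
    Properties:
      Family: "forgejo-task"
      TaskRoleArn: !GetAtt IAMRoleECSTaskForgejoRole.Arn
      # Pre-existing role referenced by name. awslogs-create-group below needs
      # logs:CreateLogGroup on it, which the stock AmazonECSTaskExecutionRolePolicy
      # does not grant — TODO confirm the role has it, or pre-create /ecs/forgejo.
      ExecutionRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/ecsTaskExecutionRole"
      RequiresCompatibilities:
        - "FARGATE"
      NetworkMode: "awsvpc"
      Cpu: "256"
      Memory: "512"
      RuntimePlatform:
        OperatingSystemFamily: "LINUX"
        CpuArchitecture: "ARM64"
      # Both volumes live on one imported EFS file system and are scoped by access
      # point. Transit encryption is on; at-rest encryption is a property of the
      # imported file system and is not visible from this template.
      # IAM: "DISABLED" means mount access is enforced only by network reachability
      # and the access point's POSIX identity. Switching to ENABLED requires
      # elasticfilesystem:ClientMount/ClientWrite on the task role and a matching
      # file-system policy in the EFS stack — confirm that stack before changing.
      Volumes:
        - Name: "forgejo-config-vol"
          EFSVolumeConfiguration:
            FilesystemId: !ImportValue forgejo-efs-EFSFileSystemId
            RootDirectory: "/"
            TransitEncryption: "ENABLED"
            AuthorizationConfig:
              AccessPointId: !ImportValue forgejo-efs-EFSAccessPointConfig
              IAM: "DISABLED"
        - Name: "forgejo-data-vol"
          EFSVolumeConfiguration:
            FilesystemId: !ImportValue forgejo-efs-EFSFileSystemId
            RootDirectory: "/"
            TransitEncryption: "ENABLED"
            AuthorizationConfig:
              AccessPointId: !ImportValue forgejo-efs-EFSAccessPointData
              IAM: "DISABLED"
      ContainerDefinitions:
        - Name: "forgejo"
          # Pinned by digest rather than tag so the task cannot silently pick up a
          # different image; bump the digest deliberately when upgrading.
          Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ForgejoRepositoryName}@sha256:3d64f3ae3d83dbd2e2ded6bcb6fe214c449ce15be540099621d2f7919232c406"
          Essential: true
          # No container-level CPU reservation; the task-level Cpu applies. Memory
          # is a hard limit equal to the task allocation.
          Cpu: 0
          Memory: 512
          LinuxParameters:
            # Run an init process as PID 1 to forward signals and reap zombies.
            InitProcessEnabled: true
          # NOTE(review): consider ReadonlyRootFilesystem: true — config and data
          # are on EFS, but confirm the image writes nowhere else (e.g. /tmp) first.
          PortMappings:
            - Name: "forgejo-3000-tcp"
              ContainerPort: 3000
              Protocol: "tcp"
              # Plain HTTP inside the VPC; TLS is presumably terminated upstream.
              AppProtocol: "http"
            - Name: "forgejo-2222-ssh"
              ContainerPort: 2222
              Protocol: "tcp"
          MountPoints:
            # /etc/gitea holds app.ini, which typically carries SECRET_KEY and
            # INTERNAL_TOKEN — treat the config volume as secret material.
            - SourceVolume: "forgejo-config-vol"
              ContainerPath: "/etc/gitea"
              ReadOnly: false
            - SourceVolume: "forgejo-data-vol"
              ContainerPath: "/var/lib/gitea"
              ReadOnly: false
          # FORGEJO__<SECTION>__<KEY> variables map onto app.ini settings.
          Environment:
            # Closed instance: no self-service sign-up.
            - Name: "FORGEJO__SERVICE__DISABLE_REGISTRATION"
              Value: "true"
            # S3 via the MinIO-compatible storage driver, TLS enforced. No access
            # key/secret is set, so credentials are expected to come from the task
            # role through the SDK credential chain — TODO confirm for the pinned
            # Forgejo version.
            - Name: "FORGEJO__STORAGE__STORAGE_TYPE"
              Value: "minio"
            # NOTE(review): the regional endpoint (s3.<region>.amazonaws.com) avoids
            # a cross-region hop and is what an S3 gateway VPC endpoint serves;
            # kept as the global endpoint until verified against the bucket.
            - Name: "FORGEJO__STORAGE__MINIO_ENDPOINT"
              Value: "s3.amazonaws.com"
            - Name: "FORGEJO__STORAGE__MINIO_USE_SSL"
              Value: "true"
            # Stack exports are region-scoped, so the imported bucket is in this
            # region; derive the location instead of hard-coding it.
            - Name: "FORGEJO__STORAGE__MINIO_LOCATION"
              Value: !Ref AWS::Region
            - Name: "FORGEJO__STORAGE__MINIO_BUCKET"
              Value: !ImportValue forgejo-s3-BucketName
          LogConfiguration:
            LogDriver: "awslogs"
            Options:
              awslogs-group: "/ecs/forgejo"
              # Same region as the stack (matches the ECR image URI above).
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: "ecs"
              awslogs-create-group: "true"
              # non-blocking keeps the app running if CloudWatch is slow but drops
              # log lines once the buffer fills — audit-relevant events can be
              # lost under load; retain the group if these logs feed detection.
              mode: "non-blocking"
              max-buffer-size: "25m"
      Tags:
        - Key: "Project"
          Value: "Git-server"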