nakada0907/forgejo-deployment
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
forgejo-deployment/infra/cfn/forgejo-cl.yaml
Daisuke 058d1be93f feat(ci/cd): Add artifact bucket and ECS deployment support 
- Create S3 artifact bucket with encryption and versioning
- Add ECR lifecycle policy to maintain maximum 5 images
- Add OutputArtifacts to build stage for deployment
- Add Deploy stage with ECS provider
- Update CodePipeline artifact store to use ArtifactBucket
- Replace hardcoded bucket names with parameterized references
- Add IAM permissions for ECS task definition and service management
- Add buildspec commands to generate image definitions file
2026-01-10 19:39:15 +09:00

313 lines
9.9 KiB
YAML
Raw Blame History

AWSTemplateFormatVersion: "2010-09-09"
Description: S3 -> CodePipeline -> CodeBuild(ARM) -> ECR pipeline for Forgejo
Parameters:
SourceBucketName:
Type: String
Default: forgejo-source-bucket
SourceObjectKey:
Type: String
Default: forgejo-source.zip
ArtifactBucketName:
Type: String
Default: forgejo-artifact-bucket
ForgejoRepositoryName:
Type: String
Default: forgejo-repository
Resources:
SourceBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
Tags:
- Key: Project
Value: Git-server
VersioningConfiguration:
Status: Enabled
NotificationConfiguration:
EventBridgeConfiguration:
EventBridgeEnabled: true
ArtifactBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
Tags:
- Key: Project
Value: Git-server
VersioningConfiguration:
Status: Enabled
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
ForgejoRepository:
Type: AWS::ECR::Repository
Properties:
RepositoryName: !Ref ForgejoRepositoryName
ImageScanningConfiguration:
ScanOnPush: true
LifecyclePolicy:
LifecyclePolicyText: |
{
"rules": [
{
"rulePriority": 1,
"description": "Expire images to keep maximum 5",
"selection": {
"tagStatus": "any",
"countType": "imageCountMoreThan",
"countNumber": 5
},
"action": {
"type": "expire"
}
}
]
}
CodeBuildRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: codebuild.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: CodeBuildPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "*"
- Effect: Allow
Action:
- ecr:GetAuthorizationToken
Resource: "*"
- Effect: Allow
Action:
- ecr:BatchCheckLayerAvailability
- ecr:InitiateLayerUpload
- ecr:UploadLayerPart
- ecr:CompleteLayerUpload
- ecr:PutImage
Resource:
- !Sub "arn:aws:ecr:ap-northeast-1:${AWS::AccountId}:repository/forgejo-repository"
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:ListBucket
Resource:
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}/*"
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
ForgejoBuildProject:
Type: AWS::CodeBuild::Project
Properties:
ServiceRole: !GetAtt CodeBuildRole.Arn
Artifacts:
Type: CODEPIPELINE
Environment:
Type: ARM_CONTAINER
ComputeType: BUILD_GENERAL1_MEDIUM
Image: aws/codebuild/amazonlinux2-aarch64-standard:3.0
PrivilegedMode: true
EnvironmentVariables:
- Name: ECR_REPOSITORY
Value: !Ref ForgejoRepositoryName
Source:
Type: CODEPIPELINE
TimeoutInMinutes: 30
CodePipelineRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: codepipeline.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: CodePipelinePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetBucketAcl
- s3:GetObjectTagging
- s3:GetObjectVersionTagging
- s3:GetObject
- s3:GetObjectVersion
- s3:PutObject
- s3:ListBucket
- s3:GetBucketLocation
- s3:GetBucketVersioning
Resource:
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}/*"
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
- !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
- Effect: Allow
Action:
- codebuild:StartBuild
- codebuild:BatchGetBuilds
Resource:
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:build/*"
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*"
- Effect: Allow
Action:
- codepipeline:PutApprovalResult
- codepipeline:StartPipelineExecution
Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
- Sid: TaskDefinitionPermissions
Effect: Allow
Action:
- ecs:DescribeTaskDefinition
- ecs:RegisterTaskDefinition
Resource:
- "*"
- Sid: ECSServicePermissions
Effect: Allow
Action:
- ecs:DescribeServices
- ecs:UpdateService
Resource:
- !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/*/*"
- Sid: ECSTagResource
Effect: Allow
Action:
- ecs:TagResource
Resource:
- !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*:*"
Condition:
StringEquals:
ecs:CreateAction:
- RegisterTaskDefinition
- Sid: IamPassRolePermissions
Effect: Allow
Action:
- iam:PassRole
Resource:
- !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
Condition:
StringEquals:
iam:PassedToService:
- ecs.amazonaws.com
- ecs-tasks.amazonaws.com
ForgejoPipeline:
Type: AWS::CodePipeline::Pipeline
Properties:
PipelineType: V2
RoleArn: !GetAtt CodePipelineRole.Arn
ArtifactStore:
Type: S3
Location: !Ref ArtifactBucket
Stages:
- Name: Source
Actions:
- Name: S3Source
ActionTypeId:
Category: Source
Owner: AWS
Provider: S3
Version: "1"
Configuration:
S3Bucket: !Ref SourceBucket
S3ObjectKey: !Ref SourceObjectKey
PollForSourceChanges: false
OutputArtifacts:
- Name: SourceOutput
- Name: Build
Actions:
- Name: BuildImage
ActionTypeId:
Category: Build
Owner: AWS
Provider: CodeBuild
Version: "1"
InputArtifacts:
- Name: SourceOutput
OutputArtifacts:
- Name: BuildOutput
Configuration:
ProjectName: !Ref ForgejoBuildProject
- Name: Deploy
Actions:
- Name: DeployECS
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: ECS
Version: "1"
InputArtifacts:
- Name: BuildOutput
Configuration:
ClusterName: my-forgejo-cluster
ServiceName: forgejo-service
S3SourceChangeRule:
Type: AWS::Events::Rule
Properties:
Description: Trigger CodePipeline on S3 source update
EventPattern:
source:
- aws.s3
detail-type:
- Object Created
detail:
bucket:
name:
- !Ref SourceBucket
object:
key:
- !Ref SourceObjectKey
Targets:
- Arn: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${ForgejoPipeline}
RoleArn: !GetAtt EventBridgeInvokePipelineRole.Arn
Id: CodePipelineTarget
EventBridgeInvokePipelineRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: events.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: AllowStartPipeline
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- codepipeline:StartPipelineExecution
Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${ForgejoPipeline}
Reference in a new issue View git blame Copy permalink