forgejo-deployment/infra/cfn/forgejo-s3.yaml

AWSTemplateFormatVersion: "2010-09-09"

Resources:

  IAMUserForgejos3user:
    UpdateReplacePolicy: "Delete"
    Type: "AWS::IAM::User"
    DeletionPolicy: "Delete"
    Properties:
      Path: "/"
      ManagedPolicyArns:
      - !Sub "arn:aws:iam::${AWS::AccountId}:policy/${IAMManagedPolicyForgejoS3Access}"
      UserName: "forgejo-s3-user"
      Tags:
      - Value: "To access my s3 bucket from my forgejo server"
        Key: "AKIA2CUNLLYJHX6J4YRV"
      - Value: "Git-server"
        Key: "Project"

  IAMManagedPolicyForgejoS3Access:
    UpdateReplacePolicy: "Delete"
    Type: "AWS::IAM::ManagedPolicy"
    DeletionPolicy: "Delete"
    Properties:
      ManagedPolicyName: "ForgejoS3AccessPolicy"
      Path: "/"
      Description: ""
      Groups: []
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Resource:
            Fn::GetAtt:
            - "S3BucketForgejo"
            - "Arn"
          Action:
          - s3:ListBucket
          - s3:ListBucketMultipartUploads
          Effect: "Allow"
          Sid: "ListBucket"
        - Resource:
           Fn::Join:
           - "/"
           - - Fn::GetAtt:
               - "S3BucketForgejo"
               - "Arn"
             - "*"
          Action:
          - s3:GetObject
          - s3:PutObject
          - s3:DeleteObject
          - s3:AbortMultipartUpload
          Effect: "Allow"
          Sid: "ObjectWriting"

  S3BucketForgejo:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    Properties:
      AbacStatus: "Disabled"
      PublicAccessBlockConfiguration:
        RestrictPublicBuckets: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        BlockPublicAcls: true
      BucketName: !Sub "forgejo-c4ee2e40-49f0-4487-be94-872b10dc3e46-${AWS::Region}"
      OwnershipControls:
        Rules:
        - ObjectOwnership: "BucketOwnerEnforced"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
        - BucketKeyEnabled: true
          ServerSideEncryptionByDefault:
            SSEAlgorithm: "AES256"
      Tags:
      - Value: "Git-server"
        Key: "Project"

Outputs:
  ForgejoS3BucketName:
    Value: !Ref S3BucketForgejo
    Export:
      Name: !Sub ${AWS::StackName}-BucketName

  ForgejoS3BucketArn:
    Value: !GetAtt S3BucketForgejo.Arn
    Export:
      Name: !Sub ${AWS::StackName}-BucketArn