feat(cicd): enable S3-triggered CodePipeline and align IAM/ECR integration
- enable EventBridge notifications on source S3 bucket - trigger CodePipeline execution on source.zip updates - fix artifact bucket ARN substitutions - extend CodePipeline role permissions for S3, CodeBuild, and approvals - allow Lambda to pull images from ECR via repository policy - export ECR repository URI and reference it from Lambda
This commit is contained in:
parent
0c9a8feb9f
commit
621b9f006e
4 changed files with 97 additions and 15 deletions
|
|
@ -16,4 +16,7 @@ Resources:
|
|||
- Key: Project
|
||||
Value: Git-server
|
||||
VersioningConfiguration:
|
||||
Status: Enabled
|
||||
Status: Enabled
|
||||
NotificationConfiguration:
|
||||
EventBridgeConfiguration:
|
||||
EventBridgeEnabled: true
|
||||
|
|
|
|||
|
|
@ -37,12 +37,12 @@ Resources:
|
|||
Effect: Allow
|
||||
Principal:
|
||||
Service: cloudfront.amazonaws.com
|
||||
Action:
|
||||
Action:
|
||||
- s3:GetObject
|
||||
Resource: !Sub "arn:aws:s3:::${WebsiteBucket}/*"
|
||||
Condition:
|
||||
StringEquals:
|
||||
AWS:SourceArn:
|
||||
AWS:SourceArn:
|
||||
Fn::Sub:
|
||||
- arn:aws:cloudfront::${AWS::AccountId}:distribution/${MyCloudFrontDistribution}
|
||||
- MyCloudFrontDistribution:
|
||||
|
|
@ -77,8 +77,8 @@ Resources:
|
|||
- s3:PutObject
|
||||
- s3:ListBucket
|
||||
Resource:
|
||||
- "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket"
|
||||
- "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket/*"
|
||||
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
|
||||
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
|
||||
- "arn:aws:s3:::naputo-blog-source"
|
||||
- "arn:aws:s3:::naputo-blog-source/*"
|
||||
|
||||
|
|
@ -115,6 +115,9 @@ Resources:
|
|||
# Permissions for accessing the artifacts bucket
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- s3:GetBucketAcl
|
||||
- s3:GetObjectTagging
|
||||
- s3:GetObjectVersionTagging
|
||||
- s3:GetObject
|
||||
- s3:GetObjectVersion
|
||||
- s3:PutObject
|
||||
|
|
@ -122,8 +125,8 @@ Resources:
|
|||
- s3:GetBucketLocation
|
||||
- s3:GetBucketVersioning
|
||||
Resource:
|
||||
- "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket"
|
||||
- "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket/*"
|
||||
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
|
||||
- !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
|
||||
- "arn:aws:s3:::naputo-blog-source"
|
||||
- "arn:aws:s3:::naputo-blog-source/*"
|
||||
# Permissions for CloudFormation actions
|
||||
|
|
@ -141,12 +144,15 @@ Resources:
|
|||
Action:
|
||||
- codebuild:StartBuild
|
||||
- codebuild:BatchGetBuilds
|
||||
Resource: "*"
|
||||
Resource:
|
||||
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:build/*"
|
||||
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*"
|
||||
# Permissions for manual approval actions in CodePipeline
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- codepipeline:StartPipelineExecution
|
||||
- codepipeline:PutApprovalResult
|
||||
Resource: "*"
|
||||
Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
|
||||
|
||||
MyBlogPipeline:
|
||||
Type: AWS::CodePipeline::Pipeline
|
||||
|
|
@ -154,7 +160,7 @@ Resources:
|
|||
PipelineType: V2
|
||||
ArtifactStore:
|
||||
Type: S3
|
||||
Location: "codebuild-ap-northeast-1-692859919890-input-bucket"
|
||||
Location: !Sub "codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
|
||||
RoleArn: !GetAtt CodePipelineRole.Arn
|
||||
Tags:
|
||||
- Key: Project
|
||||
|
|
@ -173,6 +179,7 @@ Resources:
|
|||
Configuration:
|
||||
S3Bucket: naputo-blog-source
|
||||
S3ObjectKey: source.zip
|
||||
PollForSourceChanges: false
|
||||
RunOrder: 1
|
||||
- Name: Build
|
||||
Actions:
|
||||
|
|
@ -214,3 +221,44 @@ Resources:
|
|||
BucketName: !Ref WebsiteBucket
|
||||
Extract: 'true'
|
||||
RunOrder: 1
|
||||
|
||||
S3SourceChangeRule:
|
||||
Type: AWS::Events::Rule
|
||||
Properties:
|
||||
Description: Trigger CodePipeline on S3 source update
|
||||
EventPattern:
|
||||
source:
|
||||
- aws.s3
|
||||
detail-type:
|
||||
- Object Created
|
||||
detail:
|
||||
bucket:
|
||||
name:
|
||||
- naputo-blog-source
|
||||
object:
|
||||
key:
|
||||
- source.zip
|
||||
Targets:
|
||||
- Arn: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${MyBlogPipeline}
|
||||
RoleArn: !GetAtt EventBridgeInvokePipelineRole.Arn
|
||||
Id: CodePipelineTarget
|
||||
|
||||
EventBridgeInvokePipelineRole:
|
||||
Type: AWS::IAM::Role
|
||||
Properties:
|
||||
AssumeRolePolicyDocument:
|
||||
Version: '2012-10-17'
|
||||
Statement:
|
||||
- Effect: Allow
|
||||
Principal:
|
||||
Service: events.amazonaws.com
|
||||
Action: sts:AssumeRole
|
||||
Policies:
|
||||
- PolicyName: AllowStartPipeline
|
||||
PolicyDocument:
|
||||
Version: '2012-10-17'
|
||||
Statement:
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- codepipeline:StartPipelineExecution
|
||||
Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${MyBlogPipeline}
|
||||
|
|
|
|||
|
|
@ -14,8 +14,21 @@ Resources:
|
|||
RepositoryName: !Ref RepositoryName
|
||||
ImageScanningConfiguration:
|
||||
ScanOnPush: true
|
||||
RepositoryPolicyText:
|
||||
Version: "2012-10-17"
|
||||
Statement:
|
||||
- Sid: AllowLambdaPullImage
|
||||
Effect: Allow
|
||||
Principal:
|
||||
Service: lambda.amazonaws.com
|
||||
Action:
|
||||
- ecr:BatchGetImage
|
||||
- ecr:BatchCheckLayerAvailability
|
||||
- ecr:GetDownloadUrlForLayer
|
||||
|
||||
Outputs:
|
||||
RepositoryUri:
|
||||
Description: URI of the ECR repository
|
||||
Value: !GetAtt Repository.RepositoryUri
|
||||
Export:
|
||||
Name: BlogDeployment-RepositoryUri
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ Resources:
|
|||
Statement:
|
||||
- Effect: Allow
|
||||
Principal:
|
||||
Service:
|
||||
Service:
|
||||
- lambda.amazonaws.com
|
||||
Action: sts:AssumeRole
|
||||
Policies:
|
||||
|
|
@ -28,6 +28,20 @@ Resources:
|
|||
Action:
|
||||
- s3:PutObject
|
||||
Resource: arn:aws:s3:::naputo-blog-source/*
|
||||
- PolicyName: LambdaEcrImagePullPolicy
|
||||
PolicyDocument:
|
||||
Version: '2012-10-17'
|
||||
Statement:
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- ecr:GetAuthorizationToken
|
||||
Resource: "*"
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- ecr:BatchGetImage
|
||||
- ecr:BatchCheckLayerAvailability
|
||||
- ecr:GetDownloadUrlForLayer
|
||||
Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*"
|
||||
ManagedPolicyArns:
|
||||
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
|
||||
|
||||
|
|
@ -35,7 +49,11 @@ Resources:
|
|||
Type: AWS::Serverless::Function
|
||||
Properties:
|
||||
PackageType: Image
|
||||
ImageUri: 692859919890.dkr.ecr.ap-northeast-1.amazonaws.com/blog-deployment:latest
|
||||
ImageUri:
|
||||
!Join
|
||||
- ":"
|
||||
- - !ImportValue BlogDeployment-RepositoryUri
|
||||
- "latest"
|
||||
Timeout: 30
|
||||
MemorySize: 256
|
||||
Environment:
|
||||
|
|
@ -44,10 +62,10 @@ Resources:
|
|||
REPO_BRANCH: "main"
|
||||
S3_BUCKET: "naputo-blog-source"
|
||||
S3_KEY: "source.zip"
|
||||
WEBHOOK_SECRET:
|
||||
WEBHOOK_SECRET:
|
||||
Fn::Sub:
|
||||
- "{{resolve:secretsmanager:${SecretArn}:SecretString:secretNumber:AWSCURRENT}}"
|
||||
- SecretArn:
|
||||
- SecretArn:
|
||||
Fn::ImportValue: SecretForWebhook-ARN
|
||||
Role: !GetAtt MyLambdaRole.Arn
|
||||
Events:
|
||||
|
|
@ -85,4 +103,4 @@ Resources:
|
|||
'401':
|
||||
description: "Unauthorized - Signature verification failed"
|
||||
'500':
|
||||
description: "Server error - Deployment process failed"
|
||||
description: "Server error - Deployment process failed"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue