feat(cicd): enable S3-triggered CodePipeline and align IAM/ECR integration

- enable EventBridge notifications on source S3 bucket - trigger CodePipeline execution on source.zip updates - fix artifact bucket ARN substitutions - extend CodePipeline role permissions for S3, CodeBuild, and approvals - allow Lambda to pull images from ECR via repository policy - export ECR repository URI and reference it from Lambda
2026-01-01 11:18:26 +09:00 · 2026-01-01 11:18:26 +09:00 · 621b9f006e
commit 621b9f006e
parent 0c9a8feb9f
4 changed files with 97 additions and 15 deletions
--- a/infra/cfn/template-codepipeline.yaml
+++ b/infra/cfn/template-codepipeline.yaml
@ -37,12 +37,12 @@ Resources:
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
-            Action: 
+            Action:
              - s3:GetObject
            Resource: !Sub "arn:aws:s3:::${WebsiteBucket}/*"
            Condition:
              StringEquals:
-                AWS:SourceArn: 
+                AWS:SourceArn:
                  Fn::Sub:
                    - arn:aws:cloudfront::${AWS::AccountId}:distribution/${MyCloudFrontDistribution}
                    - MyCloudFrontDistribution:
@ -77,8 +77,8 @@ Resources:
                  - s3:PutObject
                  - s3:ListBucket
                Resource:
-                  - "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket"
-                  - "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket/*"
+                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
+                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
                  - "arn:aws:s3:::naputo-blog-source"
                  - "arn:aws:s3:::naputo-blog-source/*"

@ -115,6 +115,9 @@ Resources:
              # Permissions for accessing the artifacts bucket
              - Effect: Allow
                Action:
+                  - s3:GetBucketAcl
+                  - s3:GetObjectTagging
+                  - s3:GetObjectVersionTagging
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:PutObject
@ -122,8 +125,8 @@ Resources:
                  - s3:GetBucketLocation
                  - s3:GetBucketVersioning
                Resource:
-                  - "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket"
-                  - "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket/*"
+                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
+                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
                  - "arn:aws:s3:::naputo-blog-source"
                  - "arn:aws:s3:::naputo-blog-source/*"
              # Permissions for CloudFormation actions
@ -141,12 +144,15 @@ Resources:
                Action:
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuilds
-                Resource: "*"
+                Resource:
+                  - !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:build/*"
+                  - !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*"
              # Permissions for manual approval actions in CodePipeline
              - Effect: Allow
                Action:
+                  - codepipeline:StartPipelineExecution
                  - codepipeline:PutApprovalResult
-                Resource: "*"
+                Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"

  MyBlogPipeline:
    Type: AWS::CodePipeline::Pipeline
@ -154,7 +160,7 @@ Resources:
      PipelineType: V2
      ArtifactStore:
        Type: S3
-        Location: "codebuild-ap-northeast-1-692859919890-input-bucket"
+        Location: !Sub "codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
      RoleArn: !GetAtt CodePipelineRole.Arn
      Tags:
        - Key: Project
@ -173,6 +179,7 @@ Resources:
              Configuration:
                S3Bucket: naputo-blog-source
                S3ObjectKey: source.zip
+                PollForSourceChanges: false
              RunOrder: 1
        - Name: Build
          Actions:
@ -214,3 +221,44 @@ Resources:
                BucketName: !Ref WebsiteBucket
                Extract: 'true'
              RunOrder: 1
+
+  S3SourceChangeRule:
+    Type: AWS::Events::Rule
+    Properties:
+      Description: Trigger CodePipeline on S3 source update
+      EventPattern:
+        source:
+          - aws.s3
+        detail-type:
+          - Object Created
+        detail:
+          bucket:
+            name:
+              - naputo-blog-source
+          object:
+            key:
+              - source.zip
+      Targets:
+        - Arn: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${MyBlogPipeline}
+          RoleArn: !GetAtt EventBridgeInvokePipelineRole.Arn
+          Id: CodePipelineTarget
+
+  EventBridgeInvokePipelineRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: AllowStartPipeline
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - codepipeline:StartPipelineExecution
+                Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${MyBlogPipeline}