feat(cicd): enable S3-triggered CodePipeline and align IAM/ECR integration

- enable EventBridge notifications on source S3 bucket - trigger CodePipeline execution on source.zip updates - fix artifact bucket ARN substitutions - extend CodePipeline role permissions for S3, CodeBuild, and approvals - allow Lambda to pull images from ECR via repository policy - export ECR repository URI and reference it from Lambda
2026-01-01 11:18:26 +09:00 · 2026-01-01 11:18:26 +09:00 · 621b9f006e
commit 621b9f006e
parent 0c9a8feb9f
4 changed files with 97 additions and 15 deletions
--- a/infra/cfn/template-lambda-function.yaml
+++ b/infra/cfn/template-lambda-function.yaml
@ -16,7 +16,7 @@ Resources:
        Statement:
          - Effect: Allow
            Principal:
-              Service: 
+              Service:
                - lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
@ -28,6 +28,20 @@ Resources:
                Action:
                  - s3:PutObject
                Resource: arn:aws:s3:::naputo-blog-source/*
+        - PolicyName: LambdaEcrImagePullPolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - ecr:GetAuthorizationToken
+                Resource: "*"
+              - Effect: Allow
+                Action:
+                  - ecr:BatchGetImage
+                  - ecr:BatchCheckLayerAvailability
+                  - ecr:GetDownloadUrlForLayer
+                Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

@ -35,7 +49,11 @@ Resources:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
-      ImageUri: 692859919890.dkr.ecr.ap-northeast-1.amazonaws.com/blog-deployment:latest
+      ImageUri:
+        !Join
+          - ":"
+          - - !ImportValue BlogDeployment-RepositoryUri
+            - "latest"
      Timeout: 30
      MemorySize: 256
      Environment:
@ -44,10 +62,10 @@ Resources:
          REPO_BRANCH: "main"
          S3_BUCKET: "naputo-blog-source"
          S3_KEY: "source.zip"
-          WEBHOOK_SECRET: 
+          WEBHOOK_SECRET:
            Fn::Sub:
              - "{{resolve:secretsmanager:${SecretArn}:SecretString:secretNumber:AWSCURRENT}}"
-              - SecretArn: 
+              - SecretArn:
                  Fn::ImportValue: SecretForWebhook-ARN
      Role: !GetAtt MyLambdaRole.Arn
      Events:
@ -85,4 +103,4 @@ Resources:
                '401':
                  description: "Unauthorized - Signature verification failed"
                '500':
-                  description: "Server error - Deployment process failed"
+                  description: "Server error - Deployment process failed"