feat(cicd): enable S3-triggered CodePipeline and align IAM/ECR integration

- enable EventBridge notifications on source S3 bucket
- trigger CodePipeline execution on source.zip updates
- fix artifact bucket ARN substitutions
- extend CodePipeline role permissions for S3, CodeBuild, and approvals
- allow Lambda to pull images from ECR via repository policy
- export ECR repository URI and reference it from Lambda

infra/cfn/template-blog-source-bucket.yaml

@@ -17,3 +17,6 @@ Resources:
           Value: Git-server
       VersioningConfiguration:
         Status: Enabled
+      NotificationConfiguration:
+        EventBridgeConfiguration:
+          EventBridgeEnabled: true

infra/cfn/template-codepipeline.yaml

@@ -77,8 +77,8 @@ Resources:
                   - s3:PutObject
                   - s3:ListBucket
                 Resource:
-                  - "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket"
+                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
-                  - "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket/*"
+                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
                   - "arn:aws:s3:::naputo-blog-source"
                   - "arn:aws:s3:::naputo-blog-source/*"
 
@@ -115,6 +115,9 @@ Resources:
               # Permissions for accessing the artifacts bucket
               - Effect: Allow
                 Action:
+                  - s3:GetBucketAcl
+                  - s3:GetObjectTagging
+                  - s3:GetObjectVersionTagging
                   - s3:GetObject
                   - s3:GetObjectVersion
                   - s3:PutObject
@@ -122,8 +125,8 @@ Resources:
                   - s3:GetBucketLocation
                   - s3:GetBucketVersioning
                 Resource:
-                  - "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket"
+                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
-                  - "arn:aws:s3:::codebuild-ap-northeast-1-692859919890-input-bucket/*"
+                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
                   - "arn:aws:s3:::naputo-blog-source"
                   - "arn:aws:s3:::naputo-blog-source/*"
               # Permissions for CloudFormation actions
@@ -141,12 +144,15 @@ Resources:
                 Action:
                   - codebuild:StartBuild
                   - codebuild:BatchGetBuilds
-                Resource: "*"
+                Resource:
+                  - !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:build/*"
+                  - !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*"
               # Permissions for manual approval actions in CodePipeline
               - Effect: Allow
                 Action:
+                  - codepipeline:StartPipelineExecution
                   - codepipeline:PutApprovalResult
-                Resource: "*"
+                Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
 
   MyBlogPipeline:
     Type: AWS::CodePipeline::Pipeline
@@ -154,7 +160,7 @@ Resources:
       PipelineType: V2
       ArtifactStore:
         Type: S3
-        Location: "codebuild-ap-northeast-1-692859919890-input-bucket"
+        Location: !Sub "codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
       RoleArn: !GetAtt CodePipelineRole.Arn
       Tags:
         - Key: Project
@@ -173,6 +179,7 @@ Resources:
               Configuration:
                 S3Bucket: naputo-blog-source
                 S3ObjectKey: source.zip
+                PollForSourceChanges: false
               RunOrder: 1
         - Name: Build
           Actions:
@@ -214,3 +221,44 @@ Resources:
                 BucketName: !Ref WebsiteBucket
                 Extract: 'true'
               RunOrder: 1
+
+  S3SourceChangeRule:
+    Type: AWS::Events::Rule
+    Properties:
+      Description: Trigger CodePipeline on S3 source update
+      EventPattern:
+        source:
+          - aws.s3
+        detail-type:
+          - Object Created
+        detail:
+          bucket:
+            name:
+              - naputo-blog-source
+          object:
+            key:
+              - source.zip
+      Targets:
+        - Arn: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${MyBlogPipeline}
+          RoleArn: !GetAtt EventBridgeInvokePipelineRole.Arn
+          Id: CodePipelineTarget
+
+  EventBridgeInvokePipelineRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: AllowStartPipeline
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - codepipeline:StartPipelineExecution
+                Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${MyBlogPipeline}

infra/cfn/template-container-repository.yaml

@@ -14,8 +14,21 @@ Resources:
       RepositoryName: !Ref RepositoryName
       ImageScanningConfiguration:
         ScanOnPush: true
+      RepositoryPolicyText:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: AllowLambdaPullImage
+            Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+            Action:
+              - ecr:BatchGetImage
+              - ecr:BatchCheckLayerAvailability
+              - ecr:GetDownloadUrlForLayer
 
 Outputs:
   RepositoryUri:
     Description: URI of the ECR repository
     Value: !GetAtt Repository.RepositoryUri
+    Export:
+      Name: BlogDeployment-RepositoryUri

infra/cfn/template-lambda-function.yaml

@@ -28,6 +28,20 @@ Resources:
                 Action:
                   - s3:PutObject
                 Resource: arn:aws:s3:::naputo-blog-source/*
+        - PolicyName: LambdaEcrImagePullPolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - ecr:GetAuthorizationToken
+                Resource: "*"
+              - Effect: Allow
+                Action:
+                  - ecr:BatchGetImage
+                  - ecr:BatchCheckLayerAvailability
+                  - ecr:GetDownloadUrlForLayer
+                Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*"
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
 
@@ -35,7 +49,11 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       PackageType: Image
-      ImageUri: 692859919890.dkr.ecr.ap-northeast-1.amazonaws.com/blog-deployment:latest
+      ImageUri:
+        !Join
+          - ":"
+          - - !ImportValue BlogDeployment-RepositoryUri
+            - "latest"
       Timeout: 30
       MemorySize: 256
       Environment: