Daisuke
8cd30da394
- Align Dockerfile with AWS official documentation for provided runtime - Remove DefinitionBody from SAM template to avoid conflict with Events property - This enables SAM to automatically generate AWS::Lambda::Permission resource - Fixes 500 error when Forgejo webhook triggers API Gateway endpoint"
126 lines
3.5 KiB
YAML
126 lines
3.5 KiB
YAML
AWSTemplateFormatVersion: '2010-09-09'
|
|
Transform: AWS::Serverless-2016-10-31
|
|
|
|
Parameters:
|
|
StageName:
|
|
Type: String
|
|
Default: Prod
|
|
Description: Name of the API stage
|
|
|
|
SourceBucketName:
|
|
Type: String
|
|
Default: naputo-blog-source
|
|
Description: S3 bucket for blog source files
|
|
|
|
RepoURL:
|
|
Type: String
|
|
Default: "https://git.n-daisuke897.com/nakada0907/n-daisuke897-blog.git"
|
|
Description: Git repository URL
|
|
|
|
RepoBranch:
|
|
Type: String
|
|
Default: main
|
|
Description: Git repository branch
|
|
|
|
Resources:
|
|
|
|
MyLambdaRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
AssumeRolePolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal:
|
|
Service:
|
|
- lambda.amazonaws.com
|
|
Action: sts:AssumeRole
|
|
Policies:
|
|
- PolicyName: LambdaS3PutObjectPolicy
|
|
PolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- s3:PutObject
|
|
- s3:GetObject
|
|
- s3:ListBucket
|
|
Resource:
|
|
- !Sub "arn:aws:s3:::${SourceBucketName}"
|
|
- !Sub "arn:aws:s3:::${SourceBucketName}/*"
|
|
- PolicyName: LambdaEcrImagePullPolicy
|
|
PolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- ecr:GetAuthorizationToken
|
|
Resource: "*"
|
|
- Effect: Allow
|
|
Action:
|
|
- ecr:BatchGetImage
|
|
- ecr:BatchCheckLayerAvailability
|
|
- ecr:GetDownloadUrlForLayer
|
|
Resource:
|
|
Fn::ImportValue: BlogDeployment-RepositoryArn
|
|
ManagedPolicyArns:
|
|
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
|
|
|
|
MyLambdaFunction:
|
|
Type: AWS::Serverless::Function
|
|
Properties:
|
|
FunctionName: blog-deployment-webhook-handler
|
|
PackageType: Image
|
|
ImageUri: !Sub
|
|
- "${RepoUri}:latest"
|
|
- RepoUri: !ImportValue BlogDeployment-RepositoryUri
|
|
Timeout: 300
|
|
MemorySize: 512
|
|
Architectures:
|
|
- arm64
|
|
AutoPublishAlias: live
|
|
Environment:
|
|
Variables:
|
|
REPO_URL: !Ref RepoURL
|
|
REPO_BRANCH: !Ref RepoBranch
|
|
S3_BUCKET: !Ref SourceBucketName
|
|
S3_KEY: "source.zip"
|
|
WEBHOOK_SECRET:
|
|
Fn::Sub:
|
|
- "{{resolve:secretsmanager:${SecretArn}:SecretString:secretNumber:AWSCURRENT}}"
|
|
- SecretArn:
|
|
Fn::ImportValue: SecretForWebhook-ARN
|
|
Role: !GetAtt MyLambdaRole.Arn
|
|
Events:
|
|
ForgejoWebhook:
|
|
Type: Api
|
|
Properties:
|
|
RestApiId: !Ref MyApi
|
|
Path: /forgejo-webhook
|
|
Method: POST
|
|
|
|
MyApi:
|
|
Type: AWS::Serverless::Api
|
|
Properties:
|
|
Name: blog-deployment-webhook-api
|
|
StageName: !Ref StageName
|
|
EndpointConfiguration: REGIONAL
|
|
|
|
Outputs:
|
|
ApiEndpoint:
|
|
Description: API Gateway endpoint URL for webhook
|
|
Value: !Sub "https://${MyApi}.execute-api.${AWS::Region}.amazonaws.com/${StageName}/forgejo-webhook"
|
|
Export:
|
|
Name: !Sub "${AWS::StackName}-ApiEndpoint"
|
|
|
|
LambdaFunctionArn:
|
|
Description: Lambda function ARN
|
|
Value: !GetAtt MyLambdaFunction.Arn
|
|
Export:
|
|
Name: !Sub "${AWS::StackName}-LambdaArn"
|
|
|
|
LambdaFunctionName:
|
|
Description: Lambda function name
|
|
Value: !Ref MyLambdaFunction
|
|
Export:
|
|
Name: !Sub "${AWS::StackName}-LambdaName"
|