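---
# cbactions: GitHub Actions self-hosted runners backed by AWS CodeBuild.
#
# What this template wires up (only what is visible here):
#   * An ECS task definition (image "listener-<ImageSuffix>") whose task role
#     may kms:Encrypt with KmsKeyArn, start/poll builds on CodeBuildProject,
#     and read/write SSM parameters under /cbactions.
#   * A CodeBuild project (image "worker-<ImageSuffix>") whose service role
#     may kms:Decrypt with the same key and write its own build logs.
#   * The ECS Service that would actually schedule the listener is left
#     commented out at the bottom, so `Cluster` and `SubnetIds` are currently
#     unused by any live resource.
#
# Supply-chain note: both images are pulled from ghcr.io by a mutable tag
# derived from ImageSuffix. Point ImageSuffix at an immutable value (or switch
# to a digest-qualified reference) for anything beyond development.
#
# Hardening applied in this revision (no functional change for the happy path):
#   * every trust policy carries Version "2012-10-17" and an aws:SourceAccount
#     condition (cross-service confused-deputy guard);
#   * logs:CreateLogGroup on the execution role is scoped to the one log group
#     the task actually asks the awslogs driver to create (was Resource: "*");
#   * CodeBuild log permissions are scoped to this region instead of `*`;
#   * ARNs use ${AWS::Partition} so the template also deploys outside the
#     commercial partition.
Parameters:
  KmsKeyArn:
    Type: String
    Description: >-
      ARN of the KMS key shared by the listener (kms:Encrypt) and the CodeBuild
      worker (kms:Decrypt).
  Cluster:
    Type: String
    Description: ECS cluster for the listener Service (currently commented out).
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnets for the listener Service (currently commented out).
  ImageSuffix:
    Type: String
    Description: Tag suffix selecting the listener/worker images on ghcr.io.

Resources:
  # Per-job worker. Started by the listener via codebuild:StartBuild.
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      ServiceRole: !GetAtt CodeBuildRole.Arn
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        # PrivilegedMode is deliberately left at its default (false); nothing
        # here requires Docker-in-Docker.
        Image: !Sub ghcr.io/glassechidna/cbactions:worker-${ImageSuffix}
      Source:
        Type: NO_SOURCE
        # Runtime data consumed by CodeBuild -- kept verbatim.
        # NOTE(review): `entrypoint` is assumed to write
        # /tmp/cbactions_exitcode.txt; if it does not, `cat` fails and
        # RUNNER_EXITCODE is exported empty. Confirm against the worker image.
        BuildSpec: |
          version: 0.2
          env:
            exported-variables:
              - RUNNER_EXITCODE
          phases:
            build:
              commands:
                - entrypoint
                - export RUNNER_EXITCODE=$(cat /tmp/cbactions_exitcode.txt)

  # Service role assumed by CodeBuild for the worker builds.
  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: codebuild.amazonaws.com
            # Only CodeBuild acting on behalf of this account may assume the
            # role (confused-deputy guard). A project-ARN aws:SourceArn would
            # be tighter but creates a CodeBuildProject <-> CodeBuildRole cycle.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: AllowLogs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: DecryptWithSharedKey
                Effect: Allow
                Action: kms:Decrypt
                Resource: !Ref KmsKeyArn
              - Sid: WriteBuildLogs
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                # CodeBuild writes its logs in the project's own region, so a
                # region wildcard is not needed. The group name cannot be
                # narrowed further without a fixed project Name (it would
                # otherwise reference CodeBuildProject and form a cycle).
                Resource:
                  - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*
                  - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*:*

  # Long-running listener task (Fargate-shaped: awsvpc, task-level Cpu/Memory,
  # execution role for image pull and logging).
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: cbactions
      TaskRoleArn: !Ref TaskRole
      ExecutionRoleArn: !Ref ExecutionRole
      Cpu: 512
      Memory: 1024
      NetworkMode: awsvpc
      Volumes: []
      ContainerDefinitions:
        - Name: cbactions
          Image: !Sub ghcr.io/glassechidna/cbactions:listener-${ImageSuffix}
          Environment:
            - Name: AWS_REGION
              Value: !Ref AWS::Region
            - Name: CODEBUILD_PROJECT_NAME
              Value: !Ref CodeBuildProject
            - Name: KMS_KEY_ARN
              Value: !Ref KmsKeyArn
          LogConfiguration:
            LogDriver: awslogs
            Options:
              # Requires logs:CreateLogGroup on the group below, granted to
              # ExecutionRole. Quoted: the driver expects the string "true".
              awslogs-create-group: "true"
              awslogs-region: !Ref AWS::Region
              awslogs-group: cbactions
              awslogs-stream-prefix: cbactions

  # Permissions the listener container itself uses.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: ecs-tasks.amazonaws.com
            # Confused-deputy guard: only ECS tasks in this account.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: AllowThings
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: EncryptWithSharedKey
                Effect: Allow
                Action: kms:Encrypt
                Resource: !Ref KmsKeyArn
              - Sid: DriveWorkerBuilds
                Effect: Allow
                Action:
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuilds
                Resource: !GetAtt CodeBuildProject.Arn
              - Sid: ReadWriteCbactionsParameters
                Effect: Allow
                Action:
                  - ssm:GetParameter*
                  - ssm:PutParameter
                Resource:
                  - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/cbactions
                  - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/cbactions/*

  # Role used by the ECS agent to pull the image and ship logs; not visible to
  # the container's own code.
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: ecs-tasks.amazonaws.com
            # Confused-deputy guard: only ECS tasks in this account.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: AllowLogGroupCreate
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Previously Resource: "*". The only group this role ever needs
              # to create is the one named in the task's awslogs-group option,
              # in the region named in awslogs-region.
              - Effect: Allow
                Action: logs:CreateLogGroup
                Resource:
                  - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:cbactions
                  - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:cbactions:*

  # Not yet enabled: this Service is what would actually schedule the listener
  # task on Fargate. When enabling it, note that AssignPublicIp: ENABLED gives
  # the task a public address. The listener presumably only needs outbound
  # connectivity, so prefer private subnets with NAT egress (and DISABLED
  # here) unless the chosen subnets have no other route out.
  # Service:
  #   Type: AWS::ECS::Service
  #   Properties:
  #     ServiceName: cbactions
  #     Cluster: !Ref Cluster
  #     TaskDefinition: !Ref TaskDefinition
  #     DesiredCount: 1
  #     LaunchType: FARGATE
  #     NetworkConfiguration:
  #       AwsvpcConfiguration:
  #         AssignPublicIp: ENABLED
  #         Subnets: !Ref SubnetIds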