cfn-app-runner.yaml
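Parameters:
  # GitHubOrg and RepositoryName are substituted into the IAM role name, the
  # permissions-boundary ARN, the ECR repository ARN, the App Runner service
  # name and the image URI. The patterns below keep wildcard, path and ARN
  # separator characters ('*', '?', '/', ':') out of those strings so that the
  # ECR policy resource always names exactly one repository. The character
  # set is deliberately permissive; tighten it if the naming scheme allows.
  GitHubOrg:
    Type: String
    Description: GitHub organisation (or user) that owns the repository.
    AllowedPattern: '^[A-Za-z0-9._-]+$'
    ConstraintDescription: letters, digits, '.', '_' and '-' only
  RepositoryName:
    Type: String
    Description: Repository name; also the last path segment of the ECR repository.
    AllowedPattern: '^[A-Za-z0-9._-]+$'
    ConstraintDescription: letters, digits, '.', '_' and '-' only
  # Tag of the image to deploy. Tags are mutable unless tag immutability is
  # enabled on the ECR repository, so the same tag can later point at a
  # different image; prefer an immutable, per-build tag.
  ImageTag:
    Type: String
    Description: Tag of the container image to deploy.
    AllowedPattern: '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
    ConstraintDescription: must be a valid container image tag
  # TCP port the container listens on; passed to ImageConfiguration.Port.
  Port:
    Type: Number
    Description: Port the application listens on inside the container.
    MinValue: 1
    MaxValue: 65535
  # Cpu and Memory are passed unchanged to InstanceConfiguration; the allowed
  # values restrict the stack to the listed instance sizes.
  Cpu:
    Type: Number
    AllowedValues:
      - 1024
      - 2048
  Memory:
    Type: Number
    AllowedValues:
      - 2048
      - 3072
      - 4096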
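Resources:
  # Access role that App Runner assumes to pull the image from ECR.
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'quinntainer-app-${GitHubOrg}-${RepositoryName}'
      AssumeRolePolicyDocument:
        # Explicit policy language version, matching the inline policy below.
        Version: '2012-10-17'
        Statement:
          # Only the App Runner build service principal may assume this role.
          # NOTE(review): the trust statement has no Condition. Consider
          # scoping it with aws:SourceAccount / aws:SourceArn if App Runner
          # supplies those keys for this principal -- confirm before adding.
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: build.apprunner.amazonaws.com
      # The boundary policy is referenced by name and is not defined in this
      # template; it must already exist in the account or role creation
      # fails. It caps what this role can do regardless of attached policies.
      PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/quinntainer-boundary-${GitHubOrg}-${RepositoryName}'
      Policies:
        - PolicyName: ecr-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # ecr:GetAuthorizationToken does not support resource-level
              # permissions, so '*' is required for this one action.
              - Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
                Resource: '*'
              # Read-only pull actions, limited to the single repository
              # that belongs to this org/repo pair.
              - Effect: Allow
                Action:
                  - ecr:DescribeImages
                  - ecr:BatchGetImage
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                Resource:
                  - !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${GitHubOrg}/${RepositoryName}'
  # App Runner service that runs the image from the private ECR repository.
  App:
    Type: AWS::AppRunner::Service
    Properties:
      ServiceName: !Sub '${GitHubOrg}-${RepositoryName}'
      SourceConfiguration:
        AuthenticationConfiguration:
          AccessRoleArn: !GetAtt Role.Arn
        # With automatic deployments off, a push to the repository does not
        # redeploy the service by itself; a new image is rolled out through
        # a stack update.
        AutoDeploymentsEnabled: false
        ImageRepository:
          # The image is selected by tag, not by digest; see the ImageTag
          # parameter for the mutability caveat.
          ImageIdentifier: !Sub '${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${GitHubOrg}/${RepositoryName}:${ImageTag}'
          ImageRepositoryType: ECR
          ImageConfiguration:
            Port: !Ref Port
      InstanceConfiguration:
        Cpu: !Ref Cpu
        Memory: !Ref Memory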
Outputs:
  # URL that App Runner assigned to the service, exported for callers of
  # the stack.
  AppUrl:
    Value:
      Fn::GetAtt:
        - App
        - ServiceUrl