Fix #2080 - Update AWS template deployment and CI
kbeaugrand committed Jun 22, 2023
1 parent e91771f commit 1f6192d
Showing 2 changed files with 5 additions and 56 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/publish.yml
@@ -140,7 +140,8 @@ jobs:

- name: Update IoTHub Portal docker image tag in awsdeploy.yml
working-directory: arm-templates/templates/aws
run: sed -i 's/\${AWS::AccountId}.dkr.ecr.\${AWS::Region}.amazonaws.com\/iot-hub-portal:latest/public.ecr.aws\/cgi-fr\/iothub-portal:${{ fromJSON(steps.version.outputs.json).labels['org.opencontainers.image.version'] }}/g' awsdeploy.yml
run: |
sed -i 's/public.ecr.aws\/cgi-fr\/iothub-portal:latest/public.ecr.aws\/cgi-fr\/iothub-portal:${{ fromJSON(steps.version.outputs.json).labels['org.opencontainers.image.version'] }}/g' awsdeploy.yml
- name: Generate ARM file
working-directory: arm-templates/templates/azure
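Review bot: The rewritten `sed` in the "Update IoTHub Portal docker image tag" step exits 0 even when its pattern matches nothing, so if the `ImageIdentifier` string in awsdeploy.yml drifts from this pattern again, the published template would keep the mutable `:latest` tag and the workflow would not notice. A check on the next line of the `run: |` block would make the step fail instead, for example `if grep -q 'iothub-portal:latest' awsdeploy.yml; then echo 'image tag not rewritten' >&2; exit 1; fi`. The `${{ fromJSON(...) }}` expression is also pasted into the script text before the shell runs. Passing the version through the step's `env:` and referencing it as a quoted shell variable would keep an unexpected character in the label (a quote, `/` or `&`) from changing the command or the sed replacement.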
58 changes: 3 additions & 55 deletions templates/aws/awsdeploy.yml
@@ -454,56 +454,7 @@ Resources:
- - Fn::Sub: "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:"
- Ref: "AWS::StackName"
- "-*"
- PolicyName: AmazonElasticContainerRegistryPublicReadOnly
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "ecr-public:GetAuthorizationToken"
- "sts:GetServiceBearerToken"
- "ecr-public:BatchCheckLayerAvailability"
- "ecr-public:GetRepositoryPolicy"
- "ecr-public:DescribeRepositories"
- "ecr-public:DescribeRegistries"
- "ecr-public:DescribeImages"
- "ecr-public:DescribeImageTags"
- "ecr-public:GetRepositoryCatalogData"
- "ecr-public:GetRegistryCatalogData"
Resource: "*"
- PolicyName: AWSAppRunnerFullAccess
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: "iam:CreateServiceLinkedRole"
Resource: "arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner"
Condition:
StringLike:
iam:AWSServiceName: "apprunner.amazonaws.com"
- Effect: Allow
Action: "iam:PassRole"
Resource: "*"
Condition:
StringLike:
iam:PassedToService: "apprunner.amazonaws.com"
- Sid: AppRunnerAdminAccess
Effect: Allow
Action: "apprunner:*"
Resource: "*"
- PolicyName: AWSAppRunnerServicePolicyForECRAccess
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "ecr:GetDownloadUrlForLayer"
- "ecr:BatchGetImage"
- "ecr:DescribeImages"
- "ecr:GetAuthorizationToken"
- "ecr:BatchCheckLayerAvailability"
Resource: "*"


AppRunnerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
@@ -572,9 +523,6 @@ Resources:
Ref: AppRunnerServiceVPCConnector
SourceConfiguration:
AutoDeploymentsEnabled: false
AuthenticationConfiguration:
AccessRoleArn:
Fn::GetAtt: InstanceRole.Arn
ImageRepository:
ImageConfiguration:
Port: 80
@@ -634,8 +582,8 @@ Resources:
- Name: CloudProvider
Value: AWS
ImageIdentifier:
Fn::Sub: "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/iot-hub-portal:latest"
ImageRepositoryType: ECR
Fn::Sub: "public.ecr.aws/cgi-fr/iothub-portal:latest"
ImageRepositoryType: ECR_PUBLIC
Tags:
- Key: Name
Value:
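Review bot: `ImageIdentifier` in the last hunk now points at `public.ecr.aws/cgi-fr/iothub-portal:latest`, a mutable tag on a public registry, so a stack created straight from the committed template runs whatever image that tag resolves to at deploy time and nothing in the stack records which one it was. The publish workflow rewrites the tag for released templates, but the committed default would be safer as a fixed version, or as a digest reference such as `public.ecr.aws/cgi-fr/iothub-portal@sha256:<digest>` (placeholder) if App Runner accepts that form here. Separately, `InstanceRole` is no longer passed as `AccessRoleArn`, and its trust policy lies outside these hunks. It is worth checking whether that policy still lists a `build.apprunner.amazonaws.com` principal that can now be dropped along with the removed inline policies.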
