From 1f6192d6c0d5c45d20b39a90a88a57f4805b6b88 Mon Sep 17 00:00:00 2001
From: Kevin BEAUGRAND
Date: Thu, 8 Jun 2023 16:37:52 +0200
Subject: [PATCH] Fix #2080 - Update AWS template deployment and CI
---
.github/workflows/publish.yml | 3 +-
templates/aws/awsdeploy.yml | 58 ++---------------------------------
2 files changed, 5 insertions(+), 56 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index db69407ce..9cefa5ec9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -140,7 +140,8 @@ jobs:
- name: Update IoTHub Portal docker image tag in awsdeploy.yml
working-directory: arm-templates/templates/aws
- run: sed -i 's/\${AWS::AccountId}.dkr.ecr.\${AWS::Region}.amazonaws.com\/iot-hub-portal:latest/public.ecr.aws\/cgi-fr\/iothub-portal:${{ fromJSON(steps.version.outputs.json).labels['org.opencontainers.image.version'] }}/g' awsdeploy.yml
+ run: |
+ sed -i 's/public.ecr.aws\/cgi-fr\/iothub-portal:latest/public.ecr.aws\/cgi-fr\/iothub-portal:${{ fromJSON(steps.version.outputs.json).labels['org.opencontainers.image.version'] }}/g' awsdeploy.yml
- name: Generate ARM file
working-directory: arm-templates/templates/azure
diff --git a/templates/aws/awsdeploy.yml b/templates/aws/awsdeploy.yml
index ab400fb3b..706341a42 100644
--- a/templates/aws/awsdeploy.yml
+++ b/templates/aws/awsdeploy.yml
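Review bot: The new `run` block still gives no signal when the sed pattern stops matching, which is exactly how the previous pattern (`${AWS::AccountId}.dkr.ecr...`) drifted away from awsdeploy.yml and the published template kept shipping `:latest`; a `grep -q` on the substituted tag after the sed turns that silent no-op into a failed step. The `${{ fromJSON(...).labels[...] }}` expression is also spliced directly into the shell script; routing it through `env:` and referencing `"${IMAGE_TAG}"` keeps the script free of expression-injection surfaces, which matters if the label is ever derived from ref names that are not fully controlled. The enclosing job and step list continue outside the hunk.
```yaml
      - name: Update IoTHub Portal docker image tag in awsdeploy.yml
        working-directory: arm-templates/templates/aws
        env:
          IMAGE_TAG: "${{ fromJSON(steps.version.outputs.json).labels['org.opencontainers.image.version'] }}"
        run: |
          sed -i "s#public.ecr.aws/cgi-fr/iothub-portal:latest#public.ecr.aws/cgi-fr/iothub-portal:${IMAGE_TAG}#g" awsdeploy.yml
          # fail the job if the template no longer contains the reference the sed expects to rewrite
          grep -q "iothub-portal:${IMAGE_TAG}" awsdeploy.yml
```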
@@ -454,56 +454,7 @@ Resources:
- - Fn::Sub: "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:"
- Ref: "AWS::StackName"
- "-*"
- - PolicyName: AmazonElasticContainerRegistryPublicReadOnly
- PolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: Allow
- Action:
- - "ecr-public:GetAuthorizationToken"
- - "sts:GetServiceBearerToken"
- - "ecr-public:BatchCheckLayerAvailability"
- - "ecr-public:GetRepositoryPolicy"
- - "ecr-public:DescribeRepositories"
- - "ecr-public:DescribeRegistries"
- - "ecr-public:DescribeImages"
- - "ecr-public:DescribeImageTags"
- - "ecr-public:GetRepositoryCatalogData"
- - "ecr-public:GetRegistryCatalogData"
- Resource: "*"
- - PolicyName: AWSAppRunnerFullAccess
- PolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: Allow
- Action: "iam:CreateServiceLinkedRole"
- Resource: "arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner"
- Condition:
- StringLike:
- iam:AWSServiceName: "apprunner.amazonaws.com"
- - Effect: Allow
- Action: "iam:PassRole"
- Resource: "*"
- Condition:
- StringLike:
- iam:PassedToService: "apprunner.amazonaws.com"
- - Sid: AppRunnerAdminAccess
- Effect: Allow
- Action: "apprunner:*"
- Resource: "*"
- - PolicyName: AWSAppRunnerServicePolicyForECRAccess
- PolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: Allow
- Action:
- - "ecr:GetDownloadUrlForLayer"
- - "ecr:BatchGetImage"
- - "ecr:DescribeImages"
- - "ecr:GetAuthorizationToken"
- - "ecr:BatchCheckLayerAvailability"
- Resource: "*"
-
+
AppRunnerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
@@ -572,9 +523,6 @@ Resources:
Ref: AppRunnerServiceVPCConnector
SourceConfiguration:
AutoDeploymentsEnabled: false
- AuthenticationConfiguration:
- AccessRoleArn:
- Fn::GetAtt: InstanceRole.Arn
ImageRepository:
ImageConfiguration:
Port: 80
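Review bot: Once the second hunk (`@@ -572,9 +523,6 @@`) drops `AccessRoleArn: Fn::GetAtt: InstanceRole.Arn` and this hunk strips the ECR, ECR Public and App Runner policies from the same role, InstanceRole is only justified if something else in the template still attaches it, presumably as the App Runner instance role that reads the `arn:aws:secretsmanager:...:secret:` + stack-name + `-*` secrets visible in the context lines; if no other reference remains, the role should be deleted rather than left orphaned with a Secrets Manager grant. Dropping `apprunner:*` and `iam:PassRole` on `Resource: "*"` is a real privilege reduction, and an ECR_PUBLIC image needs no access role, so the two hunks are consistent with each other. A comment on the remaining role, `# Instance role only: the image is pulled from ECR Public, so no registry or App Runner access policies belong here`, would discourage re-adding the wildcard statements later. The role definition these policies belonged to starts above the hunk.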
@@ -634,8 +582,8 @@ Resources:
- Name: CloudProvider
Value: AWS
ImageIdentifier:
- Fn::Sub: "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/iot-hub-portal:latest"
- ImageRepositoryType: ECR
+ Fn::Sub: "public.ecr.aws/cgi-fr/iothub-portal:latest"
+ ImageRepositoryType: ECR_PUBLIC
Tags:
- Key: Name
Value:
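Review bot: `Fn::Sub` around `"public.ecr.aws/cgi-fr/iothub-portal:latest"` no longer substitutes anything, so a plain scalar, `ImageIdentifier: "public.ecr.aws/cgi-fr/iothub-portal:latest"`, states the intent more honestly; this literal is also what the sed in publish.yml pattern-matches, so any later edit here has to be mirrored there. The committed template still points at the mutable `latest` tag, and with `AutoDeploymentsEnabled: false` (visible in the previous hunk) a stack created from the raw repository file pulls whatever `latest` resolves to at deploy time; pinning a version tag (or a digest, if App Runner accepts one in the identifier) in the template, as the release pipeline already does for published artifacts, makes deployments reproducible and auditable. `ECR_PUBLIC` is the correct repository type for a `public.ecr.aws` identifier.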