# CloudFormation template for the StoreCon CI/CD pipeline: CodePipeline, CodeBuild,
# ECR, ECS Fargate services for STG and PRD, and ALBs. The Description below labels
# it as an educational / reference template.
# NOTE(review): the STG and PRD services defined further down share one stack, VPC,
# ECS cluster, task definition and ALB security group, so a change made for one
# environment also lands on the other - confirm that this coupling is intended.
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  StoreCon CI/CD Pipeline アーキテクチャ
  CodePipeline + CodeBuild + ECR + ECS Fargate (STG/PRD) + ALB の
  フルマネージド継続的デリバリーパイプラインテンプレート（教育・参照用）

# ============================================================
# Parameters
# Every default is a placeholder; a TODO marks a value that is
# meant to be reviewed before real-world use.
# ============================================================
Parameters:
  # Target environment; used as a prefix in most resource names.
  EnvironmentName:
    Description: デプロイ対象環境（dev / stg / prod）
    Type: String
    AllowedValues:
      - dev
      - stg
      - prod
    Default: dev

  # TODO: change for production use
  VpcCIDR:
    Description: VPC の CIDR ブロック
    Type: String
    Default: '10.0.0.0/16'

  # TODO: change for production use
  PublicSubnet1CIDR:
    Type: String
    Default: '10.0.1.0/24'

  # TODO: change for production use
  PublicSubnet2CIDR:
    Type: String
    Default: '10.0.2.0/24'

  # TODO: change for production use
  PrivateSubnet1CIDR:
    Type: String
    Default: '10.0.11.0/24'

  # TODO: change for production use
  PrivateSubnet2CIDR:
    Type: String
    Default: '10.0.12.0/24'

  # TODO: change for production use (GitHub repository name, etc.)
  SourceRepo:
    Description: CodeCommit / CodeStar Connection のリポジトリ名
    Type: String
    Default: 'storcon-app'

  # TODO: change for production use
  ContainerPort:
    Description: アプリケーションコンテナのリスニングポート
    Type: Number
    Default: 8080

  # TODO: change for production use (Fargate task CPU / memory)
  # NOTE(review): CPU and memory are validated independently here; whether a given
  # pair is a combination Fargate accepts is not checked by this template.
  TaskCpu:
    Type: String
    AllowedValues:
      - '256'
      - '512'
      - '1024'
      - '2048'
      - '4096'
    Default: '256'

  # TODO: change for production use
  TaskMemory:
    Type: String
    AllowedValues:
      - '512'
      - '1024'
      - '2048'
      - '4096'
    Default: '512'

  # TODO: change for production use (e-mail address that receives approval notices)
  ApprovalEmail:
    Type: String
    Default: 'ops-team@example.com'

# ============================================================
# Resources
# ============================================================
Resources:

  # ----------------------------------------------------------
  # VPC / network definitions (for ECS Fargate)
  # ----------------------------------------------------------
  # VPC sized by the VpcCIDR parameter, with DNS resolution and DNS hostnames on.
  StorConVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCIDR
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Value: !Sub '${EnvironmentName}-storcon-vpc'
          Key: Name

  # Internet gateway; it only becomes usable once attached to the VPC below.
  InternetGateway:
    Type: AWS::EC2::InternetGateway

  # Attaches the internet gateway to the VPC.
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref StorConVPC

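  # Public subnets (ALB placement), one in each of the first two AZs of the region.
  # NOTE(review): MapPublicIpOnLaunch gives every interface launched here a public
  # address. Only the ALBs are placed in these subnets in this template; confirm
  # whether the setting is needed at all.
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref StorConVPC
      CidrBlock: !Ref PublicSubnet1CIDR
      AvailabilityZone: !Select [0, !GetAZs ""]
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub "${EnvironmentName}-public-subnet-1"

  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref StorConVPC
      CidrBlock: !Ref PublicSubnet2CIDR
      AvailabilityZone: !Select [1, !GetAZs ""]
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub "${EnvironmentName}-public-subnet-2"

  # Route table for the public subnets. Without it the subnets fall back to the
  # VPC main route table, which carries only the local route, so the
  # internet-facing ALBs placed here would not be reachable.
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref StorConVPC
      Tags:
        - Key: Name
          Value: !Sub "${EnvironmentName}-public-rt"

  # Default route to the internet gateway; the route can only be created after
  # the gateway is attached, hence the explicit DependsOn.
  PublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway

  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicRouteTable

  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicRouteTable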

  # Private subnets (ECS task placement), spread over the same two AZs as the
  # public ones. No public IP mapping is configured on them.
  # NOTE(review): as shown, this template defines no NAT gateway and no VPC
  # endpoints (ECR API / ECR Docker, S3, CloudWatch Logs). Tasks that run here
  # without a public IP need one of the two to pull images and ship logs; VPC
  # endpoints keep that traffic off the internet - confirm which is intended.
  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: !Ref PrivateSubnet1CIDR
      VpcId: !Ref StorConVPC
      Tags:
        - Value: !Sub '${EnvironmentName}-private-subnet-1'
          Key: Name

  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: !Ref PrivateSubnet2CIDR
      VpcId: !Ref StorConVPC
      Tags:
        - Value: !Sub '${EnvironmentName}-private-subnet-2'
          Key: Name

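  # ----------------------------------------------------------
  # KMS key (encrypts logs and artifacts)
  # ----------------------------------------------------------
  # One customer-managed key shared by the artifact bucket, the ECR repository,
  # both log groups, the CodeBuild project and the approval SNS topic.
  PipelineKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: StoreCon CI/CD Pipeline 暗号化キー
      EnableKeyRotation: true  # automatic yearly rotation
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Delegates access control to IAM: any principal in the account that an
          # IAM policy allows can use or administer the key. Narrow this to named
          # administrator roles for production use.
          - Sid: AllowRootAccount
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # CloudWatch Logs uses the key as a service principal, so the IAM
          # delegation above does not cover it; without this statement the two
          # encrypted log groups cannot be created. The encryption-context
          # condition limits the grant to those two log groups.
          - Sid: AllowCloudWatchLogs
            Effect: Allow
            Principal:
              Service: !Sub "logs.${AWS::Region}.amazonaws.com"
            Action:
              - "kms:Encrypt*"
              - "kms:Decrypt*"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey*"
              - "kms:Describe*"
            Resource: "*"
            Condition:
              ArnLike:
                "kms:EncryptionContext:aws:logs:arn":
                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/codebuild/${EnvironmentName}-storcon-build"
                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/ecs/${EnvironmentName}-storcon-app"

  # Friendly alias for the key, namespaced by environment.
  PipelineKMSKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub "alias/${EnvironmentName}-storcon-pipeline"
      TargetKeyId: !Ref PipelineKMSKey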

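  # ----------------------------------------------------------
  # S3 bucket (stores pipeline artifacts)
  # ----------------------------------------------------------
  # Versioned, KMS-encrypted bucket with all four public-access blocks enabled.
  # NOTE(review): no bucket policy is defined in this template, so plain-HTTP
  # requests are not explicitly denied - consider an aws:SecureTransport deny.
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      # TODO: change for production use (bucket names are globally unique)
      BucketName: !Sub "${EnvironmentName}-storcon-artifacts-${AWS::AccountId}"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref PipelineKMSKey
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: ExpireOldArtifacts
            Status: Enabled
            ExpirationInDays: 90  # TODO: adjust the retention period for production use
            # With versioning enabled, ExpirationInDays only places a delete marker
            # on the current version. Noncurrent versions must be expired as well,
            # otherwise old artifacts are retained indefinitely.
            NoncurrentVersionExpiration:
              NoncurrentDays: 90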

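  # ----------------------------------------------------------
  # ECR repository (container image storage)
  # ----------------------------------------------------------
  StorConECRRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Sub "${EnvironmentName}/storcon-app"
      ImageScanningConfiguration:
        ScanOnPush: true  # run a vulnerability scan automatically on every push
      EncryptionConfiguration:
        EncryptionType: KMS
        KmsKey: !Ref PipelineKMSKey
      ImageTagMutability: IMMUTABLE  # forbid overwriting a tag (reproducibility)
      # The rule is described as "keep only the latest 10 images". Every image the
      # build pushes is tagged, so a rule that selects only untagged images never
      # expires anything; "any" makes the rule apply to the images actually stored.
      LifecyclePolicy:
        LifecyclePolicyText: |
          {
            "rules": [{
              "rulePriority": 1,
              "description": "最新10イメージのみ保持",
              "selection": {
                "tagStatus": "any",
                "countType": "imageCountMoreThan",
                "countNumber": 10
              },
              "action": { "type": "expire" }
            }]
          }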

  # ----------------------------------------------------------
  # CloudWatch Log Groups
  # ----------------------------------------------------------
  # Both groups keep 30 days of logs and are encrypted with the pipeline KMS key.
  # NOTE(review): CloudWatch Logs can only use a customer-managed key whose key
  # policy grants the regional logs service principal - verify the key policy.
  CodeBuildLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt PipelineKMSKey.Arn
      LogGroupName: !Sub '/codebuild/${EnvironmentName}-storcon-build'
      RetentionInDays: 30  # TODO: adjust the retention period for production use

  ECSTaskLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt PipelineKMSKey.Arn
      LogGroupName: !Sub '/ecs/${EnvironmentName}-storcon-app'
      RetentionInDays: 30

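  # ----------------------------------------------------------
  # IAM Role: CodeBuild execution role
  # ----------------------------------------------------------
  # Assumed by CodeBuild. Grants log writes to the build log group, artifact
  # read/write, use of the pipeline KMS key, and image push to the one ECR
  # repository this template creates.
  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${EnvironmentName}-storcon-codebuild-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      # The original attached "arn:aws:iam::aws:policy/AmazonECR_FullAccess". That
      # does not look like an existing AWS managed policy name (the ECR one is
      # AmazonEC2ContainerRegistryFullAccess), and registry-wide full access is far
      # more than a build needs. The build runs with PrivilegedMode and executes
      # repository-supplied code, so push rights are scoped to the single
      # repository instead.
      Policies:
        - PolicyName: CodeBuildBasePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !GetAtt CodeBuildLogGroup.Arn
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: !Sub "${ArtifactBucket.Arn}/*"
              - Effect: Allow
                Action:
                  - kms:GenerateDataKey
                  - kms:Decrypt
                Resource: !GetAtt PipelineKMSKey.Arn
        - PolicyName: ECRPushPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # GetAuthorizationToken does not support resource-level scoping.
              - Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
                Resource: "*"
              # Layer upload and image push, limited to the application repository.
              - Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload
                  - ecr:PutImage
                  - ecr:BatchGetImage
                  - ecr:GetDownloadUrlForLayer
                Resource: !GetAtt StorConECRRepository.Arn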

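  # ----------------------------------------------------------
  # IAM Role: ECS task execution role (least privilege)
  # ----------------------------------------------------------
  # Assumed by the ECS agent to pull the image and write container logs.
  # The original combined the AmazonECSTaskExecutionRolePolicy managed policy with
  # an inline ECR statement on Resource "*", which grants image pull from every
  # repository and log writes to every log group in the account. The statements
  # below cover the same actions, scoped to this stack's repository and task log
  # group, so the role matches its "least privilege" label.
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${EnvironmentName}-storcon-ecs-task-execution-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ECRPullPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # GetAuthorizationToken does not support resource-level scoping.
              - Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
                Resource: "*"
              - Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                Resource: !GetAtt StorConECRRepository.Arn
              - Effect: Allow
                Action:
                  - kms:Decrypt
                Resource: !GetAtt PipelineKMSKey.Arn
        - PolicyName: TaskLogsPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Needed by the awslogs log driver used in the task definition.
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !GetAtt ECSTaskLogGroup.Arn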

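  # ----------------------------------------------------------
  # IAM Role: CodePipeline execution role
  # ----------------------------------------------------------
  # Assumed by CodePipeline to read the source, start builds, deploy to ECS,
  # read/write artifacts and publish approval notifications.
  CodePipelineServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${EnvironmentName}-storcon-codepipeline-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CodePipelinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # The Source stage uses the CodeCommit provider, and the original
              # policy granted no CodeCommit access, so the source action could not
              # read the repository. Scoped to the repository named by SourceRepo.
              - Effect: Allow
                Action:
                  - codecommit:GetBranch
                  - codecommit:GetCommit
                  - codecommit:UploadArchive
                  - codecommit:GetUploadArchiveStatus
                  - codecommit:CancelUploadArchive
                Resource: !Sub "arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${SourceRepo}"
              - Effect: Allow
                Action:
                  - codebuild:BatchGetBuilds
                  - codebuild:StartBuild
                Resource: !GetAtt StorConBuildProject.Arn
              # NOTE(review): this statement lets the role update any ECS service in
              # the account. Some of these actions cannot be scoped to a resource;
              # consider splitting out ecs:UpdateService and restricting it to the
              # two services this pipeline deploys.
              - Effect: Allow
                Action:
                  - ecs:DescribeServices
                  - ecs:DescribeTaskDefinition
                  - ecs:DescribeTasks
                  - ecs:ListTasks
                  - ecs:RegisterTaskDefinition
                  - ecs:UpdateService
                Resource: "*"
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: !Sub "${ArtifactBucket.Arn}/*"
              - Effect: Allow
                Action:
                  - kms:GenerateDataKey
                  - kms:Decrypt
                Resource: !GetAtt PipelineKMSKey.Arn
              - Effect: Allow
                Action:
                  - sns:Publish
                Resource: !Ref ApprovalSNSTopic
              # PassRole is limited to the task execution role and, through the
              # condition, to handing it to ECS tasks only, so the role cannot be
              # passed to any other service.
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource: !GetAtt ECSTaskExecutionRole.Arn
                Condition:
                  StringLike:
                    "iam:PassedToService": ecs-tasks.amazonaws.com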

  # ----------------------------------------------------------
  # CodeBuild project (build & test & Docker image creation)
  # ----------------------------------------------------------
  # Runs the inline buildspec: ECR login, Gradle build and test, docker build and
  # push tagged with the first 7 characters of the resolved commit id, then writes
  # imagedefinitions.json for the ECS deploy actions.
  # NOTE(review): the repository sets ImageTagMutability to IMMUTABLE, so building
  # the same commit a second time pushes an existing tag and the push is rejected -
  # confirm how pipeline retries are expected to behave.
  # NOTE(review): the shell variables in the buildspec commands are unquoted;
  # quoting them ("$ECR_REPO_URI:$COMMIT_HASH") avoids word splitting.
  # NOTE(review): AWS_ACCOUNT_ID is exported but not referenced by the buildspec.
  StorConBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub "${EnvironmentName}-storcon-build"
      Description: StoreCon アプリケーションのビルド、テスト、コンテナイメージ作成
      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
      EncryptionKey: !Ref PipelineKMSKey
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL  # TODO: size to the project for production use
        Image: aws/codebuild/standard:7.0
        # Privileged mode is enabled so the build can run a Docker daemon. Code from
        # the source repository (build scripts, Dockerfile) therefore runs in a
        # privileged container with the service role's credentials; keep that role
        # narrow and restrict who can push to the built branch.
        PrivilegedMode: true  # enabled to use the Docker daemon
        EnvironmentVariables:
          - Name: ECR_REPO_URI
            Value: !GetAtt StorConECRRepository.RepositoryUri
          - Name: AWS_ACCOUNT_ID
            Value: !Ref AWS::AccountId
      Source:
        Type: CODEPIPELINE
        BuildSpec: |
          version: 0.2
          phases:
            install:
              runtime-versions:
                java: corretto17  # TODO: 実運用時にアプリの言語/バージョンに合わせて変更
            pre_build:
              commands:
                - echo "ECR ログイン中..."
                - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $ECR_REPO_URI
                - COMMIT_HASH=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)
            build:
              commands:
                - echo "ビルド & テスト実行中..."
                - ./gradlew build test  # TODO: 実運用時にビルドコマンドを変更
                - echo "Docker イメージビルド中..."
                - docker build -t $ECR_REPO_URI:$COMMIT_HASH .
                - docker push $ECR_REPO_URI:$COMMIT_HASH
            post_build:
              commands:
                - printf '[{"name":"storcon-app","imageUri":"%s"}]' $ECR_REPO_URI:$COMMIT_HASH > imagedefinitions.json
          artifacts:
            files:
              - imagedefinitions.json
      Artifacts:
        Type: CODEPIPELINE
      # Build logs go to the KMS-encrypted CodeBuild log group.
      LogsConfig:
        CloudWatchLogs:
          Status: ENABLED
          GroupName: !Ref CodeBuildLogGroup

  # ----------------------------------------------------------
  # ECS cluster
  # ----------------------------------------------------------
  # Single cluster that hosts both the STG and the PRD service.
  StorConECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterSettings:
        - Value: enabled  # collect metrics with Container Insights
          Name: containerInsights
      ClusterName: !Sub '${EnvironmentName}-storcon-cluster'

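  # ----------------------------------------------------------
  # ECS task definition (common base for STG / PRD)
  # ----------------------------------------------------------
  # Fargate task with one essential container that logs through awslogs.
  # No TaskRoleArn is set, so the application container runs without AWS
  # credentials of its own.
  StorConTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Sub "${EnvironmentName}-storcon-app"
      Cpu: !Ref TaskCpu
      Memory: !Ref TaskMemory
      NetworkMode: awsvpc
      RequiresCompatibilities: [FARGATE]
      ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn
      ContainerDefinitions:
        - Name: storcon-app
          # TODO: update the initial image for production use (it is overwritten on deploy)
          # The image reference is built from RepositoryUri, the attribute the
          # CodeBuild project also reads; the original read a RepositoryName
          # attribute, which the repository resource exposes through Ref rather
          # than GetAtt. The resulting URI is the same.
          # NOTE(review): the build only pushes commit-hash tags, so ":latest" does
          # not exist until someone pushes it; the services cannot start their
          # first tasks before then.
          Image: !Sub "${StorConECRRepository.RepositoryUri}:latest"
          PortMappings:
            - ContainerPort: !Ref ContainerPort
              Protocol: tcp
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref ECSTaskLogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs
          Essential: true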

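  # ----------------------------------------------------------
  # ALB + TargetGroup (for STG)
  # ----------------------------------------------------------
  # Security group attached to both the STG and the PRD load balancer.
  # EC2 rejects security group descriptions that contain non-ASCII characters,
  # so the descriptions are written in ASCII.
  # NOTE(review): because STG and PRD share this group, restricting the source
  # range for staging also restricts production; separate groups let staging be
  # locked down to internal ranges independently.
  # NOTE(review): port 443 is opened here, but the listeners in this template only
  # serve HTTP on port 80.
  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB security group (allows HTTP/HTTPS)
      VpcId: !Ref StorConVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: "0.0.0.0/0"  # TODO: restrict to internal IP ranges etc. for production use
          Description: HTTP from anywhere
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: "0.0.0.0/0"
          Description: HTTPS from anywhere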

  # Internet-facing load balancer for staging, spread over both public subnets.
  # NOTE(review): an internet-facing scheme exposes the staging build publicly;
  # confirm whether an internal scheme or a narrower source range is wanted.
  StgALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Name: !Sub '${EnvironmentName}-storcon-stg-alb'
      SecurityGroups:
        - !Ref ALBSecurityGroup
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      LoadBalancerAttributes:
        - Value: 'false'  # TODO: set to true for production use to enable access logs
          Key: access_logs.s3.enabled

  # Target group for the staging tasks; health is probed every 30 seconds.
  StgTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Sub '${EnvironmentName}-storcon-stg-tg'
      VpcId: !Ref StorConVPC
      TargetType: ip  # Fargate uses the ip target type
      Protocol: HTTP
      Port: !Ref ContainerPort
      HealthCheckIntervalSeconds: 30
      HealthCheckPath: '/health'  # TODO: change the health check path for production use

  # Plain-HTTP listener that forwards everything to the staging target group.
  # NOTE(review): no HTTPS listener or certificate is defined in this template,
  # so traffic to the ALB is unencrypted.
  StgALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: HTTP
      Port: 80
      LoadBalancerArn: !Ref StgALB
      DefaultActions:
        - TargetGroupArn: !Ref StgTargetGroup
          Type: forward

  # ALB + TargetGroup for PRD
  # Internet-facing production load balancer. No LoadBalancerAttributes are set,
  # so access logging is left at its default here.
  PrdALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Name: !Sub '${EnvironmentName}-storcon-prd-alb'
      SecurityGroups:
        - !Ref ALBSecurityGroup
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2

  # Target group for the production tasks (ip targets, as used with Fargate).
  PrdTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Sub '${EnvironmentName}-storcon-prd-tg'
      VpcId: !Ref StorConVPC
      TargetType: ip
      Protocol: HTTP
      Port: !Ref ContainerPort
      HealthCheckPath: '/health'

  # Plain-HTTP listener that forwards everything to the production target group.
  # NOTE(review): production traffic is served over unencrypted HTTP; an HTTPS
  # listener with a certificate and an HTTP-to-HTTPS redirect is the usual setup.
  PrdALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: HTTP
      Port: 80
      LoadBalancerArn: !Ref PrdALB
      DefaultActions:
        - TargetGroupArn: !Ref PrdTargetGroup
          Type: forward

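  # ----------------------------------------------------------
  # ECS Fargate service (STG)
  # ----------------------------------------------------------
  # Security group for the tasks of both services: the only inbound rule admits
  # the container port from the ALB security group. EC2 rejects security group
  # descriptions that contain non-ASCII characters, so the description is ASCII.
  # No egress rules are declared, so outbound traffic is unrestricted by default.
  ECSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ECS task security group (allows traffic from the ALB only)
      VpcId: !Ref StorConVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref ContainerPort
          ToPort: !Ref ContainerPort
          SourceSecurityGroupId: !Ref ALBSecurityGroup
          Description: Container port from the ALB security group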

  # Staging service: one Fargate task in the private subnets behind the STG
  # target group. Created only after the STG listener exists.
  StgECSService:
    Type: AWS::ECS::Service
    DependsOn: StgALBListener
    Properties:
      ServiceName: !Sub '${EnvironmentName}-storcon-stg-service'
      LaunchType: FARGATE
      Cluster: !Ref StorConECSCluster
      TaskDefinition: !Ref StorConTaskDefinition
      DesiredCount: 1  # TODO: set an appropriate task count for production use
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 50
      LoadBalancers:
        - TargetGroupArn: !Ref StgTargetGroup
          ContainerName: storcon-app
          ContainerPort: !Ref ContainerPort
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED  # disabled because tasks sit in private subnets
          SecurityGroups:
            - !Ref ECSSecurityGroup
          Subnets:
            - !Ref PrivateSubnet1
            - !Ref PrivateSubnet2

  # ECS Fargate service (PRD)
  # Production service: two Fargate tasks in the private subnets behind the PRD
  # target group. It shares the cluster, task definition and task security group
  # with staging.
  PrdECSService:
    Type: AWS::ECS::Service
    DependsOn: PrdALBListener
    Properties:
      ServiceName: !Sub '${EnvironmentName}-storcon-prd-service'
      LaunchType: FARGATE
      Cluster: !Ref StorConECSCluster
      TaskDefinition: !Ref StorConTaskDefinition
      DesiredCount: 2  # TODO: set an appropriate task count for production use (2 or more recommended)
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100  # production keeps zero downtime during deploys
      LoadBalancers:
        - TargetGroupArn: !Ref PrdTargetGroup
          ContainerName: storcon-app
          ContainerPort: !Ref ContainerPort
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED
          SecurityGroups:
            - !Ref ECSSecurityGroup
          Subnets:
            - !Ref PrivateSubnet1
            - !Ref PrivateSubnet2

  # ----------------------------------------------------------
  # SNS topic (manual approval notifications)
  # ----------------------------------------------------------
  # KMS-encrypted topic with a single e-mail subscription taken from ApprovalEmail.
  # NOTE(review): the notification only informs. Who may approve a production
  # release is decided by IAM permissions on the pipeline's approval action, not
  # by this subscription - verify that those permissions are restricted.
  ApprovalSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      KmsMasterKeyId: !Ref PipelineKMSKey
      TopicName: !Sub '${EnvironmentName}-storcon-approval'
      Subscription:
        - Endpoint: !Ref ApprovalEmail  # TODO: change to the approver's e-mail for production use
          Protocol: email

  # ----------------------------------------------------------
  # CodePipeline (Source -> Build -> STG Deploy -> Approval -> PRD Deploy)
  # ----------------------------------------------------------
  # Five-stage pipeline. The BuildOutput artifact produced once by the Build stage
  # is the input of both deploy stages, so production receives the same
  # imagedefinitions.json that was deployed to staging.
  StorConPipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Sub "${EnvironmentName}-storcon-pipeline"
      RoleArn: !GetAtt CodePipelineServiceRole.Arn
      # Artifacts are stored in the versioned bucket and encrypted with the
      # pipeline KMS key.
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket
        EncryptionKey:
          Type: KMS
          Id: !Ref PipelineKMSKey
      Stages:
        # Stage 1: fetch the source code
        # TODO: switch to a CodeStar Connection (GitHub etc.) or CodeCommit for production use
        # NOTE(review): polling is turned off and this template defines no event
        # rule for the repository, so nothing shown here starts the pipeline
        # automatically on a push - confirm how executions are triggered.
        - Name: Source
          Actions:
            - Name: SourceAction
              ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: CodeCommit
                Version: "1"
              OutputArtifacts:
                - Name: SourceOutput
              Configuration:
                RepositoryName: !Ref SourceRepo
                BranchName: main  # TODO: change the watched branch for production use
                PollForSourceChanges: false

        # Stage 2: build & test
        - Name: Build
          Actions:
            - Name: BuildAction
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              InputArtifacts:
                - Name: SourceOutput
              OutputArtifacts:
                - Name: BuildOutput
              Configuration:
                ProjectName: !Ref StorConBuildProject

        # Stage 3: deploy to the STG environment
        # NOTE(review): Ref on an ECS service resource presumably resolves to the
        # service ARN, while this action's ServiceName names a service - confirm
        # that the value is accepted, or use the service's Name attribute.
        - Name: DeployToStaging
          Actions:
            - Name: DeployStgAction
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: ECS
                Version: "1"
              InputArtifacts:
                - Name: BuildOutput
              Configuration:
                ClusterName: !Ref StorConECSCluster
                ServiceName: !Ref StgECSService
                FileName: imagedefinitions.json

        # Stage 4: manual approval (approve the production release after checking STG)
        # This gate is the only control between staging and production.
        - Name: ManualApproval
          Actions:
            - Name: ApprovalAction
              ActionTypeId:
                Category: Approval
                Owner: AWS
                Provider: Manual
                Version: "1"
              Configuration:
                NotificationArn: !Ref ApprovalSNSTopic
                CustomData: "STG 環境での動作確認が完了したら承認してください"
                ExternalEntityLink: !Sub "http://${StgALB.DNSName}"  # STG review URL (plain HTTP)

        # Stage 5: deploy to the PRD environment
        - Name: DeployToProduction
          Actions:
            - Name: DeployPrdAction
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: ECS
                Version: "1"
              InputArtifacts:
                - Name: BuildOutput
              Configuration:
                ClusterName: !Ref StorConECSCluster
                ServiceName: !Ref PrdECSService
                FileName: imagedefinitions.json

# ============================================================
# Outputs
# The first five values are exported for cross-stack use; the
# last three are stack outputs only.
# ============================================================
Outputs:
  # VPC id, exported under an environment-prefixed name.
  VPCId:
    Value: !Ref StorConVPC
    Description: StoreCon VPC ID
    Export:
      Name: !Sub '${EnvironmentName}-StorConVPCId'

  # Repository URI that the build pushes images to.
  ECRRepositoryUri:
    Value: !GetAtt StorConECRRepository.RepositoryUri
    Description: ECR リポジトリ URI（コンテナイメージのプッシュ先）
    Export:
      Name: !Sub '${EnvironmentName}-StorConECRUri'

  ECSClusterArn:
    Value: !GetAtt StorConECSCluster.Arn
    Description: ECS クラスター ARN
    Export:
      Name: !Sub '${EnvironmentName}-StorConECSClusterArn'

  # Both endpoint outputs are http:// URLs built from the ALB DNS names.
  StgALBEndpoint:
    Value: !Sub 'http://${StgALB.DNSName}'
    Description: STG 環境 ALB の DNS 名
    Export:
      Name: !Sub '${EnvironmentName}-StorConStgEndpoint'

  PrdALBEndpoint:
    Value: !Sub 'http://${PrdALB.DNSName}'
    Description: PRD 環境 ALB の DNS 名
    Export:
      Name: !Sub '${EnvironmentName}-StorConPrdEndpoint'

  # ARN assembled from region, account id and the pipeline reference.
  PipelineArn:
    Value: !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${StorConPipeline}'
    Description: CodePipeline ARN

  ArtifactBucketName:
    Value: !Ref ArtifactBucket
    Description: パイプラインアーティファクト S3 バケット名

  ApprovalTopicArn:
    Value: !Ref ApprovalSNSTopic
    Description: 手動承認通知 SNS Topic ARN
