Yuki Takei 3 лет назад
3854507358

+ 2 - 3
packages/app/docker/codebuild/buildspec-image.yml

@@ -3,13 +3,12 @@ env:
   variables:
     DOCKER_BUILDKIT: 1
     BUILD_NUM: 0
-    SECRETS_NAME: ''
     IMAGE_NAME: weseek/growi
     TAG_VERSION: latest
     TAG_SUFFIX: amd64
   secrets-manager:
-    DOCKER_REGISTRY_PASSWORD: ${SECRETS_NAME}:DOCKER_REGISTRY_PASSWORD
-    DOCKER_REGISTRY_ON_GITHUB_PASSWORD: ${SECRETS_NAME}:DOCKER_REGISTRY_ON_GITHUB_PASSWORD
+    DOCKER_REGISTRY_PASSWORD: growi/official-image-builder:DOCKER_REGISTRY_PASSWORD
+    DOCKER_REGISTRY_ON_GITHUB_PASSWORD: growi/official-image-builder:DOCKER_REGISTRY_ON_GITHUB_PASSWORD
 phases:
   pre_build:
     commands:
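Review bot: The secret id `growi/official-image-builder` is now a literal in the two `secrets-manager` references here and again in buildspec-manifest.yml's `DOCKER_REGISTRY_PASSWORD`, while the main.tf hunk drops the `SECRETS_NAME` variable that used to carry `aws_secretsmanager_secret.secret.name`. Nothing in the repository now ties the Terraform-managed secret name to the string the builds look up, so a rename on either side is only caught at build start when the lookup fails. A comment above `secrets-manager:` recording the coupling would make that visible: `# secret id must match aws_secretsmanager_secret.secret in main.tf`, with the same comment in buildspec-manifest.yml. The `phases` section that consumes the two passwords continues outside this hunk.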

+ 1 - 2
packages/app/docker/codebuild/buildspec-manifest.yml

@@ -2,13 +2,12 @@ version: 0.2
 env:
   variables:
     BUILD_NUM: 0
-    SECRETS_NAME: ''
     IMAGE_HOST: ''
     IMAGE_NAME: weseek/growi
     TAG_VERSION: latest
     SECRETS_JSON_KEY: DOCKER_REGISTRY_PASSWORD # DOCKER_REGISTRY_PASSWORD or DOCKER_REGISTRY_ON_GITHUB_PASSWORD
   secrets-manager:
-    DOCKER_REGISTRY_PASSWORD: ${SECRETS_NAME}:${SECRETS_JSON_KEY}
+    DOCKER_REGISTRY_PASSWORD: growi/official-image-builder:$SECRETS_JSON_KEY
 phases:
   pre_build:
     commands:
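Review bot: The new value `growi/official-image-builder:$SECRETS_JSON_KEY` still depends on CodeBuild expanding an environment variable inside a `secrets-manager` reference, which is the same mechanism the removed `${SECRETS_NAME}` relied on; if the braced form was dropped because it was not substituted there, the unbraced `$SECRETS_JSON_KEY` deserves the same check, since an unexpanded reference names a JSON key that does not exist and the job fails before `pre_build` runs. The inline comment on `SECRETS_JSON_KEY` already lists the two permitted keys; extending it to say the value is interpolated into the reference below makes the dependency explicit: `# DOCKER_REGISTRY_PASSWORD or DOCKER_REGISTRY_ON_GITHUB_PASSWORD; interpolated into the secrets-manager reference below`.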

+ 7 - 8
packages/app/docker/codebuild/buildspec.yml

@@ -1,4 +1,7 @@
 version: 0.2
+env:
+  variables:
+    BUILD_NUM: 0
 batch:
   fast-fail: true
   build-graph:
@@ -9,8 +12,7 @@ batch:
         image: aws/codebuild/standard:6.0
         type: LINUX_CONTAINER
         variables:
-          BUILD_NUM: ${CODEBUILD_BUILD_NUMBER}
-          SECRETS_NAME: ${SECRETS_NAME}
+          BUILD_NUM: $CODEBUILD_BUILD_NUMBER
           TAG_SUFFIX: amd64
     - identifier: build_arm64
       buildspec: packages/app/docker/codebuild/buildspec-image.yml
@@ -18,16 +20,14 @@ batch:
         image: aws/codebuild/amazonlinux2-aarch64-standard:2.0
         type: ARM_CONTAINER
         variables:
-          BUILD_NUM: ${CODEBUILD_BUILD_NUMBER}
-          SECRETS_NAME: ${SECRETS_NAME}
+          BUILD_NUM: $CODEBUILD_BUILD_NUMBER
           TAG_SUFFIX: arm64
     # create manifest
     - identifier: create_manifest_dockerhub
       buildspec: packages/app/docker/codebuild/buildspec-manifest.yml
       env:
         variables:
-          BUILD_NUM: ${CODEBUILD_BUILD_NUMBER}
-          SECRETS_NAME: ${SECRETS_NAME}
+          BUILD_NUM: $CODEBUILD_BUILD_NUMBER
           SECRETS_JSON_KEY: DOCKER_REGISTRY_PASSWORD
       depend-on:
         - build_amd64
@@ -36,8 +36,7 @@ batch:
       buildspec: packages/app/docker/codebuild/buildspec-manifest.yml
       env:
         variables:
-          BUILD_NUM: ${CODEBUILD_BUILD_NUMBER}
-          SECRETS_NAME: ${SECRETS_NAME}
+          BUILD_NUM: $CODEBUILD_BUILD_NUMBER
           SECRETS_JSON_KEY: DOCKER_REGISTRY_ON_GITHUB_PASSWORD
       depend-on:
         - build_amd64
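Review bot: The reason for replacing `${CODEBUILD_BUILD_NUMBER}` with `$CODEBUILD_BUILD_NUMBER` in the four build-graph `variables` blocks (build_amd64, build_arm64 and both create_manifest jobs) is not recorded in the file, and the new top-level `env.variables.BUILD_NUM: 0` carries no comment saying what consumes it given that each child buildspec already declares its own `BUILD_NUM: 0` default. If the braced form was observed not to be substituted in batch `env.variables`, a one-line comment above the first occurrence, `# batch env.variables: use $VAR; the ${VAR} form was not expanded`, would stop the next maintainer from reverting it, and the top-level default could say `# default for the batch parent; child jobs override with $CODEBUILD_BUILD_NUMBER`. The batch definition continues past the last hunk.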

+ 0 - 5
packages/app/docker/codebuild/main.tf

@@ -134,11 +134,6 @@ resource "aws_codebuild_project" "codebuild" {
     image                       = "aws/codebuild/standard:6.0"
     type                        = "LINUX_CONTAINER"
     privileged_mode             = true
-
-    environment_variable {
-      name  = "SECRETS_NAME"
-      value = "${aws_secretsmanager_secret.secret.name}"
-    }
   }
 
   source {
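Review bot: Removing the `SECRETS_NAME` environment variable severs the only Terraform-side reference from the CodeBuild project to `aws_secretsmanager_secret.secret`, yet the builds keep reading that secret by its literal name, and the terraform.tfstate hunk in the same commit records a new inline-policy statement granting `secretsmanager:GetSecretValue` on that secret plus two attached managed policies, with no corresponding main.tf change visible in this commit. If those grants were made outside Terraform, a later `terraform apply` may revert them and the builds would lose access to the registry passwords; declaring the grant in main.tf, scoped to `aws_secretsmanager_secret.secret.arn` and the four secretsmanager actions the state shows, keeps code and state in agreement. The `aws_codebuild_project` resource starts before this hunk.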

+ 6 - 3
packages/app/docker/codebuild/terraform.tfstate

@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.3.7",
-  "serial": 57,
+  "serial": 61,
   "lineage": "7413839f-c67c-02f5-4933-fcb84251bb29",
   "outputs": {},
   "resources": [
@@ -141,10 +141,13 @@
             "inline_policy": [
               {
                 "name": "terraform-20230112203526188400000001",
-                "policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Resource\": [\n        \"*\"\n      ],\n      \"Action\": [\n        \"logs:CreateLogGroup\",\n        \"logs:CreateLogStream\",\n        \"logs:PutLogEvents\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"s3:*\"\n      ],\n      \"Resource\": [\n        \"arn:aws:s3:::growi-official-image-builder-cache\",\n        \"arn:aws:s3:::growi-official-image-builder-cache/*\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"codebuild:StartBuild\",\n        \"codebuild:StopBuild\",\n        \"codebuild:RetryBuild\",\n        \"codebuild:CreateReportGroup\",\n        \"codebuild:CreateReport\",\n        \"codebuild:UpdateReport\",\n        \"codebuild:BatchPutTestCases\",\n        \"codebuild:BatchPutCodeCoverages\"\n      ],\n      \"Resource\": [\n        \"*\"\n      ]\n    }\n  ]\n}\n"
+                "policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Resource\": [\n        \"*\"\n      ],\n      \"Action\": [\n        \"logs:CreateLogGroup\",\n        \"logs:CreateLogStream\",\n        \"logs:PutLogEvents\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"s3:*\"\n      ],\n      \"Resource\": [\n        \"arn:aws:s3:::growi-official-image-builder-cache\",\n        \"arn:aws:s3:::growi-official-image-builder-cache/*\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"secretsmanager:GetResourcePolicy\",\n        \"secretsmanager:GetSecretValue\",\n        \"secretsmanager:DescribeSecret\",\n        \"secretsmanager:ListSecretVersionIds\"\n      ],\n      \"Resource\": [\n        \"arn:aws:secretsmanager:ap-northeast-1:259692501178:secret:growi/official-image-builder-9sraQN\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"codebuild:StartBuild\",\n        \"codebuild:StopBuild\",\n        \"codebuild:RetryBuild\",\n        \"codebuild:CreateReportGroup\",\n        \"codebuild:CreateReport\",\n        \"codebuild:UpdateReport\",\n        \"codebuild:BatchPutTestCases\",\n        \"codebuild:BatchPutCodeCoverages\"\n      ],\n      \"Resource\": [\n        \"*\"\n      ]\n    }\n  ]\n}\n"
               }
             ],
-            "managed_policy_arns": [],
+            "managed_policy_arns": [
+              "arn:aws:iam::259692501178:policy/service-role/CodeBuildBasePolicy-growi-official-image-builder-ap-northeast-1",
+              "arn:aws:iam::259692501178:policy/service-role/CodeBuildSecretsManagerPolicy-growi-official-image-builder-ap-northeast-1"
+            ],
             "max_session_duration": 3600,
             "name": "growi-official-image-builder",
             "name_prefix": "",