Terraform: CodePipeline not triggered on upload to S3 source bucket
I am trying to trigger the CodePipeline on upload to S3 using Terraform.
Use case - Terraform code for various resources will be pushed as a zip file to the source bucket, which will trigger a pipeline. This pipeline will run terraform apply for the zip file. So in order to run the pipeline I am setting up a trigger.
Here is what I have done.
After doing all this, my pipeline is still not triggered on upload of a new object to the bucket.
I was reading these docs and they had a particular statement about sending trail events to an EventBridge rule, which I think is the cause, but I can't find the option to add it through the console.
AWS CloudTrail is a service that logs and filters events on your Amazon S3 source bucket. The trail sends the filtered source changes to the Amazon CloudWatch Events rule. The Amazon CloudWatch Events rule detects the source change and then starts your pipeline.
https://docs.aws.amazon.com/codepipeline/latest/userguide/create-cloudtrail-S3-source.html
Here is my EventBridge rule
```hcl
# Rule that matches the CloudTrail data event for one object key in one bucket.
# It only fires if a trail actually records S3 data events for that object.
resource "aws_cloudwatch_event_rule" "xxxx-pipeline-event" {
  name        = "xxxx-ci-cd-pipeline-event"
  description = "Cloud watch event when zip is uploaded to s3"

  event_pattern = <<EOF
{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["PutObject", "CompleteMultipartUpload", "CopyObject"],
    "requestParameters": {
      "bucketName": ["xxxxx-ci-cd-zip"],
      "key": ["app.zip"]
    }
  }
}
EOF
}

# Target: start the pipeline, using the role defined below that EventBridge assumes.
# (Reference fixed to the rule/role names actually declared: the resource is
# "xxxx-pipeline-event", not "XXXX-pipeline-event", and the role is
# "pipeline_event_role", not "pipeline_role".)
resource "aws_cloudwatch_event_target" "code-pipeline" {
  rule      = aws_cloudwatch_event_rule.xxxx-pipeline-event.name
  target_id = "SendToCodePipeline"
  arn       = aws_codepipeline.cicd_pipeline.arn
  role_arn  = aws_iam_role.pipeline_event_role.arn
}
```
EventBridge role permissions Terraform code
```hcl
# Trust policy: only the EventBridge service may assume this role.
data "aws_iam_policy_document" "event_bridge_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "pipeline_event_role" {
  name               = "xxxxx-pipeline-event-bridge-role"
  assume_role_policy = data.aws_iam_policy_document.event_bridge_role.json
}

# Least-privilege permission: the role may start exactly this one pipeline.
data "aws_iam_policy_document" "pipeline_event_role_policy" {
  statement {
    actions   = ["codepipeline:StartPipelineExecution"]
    resources = [aws_codepipeline.cicd_pipeline.arn]
    effect    = "Allow"
  }
}

resource "aws_iam_policy" "pipeline_event_role_policy" {
  name   = "xxxx-codepipeline-event-role-policy"
  policy = data.aws_iam_policy_document.pipeline_event_role_policy.json
}

resource "aws_iam_role_policy_attachment" "pipeline_event_role_attach_policy" {
  role       = aws_iam_role.pipeline_event_role.name
  policy_arn = aws_iam_policy.pipeline_event_role_policy.arn
}
```
The problem was with the CloudTrail filter. The filter was set for bucket and write actions.
I had to modify the filter by adding a prefix to it. Because my EventBridge rule is looking for my-app.zip, it was not triggered if I used only a bucket-level prefix:
bucket/prefix and write action
Docs: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
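The missing piece described in the answer, expressed in Terraform as an added example (this is not code from the question or the answer): a CloudTrail trail whose S3 data-event selector is scoped to the one object key the EventBridge rule matches on, so the trail emits the PutObject / CompleteMultipartUpload / CopyObject events the rule needs and nothing else. The trail name, the `trail_logs` bucket and the `aws_caller_identity` lookup are assumptions; the `xxxxx-ci-cd-zip` bucket and `app.zip` key are the placeholders from the rule above.

```hcl
# Added example, not part of the original question or answer.
# Assumed names: trail "xxxxx-ci-cd-source-trail", log bucket "xxxxx-ci-cd-cloudtrail-logs".

data "aws_caller_identity" "current" {}

# Bucket that receives the trail's own log files (assumed name).
resource "aws_s3_bucket" "trail_logs" {
  bucket = "xxxxx-ci-cd-cloudtrail-logs"
}

# CloudTrail needs GetBucketAcl on the bucket and PutObject under its
# AWSLogs/<account-id>/ prefix; the ACL condition is the standard guard
# CloudTrail requires so it keeps bucket-owner-full-control on written logs.
data "aws_iam_policy_document" "trail_logs" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail_logs.arn]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  statement {
    sid       = "AWSCloudTrailWrite"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail_logs" {
  bucket = aws_s3_bucket.trail_logs.id
  policy = data.aws_iam_policy_document.trail_logs.json
}

resource "aws_cloudtrail" "pipeline_source" {
  name           = "xxxxx-ci-cd-source-trail"
  s3_bucket_name = aws_s3_bucket.trail_logs.id

  # Data-event selector: write-only events for exactly one object.
  # A bucket-only value ("arn:aws:s3:::xxxxx-ci-cd-zip/") would record every
  # object write in the bucket; narrowing to the key keeps the trail's volume
  # (and the EventBridge rule's candidate events) limited to the pipeline input.
  event_selector {
    read_write_type           = "WriteOnly"
    include_management_events = false

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::xxxxx-ci-cd-zip/app.zip"]
    }
  }

  # The bucket policy must exist before CloudTrail validates the log bucket.
  depends_on = [aws_s3_bucket_policy.trail_logs]
}
```

After `terraform apply`, the selector can be confirmed with `aws cloudtrail get-event-selectors --trail-name xxxxx-ci-cd-source-trail`; the `DataResources` value must match the bucket and key used in the rule's `requestParameters`, or the rule will never see a matching event. Keep the trail's `WriteOnly` / `include_management_events = false` settings unless something else needs the extra events, since the log bucket is itself a record of who wrote pipeline inputs and should stay small and easy to audit.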