Terraform: CodePipeline not triggered on upload to S3 source bucket

I am trying to trigger the CodePipeline on upload to S3 using Terraform.

Use case: Terraform code for various resources will be pushed as a zip file to the source bucket, which will trigger a pipeline. This pipeline will run terraform apply for the zip file. So in order to run the pipeline I am setting up a trigger.

Here is what I have done:

  • Created the source S3 bucket
  • Created the CodePipeline
  • Created a CloudWatch Events rule for S3 events from CloudTrail
  • Created the CloudTrail manually, and added a data event to log source bucket write events. All previous steps were done using Terraform.

After doing all this, my pipeline is still not triggered on upload to the bucket.

I was reading these docs, which have a particular statement about sending trail events to an EventBridge rule. I think this is the cause, but I can't find the option to add it through the console:

AWS CloudTrail is a service that logs and filters events on your Amazon S3 source bucket. The trail sends the filtered source changes to the Amazon CloudWatch Events rule. The Amazon CloudWatch Events rule detects the source change and then starts your pipeline.

https://docs.aws.amazon.com/codepipeline/latest/userguide/create-cloudtrail-S3-source.html

Here is my EventBridge rule:

resource "aws_cloudwatch_event_rule" "xxxx-pipeline-event" {
  name        = "xxxx-ci-cd-pipeline-event"
  description = "Cloud watch event when zip is uploaded to s3"

  event_pattern = <<EOF
{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["PutObject", "CompleteMultipartUpload", "CopyObject"],
    "requestParameters": {
      "bucketName": ["xxxxx-ci-cd-zip"],
      "key": ["app.zip"]
    }
  }
}
EOF
}

resource "aws_cloudwatch_event_target" "code-pipeline" {
  # Resource references are case-sensitive; the rule above is declared as
  # "xxxx-pipeline-event", so the reference must use the same spelling.
  rule      = aws_cloudwatch_event_rule.xxxx-pipeline-event.name
  target_id = "SendToCodePipeline"
  arn       = aws_codepipeline.cicd_pipeline.arn
  # The role EventBridge assumes to start the pipeline is the one declared
  # below with the events.amazonaws.com trust policy.
  role_arn  = aws_iam_role.pipeline_event_role.arn
}

EventBridge role permissions Terraform code:

data "aws_iam_policy_document" "event_bridge_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }

}

resource "aws_iam_role" "pipeline_event_role" {
  name               = "xxxxx-pipeline-event-bridge-role"
  assume_role_policy = data.aws_iam_policy_document.event_bridge_role.json
}

data "aws_iam_policy_document" "pipeline_event_role_policy" {
  statement {
    sid       = ""
    actions   = ["codepipeline:StartPipelineExecution"]
    resources = ["${aws_codepipeline.cicd_pipeline.arn}"]
    effect    = "Allow"
  }
}

resource "aws_iam_policy" "pipeline_event_role_policy" {
  name   = "xxxx-codepipeline-event-role-policy"
  policy = data.aws_iam_policy_document.pipeline_event_role_policy.json
}

resource "aws_iam_role_policy_attachment" "pipeline_event_role_attach_policy" {
  role       = aws_iam_role.pipeline_event_role.name
  policy_arn = aws_iam_policy.pipeline_event_role_policy.arn
}

The problem was with the CloudTrail filter. The filter was set for the bucket and write actions.

I had to modify the filter by adding a prefix to it, because my EventBridge rule is looking for my-app.zip, so it was not triggered if I used only a bucket-level prefix:

bucket/prefix and write action

Docs: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
