[英]Terraform: Codepipeline not triggered on upload to s3 source bucket
我正在尝试使用 terraform 在上传到 s3 时触发代码管道。
用例 - 因此,各种资源的 terraform 代码将作为 zip 文件推送到源存储桶,这将触发管道。 此管道将运行 terraform 申请 zip 文件。 所以为了运行管道,我设置了一个触发器
这是我所做的。
在完成所有这些之后,上传新存储桶时不会触发我的管道。
我正在阅读此文档,它有关于将跟踪事件发送到 eventbridge 规则的特定声明,我认为这是原因,但我找不到通过控制台添加的选项。
AWS CloudTrail 是一项记录和筛选 Amazon S3 源存储桶上的事件的服务。 该跟踪将过滤后的源更改发送到 Amazon CloudWatch Events 规则。 Amazon CloudWatch Events 规则检测源更改,然后启动您的管道。
https://docs.aws.amazon.com/codepipeline/latest/userguide/create-cloudtrail-S3-source.html
这是我的事件岭规则
resource "aws_cloudwatch_event_rule" "xxxx-pipeline-event" {
name = "xxxx-ci-cd-pipeline-event"
description = "Cloud watch event when zip is uploaded to s3"
event_pattern = <<EOF
{
"source": ["aws.s3"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["s3.amazonaws.com"],
"eventName": ["PutObject", "CompleteMultipartUpload", "CopyObject"],
"requestParameters": {
"bucketName": ["xxxxx-ci-cd-zip"],
"key": ["app.zip"]
}
}
}
EOF
}
resource "aws_cloudwatch_event_target" "code-pipeline" {
rule = aws_cloudwatch_event_rule.XXXX-pipeline-event.name
target_id = "SendToCodePipeline"
arn = aws_codepipeline.cicd_pipeline.arn
role_arn = aws_iam_role.pipeline_role.arn
}
事件桥角色权限 terraform 代码
data "aws_iam_policy_document" "event_bridge_role" {
statement {
actions = ["sts:AssumeRole"]
effect = "Allow"
principals {
type = "Service"
identifiers = ["events.amazonaws.com"]
}
}
}
resource "aws_iam_role" "pipeline_event_role" {
name = "xxxxx-pipeline-event-bridge-role"
assume_role_policy = data.aws_iam_policy_document.event_bridge_role.json
}
data "aws_iam_policy_document" "pipeline_event_role_policy" {
statement {
sid = ""
actions = ["codepipeline:StartPipelineExecution"]
resources = ["${aws_codepipeline.cicd_pipeline.arn}"]
effect = "Allow"
}
}
resource "aws_iam_policy" "pipeline_event_role_policy" {
name = "xxxx-codepipeline-event-role-policy"
policy = data.aws_iam_policy_document.pipeline_event_role_policy.json
}
resource "aws_iam_role_policy_attachment" "pipeline_event_role_attach_policy" {
role = aws_iam_role.pipeline_event_role.name
policy_arn = aws_iam_policy.pipeline_event_role_policy.arn
}
问题出在 CLoudtrail 过滤器上。 过滤器是为存储桶和写入操作设置的。
我不得不通过添加前缀来修改过滤器。因为我的事件桥正在寻找 my-app.zip 所以如果我只使用桶级前缀它不会被触发
bucket/prefix and write action
文档: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.