[英]Terraform: Codepipeline not triggered on upload to s3 source bucket
我正在嘗試使用 terraform 在上傳到 s3 時觸發代碼管道。
用例 - 因此,各種資源的 terraform 代碼將作為 zip 文件推送到源存儲桶,這將觸發管道。 此管道將運行 terraform 申請 zip 文件。 所以為了運行管道,我設置了一個觸發器
這是我所做的。
在完成所有這些之后,上傳新存儲桶時不會觸發我的管道。
我正在閱讀此文檔,它有關於將跟蹤事件發送到 eventbridge 規則的特定聲明,我認為這是原因,但我找不到通過控制台添加的選項。
AWS CloudTrail 是一項記錄和篩選 Amazon S3 源存儲桶上的事件的服務。 該跟蹤將過濾后的源更改發送到 Amazon CloudWatch Events 規則。 Amazon CloudWatch Events 規則檢測源更改,然后啟動您的管道。
https://docs.aws.amazon.com/codepipeline/latest/userguide/create-cloudtrail-S3-source.html
這是我的事件嶺規則
resource "aws_cloudwatch_event_rule" "xxxx-pipeline-event" {
name = "xxxx-ci-cd-pipeline-event"
description = "Cloud watch event when zip is uploaded to s3"
event_pattern = <<EOF
{
"source": ["aws.s3"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["s3.amazonaws.com"],
"eventName": ["PutObject", "CompleteMultipartUpload", "CopyObject"],
"requestParameters": {
"bucketName": ["xxxxx-ci-cd-zip"],
"key": ["app.zip"]
}
}
}
EOF
}
resource "aws_cloudwatch_event_target" "code-pipeline" {
rule = aws_cloudwatch_event_rule.XXXX-pipeline-event.name
target_id = "SendToCodePipeline"
arn = aws_codepipeline.cicd_pipeline.arn
role_arn = aws_iam_role.pipeline_role.arn
}
事件橋角色權限 terraform 代碼
data "aws_iam_policy_document" "event_bridge_role" {
statement {
actions = ["sts:AssumeRole"]
effect = "Allow"
principals {
type = "Service"
identifiers = ["events.amazonaws.com"]
}
}
}
resource "aws_iam_role" "pipeline_event_role" {
name = "xxxxx-pipeline-event-bridge-role"
assume_role_policy = data.aws_iam_policy_document.event_bridge_role.json
}
data "aws_iam_policy_document" "pipeline_event_role_policy" {
statement {
sid = ""
actions = ["codepipeline:StartPipelineExecution"]
resources = ["${aws_codepipeline.cicd_pipeline.arn}"]
effect = "Allow"
}
}
resource "aws_iam_policy" "pipeline_event_role_policy" {
name = "xxxx-codepipeline-event-role-policy"
policy = data.aws_iam_policy_document.pipeline_event_role_policy.json
}
resource "aws_iam_role_policy_attachment" "pipeline_event_role_attach_policy" {
role = aws_iam_role.pipeline_event_role.name
policy_arn = aws_iam_policy.pipeline_event_role_policy.arn
}
問題出在 CLoudtrail 過濾器上。 過濾器是為存儲桶和寫入操作設置的。
我不得不通過添加前綴來修改過濾器。因為我的事件橋正在尋找 my-app.zip 所以如果我只使用桶級前綴它不會被觸發
bucket/prefix and write action
文檔: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.