I am trying to use Terraform to trigger a CodePipeline from an upload to S3.
Use case: the Terraform code for various resources will be pushed as a zip file to a source bucket, which triggers the pipeline. The pipeline will then run the apply for the zip file. To run the pipeline, I set up a trigger.
Here is what I did.
- Created the source S3 bucket
- Created the CodePipeline
- Created a CloudWatch Events rule for the CloudTrail S3 event
- Manually created a CloudTrail trail, adding a data event to log write events on the source bucket.
After doing all of this, my pipeline does not trigger when a new object is uploaded to the bucket.
I was reading this documentation, which has a specific statement about sending trail events to the EventBridge rule; I think this is the cause, but I cannot find the option to add it via the console.
AWS CloudTrail is a service that logs and filters events on the Amazon S3 source bucket. The trail sends the filtered source changes to the Amazon CloudWatch Events rule. The Amazon CloudWatch Events rule detects the source change and then starts the pipeline.
https://docs.aws.amazon.com/codepipeline/latest/userguide/create-cloudtrail-S3-source.html
Here is my EventBridge rule:
```hcl
# Matches CloudTrail-delivered S3 write calls for the one object the pipeline consumes.
resource "aws_cloudwatch_event_rule" "xxxx-pipeline-event" {
  name        = "xxxx-ci-cd-pipeline-event"
  description = "Cloud watch event when zip is uploaded to s3"
  event_pattern = <<EOF
{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["PutObject", "CompleteMultipartUpload", "CopyObject"],
    "requestParameters": {
      "bucketName": ["xxxxx-ci-cd-zip"],
      "key": ["app.zip"]
    }
  }
}
EOF
}

# Starts the pipeline when the rule matches; the rule reference must use the
# resource name exactly as declared above, and the role must be the one that
# is granted codepipeline:StartPipelineExecution below.
resource "aws_cloudwatch_event_target" "code-pipeline" {
  rule      = aws_cloudwatch_event_rule.xxxx-pipeline-event.name
  target_id = "SendToCodePipeline"
  arn       = aws_codepipeline.cicd_pipeline.arn
  role_arn  = aws_iam_role.pipeline_event_role.arn
}
```
EventBridge role permission code:
```hcl
# Trust policy: only the EventBridge service may assume this role.
data "aws_iam_policy_document" "event_bridge_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "pipeline_event_role" {
  name               = "xxxxx-pipeline-event-bridge-role"
  assume_role_policy = data.aws_iam_policy_document.event_bridge_role.json
}

# Least privilege: the role may start only this one pipeline.
data "aws_iam_policy_document" "pipeline_event_role_policy" {
  statement {
    sid       = ""
    actions   = ["codepipeline:StartPipelineExecution"]
    resources = [aws_codepipeline.cicd_pipeline.arn]
    effect    = "Allow"
  }
}

resource "aws_iam_policy" "pipeline_event_role_policy" {
  name   = "xxxx-codepipeline-event-role-policy"
  policy = data.aws_iam_policy_document.pipeline_event_role_policy.json
}

resource "aws_iam_role_policy_attachment" "pipeline_event_role_attach_policy" {
  role       = aws_iam_role.pipeline_event_role.name
  policy_arn = aws_iam_policy.pipeline_event_role_policy.arn
}
```
I am using this to accomplish a similar goal, but I have the problem that aws_s3_object does not always trigger the notification:
s3.tf, cloudwatch.tf, codebuild.tf

Answer:
The problem was the CloudTrail filter. Set the filter for the bucket and write operations.
I had to modify the filter by adding a prefix. Because my EventBridge rule was looking for my-app.zip, if I only used the bucket-level prefix
it would not be triggered: bucket/prefix and write action.
Docs: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
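The fix described in the answer, written as Terraform instead of a manual console change; this is an added example, not code from the question or the answer. It assumes a log bucket `aws_s3_bucket.trail_logs` whose bucket policy already allows cloudtrail.amazonaws.com to write to it, and the trail name is made up.

```terraform
# Added example (not from the original post): a CloudTrail trail that logs S3
# data events for the source bucket/prefix, so the EventBridge rule in the
# question actually receives PutObject / CopyObject / CompleteMultipartUpload
# records. Assumed: aws_s3_bucket.trail_logs and aws_s3_bucket_policy.trail_logs
# exist and grant cloudtrail.amazonaws.com write access.
resource "aws_cloudtrail" "pipeline_source_trail" {
  name           = "xxxx-pipeline-source-trail" # assumed name
  s3_bucket_name = aws_s3_bucket.trail_logs.id  # assumed log bucket

  # S3 object-level calls are data events, which CloudTrail does not log by
  # default. Without this selector no PutObject record is ever emitted, so the
  # EventBridge rule has nothing to match and the pipeline never starts.
  event_selector {
    read_write_type           = "WriteOnly" # the three eventNames in the rule are all writes
    include_management_events = false

    data_resource {
      type = "AWS::S3::Object"
      # Bucket ARN plus the object prefix the rule filters on ("app.zip"):
      # the "bucket/prefix and write action" filter from the answer.
      values = ["arn:aws:s3:::xxxxx-ci-cd-zip/app.zip"]
    }
  }

  # Creating the trail fails if the log bucket policy is not in place yet.
  depends_on = [aws_s3_bucket_policy.trail_logs]
}
```

After applying, a test upload of app.zip should appear as a PutObject record in the trail's log bucket before you expect the rule to fire; if the record is missing, the selector (not the rule) is what needs fixing.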