我正在遵循Hashicorp的指令,以便在此处使用Webhook提供AWS AWS CodePipeline。我不断遇到错误:
$ terraform plan -var-file="secret.tfvars" -out=tfplan -input=false
Error: provider.github: "organization": required field is not set
Error: provider.github: "token": required field is not set
,但在他们的文档中没有在哪里添加这些字段的地方。我尝试将它们添加到所有阶段,或者只是源阶段,因为这是GitHub唯一被提及的提供商。
我能够在这里不用Webhook提供他们的AWS CodePipeline。该一个可以定期进行轮询的选项,但不像我可以使用控制台设置的Webhook选项进行轮询。
为了方便起见,这是tf文件:
resource "aws_codepipeline" "bar" {
name = "tf-test-pipeline"
role_arn = "${aws_iam_role.bar.arn}"
artifact_store {
location = "${aws_s3_bucket.bar.bucket}"
type = "S3"
encryption_key {
id = "${data.aws_kms_alias.s3kmskey.arn}"
type = "KMS"
}
}
stage {
name = "Source"
action {
name = "Source"
category = "Source"
owner = "ThirdParty"
provider = "GitHub"
version = "1"
output_artifacts = ["test"]
configuration = {
Owner = "my-organization"
Repo = "test"
Branch = "master"
}
}
}
stage {
name = "Build"
action {
name = "Build"
category = "Build"
owner = "AWS"
provider = "CodeBuild"
input_artifacts = ["test"]
version = "1"
configuration = {
ProjectName = "test"
}
}
}
}
# A shared secret between GitHub and AWS that allows AWS
# CodePipeline to authenticate the request came from GitHub.
# Would probably be better to pull this from the environment
# or something like SSM Parameter Store.
locals {
webhook_secret = "super-secret"
}
resource "aws_codepipeline_webhook" "bar" {
name = "test-webhook-github-bar"
authentication = "GITHUB_HMAC"
target_action = "Source"
target_pipeline = "${aws_codepipeline.bar.name}"
authentication_configuration {
secret_token = "${local.webhook_secret}"
}
filter {
json_path = "$.ref"
match_equals = "refs/heads/{Branch}"
}
}
# Wire the CodePipeline webhook into a GitHub repository.
resource "github_repository_webhook" "bar" {
repository = "${github_repository.repo.name}"
name = "web"
configuration {
url = "${aws_codepipeline_webhook.bar.url}"
content_type = "form"
insecure_ssl = true
secret = "${local.webhook_secret}"
}
events = ["push"]
}
更新
我尝试过的一件事是:
stage {
name = "Source"
action {
name = "Source"
category = "Source"
owner = "ThirdParty"
provider = "GitHub"
token = "${var.github_token}"
organization = "${var.github_username}"
version = "1"
output_artifacts = ["SourceArtifact"]
configuration {
# Owner = "${var.github_username}"
# OAuthToken = "${var.github_token}"
Repo = "${var.github_repo}"
Branch = "master"
PollForSourceChanges = "true"
}
}
}
,因此您需要首先设置GitHub提供商。
样本为:
# Configure the GitHub Provider
provider "github" {
token = "${var.github_token}"
organization = "${var.github_organization}"
}
我已经弄清楚了我遇到的问题:
Terraform模板具有称为
的VARlocals {
webhook_secret = "super-secret"
}
将在部署模板时使用GitHub创建Webhook Secret。没有webhook_secret。没有webhook_secret,即使您添加了像BMW的token答案和问题organization的答案,错误也会持续下去。
hashicorp还建议从环境中创建,存储和拉出Webhook秘密或类似SSM参数商店的东西。
您还可以检查GitHub指南以生成和保护Webhook Secret(例如,通过将Ruby -rsecurerandom -e输出取出superererandom.hex(20)'在终端)
这是工作模板,我只粘贴了更改,其余的(...)看起来与Hashicorp的示例相同:
# Input variables
variable "aws_region" {
type = "string"
default = "us-east-1"
}
variable "pipeline_name" {
type = "string"
default = "static-website-terraform"
}
variable "github_username" {
type = "string"
default = "nditech"
}
variable "github_token" {
type = "string"
}
variable "webhook_secret" {
type = "string"
}
...
# Add webhook to pipeline
resource "aws_codepipeline_webhook" "codepipeline" {
name = "${var.pipeline_name}-codepipeline-webhook"
authentication = "GITHUB_HMAC"
target_action = "Source"
target_pipeline = "${aws_codepipeline.codepipeline.name}"
authentication_configuration {
secret_token = "${var.webhook_secret}"
}
filter {
json_path = "$.ref"
match_equals = "refs/heads/{Branch}"
}
}
# Wire the CodePipeline webhook into a GitHub repository.
resource "github_repository_webhook" "codepipeline" {
repository = "${var.github_repo}"
name = "web"
configuration {
url = "${aws_codepipeline_webhook.codepipeline.url}"
content_type = "form"
insecure_ssl = true
secret = "${var.webhook_secret}"
}
events = ["push"]
}