CodePipeline: ECR as Source Action #7012

Closed
jlsan92 opened this issue Jan 2, 2019 · 7 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/codepipeline Issues and PRs that pertain to the codepipeline service.

Comments

@jlsan92

jlsan92 commented Jan 2, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

ECR was recently added to CodePipeline as a Source Stage/Action (link). The provider allows using ECR as a Source, but the CloudWatch Event configuration is missing, so the pipeline is never triggered.

New or Affected Resource(s)

  • aws_codepipeline

Potential Terraform Configuration

resource "aws_codepipeline" "this" {
  name     = "test-pipeline"
  role_arn = "${aws_iam_role.codepipeline.arn}"

  artifact_store {
    location = "${aws_s3_bucket.this.bucket}"
    type     = "S3"
  }

  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "AWS"
      provider         = "ECR"
      version          = "1"
      output_artifacts = ["source"]

      configuration {
        RepositoryName = "${aws_ecr_repository.this.name}"
        ImageTag       = "latest"
      }
    }
  }
}

References

  • N/A
jlsan92 added a commit to strvcom/terraform-aws-fargate that referenced this issue Jan 2, 2019
@bflad bflad added the service/codepipeline Issues and PRs that pertain to the codepipeline service. label Jan 3, 2019
@aeschright aeschright added the needs-triage Waiting for first response or review from a maintainer. label Jun 24, 2019
@aeschright aeschright added new-resource Introduces a new resource. enhancement Requests to existing resources that expand the functionality or scope. and removed new-resource Introduces a new resource. labels Sep 13, 2019
@aeschright aeschright removed the needs-triage Waiting for first response or review from a maintainer. label Nov 20, 2019
@poflynn

poflynn commented Jan 25, 2020

So sad :-( Any suggested workarounds to this?

@jpSimkins

With pipelines becoming a standard, this has become a big issue. This is going to force many to move to the CDK. Is this on the roadmap to be addressed? 20 months and still nothing... given the lack of tags I assume there is no movement on this?

@tmegow

tmegow commented May 7, 2021

This is still busted. Creating aws_codepipeline with ECR source doesn't create the CloudWatch Event rule that is created when doing the same action in the AWS console.

@tmegow

tmegow commented May 7, 2021

resource "aws_cloudwatch_event_rule" "image_push" {
  name     = "ecr_image_push"
  role_arn = aws_iam_role.cwe_role.arn

  event_pattern = <<EOF
{
  "source": [
    "aws.ecr"
  ],
  "detail": {
    "action-type": [
      "PUSH"
    ],
    "image-tag": [
      "latest"
    ],
    "repository-name": [
      "${var.ecr_repository_name}"
    ],
    "result": [
      "SUCCESS"
    ]
  },
  "detail-type": [
    "ECR Image Action"
  ]
}
EOF
}

resource "aws_cloudwatch_event_target" "codepipeline" {
  rule      = aws_cloudwatch_event_rule.image_push.name
  target_id = "${var.ecr_repository_name}-Image-Push-Codepipeline"
  arn       = aws_codepipeline.codepipeline.arn
  role_arn  = aws_iam_role.cwe_role.arn
}
resource "aws_iam_role" "cwe_role" {
  name               = "${var.project}-${var.life_cycle}-cwe-role"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": ["events.amazonaws.com"]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF
}

resource "aws_iam_policy" "cwe_policy" {
  name = "${var.project}-${var.life_cycle}-cwe-policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "codepipeline:StartPipelineExecution"
        ],
        "Resource": [
            "${aws_codepipeline.codepipeline.arn}"
        ]
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "cws_policy_attachment" {
  name       = "${var.project}-${var.life_cycle}-cwe-policy"
  roles      = [aws_iam_role.cwe_role.name]
  policy_arn = aws_iam_policy.cwe_policy.arn
}

For anyone who needs to Terraform the CloudWatch Event Rule + Target, here is a TF v0.14.6 version of the console-created resources.

@rabidscorpio

@tmegow Thank you for this, having the detail section and the IAM permissions was really helpful.

Since I prefer to keep things as much in HCL as possible for readability, I made this change to the event rule (I added the IAM permissions to existing roles and policies):

resource "aws_cloudwatch_event_rule" "ecr_image_push" {
  name     = "${local.base_name}-ecr-image-push"
  role_arn = aws_iam_role.codepipeline.arn

  event_pattern = jsonencode({
    source      = ["aws.ecr"]
    detail-type = ["ECR Image Action"]

    detail = {
      repository-name = [local.source_ecr_repo_name]
      image-tag       = [var.environment]
      action-type     = ["PUSH"]
      result          = ["SUCCESS"]
    }
  })
}

resource "aws_cloudwatch_event_target" "ecr_image_push" {
  rule      = aws_cloudwatch_event_rule.ecr_image_push.name
  target_id = local.name_codepipeline
  arn       = aws_codepipeline.application.arn
  role_arn  = aws_iam_role.codepipeline.arn
}
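The two event patterns above (tmegow's heredoc and rabidscorpio's jsonencode version) express the same filter. As an added example that is not part of the issue, this Python script re-implements EventBridge's exact-match semantics for plain values (no prefix/anything-but filters) and runs the rule over constructed "ECR Image Action" events, so you can see offline which pushes would start the pipeline and which (other tag, other repository, failed or non-push actions) would not. The repository name "my-app" is a constructed stand-in for var.ecr_repository_name.

```python
# Added example: a minimal EventBridge exact-match evaluator for the rule
# above. Only plain value matching is implemented (no content filters).

# The pattern from the comments, with the Terraform variable replaced by a
# constructed placeholder repository name.
ECR_PUSH_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Action"],
    "detail": {
        "repository-name": ["my-app"],   # stand-in for var.ecr_repository_name
        "image-tag": ["latest"],
        "action-type": ["PUSH"],
        "result": ["SUCCESS"],
    },
}


def matches(pattern, event):
    """True if `event` matches `pattern` under EventBridge exact-match rules:
    every pattern key must exist in the event, a list of pattern values means
    "any of these", nested dicts are matched recursively, and event fields the
    pattern does not mention are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False          # missing field never matches (e.g. no image-tag)
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            # An event value may itself be a list; any element matching suffices.
            values = actual if isinstance(actual, list) else [actual]
            if not any(v in expected for v in values):
                return False
    return True


def ecr_event(repo, tag, action="PUSH", result="SUCCESS"):
    """Construct an 'ECR Image Action' event with the fields the rule inspects."""
    return {
        "source": "aws.ecr",
        "detail-type": "ECR Image Action",
        "detail": {"repository-name": repo, "image-tag": tag,
                   "action-type": action, "result": result},
    }


def triggers_pipeline(event):
    """Would the rule forward this event to the CodePipeline target?"""
    return matches(ECR_PUSH_PATTERN, event)
```

Running `triggers_pipeline` over events built with `ecr_event` shows that only a successful PUSH of the `latest` tag to `my-app` matches; a push of another tag, a push to another repository, a FAILURE result, or a DELETE action is filtered out by the rule and never starts the pipeline.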

@ewbankkit
Contributor

Closing this issue as I have verified that RepositoryName and ImageTag can be specified in configuration and the examples above show how to create the CloudWatch event.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 10, 2022