
CodePipeline: ECR as Source Action #7012

Open
jlsan92 opened this issue Jan 2, 2019 · 5 comments
Labels
enhancement service/codepipeline

Comments

@jlsan92 jlsan92 commented Jan 2, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

ECR was recently added to CodePipeline as a Source Stage/Action (link). The provider allows using ECR as a Source, but the CloudWatch Event configuration is missing, so the pipeline is never triggered.

New or Affected Resource(s)

  • aws_codepipeline

Potential Terraform Configuration

# Terraform 0.11-era syntax (the issue predates 0.12). The pipeline itself is
# created, but nothing in the provider creates the CloudWatch Event rule that
# the console adds alongside an ECR source action.
resource "aws_codepipeline" "this" {
  name     = "test-pipeline"
  role_arn = "${aws_iam_role.codepipeline.arn}"

  artifact_store {
    location = "${aws_s3_bucket.this.bucket}"
    type     = "S3"
  }

  stage {
    name = "Source"

    # ECR source action: the pipeline pulls RepositoryName:ImageTag when it
    # runs, but it only runs when something starts it.
    action {
      name             = "Source"
      category         = "Source"
      owner            = "AWS"
      provider         = "ECR"
      version          = "1"
      output_artifacts = ["source"]

      configuration {
        RepositoryName = "${aws_ecr_repository.this.name}"
        ImageTag       = "latest"
      }
    }
  }
}

References

  • N/A
jlsan92 added a commit to strvcom/terraform-aws-fargate that referenced this issue Jan 2, 2019
@bflad bflad added the service/codepipeline label Jan 3, 2019
@aeschright aeschright added the needs-triage label Jun 24, 2019
@aeschright aeschright added new-resource enhancement and removed new-resource labels Sep 13, 2019
@aeschright aeschright removed the needs-triage label Nov 20, 2019
@poflynn poflynn commented Jan 25, 2020

So sad :-( Any suggested workarounds to this?

@jpSimkins jpSimkins commented Aug 6, 2020

With pipelines becoming a standard, this has become a big issue. This is going to force many to move to the CDK. Is this on the roadmap to be addressed? 20 months and still nothing... given the lack of tags I assume there is no movement on this?

@tmegow tmegow commented May 7, 2021

This is still busted. Creating aws_codepipeline with ECR source doesn't create the CloudWatch Event rule that is created when doing the same action in the AWS console.

@tmegow tmegow commented May 7, 2021

# Rule: fire only on a successful PUSH of the exact repository and tag the
# pipeline's ECR source action reads. Dropping "result" would also fire on
# failed pushes; dropping "image-tag" would fire on every tag in the repo.
resource "aws_cloudwatch_event_rule" "image_push" {
  name     = "ecr_image_push"
  role_arn = aws_iam_role.cwe_role.arn

  event_pattern = <<EOF
{
  "source": [
    "aws.ecr"
  ],
  "detail": {
    "action-type": [
      "PUSH"
    ],
    "image-tag": [
      "latest"
    ],
    "repository-name": [
      "${var.ecr_repository_name}"
    ],
    "result": [
      "SUCCESS"
    ]
  },
  "detail-type": [
    "ECR Image Action"
  ]
}
EOF
}

# Target: the pipeline. role_arn is the role EventBridge assumes to call
# codepipeline:StartPipelineExecution. A target id must match
# [.\-_A-Za-z0-9]+ and be at most 64 characters, so a repository name that
# contains "/" (e.g. "team/app") has to be sanitised before it is used here.
resource "aws_cloudwatch_event_target" "codepipeline" {
  rule      = aws_cloudwatch_event_rule.image_push.name
  target_id = "${replace(var.ecr_repository_name, "/", "-")}-Image-Push-Codepipeline"
  arn       = aws_codepipeline.codepipeline.arn
  role_arn  = aws_iam_role.cwe_role.arn
}

# Role that only EventBridge (events.amazonaws.com) may assume.
resource "aws_iam_role" "cwe_role" {
  name               = "${var.project}-${var.life_cycle}-cwe-role"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": ["events.amazonaws.com"]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF
}

# Least privilege: the role can start this one pipeline and nothing else.
resource "aws_iam_policy" "cwe_policy" {
  name = "${var.project}-${var.life_cycle}-cwe-policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "codepipeline:StartPipelineExecution"
        ],
        "Resource": [
            "${aws_codepipeline.codepipeline.arn}"
        ]
    }
  ]
}
EOF
}

# aws_iam_role_policy_attachment rather than aws_iam_policy_attachment: the
# latter is exclusive and detaches the policy from every role, user or group
# not listed in it, which silently breaks other consumers of the same policy.
resource "aws_iam_role_policy_attachment" "cwe_policy_attachment" {
  role       = aws_iam_role.cwe_role.name
  policy_arn = aws_iam_policy.cwe_policy.arn
}

For anyone who needs to Terraform the CloudWatch Event Rule + Target, here is a TF v0.14.6 version of the console-created resources.

@rabidscorpio rabidscorpio commented Oct 5, 2021

@tmegow Thank you for this, having the detail section and the IAM permissions was really helpful.

Since I prefer to keep things as much in HCL as possible for readability, I made this change to the event rule (I added the IAM permissions to existing roles and policies):

# jsonencode() keeps the pattern in HCL and lets Terraform validate the JSON.
# The pipeline's existing service role is reused for the target, so its trust
# policy must also allow events.amazonaws.com and it must be permitted to call
# codepipeline:StartPipelineExecution on this pipeline.
resource "aws_cloudwatch_event_rule" "ecr_image_push" {
  name     = "${local.base_name}-ecr-image-push"
  role_arn = aws_iam_role.codepipeline.arn

  event_pattern = jsonencode({
    source      = ["aws.ecr"]
    detail-type = ["ECR Image Action"]

    # Keys inside "detail" are ANDed: only a successful PUSH of this
    # repository with the environment's tag starts the pipeline.
    detail = {
      repository-name = [local.source_ecr_repo_name]
      image-tag       = [var.environment]
      action-type     = ["PUSH"]
      result          = ["SUCCESS"]
    }
  })
}

resource "aws_cloudwatch_event_target" "ecr_image_push" {
  rule      = aws_cloudwatch_event_rule.ecr_image_push.name
  target_id = local.name_codepipeline
  arn       = aws_codepipeline.application.arn
  role_arn  = aws_iam_role.codepipeline.arn
}
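The issue description says the pipeline is never triggered because the event rule is missing, and the two workarounds above show the event pattern that has to exist. The Python below is an added example, not code from this thread or from the Terraform provider: it audits a pipeline definition against a set of EventBridge rules and reports every ECR source action that no enabled rule (targeting that pipeline, matching a successful push of the configured repository and tag) would start. The pipeline and rule dicts are constructed sample data shaped like the output of boto3's `codepipeline.get_pipeline()`, `events.describe_rule()` and `events.list_targets_by_rule()`; the pattern matcher is a simplified version of EventBridge matching (exact-match lists only, no content filters). The rule it checks is the same pattern the workaround creates, and the second source action is deliberately left without one so the audit has something to find.

```python
import json

# Constructed sample data, not taken from the issue. Shapes are trimmed
# versions of boto3's codepipeline.get_pipeline()["pipeline"] (with the ARN
# from ["metadata"]) and events.describe_rule() merged with the "Targets"
# list from events.list_targets_by_rule().
PIPELINE = {
    "name": "test-pipeline",
    "arn": "arn:aws:codepipeline:us-east-1:123456789012:test-pipeline",
    "stages": [{
        "name": "Source",
        "actions": [
            {"name": "WebImage",
             "actionTypeId": {"category": "Source", "owner": "AWS",
                              "provider": "ECR", "version": "1"},
             "configuration": {"RepositoryName": "app/web", "ImageTag": "latest"}},
            {"name": "WorkerImage",
             "actionTypeId": {"category": "Source", "owner": "AWS",
                              "provider": "ECR", "version": "1"},
             "configuration": {"RepositoryName": "app/worker", "ImageTag": "v2"}},
        ],
    }],
}

# The pattern the workaround in this thread creates, for app/web:latest only.
GOOD_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Action"],
    "detail": {
        "action-type": ["PUSH"],
        "image-tag": ["latest"],
        "repository-name": ["app/web"],
        "result": ["SUCCESS"],
    },
}

RULES = [
    {"Name": "ecr_image_push", "State": "ENABLED",
     "EventPattern": json.dumps(GOOD_PATTERN),
     "Targets": [{"Id": "app-web-Image-Push-Codepipeline", "Arn": PIPELINE["arn"]}]},
]


def ecr_push_event(repo, tag, result="SUCCESS"):
    """Build an 'ECR Image Action' event as EventBridge delivers it for a push."""
    return {
        "version": "0",
        "source": "aws.ecr",
        "detail-type": "ECR Image Action",
        "account": "123456789012",
        "region": "us-east-1",
        "resources": [],
        "detail": {"result": result, "repository-name": repo,
                   "image-digest": "sha256:" + "0" * 64,
                   "action-type": "PUSH", "image-tag": tag},
    }


def pattern_matches(pattern, event):
    """Simplified EventBridge matching: pattern keys are ANDed, a list of
    literals is ORed against the event value, nested dicts recurse.
    Content filters such as {"prefix": ...} are not implemented."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
        else:
            raise ValueError(f"pattern leaf for {key!r} must be a list")
    return True


def ecr_source_actions(pipeline):
    """Yield (stage, action, repository, tag) for each AWS/ECR source action."""
    for stage in pipeline["stages"]:
        for action in stage["actions"]:
            t = action["actionTypeId"]
            if (t["category"], t["owner"], t["provider"]) == ("Source", "AWS", "ECR"):
                cfg = action["configuration"]
                # ImageTag is optional on the action and defaults to "latest".
                yield (stage["name"], action["name"],
                       cfg["RepositoryName"], cfg.get("ImageTag", "latest"))


def audit_pipeline_triggers(pipeline, rules):
    """One finding per ECR source action that no ENABLED rule both targets
    this pipeline for and matches a successful push of its repo:tag."""
    findings = []
    for stage, action, repo, tag in ecr_source_actions(pipeline):
        event = ecr_push_event(repo, tag)
        covered = any(
            rule.get("State") == "ENABLED"
            and any(t["Arn"] == pipeline["arn"] for t in rule.get("Targets", []))
            and pattern_matches(json.loads(rule["EventPattern"]), event)
            for rule in rules)
        if not covered:
            findings.append(f"{stage}/{action}: no enabled rule starts "
                            f"{pipeline['name']} on a push of {repo}:{tag}")
    return findings


if __name__ == "__main__":
    for finding in audit_pipeline_triggers(PIPELINE, RULES):
        print(finding)
```

To run it against a real account, feed `audit_pipeline_triggers` the pipeline from `get_pipeline` and every rule from `list_rules` in the pipeline's region, each merged with its `list_targets_by_rule` output; rules created in another region never see the ECR events and will correctly show up as gaps. `pattern_matches` also answers the narrower question of why `result` and `image-tag` belong in the pattern: a failed push or a push of a different tag does not match the rule above.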

Development

No branches or pull requests

7 participants