Trigger AWS CodePipeline With A GitHub Webhook Using Terraform


joestump / test.tf
Last active 6 months ago


Trigger AWS CodePipeline with a GitHub webhook using Terraform

test.tf

# Provider blocks carry no explicit settings: region and credentials are not
# configured in this file (presumably supplied by the environment or shared
# config — confirm before relying on it).
provider "aws" {}

# Likewise the GitHub provider: the token and organisation are not set here.
provider "github" {}
# Private GitHub repository that the pipeline's Source stage pulls from.
resource "github_repository" "test" {
  private     = true
  name        = "joestump-test"
  description = "Terraform test repository"
}
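# Artifact store for the pipeline and cache bucket for the CodeBuild project.
resource "aws_s3_bucket" "test" {
  bucket = "joestump-test-bucket"
  acl    = "private"

  # The role policy reads artifacts by version (s3:GetObjectVersion,
  # s3:GetBucketVersioning); keep a history of every object so a revision
  # cannot be silently overwritten.
  versioning {
    enabled = true
  }

  # Encrypt everything written to the bucket with the pipeline's CMK by
  # default, so objects that bypass the pipeline's artifact_store encryption
  # (for example the CodeBuild cache) are still protected at rest.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = "${aws_kms_key.test.arn}"
      }
    }
  }
}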
# Trust policy: lets the CodeBuild and CodePipeline services assume the role
# below. Both services share one role here, so each inherits every permission
# the other needs; separate roles would give a tighter least-privilege boundary.
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      type = "Service"

      identifiers = [
        "codebuild.amazonaws.com",
        "codepipeline.amazonaws.com",
      ]
    }
  }
}
# Single execution role used by both the CodeBuild project and the pipeline.
resource "aws_iam_role" "test" {
  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
  name               = "joestump-test-role"
}

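# Permissions policy attached to the shared CodeBuild/CodePipeline role.
# Several statements still use resources = ["*"]; each is marked below so its
# scope can be narrowed once the concrete ARNs are known.
data "aws_iam_policy_document" "test" {
  # CodePipeline and CodeBuild use CloudWatch logs for managing their console output.
  # This statement gives them the appropriate access according to the docs.
  # Wildcard resource: could be narrowed to the build project's log group ARN.
  statement {
    sid    = "AllowLogging"
    effect = "Allow"

    resources = ["*"]

    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
  }

  # Key that encrypts pipeline artifacts (see aws_codepipeline.test.artifact_store).
  statement {
    sid    = "AllowAccessToTheKMSKey"
    effect = "Allow"

    resources = [
      "${aws_kms_key.test.arn}",
    ]

    actions = [
      "kms:DescribeKey",
      "kms:ListKeyPolicies",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:GenerateDataKey*",
      "kms:ReEncrypt*",
    ]
  }

  # Object-level access to artifacts. s3:ListBucket is a bucket-level action
  # and never matches an object ARN, so it is granted on the bucket ARN in the
  # next statement rather than here.
  statement {
    sid    = "AllowAccessToArtifactsInS3"
    effect = "Allow"

    resources = [
      "${aws_s3_bucket.test.arn}/*",
    ]

    actions = [
      "s3:DeleteObject",
      "s3:GetObject*",
      "s3:PutObject*",
    ]
  }

  # Bucket-level access to the artifact store. Object reads are covered by
  # s3:GetObject* on the object ARNs above (object actions never match a bare
  # bucket ARN), and "s3:ListObjects" is an API name rather than an IAM action,
  # so both have been dropped from this statement.
  statement {
    sid    = "AllowAccessToArtifactsBucketInS3"
    effect = "Allow"

    resources = [
      "${aws_s3_bucket.test.arn}",
    ]

    actions = [
      "s3:GetBucketVersioning",
      "s3:ListBucket",
    ]
  }

  # Buckets CodePipeline/Beanstalk create for themselves, matched by prefix.
  statement {
    sid    = "AllowCodePipelineToManageResourcesItCreates"
    effect = "Allow"

    resources = [
      "arn:aws:s3:::codepipeline*",
      "arn:aws:s3:::elasticbeanstalk*",
    ]

    actions = [
      "s3:PutObject",
    ]
  }

  # Wildcard resource: no CodeDeploy application is defined in this file, so
  # the ARNs to scope this to are not known here.
  statement {
    sid    = "AllowCodePipelinToRunCodeDeploy"
    effect = "Allow"

    resources = [
      "*",
    ]

    actions = [
      "codedeploy:CreateDeployment",
      "codedeploy:GetApplicationRevision",
      "codedeploy:GetDeployment",
      "codedeploy:GetDeploymentConfig",
      "codedeploy:RegisterApplicationRevision",
    ]
  }

  # Mostly read-only Describe/Get calls, but the Beanstalk, CloudFormation and
  # Auto Scaling entries below also include mutating actions
  # (UpdateEnvironment, UpdateStack, Suspend/ResumeProcesses) on "*".
  statement {
    sid    = "AllowCodePipelineToSeeResources"
    effect = "Allow"

    resources = [
      "*",
    ]

    actions = [
      "elasticbeanstalk:CreateApplicationVersion",
      "elasticbeanstalk:DescribeApplicationVersions",
      "elasticbeanstalk:DescribeEnvironments",
      "elasticbeanstalk:DescribeEvents",
      "elasticbeanstalk:UpdateEnvironment",
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeScalingActivities",
      "autoscaling:ResumeProcesses",
      "autoscaling:SuspendProcesses",
      "cloudformation:GetTemplate",
      "cloudformation:DescribeStackResource",
      "cloudformation:DescribeStackResources",
      "cloudformation:DescribeStackEvents",
      "cloudformation:DescribeStacks",
      "cloudformation:UpdateStack",
      "ec2:DescribeInstances",
      "ec2:DescribeImages",
      "ec2:DescribeAddresses",
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcs",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeKeyPairs",
      "elasticloadbalancing:DescribeLoadBalancers",
      "rds:DescribeDBInstances",
      "rds:DescribeOrderableDBInstanceOptions",
      "sns:ListSubscriptionsByTopic",
    ]
  }

  # Wildcard resource: this lets the role invoke any Lambda function in the
  # account. Scope it to the specific function ARNs the pipeline calls.
  # (IAM action names are case-insensitive, so the lowercase spelling works.)
  statement {
    sid    = "AllowCodePipelineToInvokeLambdaFunctions"
    effect = "Allow"

    resources = [
      "*",
    ]

    actions = [
      "lambda:invokefunction",
      "lambda:listfunctions",
    ]
  }

  statement {
    sid    = "AllowCodePipelineToManageBeanstalkS3Artifacts"
    effect = "Allow"

    resources = [
      "arn:aws:s3:::elasticbeanstalk*",
    ]

    actions = [
      "s3:ListBucket",
      "s3:GetBucketPolicy",
      "s3:GetObjectAcl",
      "s3:PutObjectAcl",
      "s3:DeleteObject",
    ]
  }

  # Wildcard resource. StartBuild/StopBuild could be limited to
  # aws_codebuild_project.test, but the BatchGet/List actions operate on build
  # and project ARNs that are only known at run time.
  statement {
    sid    = "AllowCodePipelineToManageCodeBuildJobs"
    effect = "Allow"

    resources = [
      "*",
    ]

    actions = [
      "codebuild:StartBuild",
      "codebuild:StopBuild",
      "codebuild:BatchGetBuilds",
      "codebuild:BatchGetProjects",
      "codebuild:ListBuilds",
      "codebuild:ListBuildsForProject",
      "codebuild:ListProjects",
    ]
  }
}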
224
# Attaches the permissions document above to the shared role as an inline policy.
resource "aws_iam_role_policy" "test" {
  role   = "${aws_iam_role.test.id}"
  policy = "${data.aws_iam_policy_document.test.json}"
  name   = "joestump_codepipeline_policy"
}
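# Customer-managed key that encrypts pipeline artifacts in S3.
resource "aws_kms_key" "test" {
  description = "joestump-test-key"

  # Rotate the key material automatically; the role policy already grants
  # kms:GetKeyRotationStatus, so callers can observe the rotation state.
  enable_key_rotation = true
}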
# Human-readable alias for the artifact key.
resource "aws_kms_alias" "test" {
  target_key_id = "${aws_kms_key.test.key_id}"
  name          = "alias/joestump-test"
}
# Build project driven by the pipeline: source and artifacts both go through
# CodePipeline, and the build cache lives in the artifact bucket.
resource "aws_codebuild_project" "test" {
  name          = "joestump-test-project"
  description   = "Joe Stump testing GitHub and CodePipeline"
  service_role  = "${aws_iam_role.test.arn}"
  build_timeout = "5"

  source {
    type = "CODEPIPELINE"
  }

  artifacts {
    type = "CODEPIPELINE"
  }

  environment {
    type         = "LINUX_CONTAINER"
    compute_type = "BUILD_GENERAL1_SMALL"

    # Docker Hub image referenced without a tag or digest, so every build
    # pulls whatever the reference currently resolves to; pinning by digest
    # would make the build environment reproducible and reviewable.
    image = "sfdcpcg/ci-tools"
  }

  cache {
    type     = "S3"
    location = "${aws_s3_bucket.test.bucket}"
  }

  tags {
    "Joe_Stump" = "Test"
  }
}
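# Two-stage pipeline: pull the repository from GitHub, then run the CodeBuild
# project. Artifacts are stored in the S3 bucket, encrypted with the CMK.
resource "aws_codepipeline" "test" {
  name     = "joestump-test-pipeline"
  role_arn = "${aws_iam_role.test.arn}"

  artifact_store {
    location = "${aws_s3_bucket.test.bucket}"
    type     = "S3"

    encryption_key {
      id   = "${aws_kms_key.test.arn}"
      type = "KMS"
    }
  }

  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "ThirdParty"
      provider         = "GitHub"
      version          = "1"
      output_artifacts = ["test"]

      configuration {
        # NOTE(review): Owner is a literal organisation name while Repo is the
        # repository created under the github provider's own configuration;
        # confirm both refer to the same organisation.
        Owner  = "sfdc-pcg"
        Repo   = "${github_repository.test.name}"
        Branch = "master"

        # Changes are delivered by the aws_codepipeline_webhook defined below.
        # Without this the GitHub v1 action also polls the repository, so the
        # same push would be picked up twice.
        PollForSourceChanges = "false"

        # No OAuthToken is set here. The AWS provider can read it from the
        # GITHUB_TOKEN environment variable — confirm that is how it is
        # supplied, and keep it out of this file either way.
      }
    }
  }

  stage {
    name = "Build"

    action {
      name            = "Build"
      category        = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      input_artifacts = ["test"]
      version         = "1"

      configuration {
        ProjectName = "${aws_codebuild_project.test.name}"
      }
    }
  }
}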
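# Shared secret GitHub uses to sign webhook deliveries and CodePipeline uses to
# verify them (GITHUB_HMAC). It is supplied at apply time rather than committed
# to source control as a literal. Note that Terraform still records the value
# in state, so the state backend needs the same protection as the secret.
variable "webhook_secret" {
  description = "HMAC secret shared between the GitHub webhook and the CodePipeline webhook"
}

locals {
  webhook_secret = "${var.webhook_secret}"
}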
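# Inbound webhook on the pipeline. GitHub signs each delivery with the shared
# secret (GITHUB_HMAC) and only pushes to the configured Branch start the
# Source action.
#
# Labelled "test" to match the aws_codepipeline_webhook.test.url reference in
# github_repository_webhook.test (and every other resource label in this file).
resource "aws_codepipeline_webhook" "test" {
  name            = "test-webhook-github-bar"
  authentication  = "GITHUB_HMAC"
  target_action   = "Source"
  target_pipeline = "${aws_codepipeline.test.name}"

  authentication_configuration {
    secret_token = "${local.webhook_secret}"
  }

  # {Branch} is substituted from the target action's configuration.
  filter {
    json_path    = "$.ref"
    match_equals = "refs/heads/{Branch}"
  }
}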
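# Registers the CodePipeline webhook endpoint with the GitHub repository so
# pushes are delivered to it, signed with the shared HMAC secret.
resource "github_repository_webhook" "test" {
  repository = "${github_repository.test.name}"

  name = "web"

  configuration {
    url = "${aws_codepipeline_webhook.test.url}"

    # CodePipeline evaluates the webhook filter (json_path "$.ref") against
    # the request body, so GitHub has to deliver the payload as JSON rather
    # than form-encoded.
    content_type = "json"

    # The URL is an AWS-hosted endpoint; keep certificate verification on so
    # the signed payload cannot be redirected to a spoofed endpoint.
    insecure_ssl = false

    secret = "${local.webhook_secret}"
  }

  events = ["push"]
}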
