我正在遵循HashiCorp的指示,以通过Webhook here设置AWS CodePipeline。我不断收到错误消息:
$ terraform plan -var-file="secret.tfvars" -out=tfplan -input=false
Error: provider.github: "organization": required field is not set
Error: provider.github: "token": required field is not set
但是他们的文档中没有任何地方说明要在何处添加这些字段。我尝试将它们添加到所有阶段,或者只是添加到Source阶段,因为这是唯一一次提到GitHub作为提供者。
我无需Webhook here即可配置其AWS CodePipeline。该选项可以定期进行轮询,但不像我可以使用控制台进行设置的webhook选项那样立即进行轮询。
为方便起见,这是tf文件:
resource "aws_codepipeline" "bar" {
name = "tf-test-pipeline"
role_arn = "${aws_iam_role.bar.arn}"
artifact_store {
location = "${aws_s3_bucket.bar.bucket}"
type = "S3"
encryption_key {
id = "${data.aws_kms_alias.s3kmskey.arn}"
type = "KMS"
}
}
stage {
name = "Source"
action {
name = "Source"
category = "Source"
owner = "ThirdParty"
provider = "GitHub"
version = "1"
output_artifacts = ["test"]
configuration = {
Owner = "my-organization"
Repo = "test"
Branch = "master"
}
}
}
stage {
name = "Build"
action {
name = "Build"
category = "Build"
owner = "AWS"
provider = "CodeBuild"
input_artifacts = ["test"]
version = "1"
configuration = {
ProjectName = "test"
}
}
}
}
# A shared secret between GitHub and AWS that allows AWS
# CodePipeline to authenticate the request came from GitHub.
# Would probably be better to pull this from the environment
# or something like SSM Parameter Store.
locals {
webhook_secret = "super-secret"
}
resource "aws_codepipeline_webhook" "bar" {
name = "test-webhook-github-bar"
authentication = "GITHUB_HMAC"
target_action = "Source"
target_pipeline = "${aws_codepipeline.bar.name}"
authentication_configuration {
secret_token = "${local.webhook_secret}"
}
filter {
json_path = "$.ref"
match_equals = "refs/heads/{Branch}"
}
}
# Wire the CodePipeline webhook into a GitHub repository.
resource "github_repository_webhook" "bar" {
repository = "${github_repository.repo.name}"
name = "web"
configuration {
url = "${aws_codepipeline_webhook.bar.url}"
content_type = "form"
insecure_ssl = true
secret = "${local.webhook_secret}"
}
events = ["push"]
}
更新
我尝试过的一件事是:
stage {
name = "Source"
action {
name = "Source"
category = "Source"
owner = "ThirdParty"
provider = "GitHub"
token = "${var.github_token}"
organization = "${var.github_username}"
version = "1"
output_artifacts = ["SourceArtifact"]
configuration {
# Owner = "${var.github_username}"
# OAuthToken = "${var.github_token}"
Repo = "${var.github_repo}"
Branch = "master"
PollForSourceChanges = "true"
}
}
}
答案 0 :(得分:2)
因此,您需要先设置Github provider。
样本为:
# Configure the GitHub Provider
provider "github" {
token = "${var.github_token}"
organization = "${var.github_organization}"
}
答案 1 :(得分:0)
我发现了我遇到的问题:
terraform模板具有一个称为
的变量locals {
webhook_secret = "super-secret"
}
部署模板后,它将用于与GitHub创建Webhook机密。没有webhook_secret。如果没有webhook_secret,则即使您为宝马token添加服务提供商并发布organization,错误也将持续存在。
HashiCorp还建议从环境或诸如SSM参数存储之类的环境中创建,存储和提取Webhook机密。
您还可以检查GitHub's guide to generate and secure your webhook secret(例如,通过在终端上获取ruby -rsecurerandom -e'puts SecureRandom.hex(20)'的输出)
这是工作模板,我只粘贴了更改,其余的(...)与HashiCorp的示例相同:
# Input variables
variable "aws_region" {
type = "string"
default = "us-east-1"
}
variable "pipeline_name" {
type = "string"
default = "static-website-terraform"
}
variable "github_username" {
type = "string"
default = "nditech"
}
variable "github_token" {
type = "string"
}
variable "webhook_secret" {
type = "string"
}
...
# Add webhook to pipeline
resource "aws_codepipeline_webhook" "codepipeline" {
name = "${var.pipeline_name}-codepipeline-webhook"
authentication = "GITHUB_HMAC"
target_action = "Source"
target_pipeline = "${aws_codepipeline.codepipeline.name}"
authentication_configuration {
secret_token = "${var.webhook_secret}"
}
filter {
json_path = "$.ref"
match_equals = "refs/heads/{Branch}"
}
}
# Wire the CodePipeline webhook into a GitHub repository.
resource "github_repository_webhook" "codepipeline" {
repository = "${var.github_repo}"
name = "web"
configuration {
url = "${aws_codepipeline_webhook.codepipeline.url}"
content_type = "form"
insecure_ssl = true
secret = "${var.webhook_secret}"
}
events = ["push"]
}