I am trying to configure an AWS CodePipeline that retrieves code from a Bitbucket repository and then executes a script. So far manipulating the repository in AWS CodePipeline has proven to be problematic. The following are terraform resources I have in place for this AWS CodePipeline:
AWS IAM
data "aws_iam_policy_document" "example_assume_role_codebuild" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }
    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "example_codebuild_role" {
  name               = "example_codebuild_role"
  assume_role_policy = data.aws_iam_policy_document.example_assume_role_codebuild.json
  # Grants the build role full account permissions; scope this down for least privilege.
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AdministratorAccess"
  ]
}

data "aws_iam_policy_document" "example_assume_role" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["codepipeline.amazonaws.com"]
    }
    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "example_codepipeline_role" {
  name               = "example_codepipeline_role"
  assume_role_policy = data.aws_iam_policy_document.example_assume_role.json
}
data "aws_iam_policy_document" "example_codepipeline_policy" {
  statement {
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketVersioning",
      "s3:PutObjectAcl",
      "s3:PutObject",
    ]
    resources = [
      aws_s3_bucket.example-s3-bucket.arn,
      "${aws_s3_bucket.example-s3-bucket.arn}/*"
    ]
  }
  statement {
    effect    = "Allow"
    actions   = ["codestar-connections:UseConnection"]
    resources = [aws_codestarconnections_connection.example_bitbucket.arn]
  }
  statement {
    effect = "Allow"
    actions = [
      "codebuild:BatchGetBuilds",
      "codebuild:StartBuild",
    ]
    resources = ["*"]
  }
  statement {
    effect = "Allow"
    actions = [
      "sns:Publish",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "example_codepipeline_policy" {
  name   = "example_codepipeline_policy"
  role   = aws_iam_role.example_codepipeline_role.id
  policy = data.aws_iam_policy_document.example_codepipeline_policy.json
}
AWS Developer Tools settings
resource "aws_codestarconnections_connection" "example_bitbucket" {
  name          = "example_bitbucket"
  provider_type = "Bitbucket"
}
AWS CodePipeline
resource "aws_codepipeline" "example_codepipeline" {
  name     = "example-codepipeline"
  role_arn = aws_iam_role.example_codepipeline_role.arn

  artifact_store {
    location = aws_s3_bucket.example-s3-bucket.bucket
    type     = "S3"
  }

  stage {
    name = "Source"
    action {
      name             = "Source"
      category         = "Source"
      owner            = "AWS"
      provider         = "CodeStarSourceConnection"
      version          = "1"
      output_artifacts = ["source_output"]
      configuration = {
        ConnectionArn    = aws_codestarconnections_connection.example_bitbucket.arn
        FullRepositoryId = "workspace/example-bitbucket-repo"
        BranchName       = "main"
        DetectChanges    = "false"
      }
    }
  }

  stage {
    name = "Build"
    action {
      name             = "Execute"
      category         = "Build"
      owner            = "AWS"
      provider         = "CodeBuild"
      input_artifacts  = ["source_output"]
      output_artifacts = ["build_output"]
      version          = "1"
      run_order        = "1"
      configuration = {
        ProjectName = "example-codebuild"
      }
    }
  }
}
On top of these resources being in place, I have checked the Bitbucket repository I am using here and it seems that a certain user, Bitbucket-AWS-INT, has write access to it.
All that said, when I run the AWS CodePipeline in question it fails while attempting to pull the Bitbucket repository, with the following output:
Error code: Action execution failed
Error message: [Bitbucket] No Branch [main] found for FullRepositoryName [workspace/example-bitbucket-repo]
main is the only branch on this repository at the moment.
Anyone know why I am getting this message? What can I do to resolve it?
I had the same error until I manually approved the pending CodeStar connection from the console. Once you approve it, you will be redirected to Bitbucket to allow AWS to access your repository.
You can give access to the full repository, but in my case giving access to a specific branch proved to be the working solution.
A connection created through the AWS Command Line Interface (AWS CLI) or AWS CloudFormation is in PENDING status by default. After you create a connection with the AWS CLI or AWS CloudFormation, use the console to update the connection to make its status AVAILABLE.
https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-update.html
It is also mentioned in the Terraform docs, in the note section:
The aws_codestarconnections_connection resource is created in the state PENDING. Authentication with the connection provider must be completed in the AWS Console.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codestarconnections_connection
I also see a problem with how you have provided FullRepositoryId. It should be like this:
configuration = {
  ConnectionArn    = aws_codestarconnections_connection.codepipeline_github.arn
  FullRepositoryId = "jatinmehrotra/ekscicdtest"
  BranchName       = "master"
}
Just a note: you also missed the trigger, which defines when your pipeline should be triggered. It depends on your use case, but for my GitHub repo I added something like this:
resource "aws_codepipeline" "codepipeline" {
  name           = "eks-codepipeline"
  role_arn       = aws_iam_role.codepipeline_role.arn
  pipeline_type  = "V2"
  execution_mode = "QUEUED"

  trigger {
    provider_type = "CodeStarSourceConnection"
    git_configuration {
      source_action_name = "Source"
      push {
        branches {
          includes = ["master"]
        }
      }
    }
  }

  // terraform code

  stage {
    name = "Source"
    configuration = {
      ConnectionArn    = aws_codestarconnections_connection.codepipeline_github.arn
      FullRepositoryId = "jatinmehrotra/ekscicdtest"
      BranchName       = "master"
    }
    // rest of the pipeline code
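As an added pre-flight check (not part of either post above), the function below takes the JSON that `aws codestar-connections get-connection` returns together with the Source action configuration, and reports the conditions this answer describes: a connection still in PENDING, a FullRepositoryId that is not in owner/repo form, and DetectChanges = "false" with no trigger block, which leaves the pipeline with nothing to start it. The sample JSON, the `preflight` function and the repository-id regex are constructed for illustration; the regex is an approximate shape check, not Bitbucket's exact naming rules.

```python
import json
import re

# Constructed sample of the JSON that `aws codestar-connections get-connection`
# returns for a connection that Terraform created but nobody approved yet.
SAMPLE_GET_CONNECTION = json.dumps({
    "Connection": {
        "ConnectionName": "example_bitbucket",
        "ConnectionArn": "arn:aws:codestar-connections:us-east-1:123456789012:"
                         "connection/00000000-0000-0000-0000-000000000000",
        "ProviderType": "Bitbucket",
        "OwnerAccountId": "123456789012",
        "ConnectionStatus": "PENDING",
    }
})

# Constructed sample: the Source action configuration from the question,
# with the Terraform reference resolved to the same ARN.
SAMPLE_SOURCE_CONFIG = {
    "ConnectionArn": "arn:aws:codestar-connections:us-east-1:123456789012:"
                     "connection/00000000-0000-0000-0000-000000000000",
    "FullRepositoryId": "workspace/example-bitbucket-repo",
    "BranchName": "main",
    "DetectChanges": "false",
}

# Approximate "owner/repo" shape (assumption, not Bitbucket's exact naming rules).
FULL_REPO_ID = re.compile(r"^[A-Za-z0-9][\w.-]*/[A-Za-z0-9][\w.-]*$")


def preflight(get_connection_json, source_config, has_trigger=False):
    """Return findings that would stop the Source action; [] means it should clone."""
    findings = []
    conn = json.loads(get_connection_json)["Connection"]
    status = conn["ConnectionStatus"]
    if status != "AVAILABLE":  # PENDING until the provider handshake is done in the console
        findings.append(f"connection {conn['ConnectionName']} is {status}: "
                        "complete the provider authorization in the console first")
    if conn["ConnectionArn"] != source_config.get("ConnectionArn"):
        findings.append("Source action ConnectionArn does not match the connection")
    repo = source_config.get("FullRepositoryId", "")
    if not FULL_REPO_ID.match(repo):
        findings.append(f"FullRepositoryId {repo!r} is not in owner/repo form")
    if not source_config.get("BranchName"):
        findings.append("BranchName is empty")
    if source_config.get("DetectChanges", "true").lower() == "false" and not has_trigger:
        findings.append("DetectChanges is false and no trigger block exists: "
                        "the pipeline only runs when started manually")
    return findings
```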