Creates a pipeline that builds a Lambda zip archive from a GitHub repository and updates the code of an existing Lambda function.
The account that owns the GitHub token must have admin access on the repository, because creating the GitHub webhook that triggers the pipeline requires it.
The Secrets Manager environment variable REPO_ACCESS_GITHUB_TOKEN_SECRETS_ID is exposed via CodeBuild. You can add the following line to the beginning of your build phase commands in buildspec.yml to assign the token's secret value to the local variable GITHUB_TOKEN. The value is then present in plaintext in the build container's environment, so avoid `echo`, `set -x` or anything else that would write it into the build logs.

```yaml
build:
  commands:
    - export GITHUB_TOKEN=${REPO_ACCESS_GITHUB_TOKEN_SECRETS_ID}
```

The github provider is removed from main.tf and moved to the required_providers stanza in versions.tf.
If use_repo_access_github_token is set to true, the environment variable REPO_ACCESS_GITHUB_TOKEN_SECRETS_ID is exposed via CodeBuild.
Usage remains the same as v1.6.
If s3_block_public_access is set to true, the block public access setting for the artifact bucket is enabled.
```hcl
module "lambda_pipeline" {
  source = "github.com/globeandmail/aws-codepipeline-lambda?ref=2.3"

  name               = "app-name"
  function_name      = "lambda-function-name"
  github_repo_owner  = "github-account-name"
  github_repo_name   = "github-repo-name"
  github_branch_name = "github-branch-name"
  github_oauth_token = data.aws_ssm_parameter.github_token.value

  tags = {
    Environment = var.environment
  }

  use_repo_access_github_token             = true
  svcs_account_github_token_aws_secret_arn = "svcs-account-github-token-aws-secret-arn"
  svcs_account_aws_kms_cmk_arn             = "svcs-account-aws-kms-cmk-arn"
  s3_block_public_access                   = true
}
```
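The module grants the CodeBuild role read access to the secret, but that identity policy alone is not enough for a cross-account read: the shared service account must also attach a resource policy to the secret and grant kms:Decrypt on the customer managed key to the CodeBuild role (the AWS managed key aws/secretsmanager cannot be shared across accounts). The following is an added example of that shared-service-account side; it is not code from the aws-codepipeline-lambda module. The secret name, the `codebuild_role_arn` and `github_token` variables, and the us-east-1 region are assumptions.

```hcl
# Added example, not part of the aws-codepipeline-lambda module.
# Applied in the shared service account. Assumes the application account
# passes in the ARN of the CodeBuild role the lambda_pipeline module created.
variable "codebuild_role_arn" {
  description = "ARN of the CodeBuild service role in the application account (assumption)"
  type        = string
}

# The token value is supplied out of band (CI variable, operator input),
# never committed alongside this configuration.
variable "github_token" {
  type      = string
  sensitive = true
}

data "aws_caller_identity" "current" {}

# Key policy: the owning account keeps full control; the foreign CodeBuild
# role may only decrypt, and only through Secrets Manager in us-east-1.
data "aws_iam_policy_document" "kms" {
  statement {
    sid       = "EnableRootPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid       = "AllowCodeBuildDecryptViaSecretsManager"
    actions   = ["kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.codebuild_role_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.us-east-1.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "secrets" {
  description         = "CMK for shared service account secrets"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.kms.json
}

resource "aws_secretsmanager_secret" "repo_access_github_token" {
  name       = "REPO_ACCESS_GITHUB_TOKEN" # assumed secret name
  kms_key_id = aws_kms_key.secrets.arn
}

resource "aws_secretsmanager_secret_version" "repo_access_github_token" {
  secret_id     = aws_secretsmanager_secret.repo_access_github_token.id
  secret_string = var.github_token
}

# Resource policy on the secret: the CodeBuild role gets read-only access.
data "aws_iam_policy_document" "secret" {
  statement {
    sid       = "AllowCodeBuildRead"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.codebuild_role_arn]
    }
  }
}

resource "aws_secretsmanager_secret_policy" "repo_access_github_token" {
  secret_arn = aws_secretsmanager_secret.repo_access_github_token.arn
  policy     = data.aws_iam_policy_document.secret.json
}

# Feed these two ARNs into the lambda_pipeline module in the application account.
output "svcs_account_github_token_aws_secret_arn" {
  value = aws_secretsmanager_secret.repo_access_github_token.arn
}

output "svcs_account_aws_kms_cmk_arn" {
  value = aws_kms_key.secrets.arn
}
```

The two outputs are the values expected by svcs_account_github_token_aws_secret_arn and svcs_account_aws_kms_cmk_arn. Scoping the principal to the single CodeBuild role ARN rather than the application account root keeps any other role in that account from reading the token.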
Name | Description | Type | Default | Required |
---|---|---|---|---|
buildspec | Build spec file other than buildspec.yml | string | "buildspec.yml" | no |
codebuild_image | The CodeBuild image to use | string | null | no |
create_github_webhook | Create the GitHub webhook that triggers CodePipeline. Defaults to true | bool | true | no |
deploy_function_name | The name of the Lambda function in the account that will update the function code | string | "CodepipelineDeploy" | no |
function_alias | The name of the Lambda function alias that gets passed to the UserParameters data in the deploy stage | string | "live" | no |
function_name | The name of the Lambda function to update | string | n/a | yes |
github_branch_name | The git branch name to use for the CodeBuild project | string | "master" | no |
github_oauth_token | GitHub OAuth token | string | n/a | yes |
github_repo_name | The name of the GitHub repository | string | n/a | yes |
github_repo_owner | The owner of the GitHub repo | string | n/a | yes |
name | The name associated with the pipeline and associated resources, e.g. app-name | string | n/a | yes |
privileged_mode | Use privileged mode for containers | string | false | no |
s3_block_public_access | (Optional) Enable the S3 block public access setting for the artifact bucket. | bool | false | no |
svcs_account_aws_kms_cmk_arn | (Optional) The us-east-1 region AWS KMS customer managed key ARN for encrypting all AWS secrets. The key is created in the shared service account. Required if var.use_repo_access_github_token or var.use_sysdig_api_token is true. | string | null | no |
svcs_account_github_token_aws_secret_arn | (Optional) The AWS secret ARN for the repo access GitHub token. The secret is created in the shared service account. Required if var.use_repo_access_github_token is true. | string | null | no |
tags | A mapping of tags to assign to the resource | map(any) | {} | no |
use_repo_access_github_token | (Optional) Allow the AWS CodeBuild IAM role read access to the REPO_ACCESS_GITHUB_TOKEN Secrets Manager secret in the shared service account. Defaults to false. | bool | false | no |
Name | Description |
---|---|
artifact_bucket_arn | n/a |
artifact_bucket_id | n/a |
codebuild_project_arn | n/a |
codebuild_project_id | n/a |
codepipeline_arn | n/a |
codepipeline_id | n/a |
```yaml
version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.7
  build:
    commands:
      - pip install --upgrade pip
      - pip install -r requirements.txt -t .
artifacts:
  type: zip
  files:
    - '**/*'
```