Resource: awsCodepipeline

Provides a CodePipeline.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsCodestarconnectionsConnectionExample =
  new aws.codestarconnectionsConnection.CodestarconnectionsConnection(
    this,
    "example",
    {
      name: "example-connection",
      providerType: "GitHub",
    }
  );
const awsS3BucketCodepipelineBucket = new aws.s3Bucket.S3Bucket(
  this,
  "codepipeline_bucket",
  {
    bucket: "test-bucket",
  }
);
new aws.s3BucketAcl.S3BucketAcl(this, "codepipeline_bucket_acl", {
  acl: "private",
  bucket: awsS3BucketCodepipelineBucket.id,
});
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["codepipeline.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const dataAwsIamPolicyDocumentCodepipelinePolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "codepipeline_policy",
    {
      statement: [
        {
          actions: [
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:GetBucketVersioning",
            "s3:PutObjectAcl",
            "s3:PutObject",
          ],
          effect: "Allow",
          resources: [
            awsS3BucketCodepipelineBucket.arn,
            `${awsS3BucketCodepipelineBucket.arn}/*`,
          ],
        },
        {
          actions: ["codestar-connections:UseConnection"],
          effect: "Allow",
          resources: [awsCodestarconnectionsConnectionExample.arn],
        },
        {
          actions: ["codebuild:BatchGetBuilds", "codebuild:StartBuild"],
          effect: "Allow",
          resources: ["*"],
        },
      ],
    }
  );
const dataAwsKmsAliasS3Kmskey = new aws.dataAwsKmsAlias.DataAwsKmsAlias(
  this,
  "s3kmskey",
  {
    name: "alias/myKmsKey",
  }
);
const awsIamRoleCodepipelineRole = new aws.iamRole.IamRole(
  this,
  "codepipeline_role",
  {
    assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
    name: "test-role",
  }
);
const awsIamRolePolicyCodepipelinePolicy = new aws.iamRolePolicy.IamRolePolicy(
  this,
  "codepipeline_policy_7",
  {
    name: "codepipeline_policy",
    policy: dataAwsIamPolicyDocumentCodepipelinePolicy.json,
    role: awsIamRoleCodepipelineRole.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyCodepipelinePolicy.overrideLogicalId("codepipeline_policy");
new aws.codepipeline.Codepipeline(this, "codepipeline", {
  artifactStore: [
    {
      encryptionKey: {
        id: dataAwsKmsAliasS3Kmskey.arn,
        type: "KMS",
      },
      location: awsS3BucketCodepipelineBucket.bucket,
      type: "S3",
    },
  ],
  name: "tf-test-pipeline",
  roleArn: awsIamRoleCodepipelineRole.arn,
  stage: [
    {
      action: [
        {
          category: "Source",
          configuration: [
            {
              branchName: "main",
              connectionArn: awsCodestarconnectionsConnectionExample.arn,
              fullRepositoryId: "my-organization/example",
            },
          ],
          name: "Source",
          outputArtifacts: ["source_output"],
          owner: "AWS",
          provider: "CodeStarSourceConnection",
          version: "1",
        },
      ],
      name: "Source",
    },
    {
      action: [
        {
          category: "Build",
          configuration: [
            {
              projectName: "test",
            },
          ],
          inputArtifacts: ["source_output"],
          name: "Build",
          outputArtifacts: ["build_output"],
          owner: "AWS",
          provider: "CodeBuild",
          version: "1",
        },
      ],
      name: "Build",
    },
    {
      action: [
        {
          category: "Deploy",
          configuration: [
            {
              actionMode: "REPLACE_ON_FAILURE",
              capabilities: "CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM",
              outputFileName: "CreateStackOutput.json",
              stackName: "MyStack",
              templatePath: "build_output::sam-templated.yaml",
            },
          ],
          inputArtifacts: ["build_output"],
          name: "Deploy",
          owner: "AWS",
          provider: "CloudFormation",
          version: "1",
        },
      ],
      name: "Deploy",
    },
  ],
});

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the pipeline.
  • roleArn - (Required) A service role Amazon Resource Name (ARN) that grants AWS CodePipeline permission to make calls to AWS services on your behalf.
  • artifactStore - (Required) One or more artifactStore blocks. Artifact stores are documented below.
  • stage - (Required; at least two stage blocks are required) A stage block. Stages are documented below.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

An artifactStore block supports the following arguments:

  • location - (Required) The location where AWS CodePipeline stores artifacts for a pipeline; currently only S3 is supported.
  • type - (Required) The type of the artifact store, such as Amazon S3.
  • encryptionKey - (Optional) The encryption key block AWS CodePipeline uses to encrypt the data in the artifact store, such as an AWS Key Management Service (AWS KMS) key. If you don't specify a key, AWS CodePipeline uses the default key for Amazon Simple Storage Service (Amazon S3). An encryptionKey block is documented below.
  • region - (Optional) The region where the artifact store is located. Required for a cross-region CodePipeline; do not provide for a single-region CodePipeline.

An encryptionKey block supports the following arguments:

  • id - (Required) The KMS key ARN or ID.
  • type - (Required) The type of key; currently only KMS is supported.

A stage block supports the following arguments:

  • name - (Required) The name of the stage.
  • action - (Required) The action(s) to include in the stage. Defined as an action block below.

An action block supports the following arguments:

  • category - (Required) A category defines what kind of action can be taken in the stage, and constrains the provider type for the action. Possible values are Approval, Build, Deploy, Invoke, Source and Test.
  • owner - (Required) The creator of the action being called. Possible values are AWS, Custom and ThirdParty.
  • name - (Required) The action declaration's name.
  • provider - (Required) The provider of the service being called by the action. Valid providers are determined by the action category. Provider names are listed in the Action Structure Reference documentation.
  • version - (Required) A string that identifies the action type.
  • configuration - (Optional) A map of the action declaration's configuration. Configuration options for action types and providers can be found in the Pipeline Structure Reference and Action Structure Reference documentation.
  • inputArtifacts - (Optional) A list of artifact names to be worked on.
  • outputArtifacts - (Optional) A list of artifact names to output. Output artifact names must be unique within a pipeline.
  • roleArn - (Optional) The ARN of the IAM service role that will perform the declared action. This is assumed through the roleArn for the pipeline.
  • runOrder - (Optional) The order in which actions are run.
  • region - (Optional) The region in which to run the action.
  • namespace - (Optional) The namespace all output variables will be accessed from.

Note: The input artifact of an action must exactly match the output artifact declared in a preceding action, but the action that consumes an artifact does not have to be the next action in strict sequence after the action that produced it. Actions in parallel can declare different output artifacts, which are in turn consumed by different following actions.
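
The artifact rules stated above (every input artifact matches an output declared by a preceding action, output names are unique within a pipeline, at least two stages) as a pre-deployment check. This is an added example, not code from the provider or its documentation. The Stage and Action types, the name checkArtifactWiring, and the handling of runOrder (1 when omitted, equal values treated as parallel) are assumptions of the example.

```typescript
// Added example: the types carry only the fields the artifact rules need.
interface Action {
  name: string;
  inputArtifacts?: string[];
  outputArtifacts?: string[];
  runOrder?: number; // assumption: treated as 1 when omitted
}
interface Stage {
  name: string;
  action: Action[];
}

// Returns one message per problem; an empty array means the wiring is consistent.
function checkArtifactWiring(stages: Stage[]): string[] {
  const problems: string[] = [];
  if (stages.length < 2) problems.push("pipeline needs at least two stage blocks");
  // artifact name -> "Stage/Action" that declared it (null prototype: no inherited keys)
  const produced: Record<string, string> = Object.create(null);
  for (const stage of stages) {
    // Distinct runOrder values, ascending. Assumption: equal values run in parallel.
    const orders = stage.action
      .map((a) => a.runOrder ?? 1)
      .sort((x, y) => x - y)
      .filter((v, i, all) => i === 0 || v !== all[i - 1]);
    for (const order of orders) {
      const group = stage.action.filter((a) => (a.runOrder ?? 1) === order);
      // Inputs are checked before this group's outputs are registered, so an
      // action cannot consume an artifact produced by a parallel sibling.
      for (const a of group)
        for (const input of a.inputArtifacts ?? [])
          if (produced[input] === undefined)
            problems.push(`${stage.name}/${a.name}: input "${input}" has no preceding output`);
      for (const a of group)
        for (const output of a.outputArtifacts ?? []) {
          if (produced[output] !== undefined)
            problems.push(`${stage.name}/${a.name}: output "${output}" already declared by ${produced[output]}`);
          else produced[output] = `${stage.name}/${a.name}`;
        }
    }
  }
  return problems;
}

// Constructed sample: this page's three stages with the Deploy input misspelled.
const sampleStages: Stage[] = [
  { name: "Source", action: [{ name: "Source", outputArtifacts: ["source_output"] }] },
  { name: "Build", action: [{ name: "Build", inputArtifacts: ["source_output"], outputArtifacts: ["build_output"] }] },
  { name: "Deploy", action: [{ name: "Deploy", inputArtifacts: ["build_ouput"] }] },
];
console.log(checkArtifactWiring(sampleStages));
```

Running the check against the stage list before synthesizing the stack catches a Deploy action that would otherwise reference an artifact no Build action produced.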

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The codepipeline ID.
  • arn - The codepipeline ARN.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

CodePipelines can be imported using the name, e.g.,

$ terraform import aws_codepipeline.foo example