Build Trigger for AWS CodeBuild using AWS EventBridge

Let’s use Amazon EventBridge to enable a build trigger on a CodeBuild project in response to a state change on a CodeCommit repository. This post shows how to start a build on a CodeBuild project automatically whenever a commit or merge lands on the CodeCommit repository.

Rajith
Aug 20, 2022

Prerequisites

  • A CodeBuild project whose source is a CodeCommit repository. The branch used here is develop. Throughout this tutorial, assume the CodeBuild project name is TestTrigger and the CodeCommit repository name is TestRepository.

Create the trust policy that allows CloudWatch Events (now Amazon EventBridge) to assume the service role. Save it as TrustPolicyForCWE.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Use the following command to create the CodeBuild-Invoke-Role-For-Cloudwatch-Events role and attach the trust policy.

aws iam create-role --role-name CodeBuild-Invoke-Role-For-Cloudwatch-Events --assume-role-policy-document file://TrustPolicyForCWE.json

Create the permissions policy JSON shown below for the CodeBuild project named TestTrigger, replacing <CodeBuildProjectARN> with your CodeBuild project ARN. Save it as PermissionsPolicyforCWE.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:StartBuild"
      ],
      "Resource": [
        "<CodeBuildProjectARN>"
      ]
    }
  ]
}

Here, let’s assume the CodeBuild project ARN is arn:aws:codebuild:us-west-2:123456789123:project/TestTrigger, so the file becomes:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:StartBuild"
      ],
      "Resource": [
        "arn:aws:codebuild:us-west-2:123456789123:project/TestTrigger"
      ]
    }
  ]
}

Use the following command to attach the CodeBuild-Permissions-Policy-For-CWE permissions policy to the CodeBuild-Invoke-Role-For-Cloudwatch-Events role. This inline policy is what allows CloudWatch Events, acting through the role, to start builds on the TestTrigger project and nothing else.

aws iam put-role-policy --role-name CodeBuild-Invoke-Role-For-Cloudwatch-Events --policy-name CodeBuild-Permissions-Policy-For-CWE --policy-document file://PermissionsPolicyforCWE.json
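The two policy documents above are short enough to hand-write, but they are also where an over-broad trigger role usually creeps in (a wildcard resource, or codebuild:* instead of StartBuild). The following Python script is an added example, not code from the original post: it generates both documents from the post's sample values, lints the permissions policy for least privilege before it is handed to put-role-policy, and shows an optional narrowing of the trust policy with the aws:SourceArn and aws:SourceAccount global condition keys that AWS documents for EventBridge target roles (confused-deputy prevention). The account id, region, project and rule names are the post's constructed sample values; the rule ARN is derived from the rule name used later in the post.

```python
"""Added example (not from the original post): build the two IAM documents
the post uses to let EventBridge start a CodeBuild project, and lint them
for least privilege before they are created with the AWS CLI.

Assumptions: the account id, region, project and rule names are the post's
sample values (constructed, replace with your own); the confused-deputy
Condition block uses the aws:SourceArn / aws:SourceAccount keys AWS documents
for EventBridge target roles and is an optional hardening the post itself
does not apply."""
import json
import re
from typing import Dict, List, Optional

ACCOUNT_ID = "123456789123"        # constructed sample value from the post
REGION = "us-west-2"
PROJECT_NAME = "TestTrigger"
RULE_NAME = "CodeBuildTriggerRule"

CODEBUILD_PROJECT_ARN = f"arn:aws:codebuild:{REGION}:{ACCOUNT_ID}:project/{PROJECT_NAME}"
RULE_ARN = f"arn:aws:events:{REGION}:{ACCOUNT_ID}:rule/{RULE_NAME}"

# Exactly one CodeBuild project ARN: no wildcards anywhere.
_PROJECT_ARN_RE = re.compile(
    r"^arn:aws:codebuild:[a-z0-9-]+:\d{12}:project/[A-Za-z0-9][A-Za-z0-9_-]*$")


def trust_policy(rule_arn: Optional[str] = None) -> Dict:
    """Trust policy for the EventBridge service principal (TrustPolicyForCWE.json).

    Without a Condition this is exactly the post's document. With rule_arn
    the statement is narrowed so only that specific rule in this account can
    assume the role, rather than any EventBridge rule that names it."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }
    if rule_arn:
        account = rule_arn.split(":")[4]          # account id field of the ARN
        statement["Condition"] = {
            "StringEquals": {"aws:SourceAccount": account},
            "ArnEquals": {"aws:SourceArn": rule_arn},
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def permissions_policy(project_arn: str) -> Dict:
    """Permissions policy (PermissionsPolicyforCWE.json): StartBuild on one project."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["codebuild:StartBuild"],
            "Resource": [project_arn],
        }],
    }


def _as_list(value) -> List[str]:
    # IAM accepts either a string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def lint_permissions_policy(policy: Dict) -> List[str]:
    """Return least-privilege findings for the trigger role; [] means clean."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action != "codebuild:StartBuild":
                findings.append(f"action {action!r}: the trigger only needs codebuild:StartBuild")
        for resource in _as_list(stmt.get("Resource", [])):
            if not _PROJECT_ARN_RE.match(resource):
                findings.append(f"resource {resource!r} is not a single CodeBuild project ARN")
    return findings


def trust_policy_is_scoped(policy: Dict) -> bool:
    """True when every Allow statement carries an aws:SourceArn condition."""
    return all("aws:SourceArn" in json.dumps(stmt.get("Condition", {}))
               for stmt in policy.get("Statement", []) if stmt.get("Effect") == "Allow")


if __name__ == "__main__":
    # Write the files the post's create-role / put-role-policy commands expect.
    with open("TrustPolicyForCWE.json", "w") as fh:
        json.dump(trust_policy(RULE_ARN), fh, indent=2)
    with open("PermissionsPolicyforCWE.json", "w") as fh:
        json.dump(permissions_policy(CODEBUILD_PROJECT_ARN), fh, indent=2)
    print("findings:", lint_permissions_policy(permissions_policy(CODEBUILD_PROJECT_ARN)))
```

Run it once before the create-role and put-role-policy commands; an empty findings list means the role can do exactly one thing (start the TestTrigger project), and the scoped trust policy means only the CodeBuildTriggerRule rule in this account can assume it.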

Call the put-rule command with the --name, --event-pattern, and --role-arn parameters. The event pattern below matches only CodeCommit Repository State Change events for the TestRepository repository whose reference is the develop branch:

aws events put-rule --name "CodeBuildTriggerRule" --event-pattern "{\"source\":[\"aws.codecommit\"],\"detail-type\":[\"CodeCommit Repository State Change\"],\"resources\":[\"arn:aws:codecommit:us-west-2:123456789123:TestRepository\"],\"detail\":{\"referenceType\":[\"branch\"],\"referenceName\":[\"develop\"]}}" --role-arn "arn:aws:iam::123456789123:role/CodeBuild-Invoke-Role-For-Cloudwatch-Events"

To add the CodeBuild project as a target, call the put-targets command and include the following parameters:

  • The --rule parameter takes the name of the rule you created with put-rule.
  • The --targets parameter takes an Id for the target within the rule's list of targets, the ARN of the CodeBuild project, and the RoleArn of the role EventBridge assumes to start the build.

aws events put-targets --rule CodeBuildTriggerRule --targets "Id"="1","Arn"="arn:aws:codebuild:us-west-2:123456789123:project/TestTrigger","RoleArn"="arn:aws:iam::123456789123:role/CodeBuild-Invoke-Role-For-Cloudwatch-Events"

The build process is now automated for every commit or merge occurring on the develop branch.
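Whether the rule fires for the right events depends entirely on the event pattern, and a pattern typo shows up only as a build that silently never starts. The script below is an added example, not code from the original post: it takes the pattern string from the put-rule command, implements the subset of EventBridge matching the rule relies on (exact values, a list of allowed values at each leaf, nested keys under detail), and runs it over constructed CodeCommit Repository State Change events. The sample events are hand-written in the documented shape of that event; ids and commit hashes are placeholders, not values captured from a real account.

```python
"""Added example (not from the original post): check the event pattern from
the put-rule command offline against constructed CodeCommit events.

matches() implements the subset of EventBridge pattern matching this rule
relies on: exact values, a list of allowed values at each leaf, nested keys
under "detail". The sample events are hand-written in the documented shape of
a "CodeCommit Repository State Change" event; ids and commit hashes are
placeholders, not values captured from a real account."""
import json
from typing import Any, Dict

# The pattern exactly as passed to put-rule, without the shell escaping.
PATTERN_JSON = (
    '{"source":["aws.codecommit"],'
    '"detail-type":["CodeCommit Repository State Change"],'
    '"resources":["arn:aws:codecommit:us-west-2:123456789123:TestRepository"],'
    '"detail":{"referenceType":["branch"],"referenceName":["develop"]}}'
)
EVENT_PATTERN: Dict[str, Any] = json.loads(PATTERN_JSON)


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """EventBridge exact-match semantics for the constructs used above.

    Every key in the pattern must exist in the event. A list at a pattern
    leaf means "the event value is one of these"; if the event value is
    itself a list (e.g. resources) any element matching is enough. Nested
    dicts recurse. Event keys absent from the pattern are ignored."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True


def codecommit_event(reference_type: str, reference_name: str,
                     repository: str = "TestRepository",
                     event: str = "referenceUpdated") -> Dict[str, Any]:
    """Constructed CodeCommit Repository State Change event (sample, not captured)."""
    prefix = "refs/heads/" if reference_type == "branch" else "refs/tags/"
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",     # placeholder
        "detail-type": "CodeCommit Repository State Change",
        "source": "aws.codecommit",
        "account": "123456789123",
        "time": "2022-08-20T00:00:00Z",
        "region": "us-west-2",
        "resources": [f"arn:aws:codecommit:us-west-2:123456789123:{repository}"],
        "detail": {
            "event": event,                                # referenceCreated/Updated/Deleted
            "repositoryName": repository,
            "referenceType": reference_type,
            "referenceFullName": prefix + reference_name,
            "referenceName": reference_name,
            "commitId": "0" * 40,                          # placeholder
        },
    }


def would_trigger_build(event: Dict[str, Any]) -> bool:
    """True when CodeBuildTriggerRule would start the TestTrigger build."""
    return matches(EVENT_PATTERN, event)


if __name__ == "__main__":
    cases = {
        "push to develop": codecommit_event("branch", "develop"),
        "push to main": codecommit_event("branch", "main"),
        "tag named develop": codecommit_event("tag", "develop"),
        "develop in another repo": codecommit_event("branch", "develop", repository="OtherRepo"),
        "develop branch deleted": codecommit_event("branch", "develop", event="referenceDeleted"),
    }
    for name, ev in cases.items():
        print(f"{name:28s} -> {'build' if would_trigger_build(ev) else 'ignored'}")
```

The last case is worth noticing: the pattern filters on branch name but not on the detail.event field, so deleting or recreating the develop branch also starts a build. If only real pushes should trigger, add "event": ["referenceCreated", "referenceUpdated"] under detail in the pattern and re-run the check.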
