Create a pipeline with an S3 source enabled for events (CloudFormation template) - AWS CodePipeline

This is a machine-translated version of the English text. If there is any ambiguity or inconsistency, the English version prevails.

Create a pipeline with an S3 source enabled for events (CloudFormation template)

This procedure is for a pipeline whose source bucket has events enabled.

Use these steps to create a pipeline with an Amazon S3 source that uses event-based change detection.

To build an event-driven pipeline with Amazon S3, you edit the PollForSourceChanges parameter of your pipeline and then add the following resources to your template:

  • An EventBridge rule and an IAM role that allow this event to start your pipeline.

If you use CloudFormation to create and manage your pipeline, your template includes content like the following.

Note

Note the Configuration property in the source stage named PollForSourceChanges. If your template does not include that property, PollForSourceChanges defaults to true.

YAML
AppPipeline:
  Type: AWS::CodePipeline::Pipeline
  Properties:
    RoleArn: !GetAtt CodePipelineServiceRole.Arn
    Stages:
      - Name: Source
        Actions:
          - Name: SourceAction
            ActionTypeId:
              Category: Source
              Owner: AWS
              Version: 1
              Provider: S3
            OutputArtifacts:
              - Name: SourceOutput
            Configuration:
              S3Bucket: !Ref SourceBucket
              S3ObjectKey: !Ref S3SourceObjectKey
              PollForSourceChanges: true
            RunOrder: 1
...
JSON
"AppPipeline": {
  "Type": "AWS::CodePipeline::Pipeline",
  "Properties": {
    "RoleArn": {
      "Fn::GetAtt": ["CodePipelineServiceRole", "Arn"]
    },
    "Stages": [
      {
        "Name": "Source",
        "Actions": [
          {
            "Name": "SourceAction",
            "ActionTypeId": {
              "Category": "Source",
              "Owner": "AWS",
              "Version": 1,
              "Provider": "S3"
            },
            "OutputArtifacts": [
              {
                "Name": "SourceOutput"
              }
            ],
            "Configuration": {
              "S3Bucket": {
                "Ref": "SourceBucket"
              },
              "S3ObjectKey": {
                "Ref": "SourceObjectKey"
              },
              "PollForSourceChanges": true
            },
            "RunOrder": 1
          }
        ]
      },
...
To create an EventBridge rule with Amazon S3 as the event source and CodePipeline as the target, and to apply the permissions policy
  1. Under Resources in your template, use the AWS::IAM::Role CloudFormation resource to configure the IAM role that allows your event to start your pipeline. This entry creates a role that uses two policies:

    • The first policy allows the role to be assumed.

    • The second policy provides permissions to start the pipeline.

    Why am I making this change? Adding the AWS::IAM::Role resource allows CloudFormation to create permissions for EventBridge. This resource is added to your CloudFormation stack.

    YAML
    EventRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - events.amazonaws.com
              Action: sts:AssumeRole
        Path: /
        Policies:
          - PolicyName: eb-pipeline-execution
            PolicyDocument:
              Version: 2012-10-17
              Statement:
                - Effect: Allow
                  Action: codepipeline:StartPipelineExecution
                  Resource: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref AppPipeline ] ]
    ...
    JSON
    "EventRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "events.amazonaws.com"
                ]
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "eb-pipeline-execution",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "codepipeline:StartPipelineExecution",
                  "Resource": {
                    "Fn::Join": [
                      "",
                      [
                        "arn:aws:codepipeline:",
                        { "Ref": "AWS::Region" },
                        ":",
                        { "Ref": "AWS::AccountId" },
                        ":",
                        { "Ref": "AppPipeline" }
                      ]
                    ]
    ...
  2. Use the AWS::Events::Rule CloudFormation resource to add an EventBridge rule. This event pattern creates an event that monitors the creation or deletion of objects in your Amazon S3 source bucket. In addition, it includes your pipeline as the target. When an object is created, this rule invokes StartPipelineExecution on your target pipeline.

    Why am I making this change? Adding the AWS::Events::Rule resource allows CloudFormation to create the event. This resource is added to your CloudFormation stack.

    YAML
    EventRule:
      Type: AWS::Events::Rule
      Properties:
        EventBusName: default
        EventPattern:
          source:
            - aws.s3
          detail-type:
            - Object Created
          detail:
            bucket:
              name:
                - !Ref SourceBucket
        Name: EnabledS3SourceRule
        State: ENABLED
        Targets:
          - Arn: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref AppPipeline ] ]
            RoleArn: !GetAtt EventRole.Arn
            Id: codepipeline-AppPipeline
    ...
    JSON
    "EventRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "EventBusName": "default",
        "EventPattern": {
          "source": [ "aws.s3" ],
          "detail-type": [ "Object Created" ],
          "detail": {
            "bucket": {
              "name": [ "s3-pipeline-source-fra-bucket" ]
            }
          }
        },
        "Name": "EnabledS3SourceRule",
        "State": "ENABLED",
        "Targets": [
          {
            "Arn": {
              "Fn::Join": [ "", [ "arn:aws:codepipeline:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Ref": "AppPipeline" } ] ]
            },
            "RoleArn": { "Fn::GetAtt": [ "EventRole", "Arn" ] },
            "Id": "codepipeline-AppPipeline"
          }
        ]
      }
    },
    ...
  3. Save your updated template to your local computer, and then open the CloudFormation console.

  4. Choose your stack, and then choose Create Change Set for Current Stack.

  5. Upload your updated template, and then view the changes listed in CloudFormation. These are the changes that will be made to the stack. You should see your new resources in the list.

  6. Choose Execute.

To edit your pipeline's PollForSourceChanges parameter
Important

When you create a pipeline with this method, the PollForSourceChanges parameter defaults to true unless it is explicitly set to false. When you add event-based change detection, you must add the parameter to your output and set it to false to disable polling. Otherwise, your pipeline starts twice for a single source change. For more information, see Valid settings for the PollForSourceChanges parameter.

  • In the template, change PollForSourceChanges to false. If PollForSourceChanges is not included in your pipeline definition, add it and set it to false.

    Why am I making this change? Changing PollForSourceChanges to false turns off periodic checks so that you use event-based change detection only.

    YAML
    Name: Source
    Actions:
      - Name: SourceAction
        ActionTypeId:
          Category: Source
          Owner: AWS
          Version: 1
          Provider: S3
        OutputArtifacts:
          - Name: SourceOutput
        Configuration:
          S3Bucket: !Ref SourceBucket
          S3ObjectKey: !Ref SourceObjectKey
          PollForSourceChanges: false
        RunOrder: 1
    JSON
    {
      "Name": "SourceAction",
      "ActionTypeId": {
        "Category": "Source",
        "Owner": "AWS",
        "Version": 1,
        "Provider": "S3"
      },
      "OutputArtifacts": [
        { "Name": "SourceOutput" }
      ],
      "Configuration": {
        "S3Bucket": { "Ref": "SourceBucket" },
        "S3ObjectKey": { "Ref": "SourceObjectKey" },
        "PollForSourceChanges": false
      },
      "RunOrder": 1
    }
Example

When you use CloudFormation to create these resources, your pipeline is triggered when files in your repository are created or updated.

Note

Do not stop here. Although your pipeline is created, you must create a second CloudFormation template for your Amazon S3 pipeline. If you do not create the second template, your pipeline does not have any change detection functionality.

YAML
Parameters:
  SourceObjectKey:
    Description: 'S3 source artifact'
    Type: String
    Default: SampleApp_Linux.zip
  ApplicationName:
    Description: 'CodeDeploy application name'
    Type: String
    Default: DemoApplication
  BetaFleet:
    Description: 'Fleet configured in CodeDeploy'
    Type: String
    Default: DemoFleet
Resources:
  SourceBucket:
    Type: AWS::S3::Bucket
    Properties:
      NotificationConfiguration:
        EventBridgeConfiguration:
          EventBridgeEnabled: true
      VersioningConfiguration:
        Status: Enabled
  CodePipelineArtifactStoreBucket:
    Type: AWS::S3::Bucket
  CodePipelineArtifactStoreBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CodePipelineArtifactStoreBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: DenyUnEncryptedObjectUploads
            Effect: Deny
            Principal: '*'
            Action: s3:PutObject
            Resource: !Join [ '', [ !GetAtt CodePipelineArtifactStoreBucket.Arn, '/*' ] ]
            Condition:
              StringNotEquals:
                s3:x-amz-server-side-encryption: aws:kms
          - Sid: DenyInsecureConnections
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource: !Sub ${CodePipelineArtifactStoreBucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: false
  CodePipelineServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AWS-CodePipeline-Service-3
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - codecommit:CancelUploadArchive
                  - codecommit:GetBranch
                  - codecommit:GetCommit
                  - codecommit:GetUploadArchiveStatus
                  - codecommit:UploadArchive
                Resource: 'resource_ARN'
              - Effect: Allow
                Action:
                  - codedeploy:CreateDeployment
                  - codedeploy:GetApplicationRevision
                  - codedeploy:GetDeployment
                  - codedeploy:GetDeploymentConfig
                  - codedeploy:RegisterApplicationRevision
                Resource: 'resource_ARN'
              - Effect: Allow
                Action:
                  - codebuild:BatchGetBuilds
                  - codebuild:StartBuild
                Resource: 'resource_ARN'
              - Effect: Allow
                Action:
                  - devicefarm:ListProjects
                  - devicefarm:ListDevicePools
                  - devicefarm:GetRun
                  - devicefarm:GetUpload
                  - devicefarm:CreateUpload
                  - devicefarm:ScheduleRun
                Resource: 'resource_ARN'
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                  - lambda:ListFunctions
                Resource: 'resource_ARN'
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource: 'resource_ARN'
              - Effect: Allow
                Action:
                  - elasticbeanstalk:*
                  - ec2:*
                  - elasticloadbalancing:*
                  - autoscaling:*
                  - cloudwatch:*
                  - s3:*
                  - sns:*
                  - cloudformation:*
                  - rds:*
                  - sqs:*
                  - ecs:*
                Resource: 'resource_ARN'
  AppPipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: s3-events-pipeline
      RoleArn: !GetAtt CodePipelineServiceRole.Arn
      Stages:
        - Name: Source
          Actions:
            - Name: SourceAction
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: 1
                Provider: S3
              OutputArtifacts:
                - Name: SourceOutput
              Configuration:
                S3Bucket: !Ref SourceBucket
                S3ObjectKey: !Ref SourceObjectKey
                PollForSourceChanges: false
              RunOrder: 1
        - Name: Beta
          Actions:
            - Name: BetaAction
              InputArtifacts:
                - Name: SourceOutput
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: 1
                Provider: CodeDeploy
              Configuration:
                ApplicationName: !Ref ApplicationName
                DeploymentGroupName: !Ref BetaFleet
              RunOrder: 1
      ArtifactStore:
        Type: S3
        Location: !Ref CodePipelineArtifactStoreBucket
  EventRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: eb-pipeline-execution
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: codepipeline:StartPipelineExecution
                Resource: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref AppPipeline ] ]
  EventRule:
    Type: AWS::Events::Rule
    Properties:
      EventBusName: default
      EventPattern:
        source:
          - aws.s3
        detail-type:
          - Object Created
        detail:
          bucket:
            name:
              - !Ref SourceBucket
      Name: EnabledS3SourceRule
      State: ENABLED
      Targets:
        - Arn: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref AppPipeline ] ]
          RoleArn: !GetAtt EventRole.Arn
          Id: codepipeline-AppPipeline
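As an added check, not part of this AWS page or of CodePipeline itself, the following Python script lints a template in its JSON form for the two inconsistencies described above: an EventBridge rule targeting a pipeline whose PollForSourceChanges is still on (the pipeline starts twice per change), and a source bucket that does not set EventBridgeEnabled: true (no change detection). It assumes the rule's target ARN is built with Fn::Join ending in a Ref to the pipeline, as in the templates on this page; SAMPLE is a constructed template that reproduces the polling mistake.

```python
def _polling_off(cfg):
    # PollForSourceChanges defaults to true when omitted; accept bool or string forms.
    return str(cfg.get("PollForSourceChanges", True)).lower() == "false"

def _pipelines_targeted_by_s3_rules(resources):
    # Logical names of pipelines that an aws.s3 EventBridge rule targets; the ARN is
    # assumed to be built with Fn::Join and to end in {"Ref": <pipeline>} as on this page.
    targeted = set()
    for res in resources.values():
        props = res.get("Properties", {})
        if res.get("Type") != "AWS::Events::Rule" or "aws.s3" not in props.get("EventPattern", {}).get("source", []):
            continue
        for target in props.get("Targets", []):
            arn = target.get("Arn")
            parts = arn.get("Fn::Join", ["", []])[1] if isinstance(arn, dict) else []
            if parts and isinstance(parts[-1], dict) and "Ref" in parts[-1]:
                targeted.add(parts[-1]["Ref"])
    return targeted

def lint_template(template):
    """Return one finding per problem; an empty list means the template is consistent."""
    findings, res = [], template.get("Resources", {})
    targeted = _pipelines_targeted_by_s3_rules(res)
    for name, r in res.items():
        if r.get("Type") != "AWS::CodePipeline::Pipeline":
            continue
        for stage in r.get("Properties", {}).get("Stages", []):
            for action in stage.get("Actions", []):
                atid = action.get("ActionTypeId", {})
                if (atid.get("Category"), atid.get("Provider")) != ("Source", "S3"):
                    continue
                cfg, where = action.get("Configuration", {}), f"{name}/{action.get('Name')}"
                if name in targeted and not _polling_off(cfg):
                    findings.append(f"{where}: EventBridge rule present but polling still on (double trigger)")
                if name not in targeted and _polling_off(cfg):
                    findings.append(f"{where}: polling off and no aws.s3 rule targets the pipeline (no change detection)")
                ref = cfg.get("S3Bucket")  # {"Ref": bucket} or a plain bucket name
                bucket = res.get(ref.get("Ref") if isinstance(ref, dict) else ref, {})
                eb = bucket.get("Properties", {}).get("NotificationConfiguration", {}).get("EventBridgeConfiguration", {})
                if name in targeted and eb.get("EventBridgeEnabled") is not True:
                    findings.append(f"{where}: source bucket does not set EventBridgeEnabled: true")
    return findings

# Constructed sample (Python form of the JSON template): the page's shape, with polling left on.
SAMPLE = {"Resources": {
 "SourceBucket": {"Type": "AWS::S3::Bucket", "Properties":
   {"NotificationConfiguration": {"EventBridgeConfiguration": {"EventBridgeEnabled": True}}}},
 "AppPipeline": {"Type": "AWS::CodePipeline::Pipeline", "Properties": {"Stages": [{"Name": "Source",
   "Actions": [{"Name": "SourceAction", "ActionTypeId": {"Category": "Source", "Owner": "AWS",
   "Version": 1, "Provider": "S3"}, "Configuration": {"S3Bucket": {"Ref": "SourceBucket"},
   "S3ObjectKey": {"Ref": "SourceObjectKey"}, "PollForSourceChanges": True}}]}]}},
 "EventRule": {"Type": "AWS::Events::Rule", "Properties": {"EventPattern": {"source": ["aws.s3"]},
   "Targets": [{"Arn": {"Fn::Join": ["", ["arn:aws:codepipeline:", {"Ref": "AWS::Region"}, ":",
   {"Ref": "AWS::AccountId"}, ":", {"Ref": "AppPipeline"}]]}, "Id": "codepipeline-AppPipeline"}]}}}}
```

Run lint_template on the parsed JSON of your own template (json.load of the file) before creating the change set; an empty result means polling, the rule and the bucket notification agree.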