AWS CodeBuild Webhook
This page shows how to write the CodeBuild Webhook resource in Terraform and CloudFormation, and how to configure it securely.
aws_codebuild_webhook (Terraform)
The Webhook in CodeBuild can be configured in Terraform with the resource name aws_codebuild_webhook. The following sections show five example excerpts of how to use the resource and describe its parameters.
Example Usage from GitHub
The following five excerpts are truncated in the source page; each shows only the opening lines of an aws_codebuild_webhook block.

Example 1
    resource "aws_codebuild_webhook" "cicd-plan-webhook" {
      project_name = aws_codebuild_project.tf-plan.name
      build_type   = "BUILD"
      filter_group {
        filter {
          type = "EVENT"

Example 2
    resource "aws_codebuild_webhook" "webhook_example" {
      project_name = aws_codebuild_project.webhook_example.id
      ## Only trigger builds when the specified branch (HEAD_REF) is pushed to
      filter_group {
        filter {
          type = "EVENT"

Example 3
    resource "aws_codebuild_webhook" "continuous_apply" {
      project_name = aws_codebuild_project.continuous_apply.name
      filter_group {
        filter {
          type = "EVENT"

Example 4
    resource "aws_codebuild_webhook" "prd" {
      count        = replace(var.env, var.name, "") == "-prd" ? 1 : 0
      project_name = aws_codebuild_project.this.name
      filter_group {
        filter {

Example 5
    resource "aws_codebuild_webhook" "webhook" {
      count         = length(var.webhook)
      project_name  = element(var.project_name, lookup(var.webhook[count.index], "project_id"))
      branch_filter = lookup(var.webhook[count.index], "branch_filter")
      dynamic "filter_group" {
Parameters
- branch_filter: optional, string
- id: optional (computed), string
- payload_url: optional (computed), string
- project_name: required, string
- secret: optional (computed), string
- url: optional (computed), string
- filter_group: set block
  - filter: list block
    - exclude_matched_pattern: optional, bool
    - pattern: required, string
    - type: required, string
Explanation in Terraform Registry
Manages a CodeBuild webhook, which is an endpoint accepted by the CodeBuild service to trigger builds from source code repositories. Depending on the source type of the CodeBuild project, the CodeBuild service may also automatically create and delete the actual repository webhook as well.
Tips: Best Practices for the Other AWS CodeBuild Resources
Besides the resource described on this page, AWS CodeBuild has other resources that should be configured with security in mind. Please check the following examples of those resources and their precautions.
aws_codebuild_project
Ensure that encryption of CodeBuild artifacts is enabled
Keep CodeBuild project artifacts protected with encryption (the default setting); do not disable it.
AWS::CodeBuild::Project WebhookFilter (CloudFormation)
The Project WebhookFilter in CodeBuild can be configured in CloudFormation with the resource name AWS::CodeBuild::Project WebhookFilter. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
ExcludeMatchedPattern
Used to indicate that the pattern determines which webhook events do not trigger a build. If true, then a webhook event that does not match the pattern triggers a build. If false, then a webhook event that matches the pattern triggers a build.
Required: No
Type: Boolean
Update requires: No interruption
Pattern
For a WebHookFilter that uses the EVENT type, a comma-separated string that specifies one or more events. For example, the webhook filter PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED allows all push, pull request created, and pull request updated events to trigger a build.
For a WebHookFilter that uses any of the other filter types, a regular expression pattern. For example, a WebHookFilter that uses HEAD_REF for its type and the pattern ^refs/heads/ triggers a build when the head reference is a branch with a reference name refs/heads/branch-name.
Required: Yes
Type: String
Update requires: No interruption
Type
The type of webhook filter. There are six webhook filter types: EVENT, ACTOR_ACCOUNT_ID, HEAD_REF, BASE_REF, FILE_PATH, and COMMIT_MESSAGE.
EVENT
A webhook event triggers a build when the provided pattern matches one of five event types: PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED, and PULL_REQUEST_MERGED. The EVENT patterns are specified as a comma-separated string. For example, PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED filters all push, pull request created, and pull request updated events.
The PULL_REQUEST_REOPENED type works with GitHub and GitHub Enterprise only.
ACTOR_ACCOUNT_ID
A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression pattern.
HEAD_REF
A webhook event triggers a build when the head reference matches the regular expression pattern. For example, refs/heads/branch-name and refs/tags/tag-name.
Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.
BASE_REF
A webhook event triggers a build when the base reference matches the regular expression pattern. For example, refs/heads/branch-name.
Works with pull request events only.
FILE_PATH
A webhook triggers a build when the path of a changed file matches the regular expression pattern.
Works with GitHub and Bitbucket push and pull request events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.
COMMIT_MESSAGE
A webhook triggers a build when the head commit message matches the regular expression pattern.
Works with GitHub and Bitbucket push and pull request events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.
Required: Yes
Type: String
Allowed values: ACTOR_ACCOUNT_ID | BASE_REF | COMMIT_MESSAGE | EVENT | FILE_PATH | HEAD_REF
Update requires: No interruption
Explanation in CloudFormation Registry
WebhookFilter is a structure of the FilterGroups property on the AWS CodeBuild Project ProjectTriggers property type that specifies which webhooks trigger an AWS CodeBuild build.
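The Terraform excerpts earlier on this page are truncated, and no CloudFormation example was found, so the following is an added, complete aws_codebuild_webhook example written for this page (it is not taken from the referenced GitHub repositories, the Terraform provider documentation, or AWS). It applies the filter types and the ExcludeMatchedPattern semantics documented in the CloudFormation section above; in Terraform these appear as the filter block's type, pattern and exclude_matched_pattern attributes. The project aws_codebuild_project.app, the branch and tag patterns, and the account IDs are assumptions and constructed placeholders.

```hcl
# Added example for this page; not from the page's GitHub excerpts or the provider docs.
# Assumes an existing aws_codebuild_project.app whose source is a GitHub repository.

resource "aws_codebuild_webhook" "app" {
  project_name = aws_codebuild_project.app.name
  build_type   = "BUILD"

  # Filter group 1: direct pushes to the main branch only.
  # Every filter within one filter_group has to match for the group to trigger.
  filter_group {
    filter {
      type    = "EVENT"
      pattern = "PUSH"
    }
    filter {
      type = "HEAD_REF"
      # Anchor both ends: an unanchored "refs/heads/main" would also match
      # "refs/heads/main-experiment" or "refs/heads/maintenance".
      pattern = "^refs/heads/main$"
    }
  }

  # Filter group 2: pull requests that target main, opened or updated by
  # allow-listed actors only. A PR build may execute the buildspec from the PR
  # head, so limiting who can start one limits who can run code in the build.
  filter_group {
    filter {
      type    = "EVENT"
      pattern = "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED"
    }
    filter {
      type    = "BASE_REF"
      pattern = "^refs/heads/main$"
    }
    filter {
      type    = "ACTOR_ACCOUNT_ID"
      pattern = "^(111111111|222222222)$" # constructed placeholder account IDs
    }
    filter {
      # exclude_matched_pattern inverts the filter: skip PR builds whose only
      # changed files are under docs/. Note the filter matches if any changed
      # file path matches, so a PR that touches docs/ and src/ is skipped too.
      type                    = "FILE_PATH"
      pattern                 = "^docs/"
      exclude_matched_pattern = true
    }
  }

  # Filter group 3: pushes of semantic-version tags (refs/tags/v1.2.3).
  # Backslashes are escaped for HCL, so the regex CodeBuild sees is
  # ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$
  filter_group {
    filter {
      type    = "EVENT"
      pattern = "PUSH"
    }
    filter {
      type    = "HEAD_REF"
      pattern = "^refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$"
    }
  }
}

# The computed secret is credential material shared with the repository host.
# Mark it sensitive so it is redacted from plan/apply output and CLI logs.
output "codebuild_webhook_secret" {
  value     = aws_codebuild_webhook.app.secret
  sensitive = true
}

output "codebuild_webhook_payload_url" {
  value = aws_codebuild_webhook.app.payload_url
}
```

The same three groups map one-to-one onto CloudFormation's Triggers.FilterGroups: each filter block becomes a WebhookFilter object with Type, Pattern and ExcludeMatchedPattern. When reviewing a configuration, check that every regex pattern is anchored with ^ and $, that the webhook secret is never written to an unencrypted state backend or plain output, and that any ACTOR_ACCOUNT_ID allow-list is reviewed when team membership changes.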
Frequently asked questions
What is AWS CodeBuild Webhook?
AWS CodeBuild Webhook is a resource for CodeBuild of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS CodeBuild Webhook?
For Terraform, the didilmfs/learn-aws-cicd, exNihlio/terraform and Unripe01/study-terraform-forked source code examples are useful. See the Terraform Example Usage section for further details.