AWS CodeBuild Webhook
This page shows how to write Terraform and CloudFormation for CodeBuild Webhook and write them securely.
aws_codebuild_webhook (Terraform)
The Webhook in CodeBuild can be configured in Terraform with the resource name aws_codebuild_webhook. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_codebuild_webhook" "cicd-plan-webhook" {
project_name = aws_codebuild_project.tf-plan.name
build_type = "BUILD"
filter_group {
filter {
type = "EVENT"
resource "aws_codebuild_webhook" "webhook_example" {
project_name = aws_codebuild_project.webhook_example.id
## Only trigger builds when the specified branch (HEAD_REF) is pushed to
filter_group {
filter {
type = "EVENT"
resource "aws_codebuild_webhook" "continuous_apply" {
project_name = aws_codebuild_project.continuous_apply.name
filter_group {
filter {
type = "EVENT"
resource "aws_codebuild_webhook" "prd" {
count = replace(var.env, var.name, "") == "-prd" ? 1 : 0
project_name = aws_codebuild_project.this.name
filter_group {
filter {
resource "aws_codebuild_webhook" "webhook" {
count = length(var.webhook)
project_name = element(var.project_name, lookup(var.webhook[count.index], "project_id"))
branch_filter = lookup(var.webhook[count.index], "branch_filter")
dynamic "filter_group" {
Parameters
-
branch_filteroptional - string -
idoptional computed - string -
payload_urloptional computed - string -
project_namerequired - string -
secretoptional computed - string -
urloptional computed - string -
filter_groupset block-
filterlist block-
exclude_matched_patternoptional - bool -
patternrequired - string -
typerequired - string
-
-
Explanation in Terraform Registry
Manages a CodeBuild webhook, which is an endpoint accepted by the CodeBuild service to trigger builds from source code repositories. Depending on the source type of the CodeBuild project, the CodeBuild service may also automatically create and delete the actual repository webhook as well.
Tips: Best Practices for The Other AWS CodeBuild Resources
In addition to the aws_codebuild_project, AWS CodeBuild has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_codebuild_project
Ensure to enable encryption of CodeBuild artifacts
It's better to protect CodeBuild project artifacts with default encryption.
AWS::CodeBuild::Project WebhookFilter (CloudFormation)
The Project WebhookFilter in CodeBuild can be configured in CloudFormation with the resource name AWS::CodeBuild::Project WebhookFilter. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
ExcludeMatchedPattern
Used to indicate that the pattern determines which webhook events do not trigger a build. If true, then a webhook event that does not match the pattern triggers a build. If false, then a webhook event that matches the pattern triggers a build.
Required: No
Type: Boolean
Update requires: No interruption
Pattern
For a WebHookFilter that uses EVENT type, a comma-separated string that specifies one or more events. For example, the webhook filter PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED allows all push, pull request created, and pull request updated events to trigger a build.
For a WebHookFilter that uses any of the other filter types, a regular expression pattern. For example, a WebHookFilter that uses HEAD_REF for its type and the pattern ^refs/heads/ triggers a build when the head reference is a branch with a reference name refs/heads/branch-name.
Required: Yes
Type: String
Update requires: No interruption
Type
The type of webhook filter. There are six webhook filter types: EVENT, ACTOR_ACCOUNT_ID, HEAD_REF, BASE_REF, FILE_PATH, and COMMIT_MESSAGE.
EVENT
A webhook event triggers a build when the provided pattern matches one of five event types: PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED, and PULL_REQUEST_MERGED. The EVENT patterns are specified as a comma-separated string. For example, PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED filters all push, pull request created, and pull request updated events.
The PULL_REQUEST_REOPENED works with GitHub and GitHub Enterprise only.
ACTORACCOUNT_ID
A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID matches the regular expression pattern.
HEAD_REF
A webhook event triggers a build when the head reference matches the regular expression pattern. For example, refs/heads/branch-name and refs/tags/tag-name.
Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request, Bitbucket push, and Bitbucket pull request events.
BASE_REF
A webhook event triggers a build when the base reference matches the regular expression pattern. For example, refs/heads/branch-name.
Works with pull request events only.
FILE_PATH
A webhook triggers a build when the path of a changed file matches the regular expression pattern.
Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.
COMMIT_MESSAGE
A webhook triggers a build when the head commit message matches the regular expression pattern.
Works with GitHub and Bitbucket events push and pull requests events. Also works with GitHub Enterprise push events, but does not work with GitHub Enterprise pull request events.
_Required: Yes
Type: String
Allowed values: ACTOR_ACCOUNT_ID | BASE_REF | COMMIT_MESSAGE | EVENT | FILE_PATH | HEAD_REF
Update requires: No interruption
Explanation in CloudFormation Registry
WebhookFilteris a structure of theFilterGroupsproperty on the AWS CodeBuild Project ProjectTriggers property type that specifies which webhooks trigger an AWS CodeBuild build.
Frequently asked questions
What is AWS CodeBuild Webhook?
AWS CodeBuild Webhook is a resource for CodeBuild of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS CodeBuild Webhook?
For Terraform, the didilmfs/learn-aws-cicd, exNihlio/terraform and Unripe01/study-terraform-forked source code examples are useful. See the Terraform Example section for further details.
