feat(ci): Terraform module to monitor CodeCommit repo and trigger CodePipeline

Author: Dzhuneyt

locals.tf

@@ -0,0 +1,5 @@
+locals {
+  git_branch = var.branch_to_monitor
+  codepipeline_arn = var.codepipeline_arn
+  repo_arn = var.codecommit_repo_arn
+}

main.tf

@@ -0,0 +1,76 @@
+# Listen for activity on the CodeCommit repo and trigger the CodePipeline
+resource "aws_cloudwatch_event_rule" "codecommit_activity" {
+  name = "${var.tag}-codecommit-activity"
+  description = "Detect commits to CodeCommit repo of ${var.tag}"
+
+  event_pattern = <<PATTERN
+{
+  "source": [ "aws.codecommit" ],
+  "detail-type": [ "CodeCommit Repository State Change" ],
+  "resources": [ "${local.repo_arn}" ],
+  "detail": {
+     "event": [
+       "referenceCreated",
+       "referenceUpdated"
+      ],
+     "referenceType":["branch"],
+     "referenceName": ["${local.git_branch}"]
+  }
+}
+PATTERN
+}
+
+resource "aws_cloudwatch_event_target" "cloudwatch_triggers_pipeline" {
+  target_id = "${var.tag}-commits-trigger-pipeline"
+  rule = aws_cloudwatch_event_rule.codecommit_activity.name
+  arn = local.codepipeline_arn
+  role_arn = aws_iam_role.cloudwatch_ci_role.arn
+}
+
+# Allows the CloudWatch event to assume roles
+resource "aws_iam_role" "cloudwatch_ci_role" {
+  name_prefix = "${var.tag}-cloudwatch-ci-"
+
+  assume_role_policy = <<DOC
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "events.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+DOC
+}
+data "aws_iam_policy_document" "cloudwatch_ci_iam_policy" {
+  statement {
+    actions = [
+      "iam:PassRole"
+    ]
+    resources = [
+      "*"
+    ]
+  }
+  statement {
+    # Allow CloudWatch to start the Pipeline
+    actions = [
+      "codepipeline:StartPipelineExecution"
+    ]
+    resources = [
+      local.codepipeline_arn
+    ]
+  }
+}
+resource "aws_iam_policy" "cloudwatch_ci_iam_policy" {
+  name_prefix = "${var.tag}-cloudwatch-ci-"
+  policy = data.aws_iam_policy_document.cloudwatch_ci_iam_policy.json
+}
+resource "aws_iam_role_policy_attachment" "cloudwatch_ci_iam" {
+  policy_arn = aws_iam_policy.cloudwatch_ci_iam_policy.arn
+  role = aws_iam_role.cloudwatch_ci_role.name
+}

outputs.tf

@@ -0,0 +1,6 @@
+output "cloudwatch_rule_id" {
+  value = aws_cloudwatch_event_rule.codecommit_activity.id
+}
+output "cloudwatch_target_id" {
+  value = aws_cloudwatch_event_target.cloudwatch_triggers_pipeline.id
+}

variables.tf

@@ -0,0 +1,12 @@
+variable "codepipeline_arn" {
+  description = "Trigger the following CodePipeline"
+}
+variable "codecommit_repo_arn" {
+  description = "The repo which will be monitored"
+}
+variable "branch_to_monitor" {
+  description = "Monitor changes on this branch of CodeCommit"
+}
+variable "tag" {
+  description = "Tags the resources with this name"
+}