How To Trigger A CodeBuild Build Using GitHub Webhook
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to schedule a CodeBuild build using a trigger.
https://cloudaffaire.com/how-to-schedule-an-aws-codebuild-using-trigger/
In this blog post, we will discuss how to trigger a CodeBuild build using a GitHub webhook. You can use GitHub webhook events to trigger a CodeBuild build. For example, suppose your source code is hosted in GitHub and you want to run a quick build with AWS CodeBuild before accepting a pull request, to check that the code still builds after the change. You can use webhook filter groups to specify which GitHub webhook events trigger a build; for example, you can specify that a build is triggered for specified branches only. You can create one or more webhook filter groups. A build is triggered if all the filters in at least one filter group evaluate to true.
How To Trigger A CodeBuild Build Using GitHub Webhook:
Requirements:
AWS CLI installed and configured. You can follow the blog posts below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Git installed and configured.
https://cloudaffaire.com/category/devops/git/
One GitHub account.
Step 1: Create your GitHub access token.
For CodeBuild to communicate with GitHub, you need to register a GitHub access token with AWS CodeBuild. Your GitHub personal access token must have the following scopes.
- repo: Grants full control of private repositories.
- repo:status: Grants access to commit statuses.
- admin:repo_hook: Grants full control of repository hooks.
Follow the below steps to get your GitHub access token.
Step 1.a: Login to your GitHub account and click on ‘Settings’. Navigate to ‘Developer settings’ and click on ‘Personal access tokens’ and finally click ‘New GitHub App’.
Step 1.b: Provide a name, select the access scopes listed above and click on ‘Generate token’.
Your GitHub access token has now been generated. Copy it and save it in a secure place; GitHub shows it only once.
Step 2: Create a private repository in your GitHub account and upload the source code that you want to build using CodeBuild. If you don’t have any source code, you can use the sample code provided by AWS from the below repo.
https://github.com/CloudAffaire/CodeBuild
Step 3: Add GitHub access token in AWS CodeBuild
###########################################################
## How To Trigger A CodeBuild Build Using GitHub Webhook ##
###########################################################
## I am using a Linux shell to execute AWS CLI commands

## ---------------------------------------------------
## Connect source provider (GitHub) with access tokens
## ---------------------------------------------------

## create a directory for this demo
mkdir codebuld && cd codebuld

## declare some variables for your codebuild project
S3_BUCKET_NAME="myappcbcloudaffaire" ## (must be unique globally)
GITHUB_ACCESS_TOKEN="<your-github-access-token>"   ## placeholder: paste the token from Step 1
GITHUB_REPO_HTTPS_URL="<your-github-repo-https-url>" ## placeholder: e.g. the clone URL of the repo from Step 2

## create a source credentials config file
cat <<EOF > access.json
{
  "token": "$GITHUB_ACCESS_TOKEN",
  "serverType": "GITHUB",
  "authType": "PERSONAL_ACCESS_TOKEN",
  "shouldOverwrite": true
}
EOF

## create codebuild source credential for GitHub
aws codebuild import-source-credentials \
  --cli-input-json file://access.json

## check source credentials information
aws codebuild list-source-credentials

## access.json now holds your token in plain text; remove it once imported
rm -f access.json
Step 4: Create an IAM role for AWS CodeBuild.
## --------------------------------
## Create an IAM role for CodeBuild
## --------------------------------

## create the trust policy that lets CodeBuild assume the role
cat <<EOF > role_assume_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## create iam role
IAM_ROLE_ARN=$(aws iam create-role \
  --role-name CodeBuildServiceRole \
  --assume-role-policy-document file://role_assume_policy.json \
  --query 'Role.Arn' \
  --output text)

## attach some policies to the role (S3, CodeCommit, CloudWatch)
## note: these AWS managed "FullAccess" policies are far broader than a build
## needs; for anything beyond a demo, scope the role down to the artifact
## bucket and the project's log group
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess \
  --role-name CodeBuildServiceRole &&
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCodeCommitFullAccess \
  --role-name CodeBuildServiceRole &&
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/CloudWatchFullAccess \
  --role-name CodeBuildServiceRole
Step 5: Create an S3 bucket to store your build artifacts.
## ------------------------------------------
## Create an S3 bucket for CodeBuild artifact
## ------------------------------------------

## Create a new s3 bucket
aws s3api create-bucket \
  --bucket "$S3_BUCKET_NAME" \
  --create-bucket-configuration "LocationConstraint=ap-south-1"

## Add a tag to the s3 bucket
aws s3api put-bucket-tagging \
  --bucket "$S3_BUCKET_NAME" \
  --tagging 'TagSet=[{Key=Name,Value=MYAPP}]'
Step 6: Create a CodeBuild build project.
## --------------------------------
## Create a CodeBuild build project
## --------------------------------

## create build project definition
cat <<EOF > build_project_def.json
{
  "name": "mycodebuildproject",
  "source": {
    "type": "GITHUB",
    "location": "$GITHUB_REPO_HTTPS_URL"
  },
  "artifacts": {
    "type": "S3",
    "location": "$S3_BUCKET_NAME"
  },
  "environment": {
    "type": "LINUX_CONTAINER",
    "image": "aws/codebuild/amazonlinux2-x86_64-standard:3.0",
    "computeType": "BUILD_GENERAL1_SMALL"
  },
  "serviceRole": "$IAM_ROLE_ARN"
}
EOF

## create the build project
aws codebuild create-project \
  --cli-input-json file://build_project_def.json

## list all projects in your codebuild
aws codebuild list-projects

## get project build details
aws codebuild batch-get-projects \
  --names "mycodebuildproject"
Note: You are charged per build minute. The free tier includes 120 build minutes per month on the small compute type used in this demo.
Step 6: Create a webhook for GitHub.
## ---------------------------
## Create a webhook for GitHub
## ---------------------------

## create the webhook
aws codebuild create-webhook \
  --project-name "mycodebuildproject" \
  --filter-groups "[[{\"type\":\"EVENT\",\"pattern\":\"PUSH\"}]]" \
  --build-type "BUILD"

## if everything works fine, then you will be able
## to see a new webhook in your GitHub repo
Note: AWS CodeBuild lets you set different conditions for your build trigger using GitHub webhook filter groups. For simplicity, I am setting the condition to any push event in GitHub. Refer to the AWS documentation for the complete list of filter types.
https://docs.aws.amazon.com/codebuild/latest/userguide/github-webhook.html
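The filter-group rule stated above (a build fires when every filter in at least one group matches) is easy to get wrong when groups combine EVENT, HEAD_REF, ACTOR_ACCOUNT_ID and FILE_PATH filters. The following is an added example, not code from this post or from AWS: it reproduces that rule locally over constructed GitHub webhook payloads so you can reason about a `--filter-groups` value before calling `aws codebuild create-webhook`. It compares the post's PUSH-only group with a tighter pair of groups that restricts pushes to one branch and one GitHub account ID and skips docs-only changes. The mapping from GitHub payload fields to filter attributes, and the treatment of multi-file FILE_PATH matches, are assumptions made for illustration; the real evaluation happens inside CodeBuild.

```python
"""Local simulation of CodeBuild GitHub webhook filter groups (added example, not AWS code)."""
import json
import re

# Filter types documented for GitHub webhooks in CodeBuild.
FILTER_TYPES = {"EVENT", "HEAD_REF", "BASE_REF", "ACTOR_ACCOUNT_ID", "FILE_PATH", "COMMIT_MESSAGE"}

# Assumed mapping from a pull_request "action" to a CodeBuild EVENT name.
PR_ACTION_TO_EVENT = {"opened": "PULL_REQUEST_CREATED",
                      "synchronize": "PULL_REQUEST_UPDATED",
                      "reopened": "PULL_REQUEST_REOPENED"}


def event_name(github_event, payload):
    """Translate the X-GitHub-Event header plus JSON body into a CodeBuild EVENT name."""
    if github_event == "push":
        return "PUSH"
    if github_event == "pull_request":
        if payload.get("action") == "closed":
            return "PULL_REQUEST_MERGED" if payload["pull_request"].get("merged") else "PULL_REQUEST_CLOSED"
        return PR_ACTION_TO_EVENT.get(payload.get("action"))
    return None


def attributes(github_event, payload):
    """Extract the value each filter type is matched against (assumed mapping)."""
    attrs = {"EVENT": event_name(github_event, payload),
             "ACTOR_ACCOUNT_ID": str(payload["sender"]["id"])}  # numeric GitHub user id
    if github_event == "push":
        attrs["HEAD_REF"] = payload["ref"]
        attrs["COMMIT_MESSAGE"] = payload["head_commit"]["message"]
        files = set()
        for commit in payload.get("commits", []):
            files.update(commit.get("added", []) + commit.get("modified", []) + commit.get("removed", []))
        attrs["FILE_PATH"] = sorted(files)
    elif github_event == "pull_request":
        pr = payload["pull_request"]
        attrs["HEAD_REF"] = "refs/heads/" + pr["head"]["ref"]
        attrs["BASE_REF"] = "refs/heads/" + pr["base"]["ref"]
        attrs["COMMIT_MESSAGE"] = pr["title"]
        # GitHub's PR payload carries no file list; CodeBuild resolves it via the API. Omitted here.
    return attrs


def filter_matches(flt, attrs):
    """Evaluate one WebhookFilter against the extracted attributes."""
    ftype = flt["type"]
    if ftype not in FILTER_TYPES:
        raise ValueError(f"unknown filter type {ftype}")
    value = attrs.get(ftype)
    if value is None:
        matched = False
    elif ftype == "EVENT":
        # EVENT patterns are comma-separated event names, not regular expressions.
        matched = value in {e.strip() for e in flt["pattern"].split(",")}
    else:
        pattern = re.compile(flt["pattern"])
        values = value if isinstance(value, list) else [value]
        matched = any(pattern.search(v) for v in values)  # assumption: any changed file counts
    return (not matched) if flt.get("excludeMatchedPattern") else matched


def should_trigger(filter_groups, attrs):
    """CodeBuild rule: OR across groups, AND within a group."""
    return any(all(filter_matches(f, attrs) for f in group) for group in filter_groups)


def to_cli_argument(filter_groups):
    """Serialise groups in the form expected by `aws codebuild create-webhook --filter-groups`."""
    return json.dumps(filter_groups, separators=(",", ":"))


# The post's own group: every push triggers a build.
PAGE_FILTER_GROUPS = [[{"type": "EVENT", "pattern": "PUSH"}]]

# Tighter groups: pushes to main by one trusted account id (1111, constructed), ignoring docs-only
# changes, plus pull requests opened or updated against main.
RESTRICTED_FILTER_GROUPS = [
    [{"type": "EVENT", "pattern": "PUSH"},
     {"type": "HEAD_REF", "pattern": "^refs/heads/main$"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "^1111$"},
     {"type": "FILE_PATH", "pattern": "^docs/", "excludeMatchedPattern": True}],
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED"},
     {"type": "BASE_REF", "pattern": "^refs/heads/main$"}],
]

# Constructed sample webhook deliveries (trimmed to the fields used above).
SAMPLE_EVENTS = {
    "push_main": ("push", {"ref": "refs/heads/main", "sender": {"id": 1111},
                           "head_commit": {"message": "fix build"},
                           "commits": [{"added": [], "modified": ["src/app.py"], "removed": []}]}),
    "push_docs_only": ("push", {"ref": "refs/heads/main", "sender": {"id": 1111},
                                "head_commit": {"message": "docs only"},
                                "commits": [{"added": ["docs/guide.md"], "modified": [], "removed": []}]}),
    "push_feature_by_stranger": ("push", {"ref": "refs/heads/feature-x", "sender": {"id": 2222},
                                          "head_commit": {"message": "wip"}, "commits": []}),
    "pr_opened_to_main": ("pull_request", {"action": "opened", "sender": {"id": 3333},
                                           "pull_request": {"title": "Add feature", "merged": False,
                                                            "head": {"ref": "feature-x"},
                                                            "base": {"ref": "main"}}}),
}


def decisions(filter_groups):
    """Return {sample name: would CodeBuild start a build} for each constructed delivery."""
    return {name: should_trigger(filter_groups, attributes(ev, body))
            for name, (ev, body) in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    print("page filter groups:      ", decisions(PAGE_FILTER_GROUPS))
    print("restricted filter groups:", decisions(RESTRICTED_FILTER_GROUPS))
    print("--filter-groups", to_cli_argument(RESTRICTED_FILTER_GROUPS))
```

With the PUSH-only group, the push from the untrusted account on a feature branch starts a build just like the push to main; with the restricted groups it does not, and docs-only pushes are skipped while pull requests against main still build.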
Step 7: Push a change in your GitHub repository.
## -------------------------------------------------------------------
## Start your CodeBuild build by pushing an update in your GitHub repo
## -------------------------------------------------------------------

## clone your GitHub private repository
git clone $GITHUB_REPO_HTTPS_URL

## perform some change and push
## (the clone directory is the last path component of the URL without .git)
cd "$(basename "$GITHUB_REPO_HTTPS_URL" .git)"
echo "hello" >> README.md
git config --global user.name "Debjeet"
git config --global user.email "cloudaffaire@gmail.com"
git add .
git commit -m "demo update"
git push ## this will trigger a codebuild build
cd ..

## get list of build for the project
aws codebuild list-builds-for-project \
  --project-name "mycodebuildproject"

## get build details
AWS_CODEBULD_BUILD_ID=$(aws codebuild list-builds-for-project \
  --project-name "mycodebuildproject" \
  --query 'ids[0]' \
  --output text) &&
aws codebuild batch-get-builds \
  --ids $AWS_CODEBULD_BUILD_ID
Note: The push is delivered to CodeBuild through the GitHub webhook and starts a build of your project.
Step 8: Get your CodeBuild build project logs and artifacts.
## ---------------------------------------------------
## Get your CodeBuild build project logs and artifacts
## ---------------------------------------------------

## check the artifacts for the builds
aws s3api list-objects \
  --bucket $S3_BUCKET_NAME

## check cloudwatch logs for the build logs
## the build id has the form "<project>:<uuid>"; the uuid is the log stream name
AWS_CLOUDWATCH_LOG_STREAM=`echo $AWS_CODEBULD_BUILD_ID | awk -F":" '{print $2}'`
## CodeBuild logs to /aws/codebuild/<project-name> by default; filter by that
## prefix rather than taking the first log group in the account
AWS_CLOUDWATCH_LOG_GROUP=$(aws logs describe-log-groups \
  --log-group-name-prefix "/aws/codebuild/mycodebuildproject" \
  --query 'logGroups[0].logGroupName' \
  --output text)
aws logs get-log-events \
  --log-group-name $AWS_CLOUDWATCH_LOG_GROUP \
  --log-stream-name $AWS_CLOUDWATCH_LOG_STREAM \
  --limit 10
Step 9: Cleanup.
## -------
## Cleanup
## -------

## delete the webhook
aws codebuild delete-webhook \
  --project-name "mycodebuildproject"

## delete github source credentials
SOURCE_CONFIG_ARN=$(aws codebuild list-source-credentials \
  --query 'sourceCredentialsInfos[0].arn' \
  --output text) &&
aws codebuild delete-source-credentials \
  --arn $SOURCE_CONFIG_ARN

## delete codebuild project
aws codebuild delete-project \
  --name "mycodebuildproject"

## delete cloudwatch logs
aws logs delete-log-group \
  --log-group-name $AWS_CLOUDWATCH_LOG_GROUP

## delete s3 artifact bucket
aws s3 rm s3://$S3_BUCKET_NAME \
  --recursive &&
aws s3 rb s3://$S3_BUCKET_NAME \
  --force

## detach IAM role policy
aws iam detach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess \
  --role-name CodeBuildServiceRole &&
aws iam detach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCodeCommitFullAccess \
  --role-name CodeBuildServiceRole &&
aws iam detach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/CloudWatchFullAccess \
  --role-name CodeBuildServiceRole

## delete IAM role
aws iam delete-role \
  --role-name "CodeBuildServiceRole"

## delete your github private repo and access token

## delete the directory for this demo
cd .. && rm -rf codebuld
Hope you have enjoyed this blog post. For more details on AWS CodeBuild, please refer to the AWS documentation below.
https://docs.aws.amazon.com/codebuild/index.html
We recommend that you use a filter group to specify which GitHub users can trigger a build in a public repository. This can prevent a user from triggering an unexpected build. For more information, see the GitHub webhook events documentation linked above.