I am trying to setup CI/CD with AWS codepipeline and now I am stuck with pipeline autostart.
Looks like cloudwatch does not detect ECR events so does not start a pipeline.
Target and role configured correctly, but in access advisor for role I don`t see any role invocations.
Region us-west-2.
Here is event pattern that I use:
{
"detail": {
"eventName": [
"PutImage"
],
"requestParameters": {
"imageTag": [
"service.develop.latest"
],
"repositoryName": [
"repository"
]
}
},
"source": [
"aws.ecr"
]
}
I can see PutImage events in cloudtrail but this rule does not work. Any help appreciated, thanks.
Well, magically this thing started to work.
Looks like an AWS bug as I did not fixed it somehow.
Related
I want to be able to setup an AWS CloudWatch event rule that will trigger to an SNS topic whenever one of my Step Functions completes (either success or failure). I do not want this to run for all Step Functions, but there will be an indeterminate number of them based on a common name prefix. Ideally, I'd like to be able to do something like this, but it appears that wildcards are not allowed in Event Patterns. Are there any creative ways to work around this?
{
"source": [
"aws.states"
],
"detail-type": [
"Step Functions Execution Status Change"
],
"detail": {
"status": [
"FAILED",
"SUCCEEDED"
],
"stateMachineArn": [
"arn:aws:states:us-west-1:123456789012:stateMachine:Prefix-*"
]
}
}
Wildcards are not supported in Cloudwatch event rule according to AWS official forum.
You will have to add all the arn's in the state machine ARN list. To do it easily you may write a script that does the following:
Get all the state machine names with specific prefix.
Update the Cloudwatch Event Rule to include all the state machine arn's with specific prefix.
My solution is below:
{
"source": ["aws.states"],
"detail-type": ["Step Functions Execution Status Change"],
"detail": {
"status": ["SUCCEEDED", "FAILED"],
"stateMachineArn": [ { "prefix": "arn:aws:states::us-west-1:123456789012:stateMachine:prefix-" } ]
}
}
I am trying to configure a Cloudwatch Event Rule (to trigger an SNS notification) for whenever
someone assumes a particular role:
{
"detail": {
"eventName": [
"AssumeRole"
],
"eventSource": [
"sts.amazonaws.com"
],
"requestParameters": {
"roleArn": [
"arn:aws:iam::0000:role/the_role_name"
]
}
},
"detail-type": [
"AWS API Call via CloudTrail"
]
}
Where 0000 is the account id and the_role_name is the role I want to alert on.
This is failing to trigger any notification, however when I search in Cloudtrail Insights for the
events:
filter eventName = 'AssumeRole'
| filter requestParameters.roleArn =~ 'the_role_name'
| sort #timestamp desc
| display #timestamp, requestParameters.roleSessionName, eventName, requestParameters.roleArn, userAgent, sourceIPAddress
I DO get results that SHOULD have triggered the rule:
requestParameters.roleSessionName eventName requestParameters.roleArn
my_username AssumeRole arn:aws:iam::0000:role/the_role_name
...
For the sake of trying to dumb things down and catch a broader set of events, I also tried the
following Rule (which would catch all AssumeRole events to any role):
{
"detail": {
"eventName": [
"AssumeRole"
]
},
"detail-type": [
"AWS API Call via CloudTrail"
]
}
This rule also is failing to trigger.
Does anyone have ideas on how to configure Cloudwatch Event Rules to trigger on AssumeRole events?
I read through this related question (which is trying to achieve something similar), but it did not have a solution: AWS CloudWatch Events trigger SNS on STS role assuming for cross account
First of all make sure whether the event is invoked or not by checking the monitoring metrics for the rule. It is possible that it is triggered, but it fails to invoke the target. In this case, you should check your IAM policies.
If it is not triggered, there could be issues with trail delivery to Cloudwatch Logs. Make sure that you created a trail in the same region, which delivers events to Cloudwatch Logs.
I've the following rule in us-east-1 region, which works fine:
{
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventSource": [
"sts.amazonaws.com"
],
"eventName": [
"AssumeRole"
]
},
"source": [
"aws.sts"
]
}
According an an AWS Support agent I was speaking with yesterday, and also indicated by the linked documents, Eventbridge Rules (formerly Cloudwatch Event Rules) unfortunately do not support STS events.
What's perplexing about this and might lead you down a wrong path, as it did me, is that the sts test-event-pattern api will in fact validate your event against a valid pattern and give no indication that it's an unsupported service.
Hopefully AWS adds STS event support in the future.
https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html
When i create the ec2 instance the cloud watch event should trigger, But it is not working.. Below is the event Json. Could you please help.
The same event is triggered successful in other aws account, I not sure what is wrong with this account. IAM policy to lambda has complete access and when i test lambda code it is working fine.. But the problem is the event should be triggered.
{
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventSource": [
"ec2.amazonaws.com",
"rds.amazonaws.com",
"s3.amazonaws.com"
],
"eventName": [
"CreateVolume",
"RunInstances",
"RequestSpotInstances",
"CreateSnapshot",
"CreateVpnGateway",
"CreateSecurityGroup",
"CreateInternetGateway",
"CreateNatGateway",
"CreateVpc",
"CreateSubnet",
"CreateRouteTable",
"CreateCustomerGateway",
"CreateNetworkAcl",
"CreateVpnConnection",
"CreateImage",
"CreateDBInstance",
"CreateDBSnapshot",
"CreateDBCluster",
"CreateDBClusterParameterGroup",
"CreateDBClusterSnapshot",
"CreateDBInstanceReadReplica",
"CreateDBParameterGroup",
"CreateDBSecurityGroup",
"CreateDBSubnetGroup",
"CreateEventSubscription",
"CreateOptionGroup",
"CreateBucket"
]
}
}
Are you configuring Trails from AWS CloudTrail to track API Calls?
1) Check on your Trails configuration if the Logging status is enabled or not.
2) Check again on your policies as most of the cases, we mis-configured our IAM policies so one of the services cannot work as expected.
I am trying to add some notifications to my Pipeline in AWS.
I have a build stage where I use AWS CodeBuild and I want to receive an email whenever the build fails.
I have followed the tutorial that amazon offers and it works fine to notify me about the failure, but I can't seem to find how to add the logs in the email.
I have created the following CloudWatch Event Rule, which monitors the execution of the entire Pipeline.
{
"source": [
"aws.codepipeline"
],
"detail-type": [
"CodePipeline Pipeline Execution State Change"
],
"detail": {
"state": [
"FAILED",
"SUCCEEDED",
"CANCELED"
],
"pipeline": [
"Pipeline_Trial"
]
}
}
Can anyone help me figure how to add the logs to this rule ?
The event from CodePipeline does not contain the CodeBuild logs so you can't pass this through to your email without something in the middle.
A solution could be to have your CloudWatch event target a Lambda function which looks up the logs via the CodeBuild / CloudWatch logs API. It can then generate the email including the logs and send the notification via SNS.
I am trying to make a rule trigger on any API call for creation, but I haven't had any success.
I have another rule that triggers whenever and ec2 instance is running which works, but this rule does not trigger for RunInstances although I see the cloudtrail logs with RunInstances in the API log.
I have made a CloudWatch log from the cloudtrail and see the events that should be triggering it, but they don't. Is there a step I am missing? What are the necessary components to have CloudWatch properly trigger on API calls?
The rule mentioned:
{
"source": [
"aws.cloudtrail"
],
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventSource": [
"cloudtrail.amazonaws.com"
],
"eventName": [
"CreateUserPool",
"CreateImage",
"CreateCacheCluster",
"RunInstances",
"CreateActivation",
"RunJobFlow ",
"CreateVault",
"CreateDeliveryStream",
"CreateStream",
"CreateCluster",
"CreateDBInstance",
"CreateHostedZone",
"CreateBucket",
"CreateLaunchConfiguration",
"CreateStack",
"CreateEnvironment",
"CreateWorkspaces"
]
}
}
To add more detail here is the other rule I used to test CloudWatch
{
"source": [
"aws.ec2"
],
"detail-type": [
"EC2 Instance State-change Notification"
],
"detail": {
"state": [
"running"
]
}
}
This is the log of the startInstances and the following Lambda function running.
Cloudtrail of the the lambda function specifically which functions normally.
Here is the API call which should also initiate it according to the rule, but it does not.
Hopefully these images make it clearer as to what I am having trouble with.
P.S. I didn't know how much info I should consider confidential, so I over censored
I misunderstood the rule I created. I thought "AWS API calls from Cloudtrail" when using the cloudtrail Service meant all the information stored in Cloudtrail. That does not seem to be the case.
As I mention in my comment, I am looking for other solutions for my problem, but I will make a separate question for that. Thanks!