
Although AWS considers using git webhooks to be antiquated practice, the documentation on aws codestar connections seems to be a bit scarce. I want to create a generic pipeline that can be triggered when a new repository is committed to for the first time (that it contains a folder of TF config). To do this, I need to be able to monitor when an aws codestar connection is used. I think that doing it this way will mean that I can build something that scales better.

But there doesn't appear to be a well documented way to monitor when 'anything' accesses a codestar connection:

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarconnections.html#awscodestarconnections-actions-as-permissions

[Image: aws-codestar-connections-actions]

In the image above, one can see that there is an action that happens that needs a permission to work, but that is not directly accessible. In CloudTrail, I found an action with a payload like this:

    "eventTime": "2021-07-06T11:22:46Z",
    "eventSource": "codestar-connections.amazonaws.com",
    "eventName": "UseConnection",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "codepipeline.amazonaws.com",
    "userAgent": "codepipeline.amazonaws.com",
    "requestParameters": {
        "connectionArn": "arn:aws:codestar-connections:*:connection/",
        "referenceType": "COMMIT",
        "reference": {
            "FullRepositoryId": "GitHub-User/Github-Repo",
            "Commit": "SHA"
        }
    },

I believe that this is enough for me to use for what I want. I could create an SNS notification with a Lambda listener when this event triggers, but that requires setting up infrastructure to monitor CloudTrail events.

But while I was researching this, I noticed that AWS EventBridge appears to know about codestar connections:

[Image: aws-eventbridge-codestar-connections]

Note, if I take this a bit further, I can get something that looks like this:

    {
      "source": [
        "aws.codestar-connections"
      ],
      "detail-type": [
        "AWS API Call via CloudTrail"
      ],
      "detail": {
        "eventSource": [
          "codestar-connections.amazonaws.com"
        ]
      }
    }

... but I see no sample events, as it appears that I should, if they were there. And I'm unable to find documentation describing how to make codestar connections log the UseConnection event to CloudWatch.

If this can be used, instead, then I can use a more direct approach without needing to build the infrastructure to monitor the CloudTrail events.

Can this be done?

Cognitiaclaeves
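As an added illustration (not part of the question, and not AWS's own code), the following Python applies the question's EventBridge pattern, narrowed to `UseConnection`, to a constructed event and reports the first time a repository is seen through the connection. The envelope (the CloudTrail record under `detail`, with `source` and `detail-type` as in the pattern) and the in-memory `seen_repos` set are assumptions; a real deployment would persist that set and would still need a CloudTrail trail so the API call reaches EventBridge.

```python
# Constructed sample: the question's CloudTrail record, wrapped in the envelope
# EventBridge uses for "AWS API Call via CloudTrail" events (assumed shape).
# The ARN below is a made-up placeholder, not a real connection.
SAMPLE_EVENT = {
    "source": "aws.codestar-connections",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventTime": "2021-07-06T11:22:46Z",
        "eventSource": "codestar-connections.amazonaws.com",
        "eventName": "UseConnection",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "codepipeline.amazonaws.com",
        "userAgent": "codepipeline.amazonaws.com",
        "requestParameters": {
            "connectionArn": "arn:aws:codestar-connections:us-east-1:123456789012:connection/EXAMPLE-ID",
            "referenceType": "COMMIT",
            "reference": {"FullRepositoryId": "GitHub-User/Github-Repo", "Commit": "SHA"},
        },
    },
}

# The pattern from the question, narrowed to the one event name of interest.
RULE_PATTERN = {
    "source": ["aws.codestar-connections"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["codestar-connections.amazonaws.com"],
        "eventName": ["UseConnection"],
    },
}


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: each pattern key must exist in
    the event; a list means 'value is one of these'; a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def first_use_of_repo(event, seen_repos):
    """Lambda-style handler: return repo/commit/connection the first time a
    repository is used via the connection, None otherwise (seen_repos is the
    hypothetical persistent set; a plain set here)."""
    if not matches(RULE_PATTERN, event):
        return None
    params = event["detail"]["requestParameters"]
    repo = params["reference"]["FullRepositoryId"]
    if repo in seen_repos:
        return None
    seen_repos.add(repo)
    return {"repository": repo, "commit": params["reference"]["Commit"],
            "connection": params["connectionArn"]}
```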

0 Answers