AWS recently released the functionality of setting up notifications for CodePipeline using SNS.
“You can now receive notifications about events in repositories, build projects, deployments, and pipelines when you use AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, and/or AWS CodePipeline. Notifications will come in the form of Amazon SNS notifications. Each notification will include a status message as well as a link to the resources whose event generated that notification.”
When I tested the functionality the first time, I created the SNS topic using the console (during the Notification Rule creation) and everything worked as expected.
After the test, I decided to create the resources (especially the SNS topic) using CloudFormation, and I noticed that the notifications weren’t being published to the topic anymore.
After some research I found this in the AWS documentation:
“If you want to use an existing Amazon SNS topic instead of creating a new one, in Targets, choose its ARN. Make sure the topic has the appropriate access policy,….”
And indeed I realised that, when the topic was created by the console, the console added a permission for “codestar” to publish to the topic, something I had never imagined was necessary, because I didn’t know CodeStar was part of the equation.
In CloudFormation terms, what I needed to do was something like this:
FYI: the __default_statement_ID Sid is created automatically by CloudFormation if you don’t specify a “TopicPolicy”. Since we are adding the “codestar” permission through our own TopicPolicy, we also need to add the default statement ourselves (if, of course, you actually need those permissions).
PipelineNotificationTopic:
  Type: AWS::SNS::Topic
  Properties:
    DisplayName: MyTopicDisplayName
    TopicName: MyTopicName

PipelineNotificationTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Version: '2008-10-17'
      Statement:
        - Sid: CodeNotification_publish
          Effect: Allow
          Principal:
            Service: codestar-notifications.amazonaws.com
          Action: SNS:Publish
          Resource: !Ref PipelineNotificationTopic
        - Sid: __default_statement_ID
          Effect: Allow
          Principal:
            AWS: "*"
          Action:
            - SNS:GetTopicAttributes
            - SNS:SetTopicAttributes
            - SNS:AddPermission
            - SNS:RemovePermission
            - SNS:DeleteTopic
            - SNS:Subscribe
            - SNS:ListSubscriptionsByTopic
            - SNS:Publish
            - SNS:Receive
          Resource: !Ref PipelineNotificationTopic
          Condition:
            StringEquals:
              AWS:SourceOwner: !Sub ${AWS::AccountId}
    Topics:
      - !Ref PipelineNotificationTopic
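To confirm that an existing topic actually has the “appropriate access policy” the documentation talks about, the check below inspects the policy JSON that sns:GetTopicAttributes returns as its Policy attribute. It is an added example, not code from the original post or from AWS: the sample policies and the account id 111122223333 are constructed, and the second flag it reports goes beyond the post by warning when a statement lets AWS "*" publish without the AWS:SourceOwner condition that the default statement carries.

```python
import json

CODESTAR_SERVICE = "codestar-notifications.amazonaws.com"

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def check_topic_policy(policy_json, topic_arn):
    """Inspect an SNS topic access policy (the 'Policy' attribute that
    sns:GetTopicAttributes returns) and report:
      codestar_can_publish           - an Allow statement lets
                                       codestar-notifications.amazonaws.com publish
      wildcard_publish_unconditioned - an Allow statement lets AWS "*" publish
                                       without an AWS:SourceOwner condition"""
    codestar_ok, open_publish = False, False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = _as_list(stmt.get("Resource"))
        if not (actions & {"sns:publish", "sns:*"}) or not (topic_arn in resources or "*" in resources):
            continue  # statement does not grant Publish on this topic
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        services = [] if principal == "*" else _as_list(principal.get("Service"))
        if CODESTAR_SERVICE in services:
            codestar_ok = True
        cond_keys = {k.lower() for k in stmt.get("Condition", {}).get("StringEquals", {})}
        if "*" in aws_principals and "aws:sourceowner" not in cond_keys:
            open_publish = True
    return {"codestar_can_publish": codestar_ok, "wildcard_publish_unconditioned": open_publish}

TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:MyTopicName"  # constructed sample ARN
DEFAULT_STMT = {  # shape of the statement CloudFormation attaches when no TopicPolicy is given
    "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:Subscribe", "SNS:Publish", "SNS:Receive"], "Resource": TOPIC_ARN,
    "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}}
CODESTAR_STMT = {"Sid": "CodeNotification_publish", "Effect": "Allow",
    "Principal": {"Service": CODESTAR_SERVICE}, "Action": "SNS:Publish", "Resource": TOPIC_ARN}
CFN_DEFAULT_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [DEFAULT_STMT]})
FIXED_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [CODESTAR_STMT, DEFAULT_STMT]})
OPEN_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "SNS:Publish", "Resource": "*"}]})

if __name__ == "__main__":
    for name, policy in [("cfn default", CFN_DEFAULT_POLICY), ("fixed", FIXED_POLICY), ("open", OPEN_POLICY)]:
        print(f"{name:11}: {check_topic_policy(policy, TOPIC_ARN)}")
```

The default-only policy reports codestar_can_publish False, which is exactly why the notifications stopped arriving once the topic came from CloudFormation.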