Ziad Osman
Posted on August 30, 2022
Introduction
This guide is for you if you have ever wanted to get live feedback on how your Pipelines on AWS are going. Additionally, if you keep track of your application version on git tags, I’m going to also show you how to retrieve them in CodeBuild and, as a bonus, how to also send them as slack messages.
Credits
While mathematicians and physicists stand on the shoulders of giants, software engineers stand on the shoulders of other software engineers. This guide would not be possible without Wesley Charles’ contribution, as he made the script for the slack bot. Retrieving git tags from CodeBuild would likewise not have been possible without the contribution of Timothy Jones, who wrote a fantastic script to do so.
Prerequisites
A configured AWS CLI
AWS SAM CLI (we will be deploying our slack bot script with the help of AWS SAM)
A working AWS CodePipeline (including CodeCommit, CodeBuild, and CodeDeploy)
Sufficient credentials for the AWS User
Cloning the slack bot script
The first thing we need to do is clone the slack bot repo to a local machine.
After cloning the repo, we should have these files inside of our directory
│   .gitignore
│   build.gif
│   LICENSE
│   Pipfile
│   README.md
│   template.yml
│
└───src
        .pylintrc
        build_info.py
        message_builder.py
        notifier.py
        requirements.txt
        slack_helper.py
Configuring slack
Creating a slack app
First up we need to create a slack app. For that head on to https://api.slack.com/apps.
Click on Create New App
Click “From Scratch”
For App Name, it doesn’t matter. I picked “Pipeline progress”. For workspace, choose your workspace from the drop-down list.
After your app is created, in the Sidebar, go to OAuth & Permissions.
Now scroll down to Scopes and add the following permissions one by one: channels:history, channels:manage, channels:read, chat:write, chat:write.customize, chat:write.public, groups:history, groups:read, im:read, links:write, mpim:read
Now, scroll to the top of the page, generate a Bot User OAuth Token
Note: make note of the OAuth Token, as we will need it soon.
Finally, press the button to install the app to your workspace. This is what the button will look like after a successful installation.
Add app to slack
Go to slack and create a new channel called builds. This is the default channel name that the script takes. If you name your channel anything else, I will show you in a later step where to specify it.
Inside your builds channel, in the dialog box, press /.
This opens up a search box. Search for apps and click on add apps to this channel
On the next page, search for your app by its name and add it to the channel. In my case, the name is Pipeline progress.
This is what it should look like after adding it to the channel.
Deploying the script to AWS
Note: For this step, make sure you have the AWS CLI installed and configured, along with the SAM CLI.
To deploy, open a CMD in the script directory, and first run:
sam build
followed by:
sam deploy --guided
This will open up an interactive prompt.
For stack name, I chose to name it as “aws-codepipeline-slack”.
Stack Name [sam-app]: aws-codepipeline-slack
For region, if the default is fine press enter, otherwise specify the region
AWS Region [eu-west-1]:
For SlackBotUserOAuthAccessToken, paste the OAuth token we created in a previous step. Note that this is a hidden field, meaning that what you paste won’t show on the screen.
Parameter SlackBotUserOAuthAccessToken:
For SlackChannel, if you kept the channel name as builds, then just press enter. Otherwise, specify the channel name.
Parameter SlackChannel [builds]:
For SlackBotName, this is the name of the bot that will send pipeline updates. I left it at default and pressed enter.
Parameter SlackBotName [PipelineBuildBot]:
For SlackBotIcon, this is the icon of the bot that will send pipeline updates. I left it at default and pressed enter.
Parameter SlackBotIcon [:robot_face:]:
For “Confirm changes before deploy”, if you select y, SAM will show you the resource changes and prompt you to accept them before it deploys, each time you run sam deploy.
#Shows you resources changes to be deployed and require a 'Y' to initiate deploy
Confirm changes before deploy [y/N]:
For SAM permissions, keep it at the default Y
#SAM needs permission to be able to create roles to connect to the resources in your template
Allow SAM CLI IAM role creation [Y/n]:
For Disable rollback, choose according to your use-case, it won’t matter much if you’re only planning on deploying once.
#Preserves the state of previously provisioned resources when an operation fails
Disable rollback [y/N]:
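For authorization, select Y. This accepts that the Notifier function URL has no authorization defined; see Security considerations below.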
Notifier Function Url may not have authorization defined, Is this okay? [y/N]: Y
For save arguments to config file, select Y. This will make future deployments faster since the default values are saved.
Save arguments to configuration file [Y/n]: Y
Press enter to keep the default config file as samconfig.toml
SAM configuration file [samconfig.toml]:
Press enter to keep the configuration environment as default
SAM configuration environment [default]:
This should be enough to successfully deploy the script. If you selected Y for “Confirm changes before deploy” then you’ll get an additional prompt confirming if you want to deploy. Select Y on it and you’re good to go.
With this, we’re done! You are now able to get updates on the states of your pipelines.
You can check out your new lambda function if you go into your AWS console and go to lambda
Adding support for git tags
If you happen to keep track of your application version using git tags, and you’d like to also get notified on slack of the version that’s getting deployed, then please read along and follow these steps.
We need to enable function url on our newly deployed lambda function, so that we can call the function from CodeBuild and pass the git tag to it. We will also need to add some permissions to the CodeBuild service role. Finally, we will need to add a bash script to our CodeCommit repo that enables CodeBuild to clone the repo and retrieve the git tag from it. If you want to learn more about why we need this workaround instead of just retrieving the git tags from our CodeCommit repo, then I highly suggest reading the article by Timothy Jones, the person behind the bash script we will be using.
Enabling function url
To enable function url on our slack script, open the function code locally in your favorite IDE. Navigate to template.yml, and uncomment these two lines (line 28 and 29).
And that’s it! Now follow the same steps above to deploy
sam build
followed by:
sam deploy --guided
Now if you go back to your AWS console, and go to your lambda function, you should be able to find your function url under Configuration -> Function URL
Note: make note of your function URL as we will need it in the next step
Adding the bash script to CodeCommit
As explained, we will be using a bash script in CodeBuild to help us retrieve the git tag.
Add this file to your CodeCommit repo’s base directory. Make sure the file name is: codebuild-git-wrapper.sh
Adding the necessary permissions to CodeBuild
You will need to add 2 policies to your CodeBuild service role.
The first one will enable CodeBuild to perform git pull on the CodeCommit repo. This is the policy template. Make sure to add your repo ARN under Resource.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "codecommit:GitPull",
      "Resource": "YOUR_REPO_ARN"
    }
  ]
}
The second policy will give CodeBuild permission to invoke the lambda function url. This is the policy template. Make sure to replace the resource with your lambda function ARN.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunctionUrl",
      "Resource": "YOUR_FUNCTION_ARN"
    }
  ]
}
Modify your buildspec.yml
Finally, we will be adding commands to buildspec.yml to clone the repo, retrieve the git tag, and pass the git tag to our function url.
Go to your buildspec.yml file, and in the first step of the build stage, add the following commands.
build:
  commands:
    - echo get version
    - /bin/bash codebuild-git-wrapper.sh YOUR_REPO_URL YOUR_BRANCH_NAME
    # get release version from git tag
    - RELEASE_VERSION=$(git tag --points-at HEAD)
    # send git version to slack (URL is quoted so the shell does not glob "?" or split the tag)
    - curl "YOUR_FUNCTION_URL/?git-tag=$RELEASE_VERSION" -o /dev/null
Make sure to change the following fields:
- YOUR_REPO_URL: your CodeCommit repository url. You can retrieve this by going to CodeCommit, and clicking on HTTPS under Clone URL.
- YOUR_BRANCH_NAME: the name of the branch the CodePipeline gets triggered on. Normally this should be main, but check your pipeline configuration to be sure.
- YOUR_FUNCTION_URL: the lambda function url we created and took note of in a previous step.
Security considerations
As it stands, anyone who has your function url can invoke it and send messages to your slack channel. You can secure your function by either using IAM authentication or putting your lambda function behind API Gateway and using API keys.
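With IAM authentication on the function url, the plain curl call from buildspec.yml is no longer enough: the request has to carry a SigV4 signature for the lambda service. The following is an added example, not code from the slack bot repo or from this guide's scripts; the function name, sample url and sample time are constructed for illustration.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed sample values (not a real function URL).
SAMPLE_URL = "https://abc123example.lambda-url.eu-west-1.on.aws/"
SAMPLE_NOW = datetime.datetime(2022, 8, 30, 12, 0, 0, tzinfo=datetime.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_function_url_get(base_url, git_tag, region, access_key, secret_key,
                          session_token=None, now=None):
    """Build a SigV4-signed GET <base_url>/?git-tag=<tag>; returns (url, headers)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = amz_date[:8]
    host = urlsplit(base_url).netloc
    # Percent-encode the tag so characters such as "&" or spaces stay inside
    # the git-tag parameter instead of changing the query string.
    query = "git-tag=" + quote(git_tag, safe="-_.~")
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary credentials, e.g. from an assumed role
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    empty_body_hash = hashlib.sha256(b"").hexdigest()
    canonical_request = "\n".join(
        ["GET", "/", query, canonical_headers, signed_headers, empty_body_hash])
    scope = f"{datestamp}/{region}/lambda/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service ("lambda") -> terminator.
    key = ("AWS4" + secret_key).encode()
    for part in (datestamp, region, "lambda", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    del headers["host"]  # the HTTP client sends Host itself
    return f"https://{host}/?{query}", headers
```

In CodeBuild the access key, secret key and session token are the temporary credentials of the build's service role, which is the role that received lambda:InvokeFunctionUrl in the policy above.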
Done!
Congratulations! You now have a slack bot that will give you updates on the state of your CodePipeline pipelines. And if you followed the additional steps, it will also send you a message of your release version via git tags.