CloudWatch Rule for ECR "PutImage" event not triggering CodePipeline

0

Hello -
I have not been able to automatically trigger a CodePipeline when a particular ECR "PutImage" event is generated.

Scenario: I have a working CodeBuild project that generates an ECR image successfully and I would like that event (PutImage) to trigger CodePipeline for deployment. The flow works perfectly if I Release the CodePipeline manually. The ECR image is generated correctly, CloudTrail indicates the PutImage event was generated correctly, but for some reason the CloudWatch Rule is not picking up the event and triggering CodePipeline.

I have referenced the following forums:
https://forums.aws.amazon.com/thread.jspa?messageID=890694
https://forums.aws.amazon.com/thread.jspa?messageID=908140

As well as the documentation:
https://docs.aws.amazon.com/codepipeline/latest/userguide/create-cwe-ecr-source-console.html

But it does not work. My CloudWatch rule is as follows:
{
  "source": [
    "aws.ecr"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ecr.amazonaws.com"
    ],
    "requestParameters": {
      "repositoryName": [
        "repo-name"
      ],
      "imageTag": [
        "latest"
      ]
    },
    "eventName": [
      "PutImage"
    ]
  }
}

The recorded CloudTrail event looks like this (short snippet):
"responseElements": {
  "image": {
    "registryId": "xxxxxxxxxxxxxx",
    "repositoryName": "repo-name",
    "imageId": {
      "imageDigest": "sha256:xxxxxxxxxxxxxxxx",
      "imageTag": "latest"
    },
    "imageManifest": "xxxxxxxxxxxxxxxx"
  }
}

Appreciate any help. Thanks

Edited by: rosarifj on Jan 12, 2020 3:17 PM

Asked 4 years ago, 1051 views
3 Answers
1

In case it can help anyone else, I was able to find my answer on this forum:
https://www.reddit.com/r/aws/comments/cdgi9y/ecr_putimage_cloudwatch_event_rule_codepipeline/

General things to check:

  1. Check if CloudTrail has been enabled for the region. If yes, for what event types is it enabled? Ensure that it logs 'All' event types, not 'Read' or 'Write' events alone.

  2. Check the CloudWatch metrics for the event rule. Specifically, check the 'Invocations' metric to see if it had been invoked, and if so, check 'FailedInvocations' to see if there have been failures.

My problem was in #1 above - my CloudTrail trail had "Read/Write events" set to "None" and should have been "All".

Closing this issue.

Answered 4 years ago
0

Hi Amazonians,
Is it required to have a CloudTrail trail created in order to use ECR events for CodePipeline?

It doesn't work till you enable it.

Goran

Expert
Answered 4 years ago
0

I've found a workaround.
Modify your CWE rule like the following:

{
  "source": [
    "aws.ecr"
  ],
  "detail-type": [
    "ECR Image Action"
  ],
  "detail": {
    "action-type": [
      "PUSH"
    ],
    "repository-name": [
      "repo-name"
    ],
    "image-tag": [
      "latest"
    ]
  }
}

Thanks.

Answered 4 years ago
