Integrating Bitbucket in AWS CodePipeline

At Sentia, we use AWS CodePipeline for our CI/CD automation. CodePipeline makes it possible to combine code from various sources into one codebase, build it, and deploy it, in a segmented process with clear step-by-step checkpoints. This CodePipeline, like most of our resources in current projects, is generated from code using the Cloud Development Kit (CDK).

Code comes into our CodePipeline from a variety of repositories. Some are on GitHub, others on AWS's own CodeCommit, and some are on Bitbucket.

The integration between Bitbucket and CodePipeline is not quite as straightforward as the other two. In this article, we’ll run through how this connection is established, and why it’s done this way.

Creating the CodeStar Connection

The first step, through the AWS CLI, is to create a CodeStar connection. The command

        aws codestar-connections create-connection --provider-type Bitbucket --connection-name YourConnection

will return an ARN. This ARN is needed for the next step, where you link the connection to your pipeline within the CDK.

Adding the connection to your CodePipeline

In the CDK code for your CodePipeline component, add the reference to Bitbucket as follows:

        # Creation of Bitbucket reference
        source_artifact_name_code = (
            'SourceArtifact_Bitbucket'
        )
        action_name = 'CodeCommit-Bitbucket'
        source_bb = codepipeline_actions.BitBucketSourceAction(
            connection_arn=self.connection_arn,
            output=codepipeline.Artifact(
                artifact_name=source_artifact_name_code
            ),
            owner='bitbucket_owner',
            repo='test_repo',
            action_name=action_name,
            branch=cc_branch_name_parameter.value_as_string
        )
        all_sources.append(source_bb)
        extra_artifacts.append(
                codepipeline.Artifact(
                    artifact_name=source_artifact_name_code
                )
        )

Here, self.connection_arn holds the ARN generated in the previous step.

In order to use the CodeStar connection, your pipeline's role needs to have the right permission:

        pipeline.role.add_to_policy(
            iam.PolicyStatement(
                actions=[
                    'codestar-connections:UseConnection'
                ],
                effect=iam.Effect.ALLOW,
                resources=[
                    self.connection_arn
                ]
            )
        )

Once the pipeline is deployed with this source action included, the connection will be linked to the pipeline.
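The statement above scopes `codestar-connections:UseConnection` to one connection ARN. As an added example (not Sentia's code), the following check reads a synthesized CloudFormation template, as `cdk synth` would emit it, and reports policies that grant the action through a wildcard or on another resource; the ARN, the logical ID and the `sample_template` helper are constructed for illustration.

```python
import fnmatch

USE_CONNECTION = "codestar-connections:UseConnection"
# Constructed placeholder ARN; substitute the one create-connection returned.
CONNECTION_ARN = ("arn:aws:codestar-connections:eu-west-1:111122223333:"
                  "connection/EXAMPLE-CONNECTION-ID")

def _as_list(value):
    """IAM accepts either one string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_use_connection(template, expected_arn):
    """Return findings for Allow statements granting UseConnection too broadly."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            # Action names are case-insensitive and may contain * or ? wildcards.
            granting = [a for a in _as_list(stmt.get("Action", []))
                        if isinstance(a, str)
                        and fnmatch.fnmatchcase(USE_CONNECTION.lower(), a.lower())]
            if not granting:
                continue
            for action in granting:
                if action.lower() != USE_CONNECTION.lower():
                    findings.append(f"{logical_id}: action {action!r} is a wildcard")
            for resource in _as_list(stmt.get("Resource", [])):
                if resource != expected_arn:
                    findings.append(
                        f"{logical_id}: resource {resource!r} is not the connection")
    return findings

def sample_template(action, resource):
    """Build a constructed one-statement template for the demonstration."""
    stmt = {"Effect": "Allow", "Action": action, "Resource": resource}
    return {"Resources": {"PipelineRolePolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyDocument": {"Statement": [stmt]}}}}}

if __name__ == "__main__":
    scoped = sample_template(USE_CONNECTION, CONNECTION_ARN)
    broad = sample_template("codestar-connections:*", "*")
    print(audit_use_connection(scoped, CONNECTION_ARN))
    print(audit_use_connection(broad, CONNECTION_ARN))
```

Because an authenticated connection can be used by any pipeline whose role is allowed to, a check like this is worth running in CI against every template that references the connection.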

Completing the connection through the AWS Console

But it’s not working yet. Instead, the connection is now “pending”. That’s because it hasn’t been authenticated yet. You need to log into the AWS Console and open the pipeline. Edit the pipeline, then edit the first stage, and then edit the failing Bitbucket source action. The option “complete the connection” will appear in the middle of the screen. After the connection is completed, you can exit the action editor with “done”, then save the pipeline and release the change. For each combination of AWS account with a Bitbucket account, this will need to be authenticated once by also logging into the Bitbucket account. If more repositories of the same Bitbucket account need to be added, the connection still needs to be manually completed but does not need to be authenticated by Bitbucket.

So now, when you run the pipeline, it works! And if you delete the pipeline and rebuild it, it still works: the connection is authenticated, separately from the pipeline. As long as the connection isn’t deleted and you keep using the same connection ARN, any (authorized) pipeline can use it.

Final thoughts

Altogether, AWS doesn’t make it exactly easy to connect to Bitbucket. You need to do a step with the CLI, one with CDK or CloudFormation, and one with the AWS Console. In each step other options are excluded:

The CodeStar Connection cannot be created through CDK or CloudFormation, and the CDK CodePipeline resources do not accept a Bitbucket source in any other way than a CodeStar Connection.

The permission for the pipeline has to be created through Infrastructure as Code, because the AWS Console cannot find the codestar-connection resource type and therefore the policy to allow access to it cannot be created through the Console.

Finally, the connection has to be completed using the Console. There is no automated way provisioned for CodePipeline to authenticate a connection to a Bitbucket repository.

However, once you know that these are the steps and these are the tools you need to use for each of them, the process is not so complicated or long. Using Bitbucket as a source repository for AWS CodePipeline is viable and feasible.

Sources

https://docs.aws.amazon.com/cli/latest/reference/codestar-connections/create-connection.html

https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html

Renke Meuwese

AWS Consultant at Sentia Consulting