Reminder: Rotate Your GitHub Tokens for Pipeline Security
Updated: Jul 11
Everybody knows the inconvenience of working with secrets like personal access tokens or webhook secrets: you have to create them, keep them out of your code (for example in Parameter Store or Secrets Manager), and rotate them every couple of months. With CodeStar connections (the service has since been renamed AWS CodeConnections) and the AWS Connector for GitHub app, you no longer manage that token at all: AWS obtains short-lived credentials through the GitHub App installation, so there is no long-lived token in your account to leak or to rotate.
Creating the connection in the AWS Management Console takes a couple of clicks, and in Terraform it is just as easy.
You just need to create your codestar_connection:
resource "aws_codestarconnections_connection" "github" {
  name          = "pipeline-github-connection"
  provider_type = "GitHub"
}
After applying, the connection is created in PENDING status.
This step cannot be automated: a person has to open the connection in the CodePipeline console, choose "Update pending connection", and authorize the AWS Connector for GitHub app to connect the repository to AWS. The first time, only the organization owner (or the owner of a personal repository) can install the app. You can grant the app access to all of your repositories or only to selected ones; prefer the latter, because the connection can never reach more than the app installation behind it allows. Until the status changes to AVAILABLE, any Source action that uses the connection will fail.
Once the connection is AVAILABLE, update the Source stage of your CodePipeline:
stage {
  name = "Source"
  action {
    name             = "Source"
    category         = "Source"
    owner            = "AWS"
    provider         = "CodeStarSourceConnection"
    version          = "1"
    output_artifacts = ["source"]
    configuration = {
      ConnectionArn    = aws_codestarconnections_connection.github.arn
      FullRepositoryId = var.repo_path   # in the form "owner/repository"
      BranchName       = var.repo_branch
    }
  }
}
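The snippets above are the two pieces the post is about; what is missing between them is the permission the pipeline role needs and a way to notice that the manual authorization was never done. The configuration below is an added example, not code from the original post or from Teracloud: it creates the connection, adds a Terraform check block that warns on every plan or apply while the connection is still PENDING, and gives the pipeline role codestar-connections:UseConnection on this one connection ARN only. The variables repo_path and repo_branch, the resource names, and the Manual approval stage (used only because a pipeline must have at least two stages) are assumptions; the artifact bucket is created in the block so that nothing else is required.

```hcl
# Added example (not from the original post). Assumes: variables repo_path
# ("owner/repo") and repo_branch; all resource names are hypothetical.

variable "repo_path" { type = string }
variable "repo_branch" { type = string }

resource "aws_codestarconnections_connection" "github" {
  name          = "pipeline-github-connection"
  provider_type = "GitHub"
}

# The GitHub handshake is manual, so the connection stays PENDING until a
# human authorizes the app. Reading the status back and asserting on it
# turns a forgotten authorization into a warning on every plan/apply.
data "aws_codestarconnections_connection" "github" {
  arn = aws_codestarconnections_connection.github.arn
}

check "github_connection_available" {
  assert {
    condition     = data.aws_codestarconnections_connection.github.connection_status == "AVAILABLE"
    error_message = "GitHub connection is ${data.aws_codestarconnections_connection.github.connection_status}: authorize it in the CodePipeline console before the Source stage can run."
  }
}

resource "aws_s3_bucket" "artifacts" {
  bucket_prefix = "pipeline-artifacts-"
}

data "aws_iam_policy_document" "pipeline_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["codepipeline.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "pipeline" {
  name               = "pipeline-github-role"
  assume_role_policy = data.aws_iam_policy_document.pipeline_assume.json
}

# Least privilege: the role may use this connection only, not every
# connection in the account, and may touch only its own artifact bucket.
# Both action names are listed because the service was renamed to
# CodeConnections and newer connections use the new IAM namespace.
data "aws_iam_policy_document" "pipeline" {
  statement {
    actions   = ["codestar-connections:UseConnection", "codeconnections:UseConnection"]
    resources = [aws_codestarconnections_connection.github.arn]
  }
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:GetBucketVersioning"]
    resources = [aws_s3_bucket.artifacts.arn, "${aws_s3_bucket.artifacts.arn}/*"]
  }
}

resource "aws_iam_role_policy" "pipeline" {
  role   = aws_iam_role.pipeline.id
  policy = data.aws_iam_policy_document.pipeline.json
}

resource "aws_codepipeline" "app" {
  name     = "app-pipeline"
  role_arn = aws_iam_role.pipeline.arn

  artifact_store {
    location = aws_s3_bucket.artifacts.bucket
    type     = "S3"
  }

  stage {
    name = "Source"
    action {
      name             = "Source"
      category         = "Source"
      owner            = "AWS"
      provider         = "CodeStarSourceConnection"
      version          = "1"
      output_artifacts = ["source"]
      configuration = {
        ConnectionArn    = aws_codestarconnections_connection.github.arn
        FullRepositoryId = var.repo_path
        BranchName       = var.repo_branch
        DetectChanges    = "true"   # start the pipeline on push
      }
    }
  }

  # CodePipeline requires at least two stages; a manual approval is the
  # smallest second stage that needs no other resources.
  stage {
    name = "Approve"
    action {
      name     = "Approve"
      category = "Approval"
      owner    = "AWS"
      provider = "Manual"
      version  = "1"
    }
  }
}
```

Run terraform apply once, authorize the connection in the console as described above, then run terraform plan again: the check warning disappears once the status is AVAILABLE. The check only warns, so the apply that creates the connection still succeeds; if you would rather block creation of the pipeline until a human has authorized the app, move the same condition into a lifecycle precondition on the aws_codepipeline resource.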
And that's it! You can run your pipelines as usual and stop worrying about an expiring GitHub token. One thing still needs attention: the pipeline's IAM role must be allowed codestar-connections:UseConnection on the connection ARN, otherwise the Source action fails with an access error. Scope that permission to the one connection the pipeline uses rather than granting it on all resources, and review the GitHub App's installed repositories from time to time, since that installation is now what defines what AWS can read.
This solution also applies to Bitbucket repositories, and the same resource supports GitLab as a provider type.
The AWS documentation for CodeStar connections (AWS CodeConnections) covers the remaining configuration options.
Lourdes Dorado
DevOps Engineer
Teracloud