Terraform module to provision an AWS CodeBuild CI/CD system.
When to use CodeBuild: when you want to stay within AWS, or when you are already using ECR, CodePipeline or CodeCommit.
It's 100% Open Source and licensed under Apache 2.0.
Include this repository as a module in your existing Terraform code:
```hcl
module "codebuild" {
  source  = "jameswoolfenden/codebuild/aws"
  version = "0.2.70"

  common_tags            = var.common_tags
  description            = var.description
  force_artifact_destroy = var.force_artifact_destroy
  name                   = var.name
  projectroot            = var.projectroot
  sourcecode             = var.sourcecode
}
```
As always a full example is included for reference.
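As an added illustration (this is not the module's own `examplea` example), the root module below pins the module version and switches on the artifact-bucket protections the module exposes as inputs: a customer-managed KMS key, versioning and a retention period. The region, repository URL, bucket and tag values are constructed for the example, and the keys inside `sourcecode` and `environment` are assumed to mirror the `source` and `environment` block arguments of `aws_codebuild_project`; confirm both against the module's `variables.tf` before use.

```hcl
# Added example, not part of the module. Values marked "constructed" are
# placeholders; the sourcecode/environment keys are assumptions (see lead-in).

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "eu-west-2" # constructed
}

# Customer-managed key for the artifact bucket, rotated yearly by KMS.
resource "aws_kms_key" "artifacts" {
  description         = "CodeBuild artifact encryption key"
  enable_key_rotation = true
}

module "codebuild" {
  source  = "jameswoolfenden/codebuild/aws"
  version = "0.2.70"

  name          = "example-build"                 # constructed
  description   = "Builds the example repository" # constructed
  projectroot   = "core"
  reponame      = "example"                       # constructed
  defaultbranch = "main"
  logs_bucket   = "example-logs-bucket/codebuild" # constructed bucket id and path

  common_tags = {
    owner       = "platform-team" # constructed
    environment = "dev"           # constructed
  }

  # Assumed to map onto the aws_codebuild_project "source" block.
  sourcecode = {
    type     = "CODECOMMIT"
    location = "https://git-codecommit.eu-west-2.amazonaws.com/v1/repos/example" # constructed
  }

  # Assumed to map onto the aws_codebuild_project "environment" block.
  environment = {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }

  # Artifact bucket hardening: encrypt with the CMK above, keep versions,
  # expire old artifacts, and never auto-destroy a bucket with history in it.
  sse_algorithm          = "aws:kms"
  kms_key_id             = aws_kms_key.artifacts.arn
  encryption_disabled    = false
  versioning             = "Enabled"
  mfa_delete             = "Disabled" # "Enabled" can only be set with root-account MFA credentials
  artifact_expiry        = 90
  force_artifact_destroy = false
}

output "artifact_bucket" {
  value = module.codebuild.artifact_bucket
}

output "codebuild_role_name" {
  value = module.codebuild.codebuild_role_name
}
```

The `mfa_delete` input is left at its default on purpose: S3 only accepts MFA delete from the root user with an MFA device, so enabling it from a normal CI or operator role fails the apply. The remaining inputs are plain strings and booleans that the module passes through to the bucket resources listed under the resources table.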
Every version of this module is built in Terraform from the `examplea` example using GitHub Actions, and each release has applied successfully. See the successes and failures here: https://github.com/JamesWoolfenden/terraform-aws-codebuild/actions
These templates implement the terraform-aws-codebuild module, which includes a number of defaulted behaviours.
In the root directory there is an example buildspec.yml. This is a build specification you can supply to CodeCommit. It includes some basic CodeBuild functionality to drive semantic versioning using SSM parameters.
No requirements.
| Name | Version |
|---|---|
| aws | n/a |
No modules.
| Name | Type |
|---|---|
| aws_cloudwatch_event_rule.codechange | resource |
| aws_cloudwatch_event_target.triggerbuild | resource |
| aws_codebuild_project.project | resource |
| aws_iam_policy.trigger | resource |
| aws_iam_role.codebuild | resource |
| aws_iam_role.trigger | resource |
| aws_iam_role_policy.codebuild | resource |
| aws_iam_role_policy.codecommit | resource |
| aws_iam_role_policy_attachment.attachtotriggerrole | resource |
| aws_s3_bucket.artifacts | resource |
| aws_s3_bucket_acl.example | resource |
| aws_s3_bucket_lifecycle_configuration.pike | resource |
| aws_s3_bucket_public_access_block.artifacts | resource |
| aws_s3_bucket_server_side_encryption_configuration.example | resource |
| aws_s3_bucket_versioning.example | resource |
| aws_ssm_parameter.buildnumber | resource |
| aws_ssm_parameter.latest | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.codebuild | data source |
| aws_iam_role.existing | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| artifact | Populates the Artifact block | map | `{}` | no |
| artifact_expiry | number of days | number | `365` | no |
| artifact_type | The Artifact type, S3, CODEPIPELINE or NO_ARTIFACT | string | `"S3"` | no |
| bucketname | n/a | string | `""` | no |
| build_timeout | The time to wait for a CodeBuild to complete before timing out in minutes (default: 5) | string | `"60"` | no |
| common_tags | An AWS tagging scheme | map(any) | n/a | yes |
| defaultbranch | The default git branch | string | `"master"` | no |
| description | Yeah it's the description | string | `""` | no |
| encryption_disabled | Disable the encryption of artifacts | bool | `false` | no |
| environment | A map to describe the build environment and populate the environment block | map(any) | `{}` | no |
| force_artifact_destroy | Force the removal of the artifact S3 bucket on destroy (default: false). | string | `false` | no |
| kms_key_id | Your Custom KMS key | string | `""` | no |
| logs_bucket | The bucket id and path for storing the logs | string | n/a | yes |
| mfa_delete | Require MFA to delete | string | `"Disabled"` | no |
| name | The name of the Build | string | n/a | yes |
| projectroot | The name of the parent project for SSM | string | `"core"` | no |
| reponame | The name of the repository | string | `""` | no |
| role | Override for providing a role | string | `""` | no |
| sourcecode | A map to describe where your sourcecode comes from, to fill the sourcecode block in a Codebuild project | map(any) | `{}` | no |
| sse_algorithm | The type of encryption algorithm to use | string | `"aws:kms"` | no |
| versioning | Set bucket to version | string | `"Enabled"` | no |
| Name | Description |
|---|---|
| artifact_bucket | n/a |
| codebuild_role_name | n/a |
| project | n/a |
The Terraform resource required to apply this module (the IAM policy autogenerated from the IaC by Pike) is:
```hcl
resource "aws_iam_policy" "terraform_pike" {
  name_prefix = "terraform_pike"
  path        = "/"
  description = "Pike Autogenerated policy from IAC"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "VisualEditor0",
        "Effect" : "Allow",
        "Action" : [
          "codebuild:BatchGetProjects",
          "codebuild:CreateProject",
          "codebuild:DeleteProject",
          "codebuild:UpdateProject"
        ],
        "Resource" : [
          "*"
        ]
      },
      {
        "Sid" : "VisualEditor1",
        "Effect" : "Allow",
        "Action" : [
          "events:DeleteRule",
          "events:DescribeRule",
          "events:ListTagsForResource",
          "events:ListTargetsByRule",
          "events:PutRule",
          "events:PutTargets",
          "events:RemoveTargets"
        ],
        "Resource" : [
          "*"
        ]
      },
      {
        "Sid" : "VisualEditor2",
        "Effect" : "Allow",
        "Action" : [
          "iam:AttachRolePolicy",
          "iam:CreatePolicy",
          "iam:CreateRole",
          "iam:DeletePolicy",
          "iam:DeleteRole",
          "iam:DeleteRolePolicy",
          "iam:DetachRolePolicy",
          "iam:GetPolicy",
          "iam:GetPolicyVersion",
          "iam:GetRole",
          "iam:GetRolePolicy",
          "iam:ListAttachedRolePolicies",
          "iam:ListInstanceProfilesForRole",
          "iam:ListPolicyVersions",
          "iam:ListRolePolicies",
          "iam:PassRole",
          "iam:PutRolePolicy",
          "iam:TagRole"
        ],
        "Resource" : [
          "*"
        ]
      },
      {
        "Sid" : "VisualEditor3",
        "Effect" : "Allow",
        "Action" : [
          "kms:Decrypt"
        ],
        "Resource" : [
          "*"
        ]
      },
      {
        "Sid" : "VisualEditor4",
        "Effect" : "Allow",
        "Action" : [
          "s3:CreateBucket",
          "s3:DeleteBucket",
          "s3:GetAccelerateConfiguration",
          "s3:GetBucketAcl",
          "s3:GetBucketCORS",
          "s3:GetBucketLogging",
          "s3:GetBucketObjectLockConfiguration",
          "s3:GetBucketPolicy",
          "s3:GetBucketPublicAccessBlock",
          "s3:GetBucketRequestPayment",
          "s3:GetBucketTagging",
          "s3:GetBucketVersioning",
          "s3:GetBucketWebsite",
          "s3:GetEncryptionConfiguration",
          "s3:GetLifecycleConfiguration",
          "s3:GetObject",
          "s3:GetObjectAcl",
          "s3:GetReplicationConfiguration",
          "s3:ListAllMyBuckets",
          "s3:ListBucket",
          "s3:PutBucketAcl",
          "s3:PutBucketLogging",
          "s3:PutBucketPublicAccessBlock",
          "s3:PutBucketVersioning",
          "s3:PutEncryptionConfiguration",
          "s3:PutLifecycleConfiguration"
        ],
        "Resource" : [
          "*"
        ]
      },
      {
        "Sid" : "VisualEditor5",
        "Effect" : "Allow",
        "Action" : [
          "ssm:AddTagsToResource",
          "ssm:DeleteParameter",
          "ssm:DescribeParameters",
          "ssm:GetParameter",
          "ssm:GetParameters",
          "ssm:ListTagsForResource",
          "ssm:PutParameter"
        ],
        "Resource" : [
          "*"
        ]
      }
    ]
  })
}
```
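The generated policy grants every action on `"Resource": "*"`, which is the least-effort form and the one Pike can emit without knowing your naming. Added below, and not part of the module or of the Pike output, is the same set of permissions with each statement narrowed to the ARNs the apply actually touches, built from the `aws_caller_identity` and `aws_region` data sources the module already declares. The naming it relies on is an assumption: that the module names its roles and policies after `name`, keeps its SSM parameters under `/<projectroot>/`, and that the artifact bucket is `bucketname`; read the plan output and adjust the patterns if your resources are named differently. The `iam:PassRole` statement is the one worth the most care, since it decides which roles the deployer can hand to which services.

```hcl
# Added example: resource-scoped alternative to the Pike policy. The role,
# policy, SSM path and bucket naming assumptions are ours, not the module's.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

variable "name" { type = string }        # module input: name of the build
variable "projectroot" { type = string } # module input: parent project for SSM
variable "bucketname" { type = string }  # module input: artifact bucket name
variable "kms_key_arn" { type = string } # assumed: ARN of the key passed as kms_key_id

locals {
  account = data.aws_caller_identity.current.account_id
  region  = data.aws_region.current.name
}

data "aws_iam_policy_document" "scoped" {
  statement {
    sid       = "CodeBuildProject"
    actions   = ["codebuild:BatchGetProjects", "codebuild:CreateProject", "codebuild:DeleteProject", "codebuild:UpdateProject"]
    resources = ["arn:aws:codebuild:${local.region}:${local.account}:project/${var.name}"]
  }

  statement {
    sid       = "EventRules"
    actions   = ["events:DeleteRule", "events:DescribeRule", "events:ListTagsForResource", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets"]
    resources = ["arn:aws:events:${local.region}:${local.account}:rule/*"] # rule name is chosen by the module
  }

  statement {
    sid       = "IamRoles"
    actions   = ["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:PutRolePolicy", "iam:TagRole"]
    resources = ["arn:aws:iam::${local.account}:role/${var.name}*"] # assumed naming
  }

  statement {
    sid       = "IamPolicies"
    actions   = ["iam:CreatePolicy", "iam:DeletePolicy", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListPolicyVersions"]
    resources = ["arn:aws:iam::${local.account}:policy/${var.name}*"] # assumed naming
  }

  # Limit both which roles may be passed and which services they may be passed
  # to: CodeBuild runs the build role, EventBridge assumes the trigger role.
  statement {
    sid       = "PassRoleToBuildServices"
    actions   = ["iam:PassRole"]
    resources = ["arn:aws:iam::${local.account}:role/${var.name}*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["codebuild.amazonaws.com", "events.amazonaws.com"]
    }
  }

  statement {
    sid       = "ArtifactKey"
    actions   = ["kms:Decrypt"]
    resources = [var.kms_key_arn]
  }

  statement {
    sid       = "ArtifactBucket"
    actions   = ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetAccelerateConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLogging", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetObject", "s3:GetObjectAcl", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:PutBucketAcl", "s3:PutBucketLogging", "s3:PutBucketPublicAccessBlock", "s3:PutBucketVersioning", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration"]
    resources = ["arn:aws:s3:::${var.bucketname}", "arn:aws:s3:::${var.bucketname}/*"]
  }

  statement {
    sid       = "SsmParameters"
    actions   = ["ssm:AddTagsToResource", "ssm:DeleteParameter", "ssm:GetParameter", "ssm:GetParameters", "ssm:ListTagsForResource", "ssm:PutParameter"]
    resources = ["arn:aws:ssm:${local.region}:${local.account}:parameter/${var.projectroot}/*"] # assumed path
  }

  # Account-level list calls that IAM only evaluates against "*".
  statement {
    sid       = "AccountLevelList"
    actions   = ["s3:ListAllMyBuckets", "ssm:DescribeParameters"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "terraform_pike_scoped" {
  name_prefix = "terraform_pike_scoped"
  path        = "/"
  description = "Resource-scoped version of the Pike policy for terraform-aws-codebuild"
  policy      = data.aws_iam_policy_document.scoped.json
}
```

Two actions stay on `"*"` by necessity: `s3:ListAllMyBuckets` and `ssm:DescribeParameters` are account-level list operations that do not accept a resource ARN, so a scoped statement for them would silently deny. Everything else is checked against a concrete ARN, which means a mistaken naming assumption shows up as an `AccessDenied` in the first `terraform apply` rather than as over-broad access that is never noticed.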
Check out these related projects.
- terraform-aws-codecommit - Storing one's code
Got a question?
File a GitHub issue.
Please use the issue tracker to report any bugs or file feature requests.
Copyright © 2019-2023 James Woolfenden
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.