chore(codebuild): improve the doc for subnetSelection

[pahud]

If vpc is specified with subnetSelection undefined, according to this:

aws-cdk/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts

Lines 655 to 660 in d5c64cb

	if (placement.subnetType === undefined && placement.subnetGroupName === undefined && placement.subnets === undefined) {
	// Return default subnet type based on subnets that actually exist
	let subnetType = this.privateSubnets.length
	? SubnetType.PRIVATE_WITH_EGRESS : this.isolatedSubnets.length ? SubnetType.PRIVATE_ISOLATED : SubnetType.PUBLIC;
	placement = { ...placement, subnetType: subnetType };
	}

CDK will look for PRIVATE_WITH_EGRESS, PRIVATE_ISOLATED, and PUBLIC in order. If customer does not have PRIVATE_WITH_EGRESS subnets, they will need to have vpc endpoints if they need to access AWS services such as AWS Secrets Manager or Amazon ECR.

This PR improves the doc to clarify.

Closes #.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[rix0rrr]

If you have no PRIVATE_WITH_EGRESS subnets in the specified vpc, leaving this undefined will require VPC endpoints to access AWS services.

I think this is giving vague instructions but don't really explain the underlying reasons. How about:

To access AWS services, your CodeBuild project needs to be in one of the following types of subnets:

* Subnets with access to the internet (of type PRIVATE_WITH_EGRESS or PUBLIC).
* Private subnets unconnected to the internet, but with [VPC endpoints](link here) for the necessary services.

If you don't specify a subnet selection, the default behavior is to use PRIVATE_WITH_EGRESS subnets first if they exist, then PRIVATE_WITHOUT_EGRESS, and finally PUBLIC subnets. If your VPC doesn't have PRIVATE_WITH_EGRESS subnets but you need AWS service access, either select PUBLIC subnets explicitly or add VPC Endpoints to your private subnets.

[rix0rrr]

See comment above

[pahud]

@rix0rrr

According to Best practices for VPCs,

You need a NAT gateway or NAT instance to use CodeBuild with your VPC so that CodeBuild can reach public endpoints (for example, to run CLI commands when running builds). You cannot use the internet gateway instead of a NAT gateway or a NAT instance because CodeBuild does not support assigning Elastic IP addresses to the network interfaces that it creates, and auto-assigning a public IP address is not supported by Amazon EC2 for any network interfaces created outside of Amazon EC2 instance launches.

I believe if user selects public subnets, codebuild will not be able to access the public endpoints. So the option would be either PRIVATE_WITH_EGRESS or enable vpc endpoints.

I have modified the suggested changes. Let me know if it works for you.

[rix0rrr]

Good find on the CodeBuild exception, I didn't know that. Thanks!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: c23aaeb
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).