clearscale/tf-aws-cicd-codebuild
Terraform AWS/CICD CodeBuild

NOTE: Use tf-aws-cicd instead of using this module directly.

Set up and manage an AWS Build to facilitate Continuous Integration and Continuous Deployments/Delivery (CI/CD). Use var.stages to define different build stages.

Prerequisites

See tf-aws-cicd

Usage

Include the module in your Terraform code:

```hcl
locals {
  # local.account, local.region and local.context are assumed to be defined
  # elsewhere in the root module (account name, region name, naming context).
  repo_name = "test"
  repo_role = "arn:aws:iam::123456789012:role/CsTffwkcs.Shared.USW1.CodeCommit.Test"

  # Format for CodeBuild module
  stages = [{
    name   = "Plan"
    action = {
      provider      = "CodeBuild"
      configuration = {
        ProjectName = (
          "plan"
        )
      }
    }
    resource = {
      description = "CICDTEST: Plan project resources."
      script      = "plan.yml"
      compute = {
        compute_type = "BUILD_GENERAL1_SMALL"
        image        = "aws/codebuild/standard:6.0-22.06.30" # "ACCOUNTID.dkr.ecr.REGION.amazonaws.com/ecr-repo:latest"
        type         = "LINUX_CONTAINER"
      }
    }
  }, {
    name   = "Apply"
    action = {
      provider      = "CodeBuild"
      configuration = {
        ProjectName = (
          "apply"
        )
      }
    }
    resource = {
      description = "CICDTEST: Apply project resources."
      script      = "plan.yml"
      compute = {
        compute_type = "BUILD_GENERAL1_SMALL"
        image        = "aws/codebuild/standard:6.0-22.06.30" # "ACCOUNTID.dkr.ecr.REGION.amazonaws.com/ecr-repo:latest"
        type         = "LINUX_CONTAINER"
      }
    }
  }]
}

module "codebuild" {
  source = "github.com/clearscale/tf-aws-cicd-codebuild.git?ref=v1.0.0"

  account = {
    id = "*", name = local.account.name, provider = "aws", key = "current", region = local.region.name
  }

  prefix  = local.context.prefix
  client  = local.context.client
  project = local.context.project
  env     = local.account.name
  region  = local.region.name
  name    = "codebuild"

  # Keep the project_name simple. Try to keep it consistent with the CodeCommit repo and CodePipeline name.
  project_name = "test"
  script       = "${abspath(path.module)}/scripts/plan.yml"
  repo         = { name = local.repo_name }

  # Only needed if CodePipeline is being used. The CodePipeline stages need to be passed to CodeBuild
  # so the required IAM resources can be generated.
  # stages = [{
  #   name   = "CbTest"
  #   action = {
  #       configuration = {}
  #   }
  # }]

  stages = local.stages

  # The default VPC. Can be overridden in each var.vpc.stages[x].vpc.
  vpc = {
    id              = "VPC_ID"
    subnets         = ["SUBNET_ID_1", "SUBNET_ID_2"]
    security_groups = ["SG_ID_1", "SG_ID_2"],
  }
}
```

Plan

```shell
terraform plan -var='repo={name="my-codecommit-repo"}' -var='script=./test/build.yml' -var='vpc=null' -var='stages=[{name="CodeBuildProjectName",action={configuration={}}}]' -var='project_name=RunTerratest'
```

Apply

```shell
terraform apply -var='repo={name="my-codecommit-repo"}' -var='script=./test/build.yml' -var='vpc=null' -var='stages=[{name="CodeBuildProjectName",action={configuration={}}}]' -var='project_name=RunTerratest'
```

Destroy

```shell
terraform destroy -var='repo={name="my-codecommit-repo"}' -var='script=./test/build.yml' -var='vpc=null' -var='stages=[{name="CodeBuildProjectName",action={configuration={}}}]' -var='project_name=RunTerratest'
```

TODO

Fix IAM permissions in iam.tf. For example,

```hcl
  statement {
    sid       = ""
    resources = ["*"]
    effect    = "Allow"
    actions = [
      "iam:*",
      "codecommit:*",
      "codepipeline:*",
      "codebuild:*",
      "logs:*",
      "s3:*",
      "secretsmanager:*",
      "glue:*",
      "ec2:*",
      "dynamodb:*",
      "lakeformation:*",
      "cloudtrail:DescribeTrails",
      "cloudtrail:LookupEvents"
    ]
  }
```

These permissions were added while testing the initial deployment of a project and are too open: every listed service is granted with a `*` action on `*` resources, so the build role can reach far beyond the project it builds. Also, clean up the other permissions in the policy.
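As an added example (not the module's own iam.tf), the following policy document shows the least-privilege shape the statement above could move toward: each service is scoped to the resources one CodeBuild project actually touches. The project, repository, artifact bucket and secret names are placeholders, the `data.aws_region.current.name` attribute is assumed from the aws ~> 5.0 provider the module requires, and whatever the buildspec needs for Terraform state and target-account access is not shown.

```hcl
# Added example, not the module's iam.tf. All names below are placeholders.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  project_name    = "test"
  repo_name       = "test"
  artifact_bucket = "PLACEHOLDER-ARTIFACT-BUCKET"
  secret_names    = ["PLACEHOLDER/secret"]
  account_id      = data.aws_caller_identity.current.account_id
  region          = data.aws_region.current.name
  log_group_arn   = "arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/codebuild/${local.project_name}"
}

data "aws_iam_policy_document" "least_privilege" {
  # CloudWatch Logs: only this project's log group and its streams.
  statement {
    sid       = "Logs"
    effect    = "Allow"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [local.log_group_arn, "${local.log_group_arn}:*"]
  }

  # CodeCommit: read-only clone of the single source repository.
  statement {
    sid       = "SourceRepo"
    effect    = "Allow"
    actions   = ["codecommit:GitPull"]
    resources = ["arn:aws:codecommit:${local.region}:${local.account_id}:${local.repo_name}"]
  }

  # S3: pipeline artifacts in one bucket only, no bucket-wide s3:*.
  statement {
    sid       = "Artifacts"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:GetBucketLocation", "s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.artifact_bucket}", "arn:aws:s3:::${local.artifact_bucket}/*"]
  }

  # Secrets Manager: read only the named secrets (what var.secrets expresses in the module).
  statement {
    sid       = "Secrets"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [for s in local.secret_names : "arn:aws:secretsmanager:${local.region}:${local.account_id}:secret:${s}-*"]
  }
}
```

The `iam:*`, `ec2:*`, `glue:*`, `dynamodb:*` and `lakeformation:*` grants from the TODO statement are deliberately absent; add them back only as specific actions on specific ARNs once a buildspec demonstrably needs them.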

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.5.6 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|---|---|
| aws | ~> 5.0 |

Modules

| Name | Source | Version |
|---|---|---|
| std | github.com/clearscale/tf-standards.git | v1.0.0 |

Resources

| Name | Type |
|---|---|
| aws_codebuild_project.this | resource |
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.cb_attachment | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.this | data source |
| aws_security_group.this | data source |
| aws_subnets.this | data source |
| aws_vpc.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| `account` | (Optional). Cloud provider account object. | <pre>object({<br>  key      = optional(string, "current")<br>  provider = optional(string, "aws")<br>  id       = optional(string, "*")<br>  name     = string<br>  region   = optional(string, null)<br>})</pre> | <pre>{<br>  "id": "*",<br>  "name": "shared"<br>}</pre> | no |
| `cache` | (Optional). Cache store. | <pre>object({<br>  type     = optional(string, "S3")<br>  location = optional(string, null)<br>  modes    = optional(list(string), [])<br>})</pre> | `null` | no |
| `client` | (Optional). Name of the client. | `string` | `"ClearScale"` | no |
| `compute` | (Optional). Environment (Compute Resource) configuration for the CodeBuild project. | <pre>object({<br>  compute_type = optional(string, "BUILD_GENERAL1_SMALL")<br>  image        = optional(string, "aws/codebuild/amazonlinux2-x86_64-standard:5.0")<br>  type         = optional(string, "LINUX_CONTAINER")<br>})</pre> | <pre>{<br>  "compute_type": "BUILD_GENERAL1_SMALL",<br>  "image": "aws/codebuild/amazonlinux2-x86_64-standard:5.0",<br>  "type": "LINUX_CONTAINER"<br>}</pre> | no |
| `description` | (Optional). Description of the CodeBuild project. | `string` | `"A CodeBuild project brought to you by ClearScale."` | no |
| `encryption_key` | (Optional). KMS key ARN. | `string` | `null` | no |
| `env` | (Optional). Name of the current environment. | `string` | `"dev"` | no |
| `iam_codepipeline` | (Optional). The ARN of the CodePipeline IAM role and the policy. Only required if var.stages is set. | `list(string)` | `null` | no |
| `iam_service_role_policies` | (Optional). List of IAM policy ARNs to attach to the primary service role. | `list(string)` | `[]` | no |
| `logs` | (Optional). List of log group names which this CodeBuild project has access to. | `list(string)` | `[]` | no |
| `name` | (Optional). The name of the CodeBuild project. Used to add additional context to dependency resources like IAM roles. Project name should be added to var.project_name. | `string` | `"codebuild"` | no |
| `prefix` | (Optional). Prefix override for all generated naming conventions. | `string` | `"cs"` | no |
| `project` | (Optional). Name of the client project. | `string` | `"pmod"` | no |
| `project_name` | (Required). Unrelated to var.project and var.name. This represents the name of the CodeBuild Project. | `string` | `null` | no |
| `region` | (Optional). AWS region. | `string` | `"us-west-1"` | no |
| `repo` | (Required). SCM code repository settings. | <pre>object({<br>  name     = string<br>  provider = optional(string, "CodeCommit")<br>  region   = optional(string, null)<br>  role_arn = optional(string, null)<br>})</pre> | n/a | yes |
| `script` | (Required). Path to the buildspec file for the CodeBuild project. | `string` | n/a | yes |
| `secrets` | (Optional). List of secret names that are stored in Secrets Manager which this project will have read access to. | `list(string)` | `[]` | no |
| `stages` | (Required if CodePipeline is being used). List of stages that are being passed to CodePipeline (if used). This list will be used to generate the needed IAM resources. There is no dependency on CodePipeline and, when set, object values in each list item do not override any other input variable. | <pre>list(object({<br>  name = string<br>  action = object({<br>    name            = optional(string, "Build")<br>    category        = optional(string, "Build")<br>    provider        = optional(string, "CodeBuild")<br>    version         = optional(string, "1")<br>    owner           = optional(string, "AWS")<br>    region          = optional(string, null)<br>    input_artifacts = optional(list(string), null)<br>    configuration   = optional(object({<br>      ProjectName = optional(string, null)<br>    }), null)<br>  })<br>  resource = optional(object({<br>    region                    = optional(string, null)<br>    name                      = optional(string, null)<br>    description               = optional(string, null)<br>    script                    = optional(string, null)<br>    iam_service_role_policies = optional(list(string), [])<br><br>    # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#environment<br>    # https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html<br>    compute = optional(object({<br>      compute_type = optional(string, "BUILD_GENERAL1_SMALL")<br>      image        = optional(string, "aws/codebuild/amazonlinux2-x86_64-standard:5.0")<br>      type         = optional(string, "LINUX_CONTAINER")<br>    }))<br><br>    # Inherits var.vpc if not set.<br>    vpc = optional(object({<br>      id              = optional(string, null)       # vpc id<br>      subnets         = optional(list(string), null) # ids<br>      security_groups = optional(list(string), null) # ids<br>    }), null)<br>  }), null)<br>  secrets = optional(list(string), [])<br>  logs    = optional(list(string), [])<br>}))</pre> | `null` | no |
| `vpc` | (Required). VPC configuration for the CodeBuild project. | <pre>object({<br>  id              = string       # vpc id<br>  subnets         = list(string) # ids<br>  security_groups = list(string) # ids<br>})</pre> | `null` | no |

Outputs

| Name | Description |
|---|---|
| `arn` | The ARN of the CodeBuild project. |
| `badge_url` | The ARN of the CodeBuild project. |
| `id` | Name (if imported via name) or ARN (if created via Terraform or imported via ARN) of the CodeBuild project. |
| `name` | The name of the CodeBuild project. |
| `public_project_alias` | The project identifier used with the public build APIs. |
| `role` | Service role information. |
| `stage_roles` | Role names of all the CodePipeline stages that were specified as var.stages. |
| `tags_all` | All tags applied to the CodeBuild project. |
