[Bug]: aws_codebuild_project queued_timeout unsupported value when using lambda compute

[jrobison-sb]

Terraform Core Version

1.6.1

AWS Provider Version

5.25.0

Affected Resource(s)

• aws_codebuild_project

Expected Behavior

The queued_timeout attribute should never become set to an unsupported value, even when using Lambda as the underlying compute.

Actual Behavior

The queued_timeout attribute does become set to an unsupported value, when using Lambda as the underlying compute.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

See the Steps to Reproduce section.

Steps to Reproduce

1. Use HCL which creates a Codebuild project which uses EC2 as its underlying compute, and without specifying any value for queued_timeout, like this:

resource "aws_codebuild_project" "dev2865" {
  name          = "DEV-2865-terraform-aws-codebuild-project"
  description   = "DEV-2865-terraform-aws-codebuild-project"
  build_timeout = "15"
  service_role  = aws_iam_role.codepipeline.arn

  artifacts {
    type = "NO_ARTIFACTS"
  }

  source {
    type = "NO_SOURCE"
    buildspec = yamlencode({
      version = "0.2"
      env = {
        shell = "bash"
      }
      phases = {
        post_build = {
          commands = [
            "echo hello",
          ]
        }
      }
    })
  }

  environment {
    compute_type    = "BUILD_GENERAL1_SMALL"
    image           = "aws/codebuild/standard:5.0"
    type            = "LINUX_CONTAINER"
    privileged_mode = false
  }

  tags = {
    Name = "DEV-2865-terraform-aws-codebuild-project"
  }
}

2. Run terraform apply to apply the above resource. This will apply successfully.
3. Run a terraform plan and see that there are no outstanding diffs.
4. Change the underlying compute type to Lambda, like this:

      ~ environment {
          ~ compute_type                = "BUILD_GENERAL1_SMALL" -> "BUILD_LAMBDA_1GB"
          ~ image                       = "aws/codebuild/standard:5.0" -> "aws/codebuild/amazonlinux-aarch64-lambda-standard:python3.11"
          ~ type                        = "LINUX_CONTAINER" -> "ARM_LAMBDA_CONTAINER"
            # (2 unchanged attributes hidden)
        }

5. Run terraform apply to lock in the above change. This will apply successfully.
6. Run terraform plan and see that it now reports a diff on queued_timeout, which isn't even set in the HCL:

  # module.qa_application.aws_codebuild_project.dev2865 will be updated in-place
  ~ resource "aws_codebuild_project" "dev2865" {
        id                     = "arn:aws:codebuild:us-east-1:1234567890:project/DEV-2865-terraform-aws-codebuild-project"
        name                   = "DEV-2865-terraform-aws-codebuild-project"
      ~ queued_timeout         = 0 -> 480
        tags                   = {
            "Name" = "DEV-2865-terraform-aws-codebuild-project"
        }
        # (9 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

7. Okay, that's weird, let's add queued_timeout = 0 to the HCL to make the diff go away, then let's run another Terraform plan:

Error: expected queued_timeout to be in the range (5 - 480), got 0

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

Using Lambda as the underlying compute is a new feature as-of 4 days ago, see https://aws.amazon.com/blogs/devops/aws-codebuild-adds-support-for-aws-lambda-compute-mode/.

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[jrobison-sb]

My workaround until this gets fixed is to just ignore_changes on this attribute:

  lifecycle {
    ignore_changes = [
      queued_timeout # https://github.com/hashicorp/terraform-provider-aws/issues/34376
    ]
  }

[acwwat]

I did some testing in the AWS Console and see that if you set Compute to Lambda, you don't see the Queued timeout option. I included two screenshots below for illustration.

Subsequently, I looked at what's returned by the AWS API in the TF debug log, and I can see that the queuedTimeoutInMinutes attribute is simply absent. The Terraform code in turn converts the missing attribute value to 0 during type conversion, resulting in a 0 being stored in the final TF state.

TBH I am not sure how to best interpret the AWS Project data type contract. queuedTimeoutInMinutes is not required, but it has a valid value range of 5 - 480. Either way, this is not documented very well on AWS' part.

I'd need someone more experienced to comment on how to best handle this in the provider code. Knowing the observed behavior on queuedTimeoutInMinutes being absent, should we assume that this value should be set to nil (and allow nil value) when the runtime is Lambda?

Compute = EC2:

Compute = Lambda:

Sample output from AWS extracted from TF debug log:

2023-11-13T23:31:06.829-0500 [DEBUG] provider.terraform-provider-aws: HTTP Response Received: aws.region=us-west-2 http.response.header.x_amzn_requestid=439541b3-81ea-49e4-a6c0-173cebd0269c tf_req_id=ab769b1d-cc20-37c3-8bcc-68f4e4edfe82 tf_resource_type=aws_codebuild_project http.status_code=200 rpc.service=CodeBuild rpc.system=aws-api tf_rpc=ApplyResourceChange http.duration=449 http.response.body="{"project":{"arn":"arn:aws:codebuild:us-west-2:xxxxxxxxxxxx:project/DEV-2865-terraform-aws-codebuild-project","artifacts":{"overrideArtifactName":false,"type":"NO_ARTIFACTS"},"badge":{"badgeEnabled":false},"cache":{"type":"NO_CACHE"},"created":1.699936084006E9,"description":"DEV-2865-terraform-aws-codebuild-project","encryptionKey":"arn:aws:kms:us-west-2:xxxxxxxxxxxx:alias/aws/s3","environment":{"computeType":"BUILD_LAMBDA_1GB","environmentVariables":[],"image":"aws/codebuild/amazonlinux-aarch64-lambda-standard:python3.11","imagePullCredentialsType":"CODEBUILD","privilegedMode":false,"type":"ARM_LAMBDA_CONTAINER"},"lastModified":1.699936212497E9,"logsConfig":{"cloudWatchLogs":{"status":"ENABLED"},"s3Logs":{"encryptionDisabled":false,"status":"DISABLED"}},"name":"DEV-2865-terraform-aws-codebuild-project","projectVisibility":"PRIVATE","serviceRole":"arn:aws:iam::xxxxxxxxxxxx:role/service-role/codebuild-test-service-role","source":{"buildspec":"\"env\":\n  \"shell\": \"bash\"\n\"phases\":\n  \"post_build\":\n    \"commands\":\n    - \"echo hello\"\n\"version\": \"0.2\"\n","gitCloneDepth":0,"insecureSsl":false,"type":"NO_SOURCE"},"tags":[{"key":"Name","value":"DEV-2865-terraform-aws-codebuild-project"}],"timeoutInMinutes":15},"webhookDeletedStatus":"no_webhook"}

[moritzzimmer]

with provider 5.26.0 we receive the following Error message when trying to apply with a Lambda compute platform

creating CodeBuild project: InvalidInputException: Cannot specify queuedTimeoutInMinutes for lambda compute

relevant part of the plan:

+ resource "aws_codebuild_project" "this" {
      + arn                  = (known after apply)
      + badge_enabled        = false
      + badge_url            = (known after apply)
      + build_timeout        = 60
      + description          = (known after apply)
      + encryption_key       = (known after apply)
      + id                   = (known after apply)
      + name                 = "test"
      + project_visibility   = "PRIVATE"
      + public_project_alias = (known after apply)
      + queued_timeout       = 5
      + service_role         = "redacted"

      + artifacts {
          + encryption_disabled    = false
          + override_artifact_name = false
          + type                   = "CODEPIPELINE"
        }

      + environment {
          + compute_type                = "BUILD_LAMBDA_1GB"
          + image                       = "aws/codebuild/amazonlinux-aarch64-lambda-standard:python3.11"
          + image_pull_credentials_type = "CODEBUILD"
          + privileged_mode             = false
          + type                        = "ARM_LAMBDA_CONTAINER"

[github-actions]

This functionality has been released in v5.32.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.