Context
The apply pipeline (#83) needs an actual runner. CodeBuild is chosen: time-boxed, AWS-native, project-level concurrency lock, output streamable via CloudWatch.
Scope
- New `terraform/codebuild.tf`:
  - `aws_s3_bucket.plan_artifacts`: versioned, encrypted, 30-day lifecycle for plan output. Note that `plan.bin` embeds the fully resolved configuration, sensitive variable values included, so read access to the bucket should be limited to the CodeBuild role.
  - `aws_iam_role.codebuild` with the same `GameServerDeployAll` policy (or a tightened variant; it starts out matching ops permissions and can be scoped down later).
  - `aws_codebuild_project.terraform` with `concurrent_build_limit = 1`, running an inline buildspec that:
    - Reads tfvars from S3.
    - Runs `terraform init` + `terraform plan -out=plan.bin`.
    - Uploads `plan.bin` to the plan artifacts bucket keyed by run id.
    - On apply runs: downloads the same `plan.bin` and runs `terraform apply plan.bin`.
  - CloudWatch log group for the project.
- New variable `apply_pipeline_enabled` (default `false`) so existing operators don't pay for the bucket if they don't use it.
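As an added illustration (not the project's `codebuild.tf` and not code from this ticket), one way to lay out the resources above in HCL. Everything not named in the ticket is an assumption: `var.project_name`, `var.tfvars_bucket`, `var.tfvars_key`, `var.repo_url`, `var.codebuild_image` (an image that already carries `terraform` and the AWS CLI), the `ACTION` and `RUN_ID` environment variables supplied per build by the #83 pipeline, the `terraform/` working directory in the repo, and `aws_iam_role.codebuild` being declared elsewhere in the file.

```hcl
# Added example for this ticket, not the project's own codebuild.tf.
# Assumed: var.project_name, var.tfvars_bucket, var.tfvars_key, var.repo_url,
# var.codebuild_image, ACTION/RUN_ID set by the caller, aws_iam_role.codebuild.

variable "apply_pipeline_enabled" {
  type    = bool
  default = false
}

resource "aws_s3_bucket" "plan_artifacts" {
  count  = var.apply_pipeline_enabled ? 1 : 0
  bucket = "${var.project_name}-plan-artifacts"
}

resource "aws_s3_bucket_versioning" "plan_artifacts" {
  count  = var.apply_pipeline_enabled ? 1 : 0
  bucket = aws_s3_bucket.plan_artifacts[0].id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "plan_artifacts" {
  count  = var.apply_pipeline_enabled ? 1 : 0
  bucket = aws_s3_bucket.plan_artifacts[0].id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "plan_artifacts" {
  count  = var.apply_pipeline_enabled ? 1 : 0
  bucket = aws_s3_bucket.plan_artifacts[0].id
  rule {
    id     = "expire-plans-30d"
    status = "Enabled"
    filter {}
    expiration { days = 30 }
    noncurrent_version_expiration { noncurrent_days = 30 }
  }
}

resource "aws_cloudwatch_log_group" "codebuild" {
  count             = var.apply_pipeline_enabled ? 1 : 0
  name              = "/aws/codebuild/${var.project_name}-terraform"
  retention_in_days = 30
}

resource "aws_codebuild_project" "terraform" {
  count                  = var.apply_pipeline_enabled ? 1 : 0
  name                   = "${var.project_name}-terraform"
  service_role           = aws_iam_role.codebuild.arn
  build_timeout          = 60 # minutes; this is the time-box
  concurrent_build_limit = 1  # project-level lock: one plan/apply at a time

  artifacts { type = "NO_ARTIFACTS" }

  logs_config {
    cloudwatch_logs { group_name = aws_cloudwatch_log_group.codebuild[0].name }
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = var.codebuild_image # assumed to include terraform + aws cli
    type         = "LINUX_CONTAINER"
    environment_variable {
      name  = "PLAN_BUCKET"
      value = aws_s3_bucket.plan_artifacts[0].bucket
    }
    environment_variable {
      name  = "TFVARS_URI"
      value = "s3://${var.tfvars_bucket}/${var.tfvars_key}"
    }
  }

  source {
    type      = "GITHUB"
    location  = var.repo_url
    buildspec = <<-YAML
      version: 0.2
      phases:
        build:
          commands:
            - cd terraform
            - aws s3 cp "$TFVARS_URI" terraform.tfvars
            - terraform init -input=false
            - |
              set -eu
              case "$ACTION" in
                plan)
                  terraform plan -input=false -out=plan.bin
                  aws s3 cp plan.bin "s3://$PLAN_BUCKET/$RUN_ID/plan.bin" ;;
                apply)
                  # Apply exactly the plan that was reviewed for this run id.
                  aws s3 cp "s3://$PLAN_BUCKET/$RUN_ID/plan.bin" plan.bin
                  terraform apply -input=false plan.bin ;;
                *) echo "ACTION must be plan or apply" >&2; exit 1 ;;
              esac
    YAML
  }
}
```

A plan run is then started with `aws codebuild start-build --project-name <name> --environment-variables-override name=ACTION,value=plan,type=PLAINTEXT name=RUN_ID,value=<run id>,type=PLAINTEXT`, and the apply run reuses the same `RUN_ID` with `ACTION=apply`. Two properties worth knowing when wiring this up: `terraform apply plan.bin` refuses a saved plan whose state has moved on since the plan was produced, which is the protection that makes the plan/apply split meaningful; and because the plan file carries resolved sensitive values, the bucket should also get an `aws_s3_bucket_public_access_block` and a policy that admits only the CodeBuild role (both omitted above for brevity).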
Acceptance criteria
- Deploys with `apply_pipeline_enabled = true`.
- `aws codebuild start-build` runs `terraform plan` end-to-end.
Dependencies
Part of: #83
Blocked by #80
Blocks: #107