---
subcategory: "CodeBuild"
layout: "aws"
page_title: "AWS: aws_codebuild_project"
description: |-
  Provides a CodeBuild Project resource.
---

# Resource: aws_codebuild_project
Provides a CodeBuild Project resource. See also the aws_codebuild_webhook
resource, which manages the webhook to the source (e.g., the "rebuild every time a code change is pushed" option in the CodeBuild web console).
## Example Usage

```terraform
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  acl    = "private"
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "example" {
  name               = "example"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

data "aws_iam_policy_document" "example" {
  statement {
    effect = "Allow"

    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = ["*"]
  }

  statement {
    effect = "Allow"

    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DescribeDhcpOptions",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeVpcs",
    ]

    resources = ["*"]
  }

  statement {
    effect    = "Allow"
    actions   = ["ec2:CreateNetworkInterfacePermission"]
    resources = ["arn:aws:ec2:us-east-1:123456789012:network-interface/*"]

    # Restrict ENI permission grants to the build subnets and to CodeBuild itself
    condition {
      test     = "StringEquals"
      variable = "ec2:Subnet"

      values = [
        aws_subnet.example1.arn,
        aws_subnet.example2.arn,
      ]
    }

    condition {
      test     = "StringEquals"
      variable = "ec2:AuthorizedService"
      values   = ["codebuild.amazonaws.com"]
    }
  }

  statement {
    effect  = "Allow"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.example.arn,
      "${aws_s3_bucket.example.arn}/*",
    ]
  }
}

resource "aws_iam_role_policy" "example" {
  role   = aws_iam_role.example.name
  policy = data.aws_iam_policy_document.example.json
}

resource "aws_codebuild_project" "example" {
  name          = "test-project"
  description   = "test_codebuild_project"
  build_timeout = 5
  service_role  = aws_iam_role.example.arn

  artifacts {
    type = "NO_ARTIFACTS"
  }

  cache {
    type     = "S3"
    location = aws_s3_bucket.example.bucket
  }

  environment {
    compute_type                = "BUILD_GENERAL1_SMALL"
    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:4.0"
    type                        = "LINUX_CONTAINER"
    image_pull_credentials_type = "CODEBUILD"

    environment_variable {
      name  = "SOME_KEY1"
      value = "SOME_VALUE1"
    }

    # Value is resolved from SSM Parameter Store at build time rather than stored in the project
    environment_variable {
      name  = "SOME_KEY2"
      value = "SOME_VALUE2"
      type  = "PARAMETER_STORE"
    }
  }

  logs_config {
    cloudwatch_logs {
      group_name  = "log-group"
      stream_name = "log-stream"
    }

    s3_logs {
      status   = "ENABLED"
      location = "${aws_s3_bucket.example.id}/build-log"
    }
  }

  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1

    git_submodules_config {
      fetch_submodules = true
    }
  }

  source_version = "master"

  vpc_config {
    vpc_id = aws_vpc.example.id

    subnets = [
      aws_subnet.example1.id,
      aws_subnet.example2.id,
    ]

    security_group_ids = [
      aws_security_group.example1.id,
      aws_security_group.example2.id,
    ]
  }

  tags = {
    Environment = "Test"
  }
}

resource "aws_codebuild_project" "project-with-cache" {
  name           = "test-project-cache"
  description    = "test_codebuild_project_cache"
  build_timeout  = 5
  queued_timeout = 5

  service_role = aws_iam_role.example.arn

  artifacts {
    type = "NO_ARTIFACTS"
  }

  cache {
    type  = "LOCAL"
    modes = ["LOCAL_DOCKER_LAYER_CACHE", "LOCAL_SOURCE_CACHE"]
  }

  environment {
    compute_type                = "BUILD_GENERAL1_SMALL"
    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:4.0"
    type                        = "LINUX_CONTAINER"
    image_pull_credentials_type = "CODEBUILD"

    environment_variable {
      name  = "SOME_KEY1"
      value = "SOME_VALUE1"
    }
  }

  source {
    type            = "GITHUB"
    location        = "https://github.com/mitchellh/packer.git"
    git_clone_depth = 1
  }

  tags = {
    Environment = "Test"
  }
}
```
## Argument Reference

The following arguments are required:

* `artifacts` - (Required) Configuration block. Detailed below.
* `environment` - (Required) Configuration block. Detailed below.
* `name` - (Required) Project's name.
* `service_role` - (Required) Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that enables AWS CodeBuild to interact with dependent AWS services on behalf of the AWS account.
* `source` - (Required) Configuration block. Detailed below.

The following arguments are optional:

* `badge_enabled` - (Optional) Generates a publicly-accessible URL for the project's build badge. Available as `badge_url` attribute when enabled.
* `build_batch_config` - (Optional) Defines the batch build options for the project.
* `build_timeout` - (Optional) Number of minutes, from 5 to 2160 (36 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed. The default is 60 minutes. The `build_timeout` property is not available on the `Lambda` compute type.
* `cache` - (Optional) Configuration block. Detailed below.
* `concurrent_build_limit` - (Optional) Specify a maximum number of concurrent builds for the project. The value specified must be greater than 0 and less than the account concurrent running builds limit.
* `description` - (Optional) Short description of the project.
* `file_system_locations` - (Optional) A set of file system locations to mount inside the build. File system locations are documented below.
* `encryption_key` - (Optional) AWS Key Management Service (AWS KMS) customer master key (CMK) to be used for encrypting the build project's build output artifacts.
* `logs_config` - (Optional) Configuration block. Detailed below.
* `project_visibility` - (Optional) Specifies the visibility of the project's builds. Possible values are: `PUBLIC_READ` and `PRIVATE`. Default value is `PRIVATE`.
* `resource_access_role` - (Optional) The ARN of the IAM role that enables CodeBuild to access the CloudWatch Logs and Amazon S3 artifacts for the project's builds in order to display them publicly. Only applicable if `project_visibility` is `PUBLIC_READ`.
* `queued_timeout` - (Optional) Number of minutes, from 5 to 480 (8 hours), a build is allowed to be queued before it times out. The default is 8 hours. The `queued_timeout` property is not available on the `Lambda` compute type.
* `secondary_artifacts` - (Optional) Configuration block. Detailed below.
* `secondary_sources` - (Optional) Configuration block. Detailed below.
* `secondary_source_version` - (Optional) Configuration block. Detailed below.
* `source_version` - (Optional) Version of the build input to be built for this project. If not specified, the latest version is used.
* `tags` - (Optional) Map of tags to assign to the resource. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
* `vpc_config` - (Optional) Configuration block. Detailed below.
### artifacts

* `artifact_identifier` - (Optional) Artifact identifier. Must be the same specified inside the AWS CodeBuild build specification.
* `bucket_owner_access` - (Optional) Specifies the bucket owner's access for objects that another account uploads to their Amazon S3 bucket. By default, only the account that uploads the objects to the bucket has access to these objects. This property allows you to give the bucket owner access to these objects. Valid values are `NONE`, `READ_ONLY`, and `FULL`. Your CodeBuild service role must have the `s3:PutBucketAcl` permission. This permission allows CodeBuild to modify the access control list for the bucket.
* `encryption_disabled` - (Optional) Whether to disable encrypting output artifacts. If `type` is set to `NO_ARTIFACTS`, this value is ignored. Defaults to `false`.
* `location` - (Optional) Information about the build output artifact location. If `type` is set to `CODEPIPELINE` or `NO_ARTIFACTS`, this value is ignored. If `type` is set to `S3`, this is the name of the output bucket.
* `name` - (Optional) Name of the project. If `type` is set to `S3`, this is the name of the output artifact object.
* `namespace_type` - (Optional) Namespace to use in storing build artifacts. If `type` is set to `S3`, then valid values are `BUILD_ID`, `NONE`.
* `override_artifact_name` - (Optional) Whether a name specified in the build specification overrides the artifact name.
* `packaging` - (Optional) Type of build output artifact to create. If `type` is set to `S3`, valid values are `NONE`, `ZIP`.
* `path` - (Optional) If `type` is set to `S3`, this is the path to the output artifact.
* `type` - (Required) Build output artifact's type. Valid values: `CODEPIPELINE`, `NO_ARTIFACTS`, `S3`.
### build_batch_config

* `combine_artifacts` - (Optional) Specifies if the build artifacts for the batch build should be combined into a single artifact location.
* `restrictions` - (Optional) Configuration block specifying the restrictions for the batch build. Detailed below.
* `service_role` - (Required) Specifies the service role ARN for the batch build project.
* `timeout_in_mins` - (Optional) Specifies the maximum amount of time, in minutes, that the batch build must be completed in.

#### build_batch_config: restrictions

* `compute_types_allowed` - (Optional) An array of strings that specify the compute types that are allowed for the batch build. See Build environment compute types in the AWS CodeBuild User Guide for these values.
* `maximum_builds_allowed` - (Optional) Specifies the maximum number of builds allowed.
### cache

* `location` - (Required when cache type is `S3`) Location where the AWS CodeBuild project stores cached resources. For type `S3`, the value must be a valid S3 bucket name/prefix.
* `modes` - (Required when cache type is `LOCAL`) Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: `LOCAL_SOURCE_CACHE`, `LOCAL_DOCKER_LAYER_CACHE`, `LOCAL_CUSTOM_CACHE`.
* `type` - (Optional) Type of storage that will be used for the AWS CodeBuild project cache. Valid values: `NO_CACHE`, `LOCAL`, `S3`. Defaults to `NO_CACHE`.
### environment

* `certificate` - (Optional) ARN of the S3 bucket, path prefix and object key that contains the PEM-encoded certificate.
* `compute_type` - (Required) Information about the compute resources the build project will use. Valid values: `BUILD_GENERAL1_SMALL`, `BUILD_GENERAL1_MEDIUM`, `BUILD_GENERAL1_LARGE`, `BUILD_GENERAL1_2XLARGE`, `BUILD_LAMBDA_1GB`, `BUILD_LAMBDA_2GB`, `BUILD_LAMBDA_4GB`, `BUILD_LAMBDA_8GB`, `BUILD_LAMBDA_10GB`. `BUILD_GENERAL1_SMALL` is only valid if `type` is set to `LINUX_CONTAINER`. When `type` is set to `LINUX_GPU_CONTAINER`, `compute_type` must be `BUILD_GENERAL1_LARGE`. When `type` is set to `LINUX_LAMBDA_CONTAINER` or `ARM_LAMBDA_CONTAINER`, `compute_type` must be `BUILD_LAMBDA_XGB`.
* `fleet` - (Optional) Configuration block. Detailed below.
* `environment_variable` - (Optional) Configuration block. Detailed below.
* `image_pull_credentials_type` - (Optional) Type of credentials AWS CodeBuild uses to pull images in your build. Valid values: `CODEBUILD`, `SERVICE_ROLE`. When you use a cross-account or private registry image, you must use `SERVICE_ROLE` credentials. When you use an AWS CodeBuild curated image, you must use CodeBuild credentials. Defaults to `CODEBUILD`.
* `image` - (Required) Docker image to use for this build project. Valid values include Docker images provided by CodeBuild (e.g., `aws/codebuild/amazonlinux2-x86_64-standard:4.0`), Docker Hub images (e.g., `hashicorp/terraform:latest`), and full Docker repository URIs such as those for ECR (e.g., `137112412989.dkr.ecr.us-west-2.amazonaws.com/amazonlinux:latest`).
* `privileged_mode` - (Optional) Whether to enable running the Docker daemon inside a Docker container. Defaults to `false`.
* `registry_credential` - (Optional) Configuration block. Detailed below.
* `type` - (Required) Type of build environment to use for related builds. Valid values: `LINUX_CONTAINER`, `LINUX_GPU_CONTAINER`, `WINDOWS_CONTAINER` (deprecated), `WINDOWS_SERVER_2019_CONTAINER`, `ARM_CONTAINER`, `LINUX_LAMBDA_CONTAINER`, `ARM_LAMBDA_CONTAINER`. For additional information, see the CodeBuild User Guide.
#### environment: fleet

* `fleet_arn` - (Optional) Compute fleet ARN for the build project.

#### environment: environment_variable

* `name` - (Required) Environment variable's name or key.
* `type` - (Optional) Type of environment variable. Valid values: `PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`.
* `value` - (Required) Environment variable's value.
#### environment: registry_credential

Credentials for access to a private Docker registry.

* `credential` - (Required) ARN or name of credentials created using AWS Secrets Manager.
* `credential_provider` - (Required) Service that created the credentials to access a private Docker registry. Valid value: `SECRETS_MANAGER` (AWS Secrets Manager).
### file_system_locations

See ProjectFileSystemLocation for more details of the fields.

* `identifier` - (Optional) The name used to access a file system created by Amazon EFS. CodeBuild creates an environment variable by appending the identifier in all capital letters to `CODEBUILD_`. For example, if you specify `my-efs` for identifier, a new environment variable is created named `CODEBUILD_MY-EFS`.
* `location` - (Optional) A string that specifies the location of the file system created by Amazon EFS. Its format is `efs-dns-name:/directory-path`.
* `mount_options` - (Optional) The mount options for a file system created by AWS EFS.
* `mount_point` - (Optional) The location in the container where you mount the file system.
* `type` - (Optional) The type of the file system. The one supported type is `EFS`.
### logs_config

* `cloudwatch_logs` - (Optional) Configuration block. Detailed below.
* `s3_logs` - (Optional) Configuration block. Detailed below.

#### logs_config: cloudwatch_logs

* `group_name` - (Optional) Group name of the logs in CloudWatch Logs.
* `status` - (Optional) Current status of logs in CloudWatch Logs for a build project. Valid values: `ENABLED`, `DISABLED`. Defaults to `ENABLED`.
* `stream_name` - (Optional) Prefix of the log stream name of the logs in CloudWatch Logs.

#### logs_config: s3_logs

* `encryption_disabled` - (Optional) Whether to disable encrypting S3 logs. Defaults to `false`.
* `location` - (Optional) Name of the S3 bucket and the path prefix for S3 logs. Must be set if status is `ENABLED`, otherwise it must be empty.
* `status` - (Optional) Current status of logs in S3 for a build project. Valid values: `ENABLED`, `DISABLED`. Defaults to `DISABLED`.
* `bucket_owner_access` - (Optional) Specifies the bucket owner's access for objects that another account uploads to their Amazon S3 bucket. By default, only the account that uploads the objects to the bucket has access to these objects. This property allows you to give the bucket owner access to these objects. Valid values are `NONE`, `READ_ONLY`, and `FULL`. Your CodeBuild service role must have the `s3:PutBucketAcl` permission. This permission allows CodeBuild to modify the access control list for the bucket.
### secondary_artifacts

* `artifact_identifier` - (Required) Artifact identifier. Must be the same specified inside the AWS CodeBuild build specification.
* `bucket_owner_access` - (Optional) Specifies the bucket owner's access for objects that another account uploads to their Amazon S3 bucket. By default, only the account that uploads the objects to the bucket has access to these objects. This property allows you to give the bucket owner access to these objects. Valid values are `NONE`, `READ_ONLY`, and `FULL`. The CodeBuild service role must have the `s3:PutBucketAcl` permission. This permission allows CodeBuild to modify the access control list for the bucket.
* `encryption_disabled` - (Optional) Whether to disable encrypting output artifacts. If `type` is set to `NO_ARTIFACTS`, this value is ignored. Defaults to `false`.
* `location` - (Optional) Information about the build output artifact location. If `type` is set to `CODEPIPELINE` or `NO_ARTIFACTS`, this value is ignored if specified. If `type` is set to `S3`, this is the name of the output bucket. If `path` is not specified, `location` can specify the path of the output artifact in the output bucket.
* `name` - (Optional) Name of the project. If `type` is set to `CODEPIPELINE` or `NO_ARTIFACTS`, this value is ignored if specified. If `type` is set to `S3`, this is the name of the output artifact object.
* `namespace_type` - (Optional) Namespace to use in storing build artifacts. If `type` is set to `CODEPIPELINE` or `NO_ARTIFACTS`, this value is ignored if specified. If `type` is set to `S3`, valid values are `BUILD_ID` or `NONE`.
* `override_artifact_name` - (Optional) Whether a name specified in the build specification overrides the artifact name.
* `packaging` - (Optional) Type of build output artifact to create. If `type` is set to `CODEPIPELINE` or `NO_ARTIFACTS`, this value is ignored if specified. If `type` is set to `S3`, valid values are `NONE` or `ZIP`.
* `path` - (Optional) Along with `namespace_type` and `name`, the pattern that AWS CodeBuild uses to name and store the output artifact. If `type` is set to `CODEPIPELINE` or `NO_ARTIFACTS`, this value is ignored if specified. If `type` is set to `S3`, this is the path to the output artifact.
* `type` - (Required) Build output artifact's type. Valid values: `CODEPIPELINE`, `NO_ARTIFACTS`, and `S3`.
### secondary_sources

* `buildspec` - (Optional) The build spec declaration to use for this build project's related builds. This must be set when `type` is `NO_SOURCE`. It can either be a path to a file residing in the repository to be built or a local file path leveraging the `file()` built-in.
* `git_clone_depth` - (Optional) Truncate git history to this many commits. Use `0` for a `Full` checkout which you need to run commands like `git branch --show-current`. See AWS CodePipeline User Guide: Tutorial: Use full clone with a GitHub pipeline source for details.
* `git_submodules_config` - (Optional) Configuration block. Detailed below.
* `insecure_ssl` - (Optional) Ignore SSL warnings when connecting to source control.
* `location` - (Optional) Location of the source code from git or s3.
* `report_build_status` - (Optional) Whether to report the status of a build's start and finish to your source provider. This option is valid only when your source provider is GitHub, GitHub Enterprise, GitLab, GitLab Self Managed, or Bitbucket.
* `build_status_config` - (Optional) Configuration block that contains information that defines how the build project reports the build status to the source provider. This option is only used when the source provider is GitHub, GitHub Enterprise, GitLab, GitLab Self Managed, or Bitbucket. `build_status_config` blocks are documented below.
* `source_identifier` - (Required) An identifier for this project source. The identifier can only contain alphanumeric characters and underscores, and must be less than 128 characters in length.
* `type` - (Required) Type of repository that contains the source code to be built. Valid values: `BITBUCKET`, `CODECOMMIT`, `CODEPIPELINE`, `GITHUB`, `GITHUB_ENTERPRISE`, `GITLAB`, `GITLAB_SELF_MANAGED`, `NO_SOURCE`, `S3`.

#### secondary_sources: git_submodules_config

This block is only valid when the `type` is `CODECOMMIT`, `GITHUB`, `GITHUB_ENTERPRISE`, `GITLAB`, or `GITLAB_SELF_MANAGED`.

* `fetch_submodules` - (Required) Whether to fetch Git submodules for the AWS CodeBuild build project.

#### secondary_sources: build_status_config

* `context` - (Optional) Specifies the context of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.
* `target_url` - (Optional) Specifies the target URL of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.
### secondary_source_version

* `source_identifier` - (Required) An identifier for a source in the build project.
* `source_version` - (Required) The source version for the corresponding source identifier. See AWS docs for more details.

### source

* `buildspec` - (Optional) Build specification to use for this build project's related builds. This must be set when `type` is `NO_SOURCE`. Also, if a non-default buildspec file name or file path aside from the root is used, it must be specified.
* `git_clone_depth` - (Optional) Truncate git history to this many commits. Use `0` for a `Full` checkout which you need to run commands like `git branch --show-current`. See AWS CodePipeline User Guide: Tutorial: Use full clone with a GitHub pipeline source for details.
* `git_submodules_config` - (Optional) Configuration block. Detailed below.
* `insecure_ssl` - (Optional) Ignore SSL warnings when connecting to source control.
* `location` - (Optional) Location of the source code from git or s3.
* `report_build_status` - (Optional) Whether to report the status of a build's start and finish to your source provider. This option is valid only when your source provider is GitHub, GitHub Enterprise, GitLab, GitLab Self Managed, or Bitbucket.
* `build_status_config` - (Optional) Configuration block that contains information that defines how the build project reports the build status to the source provider. This option is only used when the source provider is GitHub, GitHub Enterprise, GitLab, GitLab Self Managed, or Bitbucket. `build_status_config` blocks are documented below.
* `type` - (Required) Type of repository that contains the source code to be built. Valid values: `BITBUCKET`, `CODECOMMIT`, `CODEPIPELINE`, `GITHUB`, `GITHUB_ENTERPRISE`, `GITLAB`, `GITLAB_SELF_MANAGED`, `NO_SOURCE`, `S3`.

#### source: git_submodules_config

This block is only valid when the `type` is `CODECOMMIT`, `GITHUB`, `GITHUB_ENTERPRISE`, `GITLAB`, or `GITLAB_SELF_MANAGED`.

* `fetch_submodules` - (Required) Whether to fetch Git submodules for the AWS CodeBuild build project.

#### source: build_status_config

* `context` - (Optional) Specifies the context of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.
* `target_url` - (Optional) Specifies the target URL of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.
### vpc_config

* `security_group_ids` - (Required) Security group IDs to assign to running builds.
* `subnets` - (Required) Subnet IDs within which to run builds.
* `vpc_id` - (Required) ID of the VPC within which to run builds.
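A defender-side check for the arguments above, added here as an example and not code from the Terraform AWS provider: it reads the JSON that `terraform show -json` emits for a plan and flags the settings on this page that weaken a project (`project_visibility = "PUBLIC_READ"`, `privileged_mode`, secret-looking `PLAINTEXT` environment variables, `insecure_ssl`, and disabled artifact or S3 log encryption). The `SECRET_HINTS` name heuristic and the embedded `SAMPLE_PLAN` are constructed assumptions, not real plan output.

```python
import json
import re

# Heuristic for variable names that usually carry secrets (an assumption; tune per project).
SECRET_HINTS = re.compile(r"SECRET|TOKEN|PASSW|API_KEY|PRIVATE_KEY", re.I)


def iter_resources(module):
    """Yield each resource in a plan module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def audit_project(values):
    """Return (argument, message) findings for one aws_codebuild_project's planned values."""
    f = []
    if values.get("project_visibility") == "PUBLIC_READ":
        f.append(("project_visibility", "build logs and artifacts are publicly readable"))
    for env in values.get("environment") or []:
        if env.get("privileged_mode"):
            f.append(("environment.privileged_mode", "Docker daemon runs privileged in the build"))
        for var in env.get("environment_variable") or []:
            # type defaults to PLAINTEXT; PARAMETER_STORE / SECRETS_MANAGER resolve at build time
            if (var.get("type") or "PLAINTEXT") == "PLAINTEXT" and SECRET_HINTS.search(var.get("name", "")):
                f.append((f"environment_variable.{var['name']}",
                          "secret-looking value as PLAINTEXT; use PARAMETER_STORE or SECRETS_MANAGER"))
    for src in (values.get("source") or []) + (values.get("secondary_sources") or []):
        if src.get("insecure_ssl"):
            f.append(("source.insecure_ssl", "TLS verification disabled for source checkout"))
    for art in (values.get("artifacts") or []) + (values.get("secondary_artifacts") or []):
        if art.get("encryption_disabled") and art.get("type") != "NO_ARTIFACTS":
            f.append(("artifacts.encryption_disabled", "output artifacts written unencrypted"))
    for logs in values.get("logs_config") or []:
        for s3 in logs.get("s3_logs") or []:
            if s3.get("status") == "ENABLED" and s3.get("encryption_disabled"):
                f.append(("logs_config.s3_logs.encryption_disabled", "S3 build logs written unencrypted"))
    return f


def audit_plan(plan):
    """Map each aws_codebuild_project address in `terraform show -json` output to its findings."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return {r["address"]: audit_project(r.get("values") or {})
            for r in iter_resources(root) if r.get("type") == "aws_codebuild_project"}


# Constructed sample plan (not real output): one project like the page's example, one weakened.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_codebuild_project.example", "type": "aws_codebuild_project", "values": {
        "project_visibility": "PRIVATE",
        "environment": [{"privileged_mode": False, "environment_variable": [
            {"name": "SOME_KEY1", "value": "SOME_VALUE1", "type": "PLAINTEXT"},
            {"name": "SOME_KEY2", "value": "SOME_VALUE2", "type": "PARAMETER_STORE"}]}],
        "source": [{"type": "GITHUB", "insecure_ssl": False}],
        "artifacts": [{"type": "NO_ARTIFACTS", "encryption_disabled": False}]}},
    {"address": "aws_codebuild_project.weak", "type": "aws_codebuild_project", "values": {
        "project_visibility": "PUBLIC_READ",
        "environment": [{"privileged_mode": True, "environment_variable": [
            {"name": "NPM_TOKEN", "value": "<placeholder>", "type": "PLAINTEXT"}]}],
        "source": [{"type": "GITHUB", "insecure_ssl": True}],
        "artifacts": [{"type": "S3", "encryption_disabled": True}],
        "logs_config": [{"s3_logs": [{"status": "ENABLED", "encryption_disabled": True}]}]}}]}}}

if __name__ == "__main__":
    # Real use: audit_plan(json.load(open("plan.json")))  after `terraform show -json plan.out > plan.json`
    for address, findings in audit_plan(SAMPLE_PLAN).items():
        print(address, findings or "OK")
```

Run it as a pre-apply gate in CI and fail the pipeline when any project returns a non-empty findings list.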
## Attribute Reference

This resource exports the following attributes in addition to the arguments above:

* `arn` - ARN of the CodeBuild project.
* `badge_url` - URL of the build badge when `badge_enabled` is enabled.
* `id` - Name (if imported via `name`) or ARN (if created via Terraform or imported via ARN) of the CodeBuild project.
* `public_project_alias` - The project identifier used with the public build APIs.
* `tags_all` - A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
## Import

In Terraform v1.5.0 and later, use an `import` block to import CodeBuild Project using the `name`. For example:

```terraform
import {
  to = aws_codebuild_project.name
  id = "project-name"
}
```

Using `terraform import`, import CodeBuild Project using the `name`. For example:

```console
% terraform import aws_codebuild_project.name project-name
```