AWS CodeBuild Project
This page shows how to write Terraform and CloudFormation for CodeBuild Project and write them securely.
aws_codebuild_project (Terraform)
The Project in CodeBuild can be configured in Terraform with the resource name aws_codebuild_project. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_codebuild_project" "my_project_noUsage" {
  name         = "test-project-cache"
  description  = "test_codebuild_project_cache"
  service_role = ""

resource "aws_codebuild_project" "allowed" {
  artifacts {
    type = "NO_ARTIFACTS"
  }
}

resource "aws_codebuild_project" "denied" {
  artifacts {
    type                = "S3"
    encryption_disabled = true
  }
}

resource "aws_codebuild_project" "tf-plan" {
  name         = "tf-cicd-plan2"
  description  = "Plan stage for terraform"
  service_role = aws_iam_role.tf-codebuild-role.arn
  artifacts {
Security Best Practices for aws_codebuild_project
There is 1 setting in aws_codebuild_project that should be taken care of for security reasons. The following section explains it and gives example code.
Ensure encryption of CodeBuild artifacts is enabled
Protect CodeBuild project artifacts with encryption: leave encryption_disabled unset or set to false in the artifacts block. Setting encryption_disabled = true on S3 artifacts, as in the "denied" example above, writes build output to the bucket unencrypted and is the configuration this check flags.
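The weak setting beside the corrected one, as an added example that is not taken from the GitHub sources this page cites. The IAM role, KMS key, bucket names and repository URL are placeholders, and the encryption_key and s3_logs settings shown are the page's own parameters applied to the same project.

```hcl
# Added example, not from the page's GitHub sources; role, bucket and KMS
# key references are placeholders. Weak: S3 artifacts with encryption off.
resource "aws_codebuild_project" "artifacts_unencrypted" {
  name         = "example-unencrypted"
  service_role = aws_iam_role.codebuild.arn # assumed IAM role resource
  artifacts {
    type                = "S3"
    location            = "example-artifact-bucket" # placeholder bucket
    encryption_disabled = true # the setting this best practice flags
  }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:5.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type     = "GITHUB"
    location = "https://github.com/example-org/example-repo.git" # placeholder
  }
}

# Hardened: encryption stays on (encryption_disabled defaults to false), a
# customer-managed KMS key is set, and S3 build logs are encrypted as well.
resource "aws_codebuild_project" "artifacts_encrypted" {
  name           = "example-encrypted"
  service_role   = aws_iam_role.codebuild.arn # assumed IAM role resource
  encryption_key = aws_kms_key.artifacts.arn  # assumed KMS key resource
  artifacts {
    type                = "S3"
    location            = "example-artifact-bucket" # placeholder bucket
    encryption_disabled = false
  }
  logs_config {
    s3_logs {
      status              = "ENABLED"
      location            = "example-log-bucket/codebuild" # placeholder
      encryption_disabled = false
    }
  }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:5.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type     = "GITHUB"
    location = "https://github.com/example-org/example-repo.git" # placeholder
  }
}
```

Running terraform validate on the hardened project passes; a policy check for this best practice should flag only the first resource.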
Parameters
- arn: optional, computed - string
- badge_enabled: optional - bool
- badge_url: optional, computed - string
- build_timeout: optional - number
- description: optional, computed - string
- encryption_key: optional, computed - string
- id: optional, computed - string
- name: required - string
- queued_timeout: optional - number
- service_role: required - string
- source_version: optional - string
- tags: optional - map from string to string
- artifacts (list block)
  - artifact_identifier: optional - string
  - encryption_disabled: optional - bool
  - location: optional - string
  - name: optional - string
  - namespace_type: optional - string
  - override_artifact_name: optional - bool
  - packaging: optional - string
  - path: optional - string
  - type: required - string
- cache (list block)
- environment (list block)
  - certificate: optional - string
  - compute_type: required - string
  - image: required - string
  - image_pull_credentials_type: optional - string
  - privileged_mode: optional - bool
  - type: required - string
  - environment_variable (list block)
  - registry_credential (list block)
    - credential: required - string
    - credential_provider: required - string
- logs_config (list block)
  - cloudwatch_logs (list block)
    - group_name: optional - string
    - status: optional - string
    - stream_name: optional - string
  - s3_logs (list block)
    - encryption_disabled: optional - bool
    - location: optional - string
    - status: optional - string
- secondary_artifacts (set block)
  - artifact_identifier: required - string
  - encryption_disabled: optional - bool
  - location: optional - string
  - name: optional - string
  - namespace_type: optional - string
  - override_artifact_name: optional - bool
  - packaging: optional - string
  - path: optional - string
  - type: required - string
- secondary_sources (set block)
  - buildspec: optional - string
  - git_clone_depth: optional - number
  - insecure_ssl: optional - bool
  - location: optional - string
  - report_build_status: optional - bool
  - source_identifier: required - string
  - type: required - string
  - auth (list block)
  - git_submodules_config (list block)
    - fetch_submodules: required - bool
- source (list block)
  - buildspec: optional - string
  - git_clone_depth: optional - number
  - insecure_ssl: optional - bool
  - location: optional - string
  - report_build_status: optional - bool
  - type: required - string
  - auth (list block)
  - git_submodules_config (list block)
    - fetch_submodules: required - bool
- vpc_config (list block)
  - security_group_ids: required - set of string
  - subnets: required - set of string
  - vpc_id: required - string
Explanation in Terraform Registry
Provides a CodeBuild Project resource. See also the aws_codebuild_webhook resource, which manages the webhook to the source (e.g., the "rebuild every time a code change is pushed" option in the CodeBuild web console).
AWS::CodeBuild::Project (CloudFormation)
The Project in CodeBuild can be configured in CloudFormation with the resource name AWS::CodeBuild::Project. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
- Description: optional - String
- ResourceAccessRole: optional - String
- VpcConfig: optional - VpcConfig
- SecondarySources: optional - List of Source
- EncryptionKey: optional - String
- SourceVersion: optional - String
- Triggers: optional - ProjectTriggers
- SecondaryArtifacts: optional - List of Artifacts
- Source: required - Source
- Name: optional - String
- Artifacts: required - Artifacts
- BadgeEnabled: optional - Boolean
- LogsConfig: optional - LogsConfig
- ServiceRole: required - String
- QueuedTimeoutInMinutes: optional - Integer
- FileSystemLocations: optional - List of ProjectFileSystemLocation
- Environment: required - Environment
- SecondarySourceVersions: optional - List of ProjectSourceVersion
- ConcurrentBuildLimit: optional - Integer
- Visibility: optional - String
- BuildBatchConfig: optional - ProjectBuildBatchConfig
- Tags: optional - List of Tag
- TimeoutInMinutes: optional - Integer
- Cache: optional - ProjectCache
Explanation in CloudFormation Registry
The AWS::CodeBuild::Project resource configures how AWS CodeBuild builds your source code. For example, it tells CodeBuild where to get the source code and which build environment to use.
Frequently asked questions
What is AWS CodeBuild Project?
AWS CodeBuild Project is a resource for CodeBuild of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS CodeBuild Project?
For Terraform, the gilyas/infracost and snyk-labs/infrastructure-as-code-goof source code examples are useful. See the Terraform Example section for further details.