
AWS::CodeBuild::Project

  • Build service for Continuous Integration (CI)
  • Similar to Jenkins
  • Actions
  • Compiles source code
  • Runs tests
  • Creates artifacts
  • The actions executed by CodeBuild are defined by the buildspec.yaml file in the root directory of the target git repository

Properties

Type: AWS::CodeBuild::Project
Properties:
  Artifacts:
    Artifacts
  BadgeEnabled: Boolean
  BuildBatchConfig:
    ProjectBuildBatchConfig
  Cache:
    ProjectCache
  ConcurrentBuildLimit: Integer
  Description: String
  EncryptionKey: String
  Environment:
    Environment
  FileSystemLocations:
    - ProjectFileSystemLocation
  LogsConfig:
    LogsConfig
  Name: String
  QueuedTimeoutInMinutes: Integer
  ResourceAccessRole: String
  SecondaryArtifacts:
    - Artifacts
  SecondarySources:
    - Source
  SecondarySourceVersions:
    - ProjectSourceVersion
  ServiceRole: String
  Source:
    Source
  SourceVersion: String
  Tags:
    - Tag
  TimeoutInMinutes: Integer
  Triggers:
    ProjectTriggers
  Visibility: String
  VpcConfig:
    VpcConfig

Source

  • Source code settings for the project, such as the source code's repository type and location.
  • Supported source types:
  • BITBUCKET
  • CODECOMMIT
  • CODEPIPELINE
  • GITHUB
  • GITHUB_ENTERPRISE
  • GITLAB
  • GITLAB_SELF_MANAGED
  • NO_SOURCE
  • S3

Environment

  • The code is built in a build environment in which all the necessary build tools are available

Triggers

  • Specifies webhooks that trigger an AWS CodeBuild build
  • Examples: based on push events to the main branch
  • Can also be triggered manually

Artifacts

  • Specifies output settings for artifacts generated by an AWS CodeBuild build.

LogsConfig

  • A project can create logs in CloudWatch Logs, an S3 bucket, or both.

ServiceRole

  • This is the IAM Role that grants permissions to CodeBuild to modify AWS resources
  • This Role is usually automatically created as part of the CodeBuild project creation
// trust-policy.json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

EKS

  • In order to allow CodeBuild to apply manifests to the Kubernetes API, we create a separate role that is assumed by CodeBuild only in the deploy step
  • This role allows:
  • Listing EKS clusters directly
  • Impersonating a Kubernetes entity: the "build" user in the system:masters group, which allows it to do anything in the cluster
// trust-policy.json
// Principal arn:aws:iam::123456789012:root is not a good practice! It is too broad: any IAM principal in the account that is permitted sts:AssumeRole can assume this role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
# Create the role to be assumed by CodeBuild
aws iam create-role \
  --role-name MyEksRole \
  --assume-role-policy-document file://trust-policy.json
// policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eks:Describe*",
      "Resource": "*"
    }
  ]
}
# Add inline policy to the role
aws iam put-role-policy \
  --role-name MyEksRole \
  --policy-name eks-describe \
  --policy-document file://policy.json
  • After creating the role you need to associate the IAM role with a Kubernetes entity
  • aws-auth ConfigMap

    • Patch cm/aws-auth in kube-system so that the new IAM role is mapped to the Kubernetes user "build" in the system:masters group (see the mapRoles entry below)
    • CodeBuild is then authenticated as the "build" user when it runs kubectl with this role
  • EKS Access Entry

    • Instead of patching the aws-auth ConfigMap you can also create an access entry in the EKS API
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/eksctl-foo-nodegroup-bar-NodeInstanceRole-u4CxYVzWNTmG
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::123456789012:role/EksCodeBuildKubectlRole
      username: build
      groups:
        - system:masters
  • And then finally you need to make this role assumable by CodeBuild's original role by adding an AssumeRole policy to CodeBuild's original role
// policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::307096125112:role/foo"
    }
  ]
}
aws iam put-role-policy \
  --role-name CodeBuildRole \
  --policy-name assume-eks-role \
  --policy-document file://policy.json
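As an added check that is not part of the original notes: a small Python script that audits the EKS role's trust policy for account-wide principals (such as the root ARN used above) and rewrites it to trust only the CodeBuild service role. The CodeBuild role ARN is an assumed value built from the CodeBuildRole name used above.

```python
import copy
import json

# Constructed copy of the EKS role's trust policy from the notes above: it trusts
# the account root, so every principal in the account that holds sts:AssumeRole
# on this role may assume it, not only the CodeBuild service role.
BROAD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Assumed ARN of the CodeBuild service role (CodeBuildRole in the notes above).
CODEBUILD_ROLE_ARN = "arn:aws:iam::123456789012:role/CodeBuildRole"


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return (statement index, principal, reason) for every Allow statement
    whose principal is broader than a named IAM role or user."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append((i, "*", "anonymous principal"))
            continue
        if not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or arn.endswith(":root"):
                findings.append((i, arn, "account-wide principal"))
    return findings


def scope_trust_policy(policy, role_arns):
    """Return a copy where every Allow statement trusts only the given role ARNs."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if stmt.get("Effect") == "Allow":
            stmt["Principal"] = {"AWS": list(role_arns)}
    return scoped


if __name__ == "__main__":
    for idx, arn, why in audit_trust_policy(BROAD_TRUST_POLICY):
        print(f"statement {idx}: {arn} ({why})")
    print(json.dumps(scope_trust_policy(BROAD_TRUST_POLICY, [CODEBUILD_ROLE_ARN]), indent=2))
```

The scoped output can be written to trust-policy.json and fed to the `aws iam create-role` call shown above in place of the root principal.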

ECR

  • Grant CodeBuild full access to ECR
aws iam attach-role-policy \
  --role-name MyCodeBuildRole \
  --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerRegistryFullAccess"