
Resource: awsCodebuildProject

Provides a CodeBuild Project resource. See also the awsCodebuildWebhook resource, which manages the webhook to the source (e.g., the "rebuild every time a code change is pushed" option in the CodeBuild web console).

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "example",
});
const awsS3BucketAclExample = new aws.s3BucketAcl.S3BucketAcl(
  this,
  "example_1",
  {
    acl: "private",
    bucket: awsS3BucketExample.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketAclExample.overrideLogicalId("example");
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["codebuild.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const dataAwsIamPolicyDocumentExample =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "example_3", {
    statement: [
      {
        actions: [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
        ],
        effect: "Allow",
        resources: ["*"],
      },
      {
        actions: [
          "ec2:CreateNetworkInterface",
          "ec2:DescribeDhcpOptions",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DeleteNetworkInterface",
          "ec2:DescribeSubnets",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeVpcs",
        ],
        effect: "Allow",
        resources: ["*"],
      },
      {
        actions: ["ec2:CreateNetworkInterfacePermission"],
        condition: [
          {
            test: "StringEquals",
            values: [
              "${aws_subnet.example1.arn}",
              "${aws_subnet.example2.arn}",
            ],
            variable: "ec2:Subnet",
          },
          {
            test: "StringEquals",
            values: ["codebuild.amazonaws.com"],
            variable: "ec2:AuthorizedService",
          },
        ],
        effect: "Allow",
        resources: ["arn:aws:ec2:us-east-1:123456789012:network-interface/*"],
      },
      {
        actions: ["s3:*"],
        effect: "Allow",
        resources: [awsS3BucketExample.arn, `\${${awsS3BucketExample.arn}}/*`],
      },
    ],
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsIamPolicyDocumentExample.overrideLogicalId("example");
const awsIamRoleExample = new aws.iamRole.IamRole(this, "example_4", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "example",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRoleExample.overrideLogicalId("example");
const awsIamRolePolicyExample = new aws.iamRolePolicy.IamRolePolicy(
  this,
  "example_5",
  {
    policy: dataAwsIamPolicyDocumentExample.json,
    role: awsIamRoleExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyExample.overrideLogicalId("example");
const awsCodebuildProjectExample = new aws.codebuildProject.CodebuildProject(
  this,
  "example_6",
  {
    artifacts: {
      type: "NO_ARTIFACTS",
    },
    buildTimeout: 5,
    cache: {
      location: awsS3BucketExample.bucket,
      type: "S3",
    },
    description: "test_codebuild_project",
    environment: {
      computeType: "BUILD_GENERAL1_SMALL",
      environmentVariable: [
        {
          name: "SOME_KEY1",
          value: "SOME_VALUE1",
        },
        {
          name: "SOME_KEY2",
          type: "PARAMETER_STORE",
          value: "SOME_VALUE2",
        },
      ],
      image: "aws/codebuild/standard:1.0",
      imagePullCredentialsType: "CODEBUILD",
      type: "LINUX_CONTAINER",
    },
    logsConfig: {
      cloudwatchLogs: {
        groupName: "log-group",
        streamName: "log-stream",
      },
      s3Logs: {
        location: `\${${awsS3BucketExample.id}}/build-log`,
        status: "ENABLED",
      },
    },
    name: "test-project",
    serviceRole: awsIamRoleExample.arn,
    source: {
      gitCloneDepth: 1,
      gitSubmodulesConfig: {
        fetchSubmodules: true,
      },
      location: "https://github.com/mitchellh/packer.git",
      type: "GITHUB",
    },
    sourceVersion: "master",
    tags: {
      Environment: "Test",
    },
    vpcConfig: {
      securityGroupIds: [
        "${aws_security_group.example1.id}",
        "${aws_security_group.example2.id}",
      ],
      subnets: ["${aws_subnet.example1.id}", "${aws_subnet.example2.id}"],
      vpcId: "${aws_vpc.example.id}",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsCodebuildProjectExample.overrideLogicalId("example");
new aws.codebuildProject.CodebuildProject(this, "project-with-cache", {
  artifacts: {
    type: "NO_ARTIFACTS",
  },
  buildTimeout: 5,
  cache: {
    modes: ["LOCAL_DOCKER_LAYER_CACHE", "LOCAL_SOURCE_CACHE"],
    type: "LOCAL",
  },
  description: "test_codebuild_project_cache",
  environment: {
    computeType: "BUILD_GENERAL1_SMALL",
    environmentVariable: [
      {
        name: "SOME_KEY1",
        value: "SOME_VALUE1",
      },
    ],
    image: "aws/codebuild/standard:1.0",
    imagePullCredentialsType: "CODEBUILD",
    type: "LINUX_CONTAINER",
  },
  name: "test-project-cache",
  queuedTimeout: 5,
  serviceRole: awsIamRoleExample.arn,
  source: {
    gitCloneDepth: 1,
    location: "https://github.com/mitchellh/packer.git",
    type: "GITHUB",
  },
  tags: {
    Environment: "Test",
  },
});
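The service role policy in the example above grants `logs:*` actions on every log group in the account and `s3:*` on the bucket. The following is an added example, not code from the provider documentation or from the page's own configuration: it builds the same policy document with each statement scoped to the one log group, the one bucket and the build subnets the project actually uses. The S3 action list and the region, account and subnet values are constructed assumptions; the output of `codebuildServiceRolePolicy` can be passed through `JSON.stringify` as the `policy` of the `IamRolePolicy` resource.

```typescript
// Added example, not from the provider docs or the page's own configuration.
// Builds the CodeBuild service role policy with resource-scoped statements
// instead of the "*" resources and s3:* used in the example above.

interface Statement {
  Sid: string;
  Effect: "Allow";
  Action: string[];
  Resource: string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }

interface ProjectScope {
  region: string;
  accountId: string;
  logGroupName: string;       // cloudwatchLogs.groupName of the project
  bucketArn: string;          // bucket used for the S3 cache and s3Logs
  buildSubnetArns?: string[]; // subnets from vpcConfig, when builds run inside a VPC
}

export function codebuildServiceRolePolicy(scope: ProjectScope): PolicyDocument {
  const logGroupArn = `arn:aws:logs:${scope.region}:${scope.accountId}:log-group:${scope.logGroupName}`;
  const statements: Statement[] = [
    {
      Sid: "WriteBuildLogs",
      Effect: "Allow",
      Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      // Only this project's log group and its streams, not every log group in the account.
      Resource: [logGroupArn, `${logGroupArn}:*`],
    },
    {
      Sid: "CacheAndLogBucket",
      Effect: "Allow",
      // Assumed minimal set for the S3 cache and s3Logs; no s3:*, no delete, no policy/ACL changes.
      Action: ["s3:GetObject", "s3:PutObject", "s3:GetBucketAcl", "s3:GetBucketLocation"],
      Resource: [scope.bucketArn, `${scope.bucketArn}/*`],
    },
  ];
  if (scope.buildSubnetArns && scope.buildSubnetArns.length > 0) {
    statements.push(
      {
        Sid: "ManageBuildEni",
        Effect: "Allow",
        // Several of these ec2 Describe* calls do not support resource-level
        // permissions, so this statement keeps "*" exactly as the example above does.
        Action: [
          "ec2:CreateNetworkInterface",
          "ec2:DescribeDhcpOptions",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DeleteNetworkInterface",
          "ec2:DescribeSubnets",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeVpcs",
        ],
        Resource: ["*"],
      },
      {
        Sid: "EniPermissionOnlyInBuildSubnets",
        Effect: "Allow",
        Action: ["ec2:CreateNetworkInterfacePermission"],
        Resource: [`arn:aws:ec2:${scope.region}:${scope.accountId}:network-interface/*`],
        // Same two conditions as the example: only the build subnets, only on behalf of CodeBuild.
        Condition: {
          StringEquals: {
            "ec2:Subnet": scope.buildSubnetArns,
            "ec2:AuthorizedService": "codebuild.amazonaws.com",
          },
        },
      },
    );
  }
  return { Version: "2012-10-17", Statement: statements };
}

// Constructed sample values (placeholder account, not a real one).
export const samplePolicy: PolicyDocument = codebuildServiceRolePolicy({
  region: "us-east-1",
  accountId: "123456789012",
  logGroupName: "log-group",
  bucketArn: "arn:aws:s3:::example",
  buildSubnetArns: ["arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0123456789abcdef0"],
});
```

The VPC statements are only emitted when build subnets are supplied, so a project without `vpcConfig` gets a policy with no `"*"` resources at all; that is the property worth checking in review, since the ec2 statement is the one place a wildcard remains necessary.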

Argument Reference

The following arguments are required:

  • artifacts - (Required) Configuration block. Detailed below.
  • environment - (Required) Configuration block. Detailed below.
  • name - (Required) Project's name.
  • serviceRole - (Required) Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that enables AWS CodeBuild to interact with dependent AWS services on behalf of the AWS account.
  • source - (Required) Configuration block. Detailed below.

The following arguments are optional:

  • badgeEnabled - (Optional) Generates a publicly accessible URL for the project's build badge. Available as the badgeUrl attribute when enabled.
  • buildBatchConfig - (Optional) Defines the batch build options for the project.
  • buildTimeout - (Optional) Number of minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed. The default is 60 minutes.
  • cache - (Optional) Configuration block. Detailed below.
  • concurrentBuildLimit - (Optional) Maximum number of concurrent builds for the project. The value must be greater than 0 and less than the account's concurrent running builds limit.
  • description - (Optional) Short description of the project.
  • fileSystemLocations - (Optional) A set of file system locations to mount inside the build. File system locations are documented below.
  • encryptionKey - (Optional) AWS Key Management Service (AWS KMS) customer master key (CMK) to be used for encrypting the build project's build output artifacts.
  • logsConfig - (Optional) Configuration block. Detailed below.
  • projectVisibility - (Optional) Specifies the visibility of the project's builds. Valid values: PUBLIC_READ, PRIVATE. Defaults to PRIVATE.
  • resourceAccessRole - (Optional) The ARN of the IAM role that enables CodeBuild to access the CloudWatch Logs and Amazon S3 artifacts for the project's builds.
  • queuedTimeout - (Optional) Number of minutes, from 5 to 480 (8 hours), a build is allowed to be queued before it times out. The default is 8 hours.
  • secondaryArtifacts - (Optional) Configuration block. Detailed below.
  • secondarySources - (Optional) Configuration block. Detailed below.
  • secondarySourceVersion - (Optional) Configuration block. Detailed below.
  • sourceVersion - (Optional) Version of the build input to be built for this project. If not specified, the latest version is used.
  • tags - (Optional) Map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • vpcConfig - (Optional) Configuration block. Detailed below.

artifacts

  • artifactIdentifier - (Optional) Artifact identifier. Must be the same as the one specified inside the AWS CodeBuild build specification.
  • bucketOwnerAccess - (Optional) Specifies the bucket owner's access for objects that another account uploads to their Amazon S3 bucket. By default, only the account that uploads the objects to the bucket has access to these objects. This property allows you to give the bucket owner access to these objects. Valid values are NONE, READ_ONLY, and FULL. Your CodeBuild service role must have the s3:PutBucketAcl permission, which allows CodeBuild to modify the access control list for the bucket.
  • encryptionDisabled - (Optional) Whether to disable encrypting output artifacts. If type is set to NO_ARTIFACTS, this value is ignored. Defaults to false.
  • location - (Optional) Information about the build output artifact location. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored. If type is set to S3, this is the name of the output bucket.
  • name - (Optional) Name of the project. If type is set to S3, this is the name of the output artifact object.
  • namespaceType - (Optional) Namespace to use in storing build artifacts. If type is set to S3, valid values are BUILD_ID and NONE.
  • overrideArtifactName - (Optional) Whether a name specified in the build specification overrides the artifact name.
  • packaging - (Optional) Type of build output artifact to create. If type is set to S3, valid values are NONE and ZIP.
  • path - (Optional) If type is set to S3, this is the path to the output artifact.
  • type - (Required) Build output artifact's type. Valid values: CODEPIPELINE, NO_ARTIFACTS, S3.

buildBatchConfig

  • combineArtifacts - (Optional) Specifies if the build artifacts for the batch build should be combined into a single artifact location.
  • restrictions - (Optional) Configuration block specifying the restrictions for the batch build. Detailed below.
  • serviceRole - (Required) Specifies the service role ARN for the batch build project.
  • timeoutInMins - (Optional) Specifies the maximum amount of time, in minutes, that the batch build must be completed in.

buildBatchConfig: restrictions

  • computeTypesAllowed - (Optional) An array of strings that specify the compute types that are allowed for the batch build. See Build environment compute types in the AWS CodeBuild User Guide for these values.
  • maximumBuildsAllowed - (Optional) Specifies the maximum number of builds allowed.

cache

  • location - (Required when cache type is S3) Location where the AWS CodeBuild project stores cached resources. For type S3, the value must be a valid S3 bucket name/prefix.
  • modes - (Required when cache type is LOCAL) Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL_SOURCE_CACHE, LOCAL_DOCKER_LAYER_CACHE, LOCAL_CUSTOM_CACHE.
  • type - (Optional) Type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, S3. Defaults to NO_CACHE.

environment

  • certificate - (Optional) ARN of the S3 bucket, path prefix and object key that contains the PEM-encoded certificate.
  • computeType - (Required) Information about the compute resources the build project will use. Valid values: BUILD_GENERAL1_SMALL, BUILD_GENERAL1_MEDIUM, BUILD_GENERAL1_LARGE, BUILD_GENERAL1_2XLARGE. BUILD_GENERAL1_SMALL is only valid if type is set to LINUX_CONTAINER. When type is set to LINUX_GPU_CONTAINER, computeType must be BUILD_GENERAL1_LARGE.
  • environmentVariable - (Optional) Configuration block. Detailed below.
  • imagePullCredentialsType - (Optional) Type of credentials AWS CodeBuild uses to pull images in your build. Valid values: CODEBUILD, SERVICE_ROLE. When you use a cross-account or private registry image, you must use SERVICE_ROLE credentials. When you use an AWS CodeBuild curated image, you must use CODEBUILD credentials. Defaults to CODEBUILD.
  • image - (Required) Docker image to use for this build project. Valid values include Docker images provided by CodeBuild (e.g., aws/codebuild/standard:2.0), Docker Hub images (e.g., hashicorp/terraform:latest), and full Docker repository URIs such as those for ECR (e.g., 137112412989.dkr.ecr.us-west-2.amazonaws.com/amazonlinux:latest).
  • privilegedMode - (Optional) Whether to enable running the Docker daemon inside a Docker container. Defaults to false.
  • registryCredential - (Optional) Configuration block. Detailed below.
  • type - (Required) Type of build environment to use for related builds. Valid values: LINUX_CONTAINER, LINUX_GPU_CONTAINER, WINDOWS_CONTAINER (deprecated), WINDOWS_SERVER_2019_CONTAINER, ARM_CONTAINER. For additional information, see the CodeBuild User Guide.

environment: environmentVariable

  • name - (Required) Environment variable's name or key.
  • type - (Optional) Type of environment variable. Valid values: PARAMETER_STORE, PLAINTEXT, SECRETS_MANAGER.
  • value - (Required) Environment variable's value.

environment: registryCredential

Credentials for access to a private Docker registry.

  • credential - (Required) ARN or name of credentials created using AWS Secrets Manager.
  • credentialProvider - (Required) Service that created the credentials to access a private Docker registry. Valid value: SECRETS_MANAGER (AWS Secrets Manager).

fileSystemLocations

See ProjectFileSystemLocation for more details of the fields.

  • identifier - (Optional) The name used to access a file system created by Amazon EFS. CodeBuild creates an environment variable by appending the identifier in all capital letters to CODEBUILD_. For example, if you specify my-efs for identifier, a new environment variable named CODEBUILD_MY-EFS is created.
  • location - (Optional) A string that specifies the location of the file system created by Amazon EFS. Its format is efsDnsName:/directoryPath.
  • mountOptions - (Optional) The mount options for a file system created by AWS EFS.
  • mountPoint - (Optional) The location in the container where you mount the file system.
  • type - (Optional) The type of the file system. The only supported type is EFS.

logsConfig

  • cloudwatchLogs - (Optional) Configuration block. Detailed below.
  • s3Logs - (Optional) Configuration block. Detailed below.

logsConfig: cloudwatchLogs

  • groupName - (Optional) Group name of the logs in CloudWatch Logs.
  • status - (Optional) Current status of logs in CloudWatch Logs for a build project. Valid values: ENABLED, DISABLED. Defaults to ENABLED.
  • streamName - (Optional) Stream name of the logs in CloudWatch Logs.

logsConfig: s3Logs

  • encryptionDisabled - (Optional) Whether to disable encrypting S3 logs. Defaults to false.
  • location - (Optional) Name of the S3 bucket and the path prefix for S3 logs. Must be set if status is ENABLED, otherwise it must be empty.
  • status - (Optional) Current status of logs in S3 for a build project. Valid values: ENABLED, DISABLED. Defaults to DISABLED.
  • bucketOwnerAccess - (Optional) Specifies the bucket owner's access for objects that another account uploads to their Amazon S3 bucket. By default, only the account that uploads the objects to the bucket has access to these objects. This property allows you to give the bucket owner access to these objects. Valid values are NONE, READ_ONLY, and FULL. Your CodeBuild service role must have the s3:PutBucketAcl permission, which allows CodeBuild to modify the access control list for the bucket.

secondaryArtifacts

  • artifactIdentifier - (Required) Artifact identifier. Must be the same as the one specified inside the AWS CodeBuild build specification.
  • bucketOwnerAccess - (Optional) Specifies the bucket owner's access for objects that another account uploads to their Amazon S3 bucket. By default, only the account that uploads the objects to the bucket has access to these objects. This property allows you to give the bucket owner access to these objects. Valid values are NONE, READ_ONLY, and FULL. The CodeBuild service role must have the s3:PutBucketAcl permission, which allows CodeBuild to modify the access control list for the bucket.
  • encryptionDisabled - (Optional) Whether to disable encrypting output artifacts. If type is set to NO_ARTIFACTS, this value is ignored. Defaults to false.
  • location - (Optional) Information about the build output artifact location. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored if specified. If type is set to S3, this is the name of the output bucket. If path is not specified, location can specify the path of the output artifact in the output bucket.
  • name - (Optional) Name of the project. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored if specified. If type is set to S3, this is the name of the output artifact object.
  • namespaceType - (Optional) Namespace to use in storing build artifacts. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored if specified. If type is set to S3, valid values are BUILD_ID or NONE.
  • overrideArtifactName - (Optional) Whether a name specified in the build specification overrides the artifact name.
  • packaging - (Optional) Type of build output artifact to create. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored if specified. If type is set to S3, valid values are NONE or ZIP.
  • path - (Optional) Along with namespaceType and name, the pattern that AWS CodeBuild uses to name and store the output artifact. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored if specified. If type is set to S3, this is the path to the output artifact.
  • type - (Required) Build output artifact's type. Valid values: CODEPIPELINE, NO_ARTIFACTS, and S3.

secondarySources

  • auth - (Optional, Deprecated) Configuration block with the authorization settings for AWS CodeBuild to access the source code to be built. This information is for the AWS CodeBuild console's use only. Use the awsCodebuildSourceCredential resource instead. Auth blocks are documented below.
  • buildspec - (Optional) The build spec declaration to use for this build project's related builds. This must be set when type is NO_SOURCE. It can either be a path to a file residing in the repository to be built or a local file path leveraging the file() built-in.
  • gitCloneDepth - (Optional) Truncate git history to this many commits. Use 0 for a full checkout, which you need to run commands like git branch --show-current. See AWS CodePipeline User Guide: Tutorial: Use full clone with a GitHub pipeline source for details.
  • gitSubmodulesConfig - (Optional) Configuration block. Detailed below.
  • insecureSsl - (Optional) Ignore SSL warnings when connecting to source control.
  • location - (Optional) Location of the source code from git or S3.
  • reportBuildStatus - (Optional) Whether to report the status of a build's start and finish to your source provider. This option is only valid when your source provider is GITHUB, BITBUCKET, or GITHUB_ENTERPRISE.
  • buildStatusConfig - (Optional) Configuration block that contains information that defines how the build project reports the build status to the source provider. This option is only used when the source provider is GITHUB, GITHUB_ENTERPRISE, or BITBUCKET. buildStatusConfig blocks are documented below.
  • sourceIdentifier - (Required) An identifier for this project source. The identifier can only contain alphanumeric characters and underscores, and must be less than 128 characters in length.
  • type - (Required) Type of repository that contains the source code to be built. Valid values: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB_ENTERPRISE, BITBUCKET, or S3.

secondarySources: auth

secondarySources: gitSubmodulesConfig

This block is only valid when the type is CODECOMMIT, GITHUB or GITHUB_ENTERPRISE.

  • fetchSubmodules - (Required) Whether to fetch Git submodules for the AWS CodeBuild build project.

secondarySources: buildStatusConfig

  • context - (Optional) Specifies the context of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.
  • targetUrl - (Optional) Specifies the target url of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.

secondarySourceVersion

  • sourceIdentifier - (Required) An identifier for a source in the build project.
  • sourceVersion - (Required) The source version for the corresponding source identifier. See AWS docs for more details.

source

  • auth - (Optional, Deprecated) Configuration block with the authorization settings for AWS CodeBuild to access the source code to be built. This information is for the AWS CodeBuild console's use only. Use the awsCodebuildSourceCredential resource instead. Auth blocks are documented below.
  • buildspec - (Optional) Build specification to use for this build project's related builds. This must be set when type is NO_SOURCE.
  • gitCloneDepth - (Optional) Truncate git history to this many commits. Use 0 for a full checkout, which you need to run commands like git branch --show-current. See AWS CodePipeline User Guide: Tutorial: Use full clone with a GitHub pipeline source for details.
  • gitSubmodulesConfig - (Optional) Configuration block. Detailed below.
  • insecureSsl - (Optional) Ignore SSL warnings when connecting to source control.
  • location - (Optional) Location of the source code from git or S3.
  • reportBuildStatus - (Optional) Whether to report the status of a build's start and finish to your source provider. This option is only valid when the type is BITBUCKET or GITHUB.
  • buildStatusConfig - (Optional) Configuration block that contains information that defines how the build project reports the build status to the source provider. This option is only used when the source provider is GITHUB, GITHUB_ENTERPRISE, or BITBUCKET. buildStatusConfig blocks are documented below.
  • type - (Required) Type of repository that contains the source code to be built. Valid values: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB_ENTERPRISE, BITBUCKET, S3, NO_SOURCE.

source: auth

source: gitSubmodulesConfig

This block is only valid when the type is CODECOMMIT, GITHUB or GITHUB_ENTERPRISE.

  • fetchSubmodules - (Required) Whether to fetch Git submodules for the AWS CodeBuild build project.

source: buildStatusConfig

  • context - (Optional) Specifies the context of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.
  • targetUrl - (Optional) Specifies the target url of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.

vpcConfig

  • securityGroupIds - (Required) Security group IDs to assign to running builds.
  • subnets - (Required) Subnet IDs within which to run builds.
  • vpcId - (Required) ID of the VPC within which to run builds.
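Several arguments in the reference above decide how much of a build's environment is exposed: projectVisibility, source.insecureSsl, environment.privilegedMode, the type of each environmentVariable, artifacts.encryptionDisabled and the s3Logs block. The following is an added example, not part of the provider documentation: a pre-apply lint that walks a project configuration shaped like these camelCase arguments and reports the weak settings, including the constraint that s3Logs.location must be set exactly when its status is ENABLED. The secret-name pattern, the ":latest" tag check and the sample project are constructed assumptions; treating a variable with no type as PLAINTEXT follows the provider default.

```typescript
// Added example, not part of the provider documentation: a pre-apply lint over a
// CodeBuild project configuration shaped like the camelCase arguments in this
// reference. Each finding names the argument it comes from and the safer setting.

type EnvVarType = "PLAINTEXT" | "PARAMETER_STORE" | "SECRETS_MANAGER";

interface EnvironmentVariable { name: string; value: string; type?: EnvVarType }

interface ProjectConfig {
  name: string;
  projectVisibility?: "PUBLIC_READ" | "PRIVATE";
  artifacts: { type: "CODEPIPELINE" | "NO_ARTIFACTS" | "S3"; encryptionDisabled?: boolean };
  environment: {
    image: string;
    privilegedMode?: boolean;
    imagePullCredentialsType?: "CODEBUILD" | "SERVICE_ROLE";
    environmentVariable?: EnvironmentVariable[];
  };
  logsConfig?: { s3Logs?: { status?: "ENABLED" | "DISABLED"; location?: string; encryptionDisabled?: boolean } };
  source: { type: string; location?: string; insecureSsl?: boolean };
}

export interface Finding { argument: string; message: string }

// Constructed heuristic for variable names that usually carry a credential.
const SECRET_NAME = /secret|password|passwd|token|api[_-]?key|private[_-]?key|credential/i;

export function lintProject(cfg: ProjectConfig): Finding[] {
  const findings: Finding[] = [];
  const flag = (argument: string, message: string): void => { findings.push({ argument, message }); };

  if (cfg.projectVisibility === "PUBLIC_READ") {
    flag("projectVisibility", "build logs and artifacts are readable by anyone; use PRIVATE unless the project is meant to be public");
  }
  if (cfg.source.insecureSsl) {
    flag("source.insecureSsl", "certificate errors from the source provider are ignored; remove this and fix the certificate chain instead");
  }
  const env = cfg.environment;
  if (env.privilegedMode) {
    flag("environment.privilegedMode", "build container runs privileged; keep only when the build must run the Docker daemon");
  }
  if (env.image.endsWith(":latest")) {
    flag("environment.image", "mutable tag; pin a version tag or digest so every build uses the same reviewed image");
  }
  if (env.image.startsWith("aws/codebuild/") && env.imagePullCredentialsType === "SERVICE_ROLE") {
    flag("environment.imagePullCredentialsType", "CodeBuild curated images must be pulled with CODEBUILD credentials");
  }
  for (const v of env.environmentVariable ?? []) {
    // A variable with no type is treated as PLAINTEXT (the provider default).
    if ((v.type ?? "PLAINTEXT") === "PLAINTEXT" && SECRET_NAME.test(v.name)) {
      flag(`environment.environmentVariable[${v.name}]`, "looks like a credential stored as PLAINTEXT; use PARAMETER_STORE or SECRETS_MANAGER so the value stays out of state, plan output and the console");
    }
  }
  if (cfg.artifacts.type !== "NO_ARTIFACTS" && cfg.artifacts.encryptionDisabled) {
    flag("artifacts.encryptionDisabled", "output artifacts are written unencrypted");
  }
  const s3Logs = cfg.logsConfig?.s3Logs;
  if (s3Logs?.status === "ENABLED") {
    if (!s3Logs.location) flag("logsConfig.s3Logs.location", "must be set when s3Logs status is ENABLED");
    if (s3Logs.encryptionDisabled) flag("logsConfig.s3Logs.encryptionDisabled", "build logs are written to S3 unencrypted");
  } else if (s3Logs?.location) {
    flag("logsConfig.s3Logs.location", "must be empty unless s3Logs status is ENABLED");
  }
  return findings;
}

// Constructed sample: the reference's second example project with several weak settings added.
export const weakProject: ProjectConfig = {
  name: "test-project-cache",
  projectVisibility: "PUBLIC_READ",
  artifacts: { type: "S3", encryptionDisabled: true },
  environment: {
    image: "hashicorp/terraform:latest",
    privilegedMode: true,
    environmentVariable: [
      { name: "SOME_KEY1", value: "SOME_VALUE1" },
      { name: "DB_PASSWORD", value: "hunter2" },
      { name: "API_TOKEN", type: "SECRETS_MANAGER", value: "prod/api/token" },
    ],
  },
  logsConfig: { s3Logs: { status: "ENABLED", encryptionDisabled: true } },
  source: { type: "GITHUB", location: "https://github.com/example/repo.git", insecureSsl: true },
};

export const weakFindings: Finding[] = lintProject(weakProject);
```

Running the lint on the sample project yields eight findings; the SECRETS_MANAGER variable is deliberately left alone because its value is only a secret reference, which is the point of that variable type. A project using NO_ARTIFACTS, a pinned curated image and PARAMETER_STORE for its credential-looking variables produces no findings.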

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - ARN of the CodeBuild project.
  • badgeUrl - URL of the build badge when badgeEnabled is enabled.
  • id - Name (if imported via name) or ARN (if created via Terraform or imported via ARN) of the CodeBuild project.
  • publicProjectAlias - The project identifier used with the public build APIs.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

CodeBuild Project can be imported using the name, e.g.,

$ terraform import aws_codebuild_project.name project-name