Resource: awsCodebuildProject
Provides a CodeBuild Project resource. See also the awsCodebuildWebhook
resource, which manages the webhook to the source (e.g., the "rebuild every time a code change is pushed" option in the CodeBuild web console).
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "example",
});
const awsS3BucketAclExample = new aws.s3BucketAcl.S3BucketAcl(
  this,
  "example_1",
  {
    acl: "private",
    bucket: awsS3BucketExample.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketAclExample.overrideLogicalId("example");
/*Trust policy: lets the CodeBuild service assume the role.*/
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["codebuild.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
/*Permissions for the build: CloudWatch Logs, VPC networking, and the cache/log bucket.*/
const dataAwsIamPolicyDocumentExample =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "example_3", {
    statement: [
      {
        actions: [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
        ],
        effect: "Allow",
        resources: ["*"],
      },
      {
        actions: [
          "ec2:CreateNetworkInterface",
          "ec2:DescribeDhcpOptions",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DeleteNetworkInterface",
          "ec2:DescribeSubnets",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeVpcs",
        ],
        effect: "Allow",
        resources: ["*"],
      },
      {
        actions: ["ec2:CreateNetworkInterfacePermission"],
        condition: [
          {
            test: "StringEquals",
            values: [
              "${aws_subnet.example1.arn}",
              "${aws_subnet.example2.arn}",
            ],
            variable: "ec2:Subnet",
          },
          {
            test: "StringEquals",
            values: ["codebuild.amazonaws.com"],
            variable: "ec2:AuthorizedService",
          },
        ],
        effect: "Allow",
        resources: ["arn:aws:ec2:us-east-1:123456789012:network-interface/*"],
      },
      {
        actions: ["s3:*"],
        effect: "Allow",
        /*The bucket itself and every object in it.*/
        resources: [awsS3BucketExample.arn, `${awsS3BucketExample.arn}/*`],
      },
    ],
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsIamPolicyDocumentExample.overrideLogicalId("example");
const awsIamRoleExample = new aws.iamRole.IamRole(this, "example_4", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "example",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRoleExample.overrideLogicalId("example");
const awsIamRolePolicyExample = new aws.iamRolePolicy.IamRolePolicy(
  this,
  "example_5",
  {
    policy: dataAwsIamPolicyDocumentExample.json,
    role: awsIamRoleExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyExample.overrideLogicalId("example");
const awsCodebuildProjectExample = new aws.codebuildProject.CodebuildProject(
  this,
  "example_6",
  {
    artifacts: {
      type: "NO_ARTIFACTS",
    },
    buildTimeout: 5,
    cache: {
      location: awsS3BucketExample.bucket,
      type: "S3",
    },
    description: "test_codebuild_project",
    environment: {
      computeType: "BUILD_GENERAL1_SMALL",
      environmentVariable: [
        {
          name: "SOME_KEY1",
          value: "SOME_VALUE1",
        },
        {
          name: "SOME_KEY2",
          type: "PARAMETER_STORE",
          value: "SOME_VALUE2",
        },
      ],
      image: "aws/codebuild/standard:1.0",
      imagePullCredentialsType: "CODEBUILD",
      type: "LINUX_CONTAINER",
    },
    logsConfig: {
      cloudwatchLogs: {
        groupName: "log-group",
        streamName: "log-stream",
      },
      s3Logs: {
        location: `${awsS3BucketExample.id}/build-log`,
        status: "ENABLED",
      },
    },
    name: "test-project",
    serviceRole: awsIamRoleExample.arn,
    source: {
      gitCloneDepth: 1,
      gitSubmodulesConfig: {
        fetchSubmodules: true,
      },
      location: "https://github.com/mitchellh/packer.git",
      type: "GITHUB",
    },
    sourceVersion: "master",
    tags: {
      Environment: "Test",
    },
    vpcConfig: {
      securityGroupIds: [
        "${aws_security_group.example1.id}",
        "${aws_security_group.example2.id}",
      ],
      subnets: ["${aws_subnet.example1.id}", "${aws_subnet.example2.id}"],
      vpcId: "${aws_vpc.example.id}",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsCodebuildProjectExample.overrideLogicalId("example");
/*Second project: same role, local Docker layer and source caching instead of S3.*/
new aws.codebuildProject.CodebuildProject(this, "project-with-cache", {
  artifacts: {
    type: "NO_ARTIFACTS",
  },
  buildTimeout: 5,
  cache: {
    modes: ["LOCAL_DOCKER_LAYER_CACHE", "LOCAL_SOURCE_CACHE"],
    type: "LOCAL",
  },
  description: "test_codebuild_project_cache",
  environment: {
    computeType: "BUILD_GENERAL1_SMALL",
    environmentVariable: [
      {
        name: "SOME_KEY1",
        value: "SOME_VALUE1",
      },
    ],
    image: "aws/codebuild/standard:1.0",
    imagePullCredentialsType: "CODEBUILD",
    type: "LINUX_CONTAINER",
  },
  name: "test-project-cache",
  queuedTimeout: 5,
  serviceRole: awsIamRoleExample.arn,
  source: {
    gitCloneDepth: 1,
    location: "https://github.com/mitchellh/packer.git",
    type: "GITHUB",
  },
  tags: {
    Environment: "Test",
  },
});
Argument Reference
The following arguments are required:
artifacts - (Required) Configuration block. Detailed below.
environment - (Required) Configuration block. Detailed below.
name - (Required) Project's name.
serviceRole - (Required) Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that enables AWS CodeBuild to interact with dependent AWS services on behalf of the AWS account.
source - (Required) Configuration block. Detailed below.
The following arguments are optional:
badgeEnabled - (Optional) Generates a publicly-accessible URL for the project's build badge. Available as the badgeUrl attribute when enabled.
buildBatchConfig - (Optional) Defines the batch build options for the project.
buildTimeout - (Optional) Number of minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed. The default is 60 minutes.
cache - (Optional) Configuration block. Detailed below.
concurrentBuildLimit - (Optional) Specify a maximum number of concurrent builds for the project. The value specified must be greater than 0 and less than the account concurrent running builds limit.
description - (Optional) Short description of the project.
fileSystemLocations - (Optional) A set of file system locations to mount inside the build. File system locations are documented below.
encryptionKey - (Optional) AWS Key Management Service (AWS KMS) customer master key (CMK) to be used for encrypting the build project's build output artifacts.
logsConfig - (Optional) Configuration block. Detailed below.
projectVisibility - (Optional) Specifies the visibility of the project's builds. Possible values are: PUBLIC_READ and PRIVATE. Default value is PRIVATE.
resourceAccessRole - The ARN of the IAM role that enables CodeBuild to access the CloudWatch Logs and Amazon S3 artifacts for the project's builds.
queuedTimeout - (Optional) Number of minutes, from 5 to 480 (8 hours), a build is allowed to be queued before it times out. The default is 8 hours.
secondaryArtifacts - (Optional) Configuration block. Detailed below.
secondarySources - (Optional) Configuration block. Detailed below.
secondarySourceVersion - (Optional) Configuration block. Detailed below.
sourceVersion - (Optional) Version of the build input to be built for this project. If not specified, the latest version is used.
tags - (Optional) Map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
vpcConfig - (Optional) Configuration block. Detailed below.
artifacts
artifactIdentifier - (Optional) Artifact identifier. Must be the same specified inside the AWS CodeBuild build specification.
bucketOwnerAccess - (Optional) Specifies the bucket owner's access for objects that another account uploads to their Amazon S3 bucket. By default, only the account that uploads the objects to the bucket has access to these objects. This property allows you to give the bucket owner access to these objects. Valid values are NONE, READ_ONLY, and FULL. Your CodeBuild service role must have the s3:PutBucketAcl permission. This permission allows CodeBuild to modify the access control list for the bucket.
encryptionDisabled - (Optional) Whether to disable encrypting output artifacts. If type is set to NO_ARTIFACTS, this value is ignored. Defaults to false.
location - (Optional) Information about the build output artifact location. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored. If type is set to S3, this is the name of the output bucket.
name - (Optional) Name of the project. If type is set to S3, this is the name of the output artifact object.
namespaceType - (Optional) Namespace to use in storing build artifacts. If type is set to S3, then valid values are BUILD_ID, NONE.
overrideArtifactName - (Optional) Whether a name specified in the build specification overrides the artifact name.
packaging - (Optional) Type of build output artifact to create. If type is set to S3, valid values are NONE, ZIP.
path - (Optional) If type is set to S3, this is the path to the output artifact.
type - (Required) Build output artifact's type. Valid values: CODEPIPELINE, NO_ARTIFACTS, S3.
buildBatchConfig
combineArtifacts - (Optional) Specifies if the build artifacts for the batch build should be combined into a single artifact location.
restrictions - (Optional) Configuration block specifying the restrictions for the batch build. Detailed below.
serviceRole - (Required) Specifies the service role ARN for the batch build project.
timeoutInMins - (Optional) Specifies the maximum amount of time, in minutes, that the batch build must be completed in.
buildBatchConfig: restrictions
computeTypesAllowed - (Optional) An array of strings that specify the compute types that are allowed for the batch build. See Build environment compute types in the AWS CodeBuild User Guide for these values.
maximumBuildsAllowed - (Optional) Specifies the maximum number of builds allowed.
cache
location - (Required when cache type is S3) Location where the AWS CodeBuild project stores cached resources. For type S3, the value must be a valid S3 bucket name/prefix.
modes - (Required when cache type is LOCAL) Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL_SOURCE_CACHE, LOCAL_DOCKER_LAYER_CACHE, LOCAL_CUSTOM_CACHE.
type - (Optional) Type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, S3. Defaults to NO_CACHE.
environment
certificate - (Optional) ARN of the S3 bucket, path prefix and object key that contains the PEM-encoded certificate.
computeType - (Required) Information about the compute resources the build project will use. Valid values: BUILD_GENERAL1_SMALL, BUILD_GENERAL1_MEDIUM, BUILD_GENERAL1_LARGE, BUILD_GENERAL1_2XLARGE. BUILD_GENERAL1_SMALL is only valid if type is set to LINUX_CONTAINER. When type is set to LINUX_GPU_CONTAINER, computeType must be BUILD_GENERAL1_LARGE.
environmentVariable - (Optional) Configuration block. Detailed below.
imagePullCredentialsType - (Optional) Type of credentials AWS CodeBuild uses to pull images in your build. Valid values: CODEBUILD, SERVICE_ROLE. When you use a cross-account or private registry image, you must use SERVICE_ROLE credentials. When you use an AWS CodeBuild curated image, you must use CODEBUILD credentials. Defaults to CODEBUILD.
image - (Required) Docker image to use for this build project. Valid values include Docker images provided by CodeBuild (e.g., aws/codebuild/standard:2.0), Docker Hub images (e.g., hashicorp/terraform:latest), and full Docker repository URIs such as those for ECR (e.g., 137112412989.dkr.ecr.us-west-2.amazonaws.com/amazonlinux:latest).
privilegedMode - (Optional) Whether to enable running the Docker daemon inside a Docker container. Defaults to false.
registryCredential - (Optional) Configuration block. Detailed below.
type - (Required) Type of build environment to use for related builds. Valid values: LINUX_CONTAINER, LINUX_GPU_CONTAINER, WINDOWS_CONTAINER (deprecated), WINDOWS_SERVER_2019_CONTAINER, ARM_CONTAINER. For additional information, see the CodeBuild User Guide.
environment: environmentVariable
name - (Required) Environment variable's name or key.
type - (Optional) Type of environment variable. Valid values: PARAMETER_STORE, PLAINTEXT, SECRETS_MANAGER.
value - (Required) Environment variable's value.
environment: registryCredential
Credentials for access to a private Docker registry.
credential - (Required) ARN or name of credentials created using AWS Secrets Manager.
credentialProvider - (Required) Service that created the credentials to access a private Docker registry. Valid value: SECRETS_MANAGER (AWS Secrets Manager).
fileSystemLocations
See ProjectFileSystemLocation for more details of the fields.
identifier - (Optional) The name used to access a file system created by Amazon EFS. CodeBuild creates an environment variable by appending the identifier in all capital letters to CODEBUILD_. For example, if you specify my-efs for identifier, a new environment variable is created named CODEBUILD_MY-EFS.
location - (Optional) A string that specifies the location of the file system created by Amazon EFS. Its format is efs-dns-name:/directory-path.
mountOptions - (Optional) The mount options for a file system created by AWS EFS.
mountPoint - (Optional) The location in the container where you mount the file system.
type - (Optional) The type of the file system. The one supported type is EFS.
logsConfig
cloudwatchLogs - (Optional) Configuration block. Detailed below.
s3Logs - (Optional) Configuration block. Detailed below.
logsConfig: cloudwatchLogs
groupName - (Optional) Group name of the logs in CloudWatch Logs.
status - (Optional) Current status of logs in CloudWatch Logs for a build project. Valid values: ENABLED, DISABLED. Defaults to ENABLED.
streamName - (Optional) Stream name of the logs in CloudWatch Logs.
logsConfig: s3Logs
encryptionDisabled - (Optional) Whether to disable encrypting S3 logs. Defaults to false.
location - (Optional) Name of the S3 bucket and the path prefix for S3 logs. Must be set if status is ENABLED, otherwise it must be empty.
status - (Optional) Current status of logs in S3 for a build project. Valid values: ENABLED, DISABLED. Defaults to DISABLED.
bucketOwnerAccess - (Optional) Specifies the bucket owner's access for objects that another account uploads to their Amazon S3 bucket. By default, only the account that uploads the objects to the bucket has access to these objects. This property allows you to give the bucket owner access to these objects. Valid values are NONE, READ_ONLY, and FULL. Your CodeBuild service role must have the s3:PutBucketAcl permission. This permission allows CodeBuild to modify the access control list for the bucket.
secondaryArtifacts
artifactIdentifier - (Required) Artifact identifier. Must be the same specified inside the AWS CodeBuild build specification.
bucketOwnerAccess - (Optional) Specifies the bucket owner's access for objects that another account uploads to their Amazon S3 bucket. By default, only the account that uploads the objects to the bucket has access to these objects. This property allows you to give the bucket owner access to these objects. Valid values are NONE, READ_ONLY, and FULL. The CodeBuild service role must have the s3:PutBucketAcl permission. This permission allows CodeBuild to modify the access control list for the bucket.
encryptionDisabled - (Optional) Whether to disable encrypting output artifacts. If type is set to NO_ARTIFACTS, this value is ignored. Defaults to false.
location - (Optional) Information about the build output artifact location. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored if specified. If type is set to S3, this is the name of the output bucket. If path is not specified, location can specify the path of the output artifact in the output bucket.
name - (Optional) Name of the project. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored if specified. If type is set to S3, this is the name of the output artifact object.
namespaceType - (Optional) Namespace to use in storing build artifacts. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored if specified. If type is set to S3, valid values are BUILD_ID or NONE.
overrideArtifactName - (Optional) Whether a name specified in the build specification overrides the artifact name.
packaging - (Optional) Type of build output artifact to create. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored if specified. If type is set to S3, valid values are NONE or ZIP.
path - (Optional) Along with namespaceType and name, the pattern that AWS CodeBuild uses to name and store the output artifact. If type is set to CODEPIPELINE or NO_ARTIFACTS, this value is ignored if specified. If type is set to S3, this is the path to the output artifact.
type - (Required) Build output artifact's type. Valid values: CODEPIPELINE, NO_ARTIFACTS, and S3.
secondarySources
auth - (Optional, Deprecated) Configuration block with the authorization settings for AWS CodeBuild to access the source code to be built. This information is for the AWS CodeBuild console's use only. Use the awsCodebuildSourceCredential resource instead. Auth blocks are documented below.
buildspec - (Optional) The build spec declaration to use for this build project's related builds. This must be set when type is NO_SOURCE. It can either be a path to a file residing in the repository to be built or a local file path leveraging the file() built-in.
gitCloneDepth - (Optional) Truncate git history to this many commits. Use 0 for a full checkout which you need to run commands like git branch --show-current. See AWS CodePipeline User Guide: Tutorial: Use full clone with a GitHub pipeline source for details.
gitSubmodulesConfig - (Optional) Configuration block. Detailed below.
insecureSsl - (Optional) Ignore SSL warnings when connecting to source control.
location - (Optional) Location of the source code from git or s3.
reportBuildStatus - (Optional) Whether to report the status of a build's start and finish to your source provider. This option is only valid when your source provider is GITHUB, BITBUCKET, or GITHUB_ENTERPRISE.
buildStatusConfig - (Optional) Configuration block that contains information that defines how the build project reports the build status to the source provider. This option is only used when the source provider is GITHUB, GITHUB_ENTERPRISE, or BITBUCKET. buildStatusConfig blocks are documented below.
sourceIdentifier - (Required) An identifier for this project source. The identifier can only contain alphanumeric characters and underscores, and must be less than 128 characters in length.
type - (Required) Type of repository that contains the source code to be built. Valid values: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB_ENTERPRISE, BITBUCKET or S3.
secondarySources: auth
resource - (Optional, Deprecated) Resource value that applies to the specified authorization type. Use the awsCodebuildSourceCredential resource instead.
type - (Required, Deprecated) Authorization type to use. The only valid value is OAUTH. This data type is deprecated and is no longer accurate or used. Use the awsCodebuildSourceCredential resource instead.
secondarySources: gitSubmodulesConfig
This block is only valid when the type is CODECOMMIT, GITHUB or GITHUB_ENTERPRISE.
fetchSubmodules - (Required) Whether to fetch Git submodules for the AWS CodeBuild build project.
secondarySources: buildStatusConfig
context - (Optional) Specifies the context of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.
targetUrl - (Optional) Specifies the target URL of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.
secondarySourceVersion
sourceIdentifier - (Required) An identifier for a source in the build project.
sourceVersion - (Required) The source version for the corresponding source identifier. See AWS docs for more details.
source
auth - (Optional, Deprecated) Configuration block with the authorization settings for AWS CodeBuild to access the source code to be built. This information is for the AWS CodeBuild console's use only. Use the awsCodebuildSourceCredential resource instead. Auth blocks are documented below.
buildspec - (Optional) Build specification to use for this build project's related builds. This must be set when type is NO_SOURCE.
gitCloneDepth - (Optional) Truncate git history to this many commits. Use 0 for a full checkout which you need to run commands like git branch --show-current. See AWS CodePipeline User Guide: Tutorial: Use full clone with a GitHub pipeline source for details.
gitSubmodulesConfig - (Optional) Configuration block. Detailed below.
insecureSsl - (Optional) Ignore SSL warnings when connecting to source control.
location - (Optional) Location of the source code from git or s3.
reportBuildStatus - (Optional) Whether to report the status of a build's start and finish to your source provider. This option is only valid when the type is BITBUCKET or GITHUB.
buildStatusConfig - (Optional) Configuration block that contains information that defines how the build project reports the build status to the source provider. This option is only used when the source provider is GITHUB, GITHUB_ENTERPRISE, or BITBUCKET. buildStatusConfig blocks are documented below.
type - (Required) Type of repository that contains the source code to be built. Valid values: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB_ENTERPRISE, BITBUCKET, S3, NO_SOURCE.
source: auth
resource - (Optional, Deprecated) Resource value that applies to the specified authorization type. Use the awsCodebuildSourceCredential resource instead.
type - (Required, Deprecated) Authorization type to use. The only valid value is OAUTH. This data type is deprecated and is no longer accurate or used. Use the awsCodebuildSourceCredential resource instead.
source: gitSubmodulesConfig
This block is only valid when the type is CODECOMMIT, GITHUB or GITHUB_ENTERPRISE.
fetchSubmodules - (Required) Whether to fetch Git submodules for the AWS CodeBuild build project.
source: buildStatusConfig
context - (Optional) Specifies the context of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.
targetUrl - (Optional) Specifies the target URL of the build status CodeBuild sends to the source provider. The usage of this parameter depends on the source provider.
vpcConfig
securityGroupIds - (Required) Security group IDs to assign to running builds.
subnets - (Required) Subnet IDs within which to run builds.
vpcId - (Required) ID of the VPC within which to run builds.
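Several of the arguments above weaken a project's security posture when set (projectVisibility, privilegedMode, insecureSsl, encryptionDisabled, disabled logs, credentials passed as PLAINTEXT environment variables). The following is an added example, not part of the provider documentation or its bindings: a pre-deploy check over a plain object that uses the argument names from this page. ProjectConfig, auditProject and the SECRET_NAME pattern are hypothetical, and both sample projects are constructed.

```typescript
// Added example, not provider code. ProjectConfig mirrors a subset of the argument
// names documented above; auditProject and SECRET_NAME are hypothetical helpers.
interface EnvVar { name: string; value: string; type?: string }
interface ProjectConfig {
  projectVisibility?: string;
  artifacts: { type: string; encryptionDisabled?: boolean };
  environment: { privilegedMode?: boolean; environmentVariable?: EnvVar[] };
  logsConfig?: {
    cloudwatchLogs?: { status?: string };
    s3Logs?: { status?: string; encryptionDisabled?: boolean };
  };
  source: { type: string; insecureSsl?: boolean };
}

// Heuristic for variable names that suggest a credential (assumption, tune per org).
const SECRET_NAME = /(secret|token|passw(or)?d|api_?key|private_?key)/i;

// Returns the dotted paths of settings that weaken the project's security posture.
function auditProject(p: ProjectConfig): string[] {
  const findings: string[] = [];
  if (p.projectVisibility === "PUBLIC_READ") findings.push("projectVisibility");
  if (p.environment.privilegedMode === true) findings.push("environment.privilegedMode");
  if (p.source.insecureSsl === true) findings.push("source.insecureSsl");
  // encryptionDisabled is ignored when artifacts.type is NO_ARTIFACTS.
  if (p.artifacts.type !== "NO_ARTIFACTS" && p.artifacts.encryptionDisabled === true)
    findings.push("artifacts.encryptionDisabled");

  // Defaults per the reference: cloudwatchLogs ENABLED, s3Logs DISABLED.
  const cw = p.logsConfig?.cloudwatchLogs?.status ?? "ENABLED";
  const s3 = p.logsConfig?.s3Logs?.status ?? "DISABLED";
  if (cw === "DISABLED" && s3 === "DISABLED") findings.push("logsConfig (no log sink)");
  if (s3 === "ENABLED" && p.logsConfig?.s3Logs?.encryptionDisabled === true)
    findings.push("logsConfig.s3Logs.encryptionDisabled");

  // A variable without a type is treated as PLAINTEXT and is readable in the
  // project configuration; PARAMETER_STORE / SECRETS_MANAGER hold a reference.
  for (const v of p.environment.environmentVariable ?? []) {
    const type = v.type ?? "PLAINTEXT";
    if (type === "PLAINTEXT" && SECRET_NAME.test(v.name))
      findings.push(`environment.environmentVariable[${v.name}]`);
  }
  return findings;
}

// Constructed sample inputs (not real projects).
const riskyProject: ProjectConfig = {
  projectVisibility: "PUBLIC_READ",
  artifacts: { type: "S3", encryptionDisabled: true },
  environment: {
    privilegedMode: true,
    environmentVariable: [
      { name: "DEPLOY_TOKEN", value: "constructed-placeholder" },
      { name: "DB_PASSWORD", type: "SECRETS_MANAGER", value: "prod/db:password" },
      { name: "LOG_LEVEL", value: "debug" },
    ],
  },
  logsConfig: { cloudwatchLogs: { status: "DISABLED" } },
  source: { type: "GITHUB", insecureSsl: true },
};
const hardenedProject: ProjectConfig = {
  artifacts: { type: "NO_ARTIFACTS", encryptionDisabled: true },
  environment: {
    environmentVariable: [{ name: "API_KEY", type: "PARAMETER_STORE", value: "/ci/api-key" }],
  },
  source: { type: "GITHUB" },
};

console.log(auditProject(riskyProject));
console.log(auditProject(hardenedProject));
```

The same object literal can be passed to the CodebuildProject constructor after the check, so the audit runs at synth time before anything is deployed.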
Attributes Reference
In addition to all arguments above, the following attributes are exported:
arn - ARN of the CodeBuild project.
badgeUrl - URL of the build badge when badgeEnabled is enabled.
id - Name (if imported via name) or ARN (if created via Terraform or imported via ARN) of the CodeBuild project.
publicProjectAlias - The project identifier used with the public build APIs.
tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
Import
CodeBuild Project can be imported using the name, e.g.,