AWS CodeBuild Concepts
Internal
CodeBuild as AWS Service
CodeBuild is an AWS service whose service principal is "codebuild.amazonaws.com"; this is the principal the trust policy of a build project's service role must allow to assume the role.
Build Project
Build Badge
A build badge is an embeddable, dynamically generated image that displays the status of the latest build for a project. The image is served from a publicly available URL generated for the CodeBuild project, so anyone holding the URL can view the project's build status. Build badges do not contain any security information beyond the project name in the URL and the pass/fail status, so they do not require authentication.
Build Environment
Environment Image
The environment image is the container image for the containers that perform the build. The documentation also refers to it as "AWS CodeBuild Docker Image". AWS provides a number of "managed images":
Custom images can be built and used. The procedure to create a custom build image is documented here:
Privileged Build
A "privileged build" is a build that needs to run Docker commands against a Docker daemon, such as docker build to build an image. If the build project does not have the Privileged flag (privilegedMode in the project environment) enabled and the build attempts to build images, it fails with:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
For custom environment images, different from those provided by AWS, the Docker daemon must be started explicitly in the build specification even when the privileged flag is enabled; it is not started automatically as it is for AWS-provided environment images. The following example shows how to configure the build specification:
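Added example (written for this page, not copied from the page or from an AWS sample) of a buildspec install phase for a custom image that bundles the Docker engine. It assumes the daemon binary is installed at /usr/local/bin/dockerd, that privilegedMode is enabled on the project environment, and that REPOSITORY_URI is a project-defined variable as in the environment listing further down this page:

```yaml
version: 0.2
phases:
  install:
    commands:
      # Start the engine ourselves: a custom image has no agent hook that does it.
      # Only the Unix socket is bound; a --host=tcp://127.0.0.1:2375 listener is an
      # unauthenticated Docker API and docker build does not need it.
      - nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --storage-driver=overlay2 > /tmp/dockerd.log 2>&1 &
      # Fail fast, with the daemon log, if it never comes up, instead of at the first docker command.
      - timeout 15 sh -c "until docker info > /dev/null 2>&1; do sleep 1; done" || (cat /tmp/dockerd.log; exit 1)
  build:
    commands:
      - docker build -t "$REPOSITORY_URI:$CODEBUILD_RESOLVED_SOURCE_VERSION" .
```

The daemon is started in the background in the install phase because buildspec commands run in the same shell instance, so it is still running when the build phase executes docker build.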
Process and integrate: https://docs.aws.amazon.com/codebuild/latest/APIReference/API_ProjectEnvironment.html
Service Role
The service role, unless an existing role is specified when the project is created, is created automatically with the following inline policies:
CodeBuildBasePolicy-<build-project-name>-<region>
Example of working CodeBuildBasePolicy-*:
CodeBuildCloudWatchLogsPolicy-<build-project-name>-<region>
For operational details on handling the service role, see:
Important: the service role can do only what these policies grant. If the build process needs to access an ECR repository, the role must be given the required ECR actions; if it needs the API Gateway, the required API Gateway actions, and so on. Grant them scoped to the specific repositories or APIs rather than with Resource "*": the role's credentials are available to everything that runs inside the build, including third-party build steps and dependencies.
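As an added example (a hypothetical helper, not the policy AWS generates, which also contains report-group and other statements), a Python function that builds a least-privilege inline policy for a project's service role, granting ECR push and pull only on named repositories, together with a check that flags Allow statements using Resource "*" for actions that could have been scoped. The project name, account, region and artifact bucket are the values from the environment listing on this page; the ECR repository ARN is an assumption.

```python
import json

# The one ECR action that is documented to work only with Resource "*".
WILDCARD_ONLY_ACTIONS = {"ecr:GetAuthorizationToken"}


def codebuild_service_policy(project, region, account, *, ecr_repo_arns=(), artifact_bucket=None):
    """Least-privilege inline policy for a CodeBuild service role (hypothetical helper).

    Logs are scoped to the project's own log group (/aws/codebuild/<project>),
    artifact access to one bucket, and ECR push/pull to the named repositories.
    """
    log_group = f"arn:aws:logs:{region}:{account}:log-group:/aws/codebuild/{project}"
    statements = [
        {
            "Sid": "Logs",
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": [log_group, f"{log_group}:*"],
        }
    ]
    if artifact_bucket:
        statements.append({
            "Sid": "Artifacts",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:GetBucketLocation"],
            "Resource": [f"arn:aws:s3:::{artifact_bucket}", f"arn:aws:s3:::{artifact_bucket}/*"],
        })
    if ecr_repo_arns:
        statements.append({
            "Sid": "EcrLogin",
            "Effect": "Allow",
            "Action": ["ecr:GetAuthorizationToken"],
            "Resource": "*",  # the only resource this action accepts
        })
        statements.append({
            "Sid": "EcrPushPull",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
            ],
            "Resource": list(ecr_repo_arns),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_statements(policy):
    """Sids of Allow statements that use Resource "*" for actions that could be scoped.

    Run it before attaching a policy to the role; an empty result means every
    grant is tied to a concrete resource except the login token.
    """
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if "*" in resources and not set(actions) <= WILDCARD_ONLY_ACTIONS:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = codebuild_service_policy(
        "example", "us-west-2", "777777777777",
        ecr_repo_arns=["arn:aws:ecr:us-west-2:777777777777:repository/example"],  # assumed ARN
        artifact_bucket="example-buildbucket-1po70uz4qr4l5",
    )
    print(json.dumps(policy, indent=2))
    print("unscoped:", unscoped_statements(policy))
```

The generated document is attached with iam:PutRolePolicy (or through the project's infrastructure template); the check is worth running over the auto-generated CodeBuildBasePolicy-* as well.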
VPC
If the build runs inside a VPC, the build container has no public internet access by itself: outbound traffic needs a NAT gateway in a private subnet (or VPC endpoints for the AWS services used), and the service role needs the EC2 network-interface permissions (ec2:CreateNetworkInterface, ec2:CreateNetworkInterfacePermission, ec2:DeleteNetworkInterface and the related ec2:Describe* actions) so that git clone, docker pull and so on work.
Security Group
The build project configuration allows selecting one or more security groups, which CodeBuild attaches to the network interfaces it creates in the VPC. Only their outbound rules matter: the build container opens connections to repositories, registries and AWS endpoints, and nothing connects to it, so the groups must allow the required outbound traffic and need no inbound rules.
Environment Variables
Also see, below:
CODEBUILD_RESOLVED_SOURCE_VERSION
'CODEBUILD_RESOLVED_SOURCE_VERSION' carries an identifier for the version of a build's source code. The format depends on the source: for CodeCommit, GitHub and Bitbucket it is the commit ID, for CodePipeline-driven builds it is the source revision passed on by the pipeline, and for Amazon S3 sources it is not set. Also see CloudFormation Deployment - Container Image Tag Considerations.
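Added example, not from the page: a Python helper that turns CODEBUILD_RESOLVED_SOURCE_VERSION into an image reference that can be traced back to a commit. It reads the REPOSITORY_URI variable that the project in this page's environment listing defines (a project variable, not one CodeBuild sets); the expected-account check, the helper names and the sample values are assumptions.

```python
import re

# Full commit ID, as set for CodeCommit, GitHub and Bitbucket sources and for
# CodePipeline-provided revisions; Amazon S3 sources leave the variable unset.
COMMIT_ID = re.compile(r"^[0-9a-f]{40}$")
ECR_URI = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/(?P<repo>[a-z0-9._/-]+)$"
)

# Constructed sample of the two variables this helper reads, with the values
# from the environment listing on this page.
SAMPLE_ENV = {
    "REPOSITORY_URI": "777777777777.dkr.ecr.us-west-2.amazonaws.com/example",
    "CODEBUILD_RESOLVED_SOURCE_VERSION": "46996c9340aee1415f57d81e77b88359c6ab3110",
}


def image_reference(env, *, expected_account, short=7):
    """Return (short_ref, full_ref) for the image built from this source version.

    Hypothetical helper. It refuses to produce a tag that cannot be traced:
    REPOSITORY_URI must be an ECR repository in the expected account (so a
    mis-set project variable cannot push the image to a foreign registry), and
    the resolved source version must be a full commit ID (no fallback to
    'latest' when the variable is missing, as it is for S3 sources).
    """
    uri = env.get("REPOSITORY_URI", "")
    m = ECR_URI.match(uri)
    if not m:
        raise ValueError(f"REPOSITORY_URI is not an ECR repository URI: {uri!r}")
    if m.group("account") != expected_account:
        raise ValueError(
            f"REPOSITORY_URI points at account {m.group('account')}, expected {expected_account}"
        )
    version = env.get("CODEBUILD_RESOLVED_SOURCE_VERSION", "")
    if not COMMIT_ID.match(version):
        raise ValueError(f"CODEBUILD_RESOLVED_SOURCE_VERSION is not a commit ID: {version!r}")
    # Push both: the short tag for humans, the full one as the immutable
    # reference a deployment template should pin.
    return f"{uri}:{version[:short]}", f"{uri}:{version}"


if __name__ == "__main__":
    import os
    env = os.environ if "CODEBUILD_BUILD_ID" in os.environ else SAMPLE_ENV
    print("\n".join(image_reference(env, expected_account="777777777777")))
```

Inside a build the script reads the real environment; run outside CodeBuild it falls back to the constructed sample.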
Build Specification, Buildspec
Build Environment
Example of the environment exposed to a CodeBuild build by a CodePipeline pipeline:
TARGET_BUCKET=example-buildbucket-1po70uz4qr4l5
CODEBUILD_LAST_EXIT=0
CODEBUILD_START_TIME=1552585467738
CODEBUILD_BMR_URL=https://CODEBUILD_AGENT:3000
CODEBUILD_SOURCE_VERSION=arn:aws:s3:::example-buildbucket-1po70uz4qr4l5/example-Pipe/ContainerS/WqhFogn.zip
CODEBUILD_AGENT_ENDPOINT=http://127.0.0.1:7831
CODEBUILD_KMS_KEY_ID=arn:aws:kms:us-west-2:777777777777:alias/aws/s3
CODEBUILD_BUILD_ID=example:53fd170a-0445-42bd-9bf9-cd7b97dc3b13
CODEBUILD_RESOLVED_SOURCE_VERSION=46996c9340aee1415f57d81e77b88359c6ab3110
CODEBUILD_BUILD_SUCCEEDING=1
CODEBUILD_BUILD_ARN=arn:aws:codebuild:us-west-2:777777777777:build/example:43fd170a-0445-42bd-9bf8-cd7b97dc3b13
CODEBUILD_INITIATOR=codepipeline/example-Pipeline-8GR91NZTCLYVA
CODEBUILD_LOG_PATH=33fd170a-0445-42bd-9bf9-cd7b97dc3b15
CODEBUILD_BUILD_IMAGE=aws/codebuild/java:openjdk-8
CODEBUILD_SRC_DIR=/codebuild/output/src461115545/src
CODEBUILD_PROJECT_UUID=....
CODEBUILD_AUTH_TOKEN=.....
CODEBUILD_CONTAINER_NAME=default
CODEBUILD_EXECUTION_ROLE_BUILD=
CODEBUILD_BUILD_URL=https://us-west-2.console.aws.amazon.com/codebuild/home?region=us-west-2#/builds/example:43fd170a-0445-42bd-9bf9-cd7b97dc3b19/view/new
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/4b6c5959-d624-4bfb-b239-2f985281c878
AWS_EXECUTION_ENV=AWS_ECS_EC2
AWS_DEFAULT_REGION=us-west-2
AWS_REGION=us-west-2
ECS_CONTAINER_METADATA_URI=http://188.88.88.88/v3/481887c2-cfc5-49c1-a3da-c0a1a0139e90
JRE_HOME=/usr/lib/jvm/java-8-openjdk-amd64
JDK_HOME=/usr/lib/jvm/java-8-openjdk-amd64
JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
JAVA_VERSION=8
JDK_VERSION=8u171-b11-2~14.04
ANT_VERSION=...
ANT_DOWNLOAD_SHA512=...
MAVEN_HOME=/opt/maven
MAVEN_OPTS=-Dmaven.wagon.httpconnectionManager.maxPerRoute=2
MAVEN_CONFIG=/root/.m2
MAVEN_VERSION=3.5.4
MAVEN_DOWNLOAD_SHA1=...
GRADLE_DOWNLOAD_SHA256=...
GRADLE_VERSION=4.2.1
PYTHON_TOOL_VERSION=3.3-*
GITVERSION_VERSION=3.6.5
DOCKER_BUCKET=download.docker.com
DOCKER_SHA256=...
DOCKER_CHANNEL=stable
DOCKER_COMPOSE_VERSION=...
DOCKER_VERSION=17.09.0-ce
ENV=dev
REPOSITORY_URI=777777777777.dkr.ecr.us-west-2.amazonaws.com/example
SVC_TEMPLATE=container-generic-svcTemplate.yaml
OPENAPI_FILE_NAME=openapi-aws.json
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=4fcfb195f8c4
Several of these values are credentials or lead to them: AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is the path the AWS SDKs append to the container credential endpoint (http://169.254.170.2) to obtain the service role's temporary credentials, and CODEBUILD_AUTH_TOKEN authenticates to the build agent. Anything that runs inside the build, including dependencies and third-party build steps, can read them, and a build that dumps its environment with env writes them into CloudWatch Logs, which is why they are elided in the listing.
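Added example (not part of the page): a small redaction pass for env-style NAME=value output, to be applied before such a dump is written to build logs or pasted into notes. The variable names it always treats as sensitive are the credential-bearing ones from the listing above plus the standard AWS credential variables; the suffix list is an assumption about naming conventions for project-defined variables, and the sample dump is constructed with made-up secret values.

```python
import re

# Values that are credentials or lead to them: the relative URI is what the SDKs
# append to the container credential endpoint to fetch the service role's
# temporary keys; the auth token authenticates to the build agent.
SENSITIVE_NAMES = {
    "CODEBUILD_AUTH_TOKEN",
    "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI",
    "AWS_CONTAINER_AUTHORIZATION_TOKEN",
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
    "AWS_SESSION_TOKEN",
}
# Naming-convention catch-all for project-defined variables (assumption).
SENSITIVE_SUFFIX = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)$")

# One NAME=value token: at start of a line or after whitespace, value up to the
# next whitespace. A value containing spaces is therefore only covered up to the
# first space; one-assignment-per-line output (plain `env`) avoids that.
ASSIGNMENT = re.compile(r"(?:(?<=\s)|^)([A-Za-z_][A-Za-z0-9_]*)=(\S*)", re.M)

# Constructed sample in the shape of the listing above, with invented secrets.
SAMPLE_DUMP = (
    "TARGET_BUCKET=example-buildbucket-1po70uz4qr4l5 CODEBUILD_AUTH_TOKEN=tok-0123 "
    "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/4b6c5959 AWS_REGION=us-west-2\n"
    "DB_PASSWORD=hunter2\n"
    "PATH=/usr/local/bin:/usr/bin:/bin\n"
)


def is_sensitive(name):
    return name in SENSITIVE_NAMES or SENSITIVE_SUFFIX.search(name) is not None


def redact_env_dump(text):
    """Replace the values of sensitive variables with [REDACTED].

    Returns (redacted_text, names_redacted). Handles one-per-line `env` output
    and the space-joined form shown on this page. Added helper, not part of CodeBuild.
    """
    redacted = []

    def repl(m):
        name = m.group(1)
        if is_sensitive(name):
            redacted.append(name)
            return f"{name}=[REDACTED]"
        return m.group(0)

    return ASSIGNMENT.sub(repl, text), redacted


if __name__ == "__main__":
    text, names = redact_env_dump(SAMPLE_DUMP)
    print(text)
    print("redacted:", ", ".join(names))
```

Redaction only limits what ends up in logs; the variables are still readable by every process in the build container, so the real control is the scope of the service role.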
CodePipeline-Driven CodeBuild Builds
How the Build is Triggered
The build can be triggered manually from the console: CodeBuild -> Build projects -> select the project -> Start build.
The build can be triggered programmatically. How?
The build can be triggered by a repository push. How?
The build produces a container image and pushes it into a Docker repository. How about deploying it in ECS?
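For the programmatic and repository-push triggers asked about above, an added example (not from the page) using the boto3 CodeBuild client: StartBuild is the API call behind the console's Start build button, and CreateWebhook registers the push trigger on a GitHub or Bitbucket source. The project name and commit ID are the ones from the environment listing on this page; the branch names, the account ID used in the actor filter and the DryRunClient stand-in are assumptions.

```python
import re


class DryRunClient:
    """Stand-in for boto3's codebuild client that records calls instead of
    making them, so the helpers below can be exercised without AWS access."""

    def __init__(self):
        self.calls = []

    def start_build(self, **kwargs):
        self.calls.append(("start_build", kwargs))
        return {"build": {"id": f"{kwargs['projectName']}:dry-run"}}

    def create_webhook(self, **kwargs):
        self.calls.append(("create_webhook", kwargs))
        return {"webhook": {"filterGroups": kwargs["filterGroups"]}}


def _client(client):
    if client is not None:
        return client
    import boto3  # imported lazily so the pure helpers work without the SDK
    return boto3.client("codebuild")


def start_build(project, *, source_version=None, env_overrides=None, client=None):
    """Programmatic trigger. source_version pins the commit to build instead of
    the project's default branch. env_overrides are PLAINTEXT overrides and are
    shown in the build details (console, BatchGetBuilds); secrets belong in
    project variables of type PARAMETER_STORE or SECRETS_MANAGER, not here."""
    kwargs = {"projectName": project}
    if source_version:
        kwargs["sourceVersion"] = source_version
    if env_overrides:
        kwargs["environmentVariablesOverride"] = [
            {"name": k, "value": v, "type": "PLAINTEXT"} for k, v in env_overrides.items()
        ]
    return _client(client).start_build(**kwargs)["build"]["id"]


def push_filter_groups(branches, *, actor_account_id=None):
    """Webhook filter groups that build only pushes to the given branches.

    Groups are OR-ed, filters within a group are AND-ed. Without a HEAD_REF
    filter every push to any branch runs a build with the service role;
    ACTOR_ACCOUNT_ID additionally restricts who may trigger one."""
    groups = []
    for branch in branches:
        group = [
            {"type": "EVENT", "pattern": "PUSH"},
            {"type": "HEAD_REF", "pattern": f"^refs/heads/{re.escape(branch)}$"},
        ]
        if actor_account_id:
            group.append({"type": "ACTOR_ACCOUNT_ID", "pattern": f"^{actor_account_id}$"})
        groups.append(group)
    return groups


def create_push_webhook(project, branches, *, actor_account_id=None, client=None):
    """Repository-push trigger: registers the webhook on the project's source."""
    groups = push_filter_groups(branches, actor_account_id=actor_account_id)
    return _client(client).create_webhook(projectName=project, filterGroups=groups)["webhook"]


if __name__ == "__main__":
    dry = DryRunClient()  # replace with client=None to call AWS for real
    print(start_build("example", source_version="46996c9340aee1415f57d81e77b88359c6ab3110", client=dry))
    print(create_push_webhook("example", ["main"], client=dry))
```

Pull-request events (PULL_REQUEST_CREATED and the like) are deliberately not enabled here: on a public repository they would run code from forks under the project's service role, which is the reason to keep the filters to PUSH on known branches and to pin the actor.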
CodeBuild Operations
Organizatorium
- Where is the project actually built? What resources? Relationship to VPC.