AWS CodeBuild Concepts
Revision as of 21:29, 25 February 2019
Internal
Build Project
Build Badge
A build badge is an embeddable, dynamically generated image that displays the status of the latest build for a project. The image is served from a publicly available URL generated for the CodeBuild project, so anyone who has the URL can see whether the latest build passed or failed. Build badges do not contain any security information, so they do not require authentication; treat the badge URL as public information, since it discloses the project's build status to anyone who obtains it.
Build Environment
Environment Image
The environment image is the container image for the containers that perform the build. The documentation also refers to it as the "AWS CodeBuild Docker image". AWS provides a number of managed images, listed in Docker Images Provided by CodeBuild: https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
Custom images can be built and used. The procedure to create a custom build image is documented in AWS CodeBuild Operations, under "Build an AWS CodeBuild Docker Image".
Privileged Build
A "privileged build" is a build that needs to run docker commands, for example docker build to build an image. The API reference describes the privileged mode as enabling the Docker daemon to run inside the build container and advises setting it only for projects that actually build Docker images, so leave the flag off everywhere else. If the CodeBuild build project does not have the Privileged flag enabled and attempts to build images, it fails with:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
In the case of custom environment images (images other than those provided by AWS), the Docker daemon is not started automatically even when the "privileged build" flag is enabled, as it is for AWS-provided environment images; it must be started explicitly in the build specification. The following example shows how to configure the build specification:
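An added example (not the page's own build specification) of such a buildspec, emitted by a shell function so the account, region and ECR repository can be filled in. It assumes the custom image has dockerd at /usr/local/bin/dockerd, supports the overlay2 storage driver, and has the AWS CLI and the timeout utility installed; all of those are assumptions about the image, not facts from the page.

```shell
#!/bin/sh
# Added example, not from the wiki page: emit a buildspec for a custom
# environment image. With a custom image CodeBuild does not start dockerd
# for you even when privilegedMode is on, so the install phase does it.
# Assumptions: dockerd lives at /usr/local/bin/dockerd in the image, the
# image supports the overlay2 storage driver, and it has the AWS CLI and
# the "timeout" utility installed.

# Usage: write_buildspec ACCOUNT_ID REGION ECR_REPO > buildspec.yml
write_buildspec() {
    account="$1"; region="$2"; repo="$3"
    registry="${account}.dkr.ecr.${region}.amazonaws.com"
    # Unquoted heredoc: ${account}/${region}/${repo} expand now; the
    # escaped \${CODEBUILD_...} stays literal for CodeBuild to expand.
    cat <<EOF
version: 0.2
phases:
  install:
    commands:
      # Background the daemon on the local unix socket only; do not add a
      # tcp listener, nothing outside this container should reach it.
      - nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --storage-driver=overlay2 > /tmp/dockerd.log 2>&1 &
      # Wait for it to answer, and fail fast with the daemon log instead
      # of a later "Cannot connect to the Docker daemon" error.
      - timeout 15 sh -c "until docker info > /dev/null 2>&1; do sleep 1; done" || (cat /tmp/dockerd.log; exit 1)
  pre_build:
    commands:
      # Needs ecr:GetAuthorizationToken on the service role.
      - aws ecr get-login-password --region ${region} | docker login --username AWS --password-stdin ${registry}
  build:
    commands:
      - docker build -t ${repo}:\${CODEBUILD_RESOLVED_SOURCE_VERSION} .
      - docker tag ${repo}:\${CODEBUILD_RESOLVED_SOURCE_VERSION} ${registry}/${repo}:\${CODEBUILD_RESOLVED_SOURCE_VERSION}
  post_build:
    commands:
      # Needs the layer-upload and PutImage actions on this one repository.
      - docker push ${registry}/${repo}:\${CODEBUILD_RESOLVED_SOURCE_VERSION}
EOF
}

# Demo run with placeholder values; redirect to buildspec.yml for real use.
write_buildspec 123456789012 us-east-1 my-app
```

The daemon is bound to the unix socket only, and the wait loop turns a daemon that never comes up into an immediate, diagnosable failure in the install phase rather than the opaque socket error shown above.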
Process and integrate: https://docs.aws.amazon.com/codebuild/latest/APIReference/API_ProjectEnvironment.html
Service Role
The service role, unless specified otherwise, is automatically created with the following policies:
CodeBuildBasePolicy-<build-project-name>-<region>
Example of working CodeBuildBasePolicy-*:
CodeBuildCloudWatchLogsPolicy-<build-project-name>-<region>
For operational details on handling the service role, see:
Important: if the build process needs to access an ECR repository, the role must be granted the required ECR actions (scoped to that repository wherever the action accepts a resource ARN). If the build process needs to access API Gateway, the role must be granted the required API Gateway actions, and so on.
VPC
If a VPC is used to run the build, additional permissions and configuration are needed: the service role must be allowed to create and manage the network interfaces CodeBuild places in the subnet, and the subnet needs a route to the outside (typically through a NAT gateway, since CodeBuild does not assign public IP addresses to its network interfaces) for git clone, docker pull and so on to work.
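An added example (not from the page) covering both the warning above about extra ECR actions and the VPC permissions: a shell function that emits an inline IAM policy granting exactly the ECR push actions for one repository and the EC2 network-interface actions for one subnet, plus a helper that attaches it to the service role. The account id, region, repository, subnet id, role name and policy name are placeholders passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the wiki page: an inline policy that grants a
# CodeBuild service role only what the ECR warning and the VPC section call
# for. Account, region, repository, subnet and role name are placeholders.

# Usage: service_role_extra_policy ACCOUNT_ID REGION ECR_REPO SUBNET_ID
service_role_extra_policy() {
    account="$1"; region="$2"; repo="$3"; subnet="$4"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "EcrPushOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "arn:aws:ecr:${region}:${account}:repository/${repo}"
    },
    {
      "Sid": "VpcNetworkInterfaces",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VpcEniPermissionOnlyForCodeBuildInThisSubnet",
      "Effect": "Allow",
      "Action": "ec2:CreateNetworkInterfacePermission",
      "Resource": "arn:aws:ec2:${region}:${account}:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:Subnet": "arn:aws:ec2:${region}:${account}:subnet/${subnet}",
          "ec2:AuthorizedService": "codebuild.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# Attach it as an inline policy on the service role. Requires the AWS CLI
# and credentials; not invoked by the demo run below.
# Usage: attach_extra_policy ROLE_NAME ACCOUNT_ID REGION ECR_REPO SUBNET_ID
attach_extra_policy() {
    role="$1"; shift
    aws iam put-role-policy \
        --role-name "$role" \
        --policy-name "CodeBuildEcrVpcPolicy-${role}" \
        --policy-document "$(service_role_extra_policy "$@")"
}

# Demo run with placeholder values: print the policy document.
service_role_extra_policy 123456789012 us-east-1 my-app subnet-0123456789abcdef0
```

ecr:GetAuthorizationToken only works on "*", which is why it sits in its own statement; every other ECR action is pinned to the single repository the build pushes to, and the network-interface permission is conditioned on the subnet and on codebuild.amazonaws.com being the authorized service, so the role cannot be used to hand interfaces in other subnets to other services.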
Security Group
The build project configuration allows selecting one or more security groups, which are the security groups AWS CodeBuild attaches to the network interfaces it creates in the VPC. The security groups must allow the outbound connections the build needs (source repository, image registry, package mirrors); no inbound rules are required, since nothing connects into the build container.
Environment Variables
Environment Variables in Build Environments: https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html
Values stored as plaintext environment variables are visible to anyone who can read the project configuration; sensitive values belong in the PARAMETER_STORE variable type rather than in plaintext.
Build Specification
How the Build is Triggered
The build can be triggered manually from the console: Code Build -> Build projects -> select the project -> Start Build.
The build can be triggered programmatically. How?
The build can be triggered by a repository push. How?
The build produces a container image and pushes it into a Docker repository. How about deploying it in ECS?
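An added example (not from the page) for the programmatic and repository-push triggers listed above: shell functions around the AWS CLI that start a build by project name and that create a webhook whose filter group restricts builds to pushes on one branch. Project and branch names are placeholders, and create_push_webhook assumes the project's source is a GitHub or Bitbucket repository that CodeBuild has been authorized to manage webhooks for.

```shell
#!/bin/sh
# Added example, not from the wiki page: the two non-manual ways to start a
# build. Project and branch names are placeholders; create_push_webhook
# assumes a GitHub or Bitbucket source that CodeBuild may manage webhooks
# for. Requires the AWS CLI and credentials for everything but the demo.

# Programmatic trigger. Prints the build id so a caller can poll
# "aws codebuild batch-get-builds --ids <id>" for the outcome.
# Usage: start_build PROJECT [SOURCE_VERSION]
start_build() {
    project="$1"; version="${2:-}"
    if [ -n "$version" ]; then
        aws codebuild start-build --project-name "$project" \
            --source-version "$version" --query 'build.id' --output text
    else
        aws codebuild start-build --project-name "$project" \
            --query 'build.id' --output text
    fi
}

# Webhook filter: only PUSH events to the given branch start a build.
# Without a filter every push the repository reports runs that commit's
# buildspec under the project's service role, so narrow it deliberately.
# Usage: push_filter_groups BRANCH
push_filter_groups() {
    branch="$1"
    cat <<EOF
[
  [
    { "type": "EVENT", "pattern": "PUSH" },
    { "type": "HEAD_REF", "pattern": "^refs/heads/${branch}\$" }
  ]
]
EOF
}

# Repository-push trigger.
# Usage: create_push_webhook PROJECT BRANCH
create_push_webhook() {
    aws codebuild create-webhook \
        --project-name "$1" \
        --filter-groups "$(push_filter_groups "$2")"
}

# Demo run with placeholder values: print the filter group for "main".
push_filter_groups main
```

Because the buildspec is read from the repository at the triggering commit, whoever can get a matching ref pushed decides what runs under the service role; the filter group is therefore part of the project's security boundary, not just a convenience.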
CodeBuild Operations
Organizatorium
- Where is the project actually built? What resources? Relationship to VPC.