diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 41c1baa..bed3c96 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,4 +1,14 @@
 # Use this file to define individuals or teams that are responsible for code in a repository.
 # Read more: 
+#
+# Order is important: the last matching pattern takes the most precedence
 
-* @cloudposse/engineering
\ No newline at end of file
+# These owners will be the default owners for everything
+* @cloudposse/engineering @cloudposse/contributors
+
+# Cloud Posse must review any changes to Makefiles
+**/Makefile @cloudposse/engineering
+**/Makefile.* @cloudposse/engineering
+
+# Cloud Posse must review any changes to GitHub actions
+.github/* @cloudposse/engineering
diff --git a/README.md b/README.md
index c5e9481..b91a5e3 100644
--- a/README.md
+++ b/README.md
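Review bot: The new `.github/* @cloudposse/engineering` rule does not cover GitHub Actions workflows, because in CODEOWNERS a trailing `/*` matches only files directly inside `.github/` and not nested paths such as `.github/workflows/`. Workflow files therefore fall through to the default rule added above it, where `@cloudposse/contributors` can also satisfy the review, which contradicts the comment "Cloud Posse must review any changes to GitHub actions". Change the pattern to `.github/ @cloudposse/engineering` (or `.github/** @cloudposse/engineering`) so the whole tree, workflows included, requires an engineering review. Keep in mind that CODEOWNERS only gates merges when branch protection requires code-owner review, which this diff does not show.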
@@ -143,50 +143,79 @@ Available targets: lint Lint terraform code ``` +## Requirements + +| Name | Version | +|------|---------| +| terraform | ~> 0.12.0 | +| aws | ~> 2.0 | +| local | ~> 1.2 | +| null | ~> 2.0 | +| random | ~> 2.1 | +| template | ~> 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| aws | ~> 2.0 | +| random | ~> 2.1 | + ## Inputs | Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| artifact_type | The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO_ARTIFACTS or S3 | string | `CODEPIPELINE` | no | -| attributes | Additional attributes (e.g. `policy` or `role`) | list(string) | `` | no | -| aws_account_id | (Optional) AWS Account ID. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `` | no | -| aws_region | (Optional) AWS Region, e.g. us-east-1. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `` | no | -| badge_enabled | Generates a publicly-accessible URL for the projects build badge. Available as badge_url attribute when enabled | bool | `false` | no | -| build_compute_type | Instance type of the build instance | string | `BUILD_GENERAL1_SMALL` | no | -| build_image | Docker image for build environment, e.g. 'aws/codebuild/standard:2.0' or 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html | string | `aws/codebuild/standard:2.0` | no | -| build_timeout | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | string | `60` | no | -| build_type | The type of build environment, e.g. 
'LINUX_CONTAINER' or 'WINDOWS_CONTAINER' | string | `LINUX_CONTAINER` | no | -| buildspec | Optional buildspec declaration to use for building the project | string | `` | no | -| cache_bucket_suffix_enabled | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache_type is 'S3 | bool | `true` | no | -| cache_expiration_days | How many days should the build cache be kept. It only works when cache_type is 'S3' | string | `7` | no | -| cache_type | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, and S3. Defaults to NO_CACHE. If cache_type is S3, it will create an S3 bucket for storing codebuild cache inside | string | `NO_CACHE` | no | -| delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. | string | `-` | no | -| enabled | A boolean to enable/disable resource creation | bool | `true` | no | -| environment_variables | A list of maps, that contain both the key 'name' and the key 'value' to be used as additional environment variables for the build | object | `` | no | -| github_token | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | string | `` | no | -| image_repo_name | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `UNSET` | no | -| image_tag | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `latest` | no | -| local_cache_modes | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. 
Valid values: LOCAL_SOURCE_CACHE, LOCAL_DOCKER_LAYER_CACHE, and LOCAL_CUSTOM_CACHE | list(string) | `` | no | -| name | Solution name, e.g. 'app' or 'jenkins' | string | - | yes | -| namespace | Namespace, which could be your organization name, e.g. 'eg' or 'cp' | string | `` | no | -| privileged_mode | (Optional) If set to true, enables running the Docker daemon inside a Docker container on the CodeBuild instance. Used when building Docker images | bool | `false` | no | -| report_build_status | Set to true to report the status of a build's start and finish to your source provider. This option is only valid when the source_type is BITBUCKET or GITHUB | bool | `false` | no | -| source_location | The location of the source code from git or s3 | string | `` | no | -| source_type | The type of repository that contains the source code to be built. Valid values for this parameter are: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB_ENTERPRISE, BITBUCKET or S3 | string | `CODEPIPELINE` | no | -| stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | string | `` | no | -| tags | Additional tags (e.g. `map('BusinessUnit', 'XYZ')` | map(string) | `` | no | +|------|-------------|------|---------|:--------:| +| artifact\_type | The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO\_ARTIFACTS or S3 | `string` | `"CODEPIPELINE"` | no | +| attributes | Additional attributes (e.g. `policy` or `role`) | `list(string)` | `[]` | no | +| aws\_account\_id | (Optional) AWS Account ID. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | +| aws\_region | (Optional) AWS Region, e.g. us-east-1. Used as CodeBuild ENV variable when building Docker images. 
For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | +| badge\_enabled | Generates a publicly-accessible URL for the projects build badge. Available as badge\_url attribute when enabled | `bool` | `false` | no | +| build\_compute\_type | Instance type of the build instance | `string` | `"BUILD_GENERAL1_SMALL"` | no | +| build\_image | Docker image for build environment, e.g. 'aws/codebuild/standard:2.0' or 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html | `string` | `"aws/codebuild/standard:2.0"` | no | +| build\_timeout | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | `number` | `60` | no | +| build\_type | The type of build environment, e.g. 'LINUX\_CONTAINER' or 'WINDOWS\_CONTAINER' | `string` | `"LINUX_CONTAINER"` | no | +| buildspec | Optional buildspec declaration to use for building the project | `string` | `""` | no | +| cache\_bucket\_suffix\_enabled | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3 | `bool` | `true` | no | +| cache\_expiration\_days | How many days should the build cache be kept. It only works when cache\_type is 'S3' | `number` | `7` | no | +| cache\_type | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to NO\_CACHE. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"NO_CACHE"` | no | +| delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. 
| `string` | `"-"` | no | +| enabled | A boolean to enable/disable resource creation | `bool` | `true` | no | +| environment\_variables | A list of maps, that contain both the key 'name' and the key 'value' to be used as additional environment variables for the build | list(object( { name = string value = string })) | [ { "name": "NO_ADDITIONAL_BUILD_VARS", "value": "TRUE" }] | no | +| extra\_permissions | List of action strings which will be added to IAM service account permissions. | `list` | `[]` | no | +| fetch\_git\_submodules | If set to true, fetches Git submodules for the AWS CodeBuild build project. | `bool` | `false` | no | +| git\_clone\_depth | Truncate git history to this many commits. | `number` | `null` | no | +| github\_token | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | +| image\_repo\_name | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | +| image\_tag | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no | +| local\_cache\_modes | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL\_SOURCE\_CACHE, LOCAL\_DOCKER\_LAYER\_CACHE, and LOCAL\_CUSTOM\_CACHE | `list(string)` | `[]` | no | +| logs\_config | Configuration for the builds to store log data to CloudWatch or S3. | `any` | `{}` | no | +| name | Solution name, e.g. 'app' or 'jenkins' | `string` | n/a | yes | +| namespace | Namespace, which could be your organization name, e.g. 
'eg' or 'cp' | `string` | `""` | no | +| private\_repository | Set to true to login into private repository with credentials supplied in source\_credential variable. | `bool` | `false` | no | +| privileged\_mode | (Optional) If set to true, enables running the Docker daemon inside a Docker container on the CodeBuild instance. Used when building Docker images | `bool` | `false` | no | +| report\_build\_status | Set to true to report the status of a build's start and finish to your source provider. This option is only valid when the source\_type is BITBUCKET or GITHUB | `bool` | `false` | no | +| source\_credential\_auth\_type | The type of authentication used to connect to a GitHub, GitHub Enterprise, or Bitbucket repository. | `string` | `"PERSONAL_ACCESS_TOKEN"` | no | +| source\_credential\_server\_type | The source provider used for this project. | `string` | `"GITHUB"` | no | +| source\_credential\_token | For GitHub or GitHub Enterprise, this is the personal access token. For Bitbucket, this is the app password. | `string` | `""` | no | +| source\_credential\_user\_name | The Bitbucket username when the authType is BASIC\_AUTH. This parameter is not valid for other types of source providers or connections. | `string` | `""` | no | +| source\_location | The location of the source code from git or s3 | `string` | `""` | no | +| source\_type | The type of repository that contains the source code to be built. Valid values for this parameter are: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB\_ENTERPRISE, BITBUCKET or S3 | `string` | `"CODEPIPELINE"` | no | +| source\_version | A version of the build input to be built for this project. If not specified, the latest version is used. | `string` | `""` | no | +| stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | `string` | `""` | no | +| tags | Additional tags (e.g. `map('BusinessUnit', 'XYZ')` | `map(string)` | `{}` | no | +| vpc\_config | Configuration for the builds to run inside a VPC. 
| `any` | `{}` | no | ## Outputs | Name | Description | |------|-------------| -| badge_url | The URL of the build badge when badge_enabled is enabled | -| cache_bucket_arn | Cache S3 bucket ARN | -| cache_bucket_name | Cache S3 bucket name | -| project_id | Project ID | -| project_name | Project name | -| role_arn | IAM Role ARN | -| role_id | IAM Role ID | +| badge\_url | The URL of the build badge when badge\_enabled is enabled | +| cache\_bucket\_arn | Cache S3 bucket ARN | +| cache\_bucket\_name | Cache S3 bucket name | +| project\_id | Project ID | +| project\_name | Project name | +| role\_arn | IAM Role ARN | +| role\_id | IAM Role ID | @@ -332,8 +361,8 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply ### Contributors -| [![Erik Osterman][osterman_avatar]][osterman_homepage][Erik Osterman][osterman_homepage] | [![Igor Rodionov][goruha_avatar]][goruha_homepage][Igor Rodionov][goruha_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage][Andriy Knysh][aknysh_homepage] | [![Jamie Nelson][Jamie-BitfFlight_avatar]][Jamie-BitfFlight_homepage][Jamie Nelson][Jamie-BitfFlight_homepage] | [![Sarkis Varozian][sarkis_avatar]][sarkis_homepage][Sarkis Varozian][sarkis_homepage] | -|---|---|---|---|---| +| [![Erik Osterman][osterman_avatar]][osterman_homepage][Erik Osterman][osterman_homepage] | [![Igor Rodionov][goruha_avatar]][goruha_homepage][Igor Rodionov][goruha_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage][Andriy Knysh][aknysh_homepage] | [![Jamie Nelson][Jamie-BitfFlight_avatar]][Jamie-BitfFlight_homepage][Jamie Nelson][Jamie-BitfFlight_homepage] | [![Sarkis Varozian][sarkis_avatar]][sarkis_homepage][Sarkis Varozian][sarkis_homepage] | [![Bircan Bilici][brcnblc_avatar]][brcnblc_homepage][Bircan Bilici][brcnblc_homepage] | +|---|---|---|---|---|---| [osterman_homepage]: https://github.com/osterman [osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png 
@@ -345,6 +374,8 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply [Jamie-BitfFlight_avatar]: https://img.cloudposse.com/150x150/https://github.com/Jamie-BitfFlight.png [sarkis_homepage]: https://github.com/sarkis [sarkis_avatar]: https://img.cloudposse.com/150x150/https://github.com/sarkis.png + [brcnblc_homepage]: https://github.com/brcnblc + [brcnblc_avatar]: https://img.cloudposse.com/150x150/https://github.com/brcnblc.png [![README Footer][readme_footer_img]][readme_footer_link] [![Beacon][beacon]][website] diff --git a/README.yaml b/README.yaml index 24fda3b..5f7fdbf 100644 --- a/README.yaml +++ b/README.yaml @@ -81,3 +81,5 @@ contributors: github: Jamie-BitfFlight - name: Sarkis Varozian github: sarkis +- name: Bircan Bilici + github: brcnblc diff --git a/docs/terraform.md b/docs/terraform.md index a6e4c3b..cd7fc02 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -1,45 +1,74 @@ +## Requirements + +| Name | Version | +|------|---------| +| terraform | ~> 0.12.0 | +| aws | ~> 2.0 | +| local | ~> 1.2 | +| null | ~> 2.0 | +| random | ~> 2.1 | +| template | ~> 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| aws | ~> 2.0 | +| random | ~> 2.1 | + ## Inputs | Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| artifact_type | The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO_ARTIFACTS or S3 | string | `CODEPIPELINE` | no | -| attributes | Additional attributes (e.g. `policy` or `role`) | list(string) | `` | no | -| aws_account_id | (Optional) AWS Account ID. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `` | no | -| aws_region | (Optional) AWS Region, e.g. us-east-1. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `` | no | -| badge_enabled | Generates a publicly-accessible URL for the projects build badge. Available as badge_url attribute when enabled | bool | `false` | no | -| build_compute_type | Instance type of the build instance | string | `BUILD_GENERAL1_SMALL` | no | -| build_image | Docker image for build environment, e.g. 'aws/codebuild/standard:2.0' or 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html | string | `aws/codebuild/standard:2.0` | no | -| build_timeout | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | string | `60` | no | -| build_type | The type of build environment, e.g. 
'LINUX_CONTAINER' or 'WINDOWS_CONTAINER' | string | `LINUX_CONTAINER` | no | -| buildspec | Optional buildspec declaration to use for building the project | string | `` | no | -| cache_bucket_suffix_enabled | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache_type is 'S3 | bool | `true` | no | -| cache_expiration_days | How many days should the build cache be kept. It only works when cache_type is 'S3' | string | `7` | no | -| cache_type | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, and S3. Defaults to NO_CACHE. If cache_type is S3, it will create an S3 bucket for storing codebuild cache inside | string | `NO_CACHE` | no | -| delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. | string | `-` | no | -| enabled | A boolean to enable/disable resource creation | bool | `true` | no | -| environment_variables | A list of maps, that contain both the key 'name' and the key 'value' to be used as additional environment variables for the build | object | `` | no | -| github_token | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | string | `` | no | -| image_repo_name | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `UNSET` | no | -| image_tag | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `latest` | no | -| local_cache_modes | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. 
Valid values: LOCAL_SOURCE_CACHE, LOCAL_DOCKER_LAYER_CACHE, and LOCAL_CUSTOM_CACHE | list(string) | `` | no | -| name | Solution name, e.g. 'app' or 'jenkins' | string | - | yes | -| namespace | Namespace, which could be your organization name, e.g. 'eg' or 'cp' | string | `` | no | -| privileged_mode | (Optional) If set to true, enables running the Docker daemon inside a Docker container on the CodeBuild instance. Used when building Docker images | bool | `false` | no | -| report_build_status | Set to true to report the status of a build's start and finish to your source provider. This option is only valid when the source_type is BITBUCKET or GITHUB | bool | `false` | no | -| source_location | The location of the source code from git or s3 | string | `` | no | -| source_type | The type of repository that contains the source code to be built. Valid values for this parameter are: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB_ENTERPRISE, BITBUCKET or S3 | string | `CODEPIPELINE` | no | -| stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | string | `` | no | -| tags | Additional tags (e.g. `map('BusinessUnit', 'XYZ')` | map(string) | `` | no | +|------|-------------|------|---------|:--------:| +| artifact\_type | The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO\_ARTIFACTS or S3 | `string` | `"CODEPIPELINE"` | no | +| attributes | Additional attributes (e.g. `policy` or `role`) | `list(string)` | `[]` | no | +| aws\_account\_id | (Optional) AWS Account ID. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | +| aws\_region | (Optional) AWS Region, e.g. us-east-1. Used as CodeBuild ENV variable when building Docker images. 
For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | +| badge\_enabled | Generates a publicly-accessible URL for the projects build badge. Available as badge\_url attribute when enabled | `bool` | `false` | no | +| build\_compute\_type | Instance type of the build instance | `string` | `"BUILD_GENERAL1_SMALL"` | no | +| build\_image | Docker image for build environment, e.g. 'aws/codebuild/standard:2.0' or 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html | `string` | `"aws/codebuild/standard:2.0"` | no | +| build\_timeout | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | `number` | `60` | no | +| build\_type | The type of build environment, e.g. 'LINUX\_CONTAINER' or 'WINDOWS\_CONTAINER' | `string` | `"LINUX_CONTAINER"` | no | +| buildspec | Optional buildspec declaration to use for building the project | `string` | `""` | no | +| cache\_bucket\_suffix\_enabled | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3 | `bool` | `true` | no | +| cache\_expiration\_days | How many days should the build cache be kept. It only works when cache\_type is 'S3' | `number` | `7` | no | +| cache\_type | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to NO\_CACHE. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"NO_CACHE"` | no | +| delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. 
| `string` | `"-"` | no | +| enabled | A boolean to enable/disable resource creation | `bool` | `true` | no | +| environment\_variables | A list of maps, that contain both the key 'name' and the key 'value' to be used as additional environment variables for the build | list(object( { name = string value = string })) | [ { "name": "NO_ADDITIONAL_BUILD_VARS", "value": "TRUE" }] | no | +| extra\_permissions | List of action strings which will be added to IAM service account permissions. | `list` | `[]` | no | +| fetch\_git\_submodules | If set to true, fetches Git submodules for the AWS CodeBuild build project. | `bool` | `false` | no | +| git\_clone\_depth | Truncate git history to this many commits. | `number` | `null` | no | +| github\_token | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | +| image\_repo\_name | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | +| image\_tag | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no | +| local\_cache\_modes | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL\_SOURCE\_CACHE, LOCAL\_DOCKER\_LAYER\_CACHE, and LOCAL\_CUSTOM\_CACHE | `list(string)` | `[]` | no | +| logs\_config | Configuration for the builds to store log data to CloudWatch or S3. | `any` | `{}` | no | +| name | Solution name, e.g. 'app' or 'jenkins' | `string` | n/a | yes | +| namespace | Namespace, which could be your organization name, e.g. 
'eg' or 'cp' | `string` | `""` | no | +| private\_repository | Set to true to login into private repository with credentials supplied in source\_credential variable. | `bool` | `false` | no | +| privileged\_mode | (Optional) If set to true, enables running the Docker daemon inside a Docker container on the CodeBuild instance. Used when building Docker images | `bool` | `false` | no | +| report\_build\_status | Set to true to report the status of a build's start and finish to your source provider. This option is only valid when the source\_type is BITBUCKET or GITHUB | `bool` | `false` | no | +| source\_credential\_auth\_type | The type of authentication used to connect to a GitHub, GitHub Enterprise, or Bitbucket repository. | `string` | `"PERSONAL_ACCESS_TOKEN"` | no | +| source\_credential\_server\_type | The source provider used for this project. | `string` | `"GITHUB"` | no | +| source\_credential\_token | For GitHub or GitHub Enterprise, this is the personal access token. For Bitbucket, this is the app password. | `string` | `""` | no | +| source\_credential\_user\_name | The Bitbucket username when the authType is BASIC\_AUTH. This parameter is not valid for other types of source providers or connections. | `string` | `""` | no | +| source\_location | The location of the source code from git or s3 | `string` | `""` | no | +| source\_type | The type of repository that contains the source code to be built. Valid values for this parameter are: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB\_ENTERPRISE, BITBUCKET or S3 | `string` | `"CODEPIPELINE"` | no | +| source\_version | A version of the build input to be built for this project. If not specified, the latest version is used. | `string` | `""` | no | +| stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | `string` | `""` | no | +| tags | Additional tags (e.g. `map('BusinessUnit', 'XYZ')` | `map(string)` | `{}` | no | +| vpc\_config | Configuration for the builds to run inside a VPC. 
| `any` | `{}` | no | ## Outputs | Name | Description | |------|-------------| -| badge_url | The URL of the build badge when badge_enabled is enabled | -| cache_bucket_arn | Cache S3 bucket ARN | -| cache_bucket_name | Cache S3 bucket name | -| project_id | Project ID | -| project_name | Project name | -| role_arn | IAM Role ARN | -| role_id | IAM Role ID | +| badge\_url | The URL of the build badge when badge\_enabled is enabled | +| cache\_bucket\_arn | Cache S3 bucket ARN | +| cache\_bucket\_name | Cache S3 bucket name | +| project\_id | Project ID | +| project\_name | Project name | +| role\_arn | IAM Role ARN | +| role\_id | IAM Role ID | diff --git a/examples/bitbucket/.gitignore b/examples/bitbucket/.gitignore new file mode 100644 index 0000000..04bda8c --- /dev/null +++ b/examples/bitbucket/.gitignore @@ -0,0 +1,7 @@ +# Compiled files +*.tfstate +*.tfstate.backup +.terraform.tfstate.lock.info +.terraform/ +*.log +build_out.json \ No newline at end of file diff --git a/examples/bitbucket/README.md b/examples/bitbucket/README.md new file mode 100644 index 0000000..f769d5c --- /dev/null +++ b/examples/bitbucket/README.md 
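Review bot: `build.auto.tfvars.json` is missing from the ignore list even though the example README in this commit tells users to edit that file and fill in `source_credential_user_name` and `source_credential_token`, which the module's input table describes as the Bitbucket app password. Since the same commit also tracks that file, a user who follows the instructions will have a real credential staged for commit by default. Add `build.auto.tfvars.json` here and ship the placeholder values under a different, tracked name such as `build.auto.tfvars.json.example`, or document passing the secret through the `TF_VAR_source_credential_token` environment variable instead. The `*.tfstate` entries already cover the state file, which will presumably hold the same token in plaintext once applied.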
@@ -0,0 +1,148 @@ +### Sample Terraform AWS CodeBuild Application for Bitbucket Private Repository ### + +This application creates AWS ECR repository and AWS `CodeBuild` project, in specified region `aws_region` for specified profile `àws_profile`. + +Inputs are supplied from `build.auto.tfvars.json` automatically. + +#### Install #### +* AWS Client +https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-mac.html + +(Note:Version 1 is also acceptable) + +* CW Log Application +**cw** log application should be installed for proper use. (https://github.com/lucagrulla/cw) + +Thanks to [lucagrulla](https://github.com/lucagrulla) for this nice logging application. AWS Cli (even in version 2.0) does not support tail to single log stream in a log group where [cw](https://github.com/lucagrulla/cw) does. + +``` +brew tap lucagrulla/tap +brew install cw +``` +#### Configure Your Repository #### +* You need a properly configured and locally tested `Dockerfile`. + +named as `Dockerfile` and located in the root folder of your application. +File name: `Dockerfile` +```docker +FROM node:current-slim +WORKDIR /usr/src/app +COPY . . +RUN npm install +EXPOSE 3000 +CMD [ "npm", "start"] +``` + +* Run `docker build . -t sample-app:latest`to test your docker build locally. + +* You need to place the following `YAML` file into your application root folder.(Ex: Where package.json is located) (You can find the sample file in example folder) + +Sample `builspec.yml` +```yaml +version: 0.2 + +phases: + pre_build: + commands: + - echo Logging in to Amazon ECR... + - $(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION) + build: + commands: + - echo Build started on `date` + - echo Building the Docker image... + - docker build -t $IMAGE_REPO_NAME:$IMAGE_TAG . 
+ - docker tag $IMAGE_REPO_NAME:$IMAGE_TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG + post_build: + commands: + - echo Build completed on `date` + - echo Pushing the Docker image... + - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG +``` + + +#### RUN #### +``` +terraform apply +``` + +Enter `yes`in command prompt to approve deployment. + + +After deployment of the environment is complete, a provisioner runs `start-build.sh` script. This script runs the `CodeBuild` project, finds the related `CloudWatch` Log Stream and tails to it, so that logs are viewed in `Terraform` output. + +#### Inputs #### + +Edit following fields in `build.auto.tfvars.json` +```json +{ + "aws_region":"eu-central-1", + "aws_profile":"default", + "namespace": "feature", + "stage":"tests", + "repository_name":"sample-app", + "image_tag":"latest", + "source_credential_user_name":"", + "source_credential_token":"/.git", + "source_version": " + } +``` + +#### Contributors #### + +* Bircan Bilici + https://github.com/brcnblc \ No newline at end of file diff --git a/examples/bitbucket/build.auto.tfvars.json b/examples/bitbucket/build.auto.tfvars.json new file mode 100644 index 0000000..dfb4560 --- /dev/null +++ b/examples/bitbucket/build.auto.tfvars.json @@ -0,0 +1,44 @@ +{ + "aws_region":"eu-central-1", + "aws_profile":"default", + "namespace": "feature", + "stage":"tests", + "repository_name":"sample-app", + "image_tag":"latest", + "privileged_mode":true, + "private_repository": true, + "source_type": "BITBUCKET", + "source_credential_auth_type": "BASIC_AUTH", + "source_credential_server_type": "BITBUCKET", + "source_credential_user_name":"", + "source_credential_token":"/.git", + "source_version": " + } + + depends_on = [module.build, aws_ecr_repository.ecr_repo] +} \ No newline at end of file 
diff --git a/examples/bitbucket/outputs.tf b/examples/bitbucket/outputs.tf
new file mode 100644
index 0000000..339efd4
--- /dev/null
+++ b/examples/bitbucket/outputs.tf
@@ -0,0 +1,71 @@
+# Codebuild
+output "project_name" {
+ description = "Project name"
+ value = module.build.project_name
+}
+
+output "project_id" {
+ description = "Project ID"
+ value = module.build.project_id
+}
+
+output "role_id" {
+ description = "IAM Role ID"
+ value = module.build.role_id
+}
+
+output "role_arn" {
+ description = "IAM Role ARN"
+ value = module.build.role_arn
+}
+
+output "cache_bucket_name" {
+ description = "Cache S3 bucket name"
+ value = module.build.cache_bucket_name
+}
+
+output "cache_bucket_arn" {
+ description = "Cache S3 bucket ARN"
+ value = module.build.cache_bucket_arn
+}
+
+output "badge_url" {
+ description = "The URL of the build badge when badge_enabled is enabled"
+ value = module.build.badge_url
+}
+
+# ECR
+
+output "repository_arn" {
+ # Full ARN of the repository.
+ value = aws_ecr_repository.ecr_repo.arn
+}
+
+output "repository_image_full_name_tag" {
+ # The full name of the container image as docker style "name:tag".
+ value = "${aws_ecr_repository.ecr_repo.repository_url}:${local.image_tag}"
+
+}
+
+output "repository_name" {
+ # The name of the repository.
+ value = aws_ecr_repository.ecr_repo.name
+}
+
+output "repository_name_tag" {
+ # The tag of the container image.
+ value = local.image_tag
+}
+
+output "registry_id" {
+ # The registry ID where the repository was created.
+ value = aws_ecr_repository.ecr_repo.registry_id
+}
+
+output "repository_url" {
+ # The URL of the repository (in the form aws_account_id.dkr.ecr.region.amazonaws.com/repositoryName).
+ value = aws_ecr_repository.ecr_repo.repository_url
+}
+
+
+
diff --git a/examples/bitbucket/start-build.sh b/examples/bitbucket/start-build.sh
new file mode 100755
index 0000000..17d9921
--- /dev/null
+++ b/examples/bitbucket/start-build.sh
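Review bot: The six ECR outputs (`repository_arn` through `repository_url`) document themselves with `#` comments inside the block instead of the `description` attribute that the CodeBuild outputs at the top of the same file use, so the text is lost to doc generators such as terraform-docs, which appears to produce the input/output tables elsewhere in this commit. Promote each comment to the attribute, e.g. `description = "Full ARN of the repository."` in `repository_arn`, and drop the stray blank line before the closing brace of `repository_image_full_name_tag`. `local.image_tag` is referenced here but defined outside this file, presumably in the example's main.tf.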
@@ -0,0 +1,347 @@ +#!/bin/bash + +# MIT Licence - Copyright (c) 2020 Bircan Bilici - Run at Scale +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: + +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. +# + + +# capture an interrupt # 0 +trap '[ ! -z "$job_id" ] && kill -9 $job_id' EXIT + +# colors +RED='\033[0;31m' +GREEN='\033[0;32m' +BLUE='\033[0;34m' +NC='\033[0m' # No Color + +# Help +if [[ -z $1 || $1 == "help" || $1 == "--help" || $1 == "-h" ]] + then + echo + echo -e "${GREEN} ----------- AWS Codebuild Provisioning. Start Build and tail to Log Stream. ----------- ${NC} " + echo + echo -e "${RED} Basic Usage:${NC} ./start-build.bash " + echo + echo -e "${RED} With Optional Parameters:${NC} ./start-build.bash " + echo + echo -e "${RED} Parameter Definitions${NC} " + echo + echo -e "${GREEN} codebuild-project-name ${NC} : The name of the codebuild project. (Required)" + echo + echo -e "${GREEN} aws-profile ${NC} : AWS profile name in aws credentials file. 
(Optional)" + echo + echo -e "${GREEN} aws-region ${NC} : AWS region to be passed into external program calls. (Optional)" + echo + echo -e "${GREEN} print-dots ${NC} : Use 'print-dots' phrase to print dots on every sleep interval. Default active if not specified. " + echo + echo -e "${GREEN} initial-timeout ${NC} : Number in seconds. If log stream is never updated within time interval specified in this parameter, script will terminate. Default is 60 seconds. It takes about 40-50 seconds for first data stream to come." + echo + echo -e "${GREEN} update-timeout ${NC} : Number in seconds. If log stream is not recieved after last update exceeding update-timeout interval, script will terminate. Default is 60 seconds." + echo + echo -e "${GREEN} sleep-interval ${NC} : Number in seconds. Waiting period in each cyle. Default value is 1 second." + echo + echo -e "${GREEN} init-wait-time ${NC} : Number in seconds. Initial wait time to let codebuild prepare log groups.Default is 10 seconds." + echo + echo -e "${GREEN} max-log-retry ${NC} : Maximum number of retry count for log stream creation. Default is 6 ." + echo + echo -e "${RED} Note :${NC} Use 'na' phrase to bypass an argument." + echo + echo " ---------------------------------------------------------------" + echo -e "${RED} github: ${BLUE}https://github.com/brcnblc ${NC}" + echo + echo -e "${RED} Licence${NC} : Copyright (c) 2020 Bircan Bilici - Run at Scale - See source code for details." + echo + exit 1 +fi + + +# Check if cw is installed - Thnks to Luca Grulla (https://github.com/lucagrulla/cw) +echo Checking cw version +cw --version +if [[ $? != 0 ]] + then + echo -e "${RED}cw is not installed - ${BLUE}https://github.com/lucagrulla/cw" + echo -e "${NC}Type following to install cw:" + echo -e "${GREEN}brew tap lucagrulla/tap" + echo -e "${GREEN}brew install cw" + echo -e "${NC} " + echo Exiting script. 
+ exit 1 + fi + +# Stop on error +set -e + +# Argument default values +project_name=$1 +arg=$2;if [[ $arg != "na" && ! -z $arg ]];then aws_profile="$arg";fi; +arg=$3;if [[ $arg != "na" && ! -z $arg ]];then aws_region="$arg";fi; +arg=$4;if [[ $arg == "print-dots" || -z $arg ]];then dots=true;fi; + +declare -i init_timeout="${5:-60}" +declare -i update_timeout="${6:-60}" +declare -i sleep_interval="${7:-10}" +declare -i init_wait_time="${8:-10}" +declare -i max_log_retry="${9:-6}" + +echo +echo "Project Name: "$project_name +echo "Aws Profile: "$aws_profile +echo "Aws Region: "$aws_region +echo -n "Print dots: "; if [[ $dots ]];then echo "true";else echo "false";fi +echo "Initial Timeout: "$init_timeout +echo "Update Timeout: "$update_timeout +echo "Sleep Interwal: "$sleep_interval +echo "Initial Wait time: "$init_wait_time +echo "Max Log Retry: "$max_log_retry + +# Completion criteria +complete_phrase="Phase complete: POST_BUILD" +success_phrase="Phase complete: POST_BUILD State: SUCCEEDED" + +# Stream file to be created and evaluated by the script +log_file="stream.log" + +# --------------------------------------- + +# Starting info +echo Starting to build $project_name + +# Prepare arguments +if [[ $aws_profile ]];then aws_profile_arg="--profile $aws_profile";fi +if [[ $aws_region ]];then aws_region_arg="--region $aws_region";fi + +function getStatus(){ + build_info=$(aws codebuild batch-get-builds --ids $build_id | jq .builds[0]) + + Phases=$(echo $build_info | jq .phases) + PhaseStatuses=$(echo $Phases | jq '.[] | {(.phaseType):(.phaseStatus)}' | jq -s add) + + if [[ $(echo $PhaseStatuses | grep -p "\"COMPLETED\": null") != "" ]];then BatchCompleted=true;fi + if [[ $(echo $PhaseStatuses | grep -p "\"POST_BUILD\": \"SUCCEEDED\"") != "" ]];then BatchSucceeded=true;fi + +} + +# Run build command +build_id=$(aws codebuild start-build --project-name $project_name $aws_profile_arg $aws_region_arg | jq .build.id | sed s/\"//g) +echo build_id=$build_id + +# Wait for 
Provisioning +set +e +while true +do + +# Get status +getStatus +echo $PhaseStatuses | jq . + +ProvisioningPhase=$(echo $Phases | jq '.[] | select( .phaseType | contains("PROVISIONING"))' ) +ProvisioningStatus=$(echo $ProvisioningPhase | jq .phaseStatus | sed s/\"//g) + +echo ProvisioningStatus=$ProvisioningStatus + +if [[ $ProvisioningStatus == "SUCCEEDED" ]] +then + break +fi + +if [[ $(echo $ProvisioningStatus | grep "ERROR") != "" || $BatchCompleted == true ]] +then + statusCode=$(echo $ProvisioningPhase | jq .contexts[0].statusCode | sed s/\"//g) + errorMessage=$(echo $ProvisioningPhase | jq .contexts[0].message) + + # Try again if it gives "ACCESS_DENIED", in the very first deployment of build project + findInMessage=$(echo $errorMessage | grep "does not allow AWS CodeBuild to create Amazon CloudWatch Logs log streams for build") + + if [[ $statusCode == "ACCESS_DENIED" && $findInMessage != "" && $retryCount < 2 ]] + then + retryCount=$(($retryCount + 1)) + echo Access Denied error. + echo Echo Retrying Build within 15 seconds... + echo Retry: $retryCount + echo "Waiting for 10 seconds" + sleep 15 + # Run build command + build_id=$(aws codebuild start-build --project-name $project_name $aws_profile_arg $aws_region_arg | jq .build.id | sed s/\"//g) + echo new build id=$build_id + BatchCompleted="" + else + echo -e "${RED}Error: $statusCode${NC}" + echo -e "${RED}$errorMessage${NC}" + exit 1 + fi + +fi +echo "Provisioning still continues, Waiting for 15 seconds and retrying..." 
+sleep 15 +done +set -e +# End of provisioning + +# Extract Log Arn +cloudWatchLogsArn=$(echo $build_info | jq .logs.cloudWatchLogsArn) +echo cloudWatchLogsArn=$cloudWatchLogsArn + +# Extract group +log_group=/aws/codebuild/$(echo $build_id | cut -d ":" -f 1) + +# Extract stream +stream=$(echo $build_id | cut -d ":" -f 2) + +# Concat +log_group_stream=$log_group:$stream + +echo Log Id: $log_group_stream + +# Clear file +if [ -f "$log_file" ]; then rm $log_file;fi +touch $log_file + +# Wait for initialization +declare -i log_retry_count=0 +while [ $log_retry_count -lt $max_log_retry ] +do + log_retry_count=$((log_retry_count+1)) + echo "Try count: $log_retry_count" + echo "Checking log_group $log_group" + + # Check if Log group exists + if [[ $(cw ls groups | grep -p "$log_group$") != "" ]] + then + log_group_exists=true + echo -e "${GREEN}Log group exists.${NC}" + echo "Checking stream $stream" + if [[ $(cw ls streams $log_group | grep -p "$stream$") != "" ]] + then + echo -e "${GREEN}Log stream exists.${NC}" + log_stream_exists=true + else + echo -e "${RED}Log stream does not exist.${NC}" + fi + else + echo -e "${RED}Log group does not exist.${NC}" + fi + + if [ $log_stream_exists ] + then + break + else + if [ $log_retry_count -lt $max_log_retry ] + then + echo "Wait for stream, trying in $init_wait_time seconds." + else + echo + echo -e "${RED}Error: Couldn't find log stream. Exiting.${NC}" + exit 1 + fi + fi + + sleep $init_wait_time +done + +# Attach cw process to background, direct stdout to log file +cw tail -f $aws_profile_arg $aws_region_arg $log_group_stream > $log_file 2>&1 & + +# Get Job Id +job_id=$! + +echo Job: $job_id + +sleep 1 + +declare -i lines=0 +declare -i linesold=0 +declare -i elapsedtime=0 +logupdated=false + +echo "Waiting for first log update. 
" + +while : +do + linesold=$lines + lines=$(wc -l $log_file | awk '{ print $1 }') + + if [[ $linesold != $lines ]] + then + echo + awk -v linesold=$linesold 'NR > linesold' $log_file | sed '/^$/d' + elapsedtime=0 + logupdated=true + + # Evaluate completion and exit on complete + if [[ -f $log_file ]] && [[ ! -z $complete_phrase ]] && [[ ! -z $success_phrase ]] + then + if [[ $(grep "$complete_phrase" "$log_file") ]] + then + if [[ $(grep "$success_phrase" "$log_file") ]] + then + echo + echo -e "${GREEN}Success: Build completed succesfully.${NC} " + exit 0 + else + echo + echo -e "${RED}Error: Build Failed.${NC} " + exit 1 + fi + fi + fi + fi + + + # Wait for each cycle + sleep $sleep_interval + + # Exit if timeout occurs + elapsedtime+=$sleep_interval + + if [[ $logupdated == true ]] + then + if [[ $elapsedtime -gt $update_timeout ]]; then echo;echo Log Update Timeout;echo Error: Build failed.;exit 1; fi + else + if [[ $elapsedtime -gt $init_timeout ]]; then echo;echo Init Timeout;echo Error: Build failed.;exit 1; fi + fi + + # Print Dots and seconds + if [[ $dots ]] + then + if [[ $(($elapsedtime % 10)) -eq 0 ]] + then + echo -n $elapsedtime + else + echo -n . + fi + fi + + # check job status + getStatus + echo + if [[ $BatchCompleted == true && $BatchSucceeded != true ]] + then + exitBatchCounter=$(($exitBatchCounter + 1)) + fi + + if [[ $exitBatchCounter > 2 ]] + then + echo -e "${RED}Job Terminated Unexpectedly!${NC}" + echo $PhaseStatuses | jq . + exit 1 + fi +done + diff --git a/examples/bitbucket/variables.tf b/examples/bitbucket/variables.tf new file mode 100644 index 0000000..683faa7 --- /dev/null +++ b/examples/bitbucket/variables.tf 
@@ -0,0 +1,300 @@ + +variable "aws_profile" { + type = string + default = "" + description = "(Optional) AWS Profile name as used in AWS credentials file." +} + +# ECR Vars +variable "repository_name" { + description = "Name of the ECR repository" + type = string + default = "" +} + +variable "image_tag_mutability" { + description = "The tag mutability setting for the repository.Must be one of MUTABLE or IMMUTABLE." + type = string + default = "MUTABLE" +} + +variable "scan_on_push" { + description = "Indicates whether images are scanned after being pushed to the repository (true) or not scanned (false)." + type = bool + default = true +} + +variable "life_cycle_policy" { + description = "Enables lifecycle policy" + type = bool + default = true +} + +variable "keep_tagged_last_n_images" { + description = "Keeps only n number of images in the repository." + type = number + default = 30 +} + +variable "tagPrefixList" { + description = "Selection criteria for tagged images lifecycle policy." + type = list(string) + default = ["v"] +} + +variable "expire_untagged_older_than_n_days" { + description = "Deletes untagged images older than n days." + type = number + default = 15 +} + +variable "run_build_token" { + description = "Change it to initiate run." + type = string + default = "" +} + + +# build vars + +variable "namespace" { + type = string + default = "" + description = "Namespace, which could be your organization name, e.g. 'eg' or 'cp'" +} + +variable "stage" { + type = string + default = "" + description = "Stage, e.g. 
'prod', 'staging', 'dev', or 'test'" +} + +variable "environment_variables" { + type = list(object( + { + name = string + value = string + })) + + default = [ + { + name = "NO_ADDITIONAL_BUILD_VARS" + value = "TRUE" + }] + + description = "A list of maps, that contain both the key 'name' and the key 'value' to be used as additional environment variables for the build" +} + +variable "enabled" { + type = bool + default = true + description = "A boolean to enable/disable resource creation" +} + +variable "cache_expiration_days" { + default = 7 + description = "How many days should the build cache be kept. It only works when cache_type is 'S3'" +} + +variable "cache_bucket_suffix_enabled" { + type = bool + default = true + description = "The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache_type is 'S3" +} + +variable "cache_type" { + type = string + default = "NO_CACHE" + description = "The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, and S3. Defaults to NO_CACHE. If cache_type is S3, it will create an S3 bucket for storing codebuild cache inside" +} + +variable "local_cache_modes" { + type = list(string) + default = [] + description = "Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL_SOURCE_CACHE, LOCAL_DOCKER_LAYER_CACHE, and LOCAL_CUSTOM_CACHE" +} + +variable "badge_enabled" { + type = bool + default = false + description = "Generates a publicly-accessible URL for the projects build badge. Available as badge_url attribute when enabled" +} + +variable "build_image" { + type = string + default = "aws/codebuild/standard:2.0" + description = "Docker image for build environment, e.g. 'aws/codebuild/standard:2.0' or 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'. 
For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html" +} + +variable "build_compute_type" { + type = string + default = "BUILD_GENERAL1_SMALL" + description = "Instance type of the build instance" +} + +variable "build_environment_type" { + type = string + default = "LINUX_CONTAINER" + description = "The type of build environment to use for related builds. Available values are: LINUX_CONTAINER, LINUX_GPU_CONTAINER, WINDOWS_CONTAINER or ARM_CONTAINER." +} + +variable "build_timeout" { + default = 60 + description = "How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed" +} + +variable "buildspec" { + type = string + default = "" + description = "Optional buildspec declaration to use for building the project" +} + +variable "delimiter" { + type = string + default = "-" + description = "Delimiter to be used between `name`, `namespace`, `stage`, etc." +} + +variable "attributes" { + type = list(string) + default = [] + description = "Additional attributes (e.g. `policy` or `role`)" +} + +variable "tags" { + type = map(string) + default = {} + description = "Additional tags (e.g. `map('BusinessUnit', 'XYZ')`" +} + +variable "privileged_mode" { + type = bool + default = false + description = "(Optional) If set to true, enables running the Docker daemon inside a Docker container on the CodeBuild instance. Used when building Docker images" +} + +variable "github_token" { + type = string + default = "" + description = "(Optional) GitHub auth token environment variable (`GITHUB_TOKEN`)" +} + +variable "aws_region" { + type = string + default = "" + description = "(Optional) AWS Region, e.g. us-east-1. Used as CodeBuild ENV variable when building Docker images. 
For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html" +} + +variable "aws_account_id" { + type = string + default = "" + description = "(Optional) AWS Account ID. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html" +} + +variable "image_repo_name" { + type = string + default = "UNSET" + description = "(Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html" +} + +variable "image_tag" { + type = string + default = "latest" + description = "(Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html" +} + +variable "source_type" { + type = string + default = "CODEPIPELINE" + description = "The type of repository that contains the source code to be built. Valid values for this parameter are: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB_ENTERPRISE, BITBUCKET or S3" +} + +variable "source_location" { + type = string + default = "" + description = "The location of the source code from git or s3" +} + +variable "artifact_type" { + type = string + default = "CODEPIPELINE" + description = "The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO_ARTIFACTS or S3" +} + +variable "report_build_status" { + type = bool + default = false + description = "Set to true to report the status of a build's start and finish to your source provider. This option is only valid when the source_type is BITBUCKET or GITHUB" +} + +variable "git_clone_depth" { + type = number + default = null + description = "Truncate git history to this many commits." 
+} + +variable "private_repository" { + type = bool + default = false + description = "Set to true to login into private repository with credentials supplied in source_credential variable." +} + +variable "source_credential_auth_type" { + type = string + default = "PERSONAL_ACCESS_TOKEN" + description = "The type of authentication used to connect to a GitHub, GitHub Enterprise, or Bitbucket repository." +} + +variable "source_credential_server_type" { + type = string + default = "GITHUB" + description = "The source provider used for this project." +} + +variable "source_credential_token" { + type = string + default = "" + description = "For GitHub or GitHub Enterprise, this is the personal access token. For Bitbucket, this is the app password." +} + +variable "source_credential_user_name" { + type = string + default = "" + description = "The Bitbucket username when the authType is BASIC_AUTH. This parameter is not valid for other types of source providers or connections." +} + +variable "source_version" { + type = string + default = "" + description = "A version of the build input to be built for this project. If not specified, the latest version is used." +} + +variable "fetch_git_submodules" { + type = bool + default = false + description = "If set to true, fetches Git submodules for the AWS CodeBuild build project." +} + +variable "vpc_config" { + type = any + default = {} + description = "Configuration for the builds to run inside a VPC." +} + +variable "logs_config" { + type = any + default = {} + description = "Configuration for the builds to store log data to CloudWatch or S3." +} + +variable "extra_permissions" { + type = list + default = [] + description = "List of action strings which will be added to IAM service account permissions." +} + +# Log tracker +variable "log_tracker" { + type = map + default = {} +} diff --git a/main.tf b/main.tf index 631d3a9..bfff560 100644 --- a/main.tf +++ b/main.tf 
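Review bot: `source_credential_token` and `github_token` hold credentials but nothing marks them as such; if this example follows the root module's `~> 0.12.0` pin, `sensitive = true` (Terraform 0.14+) is not available, so the `description` should at least say the value is a secret to be supplied via `TF_VAR_source_credential_token` or a gitignored tfvars file rather than committed, e.g. `description = "For GitHub or GitHub Enterprise, this is the personal access token. For Bitbucket, this is the app password. Treat as a secret: supply via TF_VAR_source_credential_token, not a committed tfvars file."`, and add `sensitive = true` once the pin moves to 0.14+. The identical `source_credential_token` block added to the root `variables.tf` later in this diff has the same gap. Separately, `extra_permissions` is typed as bare `list` and `log_tracker` as bare `map` with no `description`; `list(string)` and `map(string)` plus a description would both document and validate them.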
@@ -79,9 +79,10 @@ locals { } resource "aws_iam_role" "default" { - count = var.enabled ? 1 : 0 - name = module.label.id - assume_role_policy = data.aws_iam_policy_document.role.json + count = var.enabled ? 1 : 0 + name = module.label.id + assume_role_policy = data.aws_iam_policy_document.role.json + force_detach_policies = true } data "aws_iam_policy_document" "role" { @@ -109,7 +110,9 @@ resource "aws_iam_policy" "default" { } resource "aws_iam_policy" "default_cache_bucket" { - count = var.enabled && local.s3_cache_enabled ? 1 : 0 + count = var.enabled && local.s3_cache_enabled ? 1 : 0 + + name = "${module.label.id}-cache-bucket" path = "/service-role/" policy = join("", data.aws_iam_policy_document.permissions_cache_bucket.*.json) @@ -119,7 +122,7 @@ data "aws_iam_policy_document" "permissions" { statement { sid = "" - actions = [ + actions = compact(concat([ "codecommit:GitPull", "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload", @@ -133,7 +136,8 @@ data "aws_iam_policy_document" "permissions" { "logs:CreateLogStream", "logs:PutLogEvents", "ssm:GetParameters", - ] + "secretsmanager:GetSecretValue", + ], var.extra_permissions)) effect = "Allow" @@ -145,7 +149,6 @@ data "aws_iam_policy_document" "permissions" { data "aws_iam_policy_document" "permissions_cache_bucket" { count = var.enabled && local.s3_cache_enabled ? 1 : 0 - statement { sid = "" 
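Review bot: The `permissions` statement now grants `secretsmanager:GetSecretValue` to every CodeBuild role the module creates, whether or not the project references a secret, and appends the free-form `var.extra_permissions` to the same statement; the statement's `resources` block is outside the hunk, but if it is still a wildcard both additions widen an account-wide grant. Consider gating the Secrets Manager action behind a boolean variable (name constructed, e.g. `secrets_manager_enabled`) as `var.secrets_manager_enabled ? ["secretsmanager:GetSecretValue"] : []` inside the `concat`, and stating in the `extra_permissions` description that the actions are added to the role's main statement and inherit its resource scope. `force_detach_policies = true` on the role in the first hunk is sensible for destroy, but deserves a one-line comment such as `# allow destroy even when policies were attached outside Terraform`.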
@@ -174,12 +177,26 @@ resource "aws_iam_role_policy_attachment" "default_cache_bucket" { role = join("", aws_iam_role.default.*.id) } +resource "aws_codebuild_source_credential" "authorization" { + count = var.enabled && var.private_repository ? 1 : 0 + auth_type = var.source_credential_auth_type + server_type = var.source_credential_server_type + token = var.source_credential_token + user_name = var.source_credential_user_name +} + resource "aws_codebuild_project" "default" { - count = var.enabled ? 1 : 0 - name = module.label.id - service_role = join("", aws_iam_role.default.*.arn) - badge_enabled = var.badge_enabled - build_timeout = var.build_timeout + count = var.enabled ? 1 : 0 + name = module.label.id + service_role = join("", aws_iam_role.default.*.arn) + badge_enabled = var.badge_enabled + build_timeout = var.build_timeout + source_version = var.source_version != "" ? var.source_version : null + tags = { + for name, value in module.label.tags : + name => value + if length(value) > 0 + } artifacts { type = var.artifact_type 
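Review bot: `aws_codebuild_source_credential.authorization` is created per module instance, but as far as I recall CodeBuild stores a single credential per server type in each account and region, so two instances with `private_repository = true` and the same `source_credential_server_type` will conflict or overwrite each other on apply; the `private_repository` description should state this, and ideally the module would also accept an existing credential ARN instead of always creating one. `user_name` is passed unconditionally although it is only meaningful for `BASIC_AUTH`; `user_name = var.source_credential_auth_type == "BASIC_AUTH" ? var.source_credential_user_name : null` keeps the resource well-formed for the default `PERSONAL_ACCESS_TOKEN` type. Either way the token is written to Terraform state in clear text, which is worth a comment on the resource so state storage is treated accordingly.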
@@ -201,25 +218,42 @@ resource "aws_codebuild_project" "default" { name = "AWS_REGION" value = signum(length(var.aws_region)) == 1 ? var.aws_region : data.aws_region.default.name } + environment_variable { name = "AWS_ACCOUNT_ID" value = signum(length(var.aws_account_id)) == 1 ? var.aws_account_id : data.aws_caller_identity.default.account_id } - environment_variable { - name = "IMAGE_REPO_NAME" - value = signum(length(var.image_repo_name)) == 1 ? var.image_repo_name : "UNSET" + + dynamic "environment_variable" { + for_each = signum(length(var.image_repo_name)) == 1 ? [""] : [] + content { + name = "IMAGE_REPO_NAME" + value = var.image_repo_name + } } - environment_variable { - name = "IMAGE_TAG" - value = signum(length(var.image_tag)) == 1 ? var.image_tag : "latest" + + dynamic "environment_variable" { + for_each = signum(length(var.image_tag)) == 1 ? [""] : [] + content { + name = "IMAGE_TAG" + value = var.image_tag + } } - environment_variable { - name = "STAGE" - value = signum(length(var.stage)) == 1 ? var.stage : "UNSET" + + dynamic "environment_variable" { + for_each = signum(length(var.stage)) == 1 ? [""] : [] + content { + name = "STAGE" + value = var.stage + } } - environment_variable { - name = "GITHUB_TOKEN" - value = signum(length(var.github_token)) == 1 ? var.github_token : "UNSET" + + dynamic "environment_variable" { + for_each = signum(length(var.github_token)) == 1 ? [""] : [] + content { + name = "GITHUB_TOKEN" + value = var.github_token + } } dynamic "environment_variable" { @@ -229,6 +263,7 @@ resource "aws_codebuild_project" "default" { value = environment_variable.value.value } } + } source { 
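Review bot: `GITHUB_TOKEN` is still injected as a default `PLAINTEXT` `environment_variable`, so the raw token is stored in the project definition and visible to anyone who can describe the project; the commit only makes the block conditional. Since the role now has `secretsmanager:GetSecretValue`, the block could expose the `type` attribute (`PARAMETER_STORE` or `SECRETS_MANAGER`) so the value is a reference rather than the secret itself, e.g. a variable (name constructed) `github_token_type` defaulting to `PLAINTEXT` for compatibility and `type = var.github_token_type` in the content block. The `for_each = signum(length(var.x)) == 1 ? [""] : []` pattern repeated four times reads more directly as `length(var.x) > 0 ? [""] : []`.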
@@ -236,7 +271,54 @@ resource "aws_codebuild_project" "default" { type = var.source_type location = var.source_location report_build_status = var.report_build_status + git_clone_depth = var.git_clone_depth != null ? var.git_clone_depth : null + + dynamic "auth" { + for_each = var.private_repository ? [""] : [] + content { + type = "OAUTH" + resource = join("", aws_codebuild_source_credential.authorization.*.id) + } + } + + dynamic "git_submodules_config" { + for_each = var.fetch_git_submodules ? [""] : [] + content { + fetch_submodules = true + } + } + } + + dynamic "vpc_config" { + for_each = length(var.vpc_config) > 0 ? [""] : [] + content { + vpc_id = lookup(var.vpc_config, "vpc_id", null) + subnets = lookup(var.vpc_config, "subnets", null) + security_group_ids = lookup(var.vpc_config, "security_group_ids", null) + } } - tags = module.label.tags + dynamic "logs_config" { + for_each = length(var.logs_config) > 0 ? [""] : [] + content { + dynamic "cloudwatch_logs" { + for_each = contains(keys(var.logs_config), "cloudwatch_logs") ? { key = var.logs_config["cloudwatch_logs"] } : {} + content { + status = lookup(cloudwatch_logs.value, "status", null) + group_name = lookup(cloudwatch_logs.value, "group_name", null) + stream_name = lookup(cloudwatch_logs.value, "stream_name", null) + } + } + + dynamic "s3_logs" { + for_each = contains(keys(var.logs_config), "s3_logs") ? { key = var.logs_config["s3_logs"] } : {} + content { + status = lookup(s3_logs.value, "status", null) + location = lookup(s3_logs.value, "location", null) + encryption_disabled = lookup(s3_logs.value, "encryption_disabled", null) + } + } + } + } } + diff --git a/variables.tf b/variables.tf index 2d2377f..e69e136 100644 --- a/variables.tf +++ b/variables.tf 
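Review bot: `git_clone_depth = var.git_clone_depth != null ? var.git_clone_depth : null` is a tautology; `git_clone_depth = var.git_clone_depth` is equivalent because the variable already defaults to `null`. The `auth` block hard-codes `type = "OAUTH"` even when the credential was created with `BASIC_AUTH` or `PERSONAL_ACCESS_TOKEN`; if, as I believe, that is the only value the provider accepts for a source-credential reference, a comment such as `# "OAUTH" is the only accepted value here; the credential resource carries the real auth type` will stop the next reader from "fixing" it. In `s3_logs`, `encryption_disabled` is taken straight from caller input with a `null` default; a comment noting that logs stay encrypted unless the caller explicitly opts out makes the safe default visible.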
@@ -172,3 +172,69 @@ variable "report_build_status" { default = false description = "Set to true to report the status of a build's start and finish to your source provider. This option is only valid when the source_type is BITBUCKET or GITHUB" } + +variable "git_clone_depth" { + type = number + default = null + description = "Truncate git history to this many commits." +} + +variable "private_repository" { + type = bool + default = false + description = "Set to true to login into private repository with credentials supplied in source_credential variable." +} + +variable "source_credential_auth_type" { + type = string + default = "PERSONAL_ACCESS_TOKEN" + description = "The type of authentication used to connect to a GitHub, GitHub Enterprise, or Bitbucket repository." +} + +variable "source_credential_server_type" { + type = string + default = "GITHUB" + description = "The source provider used for this project." +} + +variable "source_credential_token" { + type = string + default = "" + description = "For GitHub or GitHub Enterprise, this is the personal access token. For Bitbucket, this is the app password." +} + +variable "source_credential_user_name" { + type = string + default = "" + description = "The Bitbucket username when the authType is BASIC_AUTH. This parameter is not valid for other types of source providers or connections." +} + +variable "source_version" { + type = string + default = "" + description = "A version of the build input to be built for this project. If not specified, the latest version is used." +} + +variable "fetch_git_submodules" { + type = bool + default = false + description = "If set to true, fetches Git submodules for the AWS CodeBuild build project." +} + +variable "vpc_config" { + type = any + default = {} + description = "Configuration for the builds to run inside a VPC." +} + +variable "logs_config" { + type = any + default = {} + description = "Configuration for the builds to store log data to CloudWatch or S3." 
+} + +variable "extra_permissions" { + type = list + default = [] + description = "List of action strings which will be added to IAM service account permissions." +}
list(object( { name = string value = string }))
[ { "name": "NO_ADDITIONAL_BUILD_VARS", "value": "TRUE" }]