Allow specifying of image_pull_credentials_type #107

Closed
rschaefer-m1 opened this issue Apr 20, 2022 · 0 comments · Fixed by #111

Describe the Feature

Presently, the module doesn't allow you to change the image_pull_credentials_type (it's not specified in the module, so it's using the AWS provider default of CODEBUILD). Specifying this and defaulting it to CODEBUILD would allow users to change the pull credentials type to SERVICE_ROLE. This is required in cases where users want to use their own build image hosted in ECR.

Expected Behavior

Users should be able to change the image_pull_credentials_type to SERVICE_ROLE which isn't currently possible.

Use Case

When hosting a custom build image within a private ECR, it's necessary to grant access to that image via service role permissions. In order to use the service role permissions for pulling the image, the value of image_pull_credentials_type must be set to SERVICE_ROLE.

Describe Ideal Solution

Add a variable such as this to the module:

```hcl
variable "build_image_pull_credentials_type" {
  type        = string
  default     = "CODEBUILD"
  description = "Type of credentials AWS CodeBuild uses to pull images in your build. Valid values: CODEBUILD, SERVICE_ROLE. When you use a cross-account or private registry image, you must use SERVICE_ROLE credentials."
}
```

And update the environment block within the aws_codebuild_project resource to use this variable:

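```hcl
  environment {
    compute_type                = var.build_compute_type
    image                       = var.build_image
    # New argument: CODEBUILD (default) or SERVICE_ROLE
    image_pull_credentials_type = var.build_image_pull_credentials_type
    type                        = var.build_type
    privileged_mode             = var.privileged_mode
    # ... remaining environment settings unchanged
  }
```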

This will remain backwards compatible and also allow users to change the value if desired.

Alternatives Considered

Since this isn't currently exposed by the module, there aren't any other alternatives I can see.

Additional Context

N/A
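
Added example, not part of the original issue or the module's own code: the proposed variable with a validation rule, plus a pull-only ECR policy that is attached to the CodeBuild service role only when `SERVICE_ROLE` is selected. The resource labels, repository name, role name and policy name are constructed for illustration.

```hcl
# The proposed variable, with a validation rule so a typo fails at plan time.
variable "build_image_pull_credentials_type" {
  type    = string
  default = "CODEBUILD"
  validation {
    condition     = contains(["CODEBUILD", "SERVICE_ROLE"], var.build_image_pull_credentials_type)
    error_message = "Must be CODEBUILD or SERVICE_ROLE."
  }
}

resource "aws_ecr_repository" "build_image" {
  name = "build-image" # constructed repository name
}

# Trust policy: only the CodeBuild service may assume the role.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "codebuild" {
  name               = "codebuild-service-role" # constructed role name
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# Pull-only permissions: no push, delete or repository-policy actions.
data "aws_iam_policy_document" "ecr_pull" {
  statement {
    actions   = ["ecr:GetAuthorizationToken"] # cannot be scoped to a repository
    resources = ["*"]
  }
  statement {
    actions   = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
    resources = [aws_ecr_repository.build_image.arn] # only the build image's repository
  }
}

# Attached only when the service role is what pulls the image.
resource "aws_iam_role_policy" "ecr_pull" {
  count  = var.build_image_pull_credentials_type == "SERVICE_ROLE" ? 1 : 0
  name   = "codebuild-ecr-pull"
  role   = aws_iam_role.codebuild.id
  policy = data.aws_iam_policy_document.ecr_pull.json
}
```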
