Support CodeBuild within VPC

aws/resource_aws_codebuild_project.go

@@ -179,6 +179,31 @@ func resourceAwsCodeBuildProject() *schema.Resource {
 				ValidateFunc: validateAwsCodeBuildTimeout,
 			},
 			"tags": tagsSchema(),
+			"vpc_config": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"vpc_id": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"subnets": {
+							Type:     schema.TypeList,
+							Required: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+							MaxItems: 16,
+						},
+						"security_group_ids": {
+							Type:     schema.TypeList,
+							Required: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+							MaxItems: 5,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -213,6 +238,11 @@ func resourceAwsCodeBuildProjectCreate(d *schema.ResourceData, meta interface{})
 		params.TimeoutInMinutes = aws.Int64(int64(v.(int)))
 	}
 
+	if _, ok := d.GetOk("vpc_config"); ok {
+		vpcConfig := expandVpcConfig(d)
+		params.VpcConfig = vpcConfig
+	}
+
 	if v, ok := d.GetOk("tags"); ok {
 		params.Tags = tagsFromMapCodeBuild(v.(map[string]interface{}))
 	}
@@ -228,6 +258,10 @@ func resourceAwsCodeBuildProjectCreate(d *schema.ResourceData, meta interface{})
 				return resource.RetryableError(err)
 			}
 
+			if isAWSErr(err, "InvalidInputException", "Not authorized to perform DescribeSecurityGroups") {
+				return resource.RetryableError(err)
+			}
+
 			return resource.NonRetryableError(err)
 		}
 
@@ -324,6 +358,29 @@ func expandProjectEnvironment(d *schema.ResourceData) *codebuild.ProjectEnvironm
 	return projectEnv
 }
 
+func expandVpcConfig(d *schema.ResourceData) *codebuild.VpcConfig {
+	configs := d.Get("vpc_config").(*schema.Set).List()
+	data := configs[0].(map[string]interface{})
+
+	vpcConfig := codebuild.VpcConfig{
+		VpcId: aws.String(data["vpc_id"].(string)),
+	}
+
+	var vpcConfigSubnets []*string
+	for _, v := range data["subnets"].([]interface{}) {
+		vpcConfigSubnets = append(vpcConfigSubnets, aws.String(v.(string)))
+	}
+	vpcConfig.Subnets = vpcConfigSubnets
+
+	var vpcSecurityGroupIds []*string
+	for _, s := range data["security_group_ids"].([]interface{}) {
+		vpcSecurityGroupIds = append(vpcSecurityGroupIds, aws.String(s.(string)))
+	}
+	vpcConfig.SecurityGroupIds = vpcSecurityGroupIds
+
+	return &vpcConfig
+}
+
 func expandProjectSource(d *schema.ResourceData) codebuild.ProjectSource {
 	configs := d.Get("source").(*schema.Set).List()
 	projectSource := codebuild.ProjectSource{}
@@ -390,6 +447,10 @@ func resourceAwsCodeBuildProjectRead(d *schema.ResourceData, meta interface{}) e
 		return err
 	}
 
+	if err := d.Set("vpc_config", schema.NewSet(resourceAwsCodeBuildVpcConfigHash, flattenAwsCodebuildVpcConfig(project.VpcConfig))); err != nil {
+		return err
+	}
+
 	d.Set("description", project.Description)
 	d.Set("encryption_key", project.EncryptionKey)
 	d.Set("name", project.Name)
@@ -425,6 +486,11 @@ func resourceAwsCodeBuildProjectUpdate(d *schema.ResourceData, meta interface{})
 		params.Artifacts = &projectArtifacts
 	}
 
+	if d.HasChange("vpc_config") {
+		vpcConfig := expandVpcConfig(d)
+		params.VpcConfig = vpcConfig
+	}
+
 	if d.HasChange("description") {
 		params.Description = aws.String(d.Get("description").(string))
 	}
@@ -556,6 +622,26 @@ func flattenAwsCodebuildProjectSource(source *codebuild.ProjectSource) *schema.S
 
 }
 
+func flattenAwsCodebuildVpcConfig(vpcConfig *codebuild.VpcConfig) []interface{} {
+	values := map[string]interface{}{}
+
+	values["vpc_id"] = *vpcConfig.VpcId
+
+	var subnets []string
+	for _, s := range vpcConfig.Subnets {
+		subnets = append(subnets, *s)
+	}
+	values["subnets"] = subnets
+
+	var securityGroupIds []string
+	for _, s := range vpcConfig.SecurityGroupIds {
+		securityGroupIds = append(securityGroupIds, *s)
+	}
+	values["security_group_ids"] = securityGroupIds
+
+	return []interface{}{values}
+}
+
 func resourceAwsCodeBuildProjectArtifactsHash(v interface{}) int {
 	var buf bytes.Buffer
 	m := v.(map[string]interface{})
@@ -567,6 +653,25 @@ func resourceAwsCodeBuildProjectArtifactsHash(v interface{}) int {
 	return hashcode.String(buf.String())
 }
 
+func resourceAwsCodeBuildVpcConfigHash(v interface{}) int {
+	var buf bytes.Buffer
+	m := v.(map[string]interface{})
+
+	buf.WriteString(fmt.Sprintf("%s-", m["vpc_id"].(string)))
+
+	for _, s := range m["subnets"].([]string) {
+		buf.WriteString(fmt.Sprintf("%s-", s))
+	}
+
+	if m["security_group_ids"] != nil {
+		for _, s := range m["security_group_ids"].([]string) {
+			buf.WriteString(fmt.Sprintf("%s-", s))
+		}
+	}
+
+	return hashcode.String(buf.String())
+}
+
 func resourceAwsCodeBuildProjectEnvironmentHash(v interface{}) int {
 	var buf bytes.Buffer
 	m := v.(map[string]interface{})

aws/resource_aws_codebuild_project_test.go

@@ -324,6 +324,19 @@ func testAccCheckAWSCodeBuildProjectDestroy(s *terraform.State) error {
 
 func testAccAWSCodeBuildProjectConfig_basic(rName string) string {
 	return fmt.Sprintf(`
+resource "aws_vpc" "codebuild_vpc" {
+  cidr_block = "10.0.0.0/16"
+}
+
+resource "aws_subnet" "codebuild_subnet" {
+  vpc_id     = "${aws_vpc.codebuild_vpc.id}"
+  cidr_block = "10.0.0.0/24"
+}
+
+resource "aws_security_group" "codebuild_security_group" {
+  vpc_id = "${aws_vpc.codebuild_vpc.id}"
+}
+
 resource "aws_iam_role" "codebuild_role" {
   name = "codebuild-role-%s"
   assume_role_policy = <<EOF
@@ -343,10 +356,10 @@ EOF
 }
 
 resource "aws_iam_policy" "codebuild_policy" {
-    name        = "codebuild-policy-%s"
-    path        = "/service-role/"
-    description = "Policy used in trust relationship with CodeBuild"
-    policy      = <<POLICY
+  name        = "codebuild-policy-%s"
+  path        = "/service-role/"
+  description = "Policy used in trust relationship with CodeBuild"
+  policy      = <<POLICY
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -360,6 +373,34 @@ resource "aws_iam_policy" "codebuild_policy" {
         "logs:CreateLogStream",
         "logs:PutLogEvents"
       ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateNetworkInterface",
+        "ec2:DescribeDhcpOptions",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DeleteNetworkInterface",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeVpcs"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateNetworkInterfacePermission"
+      ],
+      "Resource": "arn:aws:ec2::*:network-interface/*",
+      "Condition": {
+        "StringEquals": {
+          "ec2:Subnet": [
+            "arn:aws:ec2::*:subnet/${aws_subnet.codebuild_subnet.id}"
+          ],
+          "ec2:AuthorizedService": "codebuild.amazonaws.com"
+        }
+      }
     }
   ]
 }
@@ -373,10 +414,10 @@ resource "aws_iam_policy_attachment" "codebuild_policy_attachment" {
 }
 
 resource "aws_codebuild_project" "foo" {
-  name         = "test-project-%s"
-  description  = "test_codebuild_project"
-  build_timeout      = "5"
-  service_role = "${aws_iam_role.codebuild_role.arn}"
+  name          = "test-project-%s"
+  description   = "test_codebuild_project"
+  build_timeout = "5"
+  service_role  = "${aws_iam_role.codebuild_role.arn}"
 
   artifacts {
     type = "NO_ARTIFACTS"
@@ -401,6 +442,18 @@ resource "aws_codebuild_project" "foo" {
   tags {
     "Environment" = "Test"
   }
+
+  vpc_config {
+    vpc_id = "${aws_vpc.codebuild_vpc.id}"
+
+    subnets = [
+      "${aws_subnet.codebuild_subnet.id}"
+    ]
+
+    security_group_ids = [
+      "${aws_security_group.codebuild_security_group.id}"
+    ]
+  }
 }
 `, rName, rName, rName, rName)
 }

website/docs/r/codebuild_project.html.markdown

@@ -94,6 +94,20 @@ resource "aws_codebuild_project" "foo" {
     location = "https://github.com/mitchellh/packer.git"
   }
 
+  vpc_config {
+    vpc_id = "vpc-725fca"
+
+    subnets = [
+      "subnet-ba35d2e0",
+      "subnet-ab129af1",
+    ]
+
+    security_group_ids = [
+      "sg-f9f27d91",
+      "sg-e4f48g23",
+    ]
+  }
+
   tags {
     "Environment" = "Test"
   }
@@ -113,6 +127,7 @@ The following arguments are supported:
 * `artifacts` - (Required) Information about the project's build output artifacts. Artifact blocks are documented below.
 * `environment` - (Required) Information about the project's build environment. Environment blocks are documented below.
 * `source` - (Required) Information about the project's input source code. Source blocks are documented below.
+* `vpc_config` - (Optional) Configuration for the builds to run inside a VPC. VPC config blocks are documented below.
 
 `artifacts` supports the following:
 
@@ -132,6 +147,7 @@ The following arguments are supported:
 * `environment_variable` - (Optional) A set of environment variables to make available to builds for this build project.
 
 `environment_variable` supports the following:
+
 * `name` - (Required) The environment variable's name or key.
 * `value` - (Required) The environment variable's value.
 
@@ -147,6 +163,12 @@ The following arguments are supported:
 * `type` - (Required) The authorization type to use. The only valid value is `OAUTH`
 * `resource` - (Optional) The resource value that applies to the specified authorization type.
 
+`vpc_config` supports the following:
+
+* `vpc_id` - (Required) The ID of the VPC within which to run builds.
+* `subnets` - (Required) The subnet IDs within which to run builds.
+* `security_group_ids` - (Required) The security group IDs to assign to running builds.
+
 ## Attributes Reference
 
 The following attributes are exported:
@@ -156,4 +178,3 @@ The following attributes are exported:
 * `encryption_key` - The AWS Key Management Service (AWS KMS) customer master key (CMK) that was used for encrypting the build project's build output artifacts.
 * `name` - The projects name.
 * `service_role` - The ARN of the IAM service role.
-