-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support CodeBuild within VPC #2547
Conversation
Ah yes, the evils of IAM eventual consistency! 🙁 In many downstream resources we opt to retry creation actions if the AWS error is specific enough to indicate its some form of permissions error code/message. I haven't looked at the codebuild resource, but here's an example from codedeploy which might help: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_codedeploy_deployment_group.go#L391-L423 |
Aha! Thanks for the quick reply. Guess I should have looked harder. The CodeBuild code has the same retry logic, but the error message slightly doesn't match. if isAWSErr(err, "InvalidInputException", "CodeBuild is not authorized to perform") {
return resource.RetryableError(err)
} My error is: Should I change the existing line to this? (I think it might end up retrying lots if the end user's IAM credentials are not authorized to perform actions, rather than just CodeBuild) if isAWSErr(err, "InvalidInputException", "ot authorized to perform") {
return resource.RetryableError(err)
} The safe way is to just add another error message capture, I guess. Preferences? |
…h more IAM eventual consistency. Remove unnecessary depends_on clause from CodeBuild basic acceptance test.
Went ahead with the safer route after giving it some more thought. This should be good to go now. |
Please merge! 💯 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @DrSolaris, sorry this has taken so long to get a review. Overall this is actually looking pretty good! Unfortunately due to the acceptance test panic I received, we'll need rework some of this, but should not be too bad. If you do not have time to implement these changes please let us know and we can fix this up with your commits in tact. Let us know if you have any questions!
@@ -324,6 +358,29 @@ func expandProjectEnvironment(d *schema.ResourceData) *codebuild.ProjectEnvironm | |||
return projectEnv | |||
} | |||
|
|||
func expandVpcConfig(d *schema.ResourceData) *codebuild.VpcConfig { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We really try to limit the usage of *schema.ResourceData
in downstream functions unless its necessary in multiple pieces of logic. It helps make the code more testable and reusable (if necessary in the future). Could you update this function's signature to expandCodeBuildVpcConfig(m map[string]interface{}) *codebuild.VpcConfig
? Thanks!
@@ -401,6 +442,18 @@ resource "aws_codebuild_project" "foo" { | |||
tags { | |||
"Environment" = "Test" | |||
} | |||
|
|||
vpc_config { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this new attribute is optional and has some complexity, we should probably split it out into its own acceptance test. We need to verify the resource creation (what's done here already), the update of vpc_config
attributes (e.g. add/remove subnet), and the removal of the vpc_config
altogether from a configuration (if removing VPC configuration is supported). It would also be good to check that the new attributes are at least making it correctly into the state. e.g.
resource.TestCheckResourceSet("aws_codebuild_project.foo", "vpc_config.0.vpc_id"),
resource.TestCheckResource("aws_codebuild_project.foo", "vpc_config.0.subnets.#", "1"),
resource.TestCheckResource("aws_codebuild_project.foo", "vpc_config.0.security_group_ids.#", "1"),
@@ -324,6 +358,29 @@ func expandProjectEnvironment(d *schema.ResourceData) *codebuild.ProjectEnvironm | |||
return projectEnv | |||
} | |||
|
|||
func expandVpcConfig(d *schema.ResourceData) *codebuild.VpcConfig { | |||
configs := d.Get("vpc_config").(*schema.Set).List() | |||
data := configs[0].(map[string]interface{}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This line is generating a panic for me running the acceptance test:
=== RUN TestAccAWSCodeBuildProject_basic
panic: runtime error: index out of range
goroutine 2579 [running]:
github.com/terraform-providers/terraform-provider-aws/aws.expandVpcConfig(0xc42084b110, 0x3715e47)
/Users/bflad/go/src/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_codebuild_project.go:363 +0x790
It will go away with the function signature refactor and TypeList changes mentioned above.
@@ -179,6 +179,31 @@ func resourceAwsCodeBuildProject() *schema.Resource { | |||
ValidateFunc: validateAwsCodeBuildTimeout, | |||
}, | |||
"tags": tagsSchema(), | |||
"vpc_config": { | |||
Type: schema.TypeSet, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would switch this to Type: schema.TypeList,
. There are subtleties between the two, but the gist being that list in this context is much easier to work with when there's only 1 item.
@@ -213,6 +238,11 @@ func resourceAwsCodeBuildProjectCreate(d *schema.ResourceData, meta interface{}) | |||
params.TimeoutInMinutes = aws.Int64(int64(v.(int))) | |||
} | |||
|
|||
if _, ok := d.GetOk("vpc_config"); ok { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would change this to (note about function signature update below in another comment):
if v, ok := d.GetOk("vpc_config"); ok {
params.VpcConfig = expandCodeBuildVpcConfig(v.([]interface{})[0].(map[string]interface{}))
}
@@ -390,6 +447,10 @@ func resourceAwsCodeBuildProjectRead(d *schema.ResourceData, meta interface{}) e | |||
return err | |||
} | |||
|
|||
if err := d.Set("vpc_config", schema.NewSet(resourceAwsCodeBuildVpcConfigHash, flattenAwsCodebuildVpcConfig(project.VpcConfig))); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When this is TypeList this can become:
if err := d.Set("vpc_config", flattenAwsCodebuildVpcConfig(project.VpcConfig)); err != nil {
@@ -567,6 +653,25 @@ func resourceAwsCodeBuildProjectArtifactsHash(v interface{}) int { | |||
return hashcode.String(buf.String()) | |||
} | |||
|
|||
func resourceAwsCodeBuildVpcConfigHash(v interface{}) int { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is extraneous with switch to TypeList
👍
CodeBuild in VPC continuing Issue #2547
This support has been merged in with your commits squashed via #3324 and will be released in v1.10.0 of the AWS provider, likely tomorrow. Thanks for you work here! |
This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Fixes #2495
First attempt at a go contribution, happy to implement any suggestions.
aws_codebuild_project
.There is an issue with the acceptance test (hence WIP). Creation of the CodeBuild project requires the DescribeSecurityGroups permission. This is added to the IAM role, but there is a race condition between the policy actually being applied and the creation of the CodeBuild project, meaning that it can fail. I've added a
depends_on = ["aws_iam_policy_attachment.codebuild_policy_attachment"]
clause to theaws_codebuild_policy
resource, but this doesn't help. I guess it is the natural lag in applying IAM policies. Any ideas? Edit: this is fixed now.