Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support CodeBuild within VPC #2547

Closed
wants to merge 5 commits into from

Conversation

adventureisyou
Copy link

@adventureisyou adventureisyou commented Dec 5, 2017

Fixes #2495

First attempt at a go contribution, happy to implement any suggestions.

  • Update aws_codebuild_project.
  • Acceptance test.
  • Documentation.

There is an issue with the acceptance test (hence WIP). Creation of the CodeBuild project requires the DescribeSecurityGroups permission. This is added to the IAM role, but there is a race condition between the policy actually being applied and the creation of the CodeBuild project, meaning that it can fail. I've added a depends_on = ["aws_iam_policy_attachment.codebuild_policy_attachment"] clause to the aws_codebuild_policy resource, but this doesn't help. I guess it is the natural lag in applying IAM policies. Any ideas? Edit: this is fixed now.

@bflad
Copy link
Contributor

bflad commented Dec 5, 2017

Ah yes, the evils of IAM eventual consistency! 🙁 In many downstream resources we opt to retry creation actions if the AWS error is specific enough to indicate its some form of permissions error code/message.

I haven't looked at the codebuild resource, but here's an example from codedeploy which might help: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_codedeploy_deployment_group.go#L391-L423

@adventureisyou
Copy link
Author

Aha! Thanks for the quick reply. Guess I should have looked harder. The CodeBuild code has the same retry logic, but the error message slightly doesn't match.

if isAWSErr(err, "InvalidInputException", "CodeBuild is not authorized to perform") {
	return resource.RetryableError(err)
}

My error is: InvalidInputException: Not authorized to perform DescribeSecurityGroups

Should I change the existing line to this? (I think it might end up retrying lots if the end user's IAM credentials are not authorized to perform actions, rather than just CodeBuild)

if isAWSErr(err, "InvalidInputException", "ot authorized to perform") {
	return resource.RetryableError(err)
}

The safe way is to just add another error message capture, I guess. Preferences?

…h more IAM eventual consistency.

Remove unnecessary depends_on clause from CodeBuild basic acceptance test.
@adventureisyou
Copy link
Author

Went ahead with the safer route after giving it some more thought. This should be good to go now.

@adventureisyou adventureisyou changed the title [WIP] Support CodeBuild within VPC Support CodeBuild within VPC Dec 5, 2017
@radeksimko radeksimko added the enhancement Requests to existing resources that expand the functionality or scope. label Dec 12, 2017
@kilsbo
Copy link

kilsbo commented Jan 19, 2018

Please merge! 💯

@bflad bflad added the service/codebuild Issues and PRs that pertain to the codebuild service. label Jan 27, 2018
Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @DrSolaris, sorry this has taken so long to get a review. Overall this is actually looking pretty good! Unfortunately due to the acceptance test panic I received, we'll need rework some of this, but should not be too bad. If you do not have time to implement these changes please let us know and we can fix this up with your commits in tact. Let us know if you have any questions!

@@ -324,6 +358,29 @@ func expandProjectEnvironment(d *schema.ResourceData) *codebuild.ProjectEnvironm
return projectEnv
}

func expandVpcConfig(d *schema.ResourceData) *codebuild.VpcConfig {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We really try to limit the usage of *schema.ResourceData in downstream functions unless its necessary in multiple pieces of logic. It helps make the code more testable and reusable (if necessary in the future). Could you update this function's signature to expandCodeBuildVpcConfig(m map[string]interface{}) *codebuild.VpcConfig? Thanks!

@@ -401,6 +442,18 @@ resource "aws_codebuild_project" "foo" {
tags {
"Environment" = "Test"
}

vpc_config {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this new attribute is optional and has some complexity, we should probably split it out into its own acceptance test. We need to verify the resource creation (what's done here already), the update of vpc_config attributes (e.g. add/remove subnet), and the removal of the vpc_config altogether from a configuration (if removing VPC configuration is supported). It would also be good to check that the new attributes are at least making it correctly into the state. e.g.

resource.TestCheckResourceSet("aws_codebuild_project.foo", "vpc_config.0.vpc_id"),
resource.TestCheckResource("aws_codebuild_project.foo", "vpc_config.0.subnets.#", "1"),
resource.TestCheckResource("aws_codebuild_project.foo", "vpc_config.0.security_group_ids.#", "1"),

@@ -324,6 +358,29 @@ func expandProjectEnvironment(d *schema.ResourceData) *codebuild.ProjectEnvironm
return projectEnv
}

func expandVpcConfig(d *schema.ResourceData) *codebuild.VpcConfig {
configs := d.Get("vpc_config").(*schema.Set).List()
data := configs[0].(map[string]interface{})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line is generating a panic for me running the acceptance test:

=== RUN   TestAccAWSCodeBuildProject_basic
panic: runtime error: index out of range

goroutine 2579 [running]:
github.com/terraform-providers/terraform-provider-aws/aws.expandVpcConfig(0xc42084b110, 0x3715e47)
	/Users/bflad/go/src/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_codebuild_project.go:363 +0x790

It will go away with the function signature refactor and TypeList changes mentioned above.

@@ -179,6 +179,31 @@ func resourceAwsCodeBuildProject() *schema.Resource {
ValidateFunc: validateAwsCodeBuildTimeout,
},
"tags": tagsSchema(),
"vpc_config": {
Type: schema.TypeSet,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would switch this to Type: schema.TypeList,. There are subtleties between the two, but the gist being that list in this context is much easier to work with when there's only 1 item.

@@ -213,6 +238,11 @@ func resourceAwsCodeBuildProjectCreate(d *schema.ResourceData, meta interface{})
params.TimeoutInMinutes = aws.Int64(int64(v.(int)))
}

if _, ok := d.GetOk("vpc_config"); ok {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would change this to (note about function signature update below in another comment):

if v, ok := d.GetOk("vpc_config"); ok {
	params.VpcConfig = expandCodeBuildVpcConfig(v.([]interface{})[0].(map[string]interface{}))
}

@@ -390,6 +447,10 @@ func resourceAwsCodeBuildProjectRead(d *schema.ResourceData, meta interface{}) e
return err
}

if err := d.Set("vpc_config", schema.NewSet(resourceAwsCodeBuildVpcConfigHash, flattenAwsCodebuildVpcConfig(project.VpcConfig))); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this is TypeList this can become:

if err := d.Set("vpc_config", flattenAwsCodebuildVpcConfig(project.VpcConfig)); err != nil {

@@ -567,6 +653,25 @@ func resourceAwsCodeBuildProjectArtifactsHash(v interface{}) int {
return hashcode.String(buf.String())
}

func resourceAwsCodeBuildVpcConfigHash(v interface{}) int {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is extraneous with switch to TypeList 👍

bflad added a commit that referenced this pull request Feb 22, 2018
@bflad
Copy link
Contributor

bflad commented Feb 22, 2018

This support has been merged in with your commits squashed via #3324 and will be released in v1.10.0 of the AWS provider, likely tomorrow. Thanks for you work here!

@bflad bflad closed this Feb 22, 2018
@bflad bflad added this to the v1.10.0 milestone Feb 22, 2018
bflad added a commit that referenced this pull request Feb 22, 2018
@bflad
Copy link
Contributor

bflad commented Feb 27, 2018

This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost
Copy link

ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/codebuild Issues and PRs that pertain to the codebuild service.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add support for CodeBuild with VPC
4 participants