I need to create a pipeline with a build step using Terraform. I need to get the source from the artifact, but the Terraform documentation is not very clear. This is my code so far:
resource "aws_codebuild_project" "authorization" {
  name          = "authorization"
  description   = "BuildProject for authrorization service"
  build_timeout = "5"
  service_role  = "${aws_iam_role.codebuild_role.arn}"

  artifacts {
    type = "CODEPIPELINE"
  }

  environment {
    compute_type    = "BUILD_GENERAL1_SMALL"
    image           = "aws/codebuild/docker:17.09.0"
    type            = "LINUX_CONTAINER"
    privileged_mode = true

    environment_variable {
      "name"  = "SOME_KEY1"
      "value" = "SOME_VALUE1"
    }

    environment_variable {
      "name"  = "SOME_KEY2"
      "value" = "SOME_VALUE2"
    }
  }

  source {
    type      = "CODEPIPELINE"
    buildspec = "buildspecs.yml"
  }

  tags {
    "Environment" = "alpha"
  }
}
The problem is that pointing to the file gets me this error during pipeline execution of that step:
DOWNLOAD_SOURCE Failed
[Container] 2018/03/29 11:15:31 Waiting for agent ping
[Container] 2018/03/29 11:15:31 Waiting for DOWNLOAD_SOURCE
Message: Access Denied
This is what my pipeline looks like:
resource "aws_codepipeline" "foo" {
  name     = "tf-test-pipeline"
  role_arn = "${aws_iam_role.codepipeline_role.arn}"

  artifact_store {
    location = "${aws_s3_bucket.foo.bucket}"
    type     = "S3"

    encryption_key {
      id   = "${aws_kms_key.a.arn}"
      type = "KMS"
    }
  }

  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "AWS"
      provider         = "CodeCommit"
      version          = "1"
      output_artifacts = ["src"]

      configuration {
        RepositoryName = "authorization"
        BranchName     = "master"
      }
    }
  }

  stage {
    name = "Build"

    action {
      name            = "Build"
      category        = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      input_artifacts = ["src"]
      version         = "1"

      configuration {
        ProjectName = "${aws_codebuild_project.authorization.name}"
      }
    }
  }
}
I guess I did something wrong, but I can't seem to find my case described anywhere. The source needs to be received from the Source step in CodePipeline, and this step is OK. I know how the pipeline works, but the Terraform implementation is pretty confusing.

EDIT: I've checked the S3 bucket and I can confirm that the Source step is successfully uploading the artifacts there. So the problem remains that I cannot access the source when I am in the second step. The role is allowing all access on all resources. The console version of the pipeline looks normal and nothing is left unfilled. The role is fine.
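
Added example, not part of the original post: in the DOWNLOAD_SOURCE phase the CodeBuild service role reads the input artifact from the pipeline's artifact bucket and, because the artifact store sets a KMS `encryption_key`, decrypts it with that key. The policy below scopes those permissions to the bucket and key named in the post; it assumes `aws_iam_role.codebuild_role`, `aws_s3_bucket.foo` and `aws_kms_key.a` are defined elsewhere, and the policy resource name is hypothetical.

```hcl
# Added example (not from the original post), in the post's Terraform syntax.
# Assumes the role, bucket and key referenced in the post already exist;
# "codebuild_artifacts" is a hypothetical resource name.
resource "aws_iam_role_policy" "codebuild_artifacts" {
  name = "codebuild-artifact-access"
  role = "${aws_iam_role.codebuild_role.id}"

  # Three statements: artifact objects in the pipeline bucket, the KMS key
  # that encrypts them, and CloudWatch Logs for the build output.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWritePipelineArtifacts",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"],
      "Resource": "${aws_s3_bucket.foo.arn}/*"
    },
    {
      "Sid": "UseArtifactKey",
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
      "Resource": "${aws_kms_key.a.arn}"
    },
    {
      "Sid": "WriteBuildLogs",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "*"
    }
  ]
}
POLICY
}
```

An identity policy is only one side of the check: the key policy on `aws_kms_key.a` and any bucket policy on the artifact bucket must also permit this role.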