I am trying to restrict access to a load balancer to a fixed IP and to CodeBuild agents. To that end, I want to add a security group rule that will prevent access to the load balancer unless traffic comes from the security group associated with the CodeBuild agents (as well as a separate security group rule that restricts access except from the fixed IP). I think this means I need to associate CodeBuild with the VPC of the load balancer.
However, when I try to update an existing CodeBuild project using Terraform's codebuild_project resource and configure the VPC like this:
vpc_config {
  security_group_ids = [var.codebuild_sg]
  subnets            = var.public_subnet_ids
  vpc_id             = var.vpc_id
}
where the variables are the security group to be used by CodeBuild, the subnets into which CodeBuild should be launched and the VPC, respectively, I get the following error message:
Error updating CodeBuild project (arn:aws:codebuild:eu-west-2:xxxxx:project/my-project): InvalidInputException: CodeBuild currently doesn't support VPC in eu-west-2c, please select subnets in other availability zones.
Are there some AZs for which CodeBuild does not support VPCs? Or does this message mean something else?