{"id":31944525,"url":"https://github.com/atheiman/terraform-aws-codebuild-cicd","last_synced_at":"2026-05-12T23:36:24.038Z","repository":{"id":199715333,"uuid":"703565402","full_name":"atheiman/terraform-aws-codebuild-cicd","owner":"atheiman","description":"Terraform module to deploy an AWS CodeBuild project that is automatically triggered on CodeCommit repository branch events","archived":false,"fork":false,"pushed_at":"2025-12-12T21:56:44.000Z","size":152,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-14T12:16:57.973Z","etag":null,"topics":["aws","cicd","codebuild","codecommit","codepipeline","terraform"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/atheiman/codebuild-cicd/aws","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/atheiman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-10-11T13:33:11.000Z","updated_at":"2025-12-12T21:56:47.000Z","dependencies_parsed_at":"2023-10-15T18:43:24.928Z","dependency_job_id":"1c1bb611-c2b3-4af8-a16e-16fc7529a35d","html_url":"https://github.com/atheiman/terraform-aws-codebuild-cicd","commit_stats":null,"previous_names":["atheiman/terraform-aws-codebuild-cicd"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/atheiman/terraform-aws-codebuild-cicd","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atheiman%2Ft
erraform-aws-codebuild-cicd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atheiman%2Fterraform-aws-codebuild-cicd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atheiman%2Fterraform-aws-codebuild-cicd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atheiman%2Fterraform-aws-codebuild-cicd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/atheiman","download_url":"https://codeload.github.com/atheiman/terraform-aws-codebuild-cicd/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atheiman%2Fterraform-aws-codebuild-cicd/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32961785,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-12T23:30:32.555Z","status":"ssl_error","status_checked_at":"2026-05-12T23:30:18.191Z","response_time":102,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cicd","codebuild","codecommit","codepipeline","terraform"],"created_at":"2025-10-14T10:43:32.089Z","updated_at":"2026-05-12T23:36:24.032Z","avatar_url":"https://github.com/atheiman.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# terraform-aws-codebuild-cicd\n\nTerraform module to quickly setup a CodeBuild project linked to multiple CodeCommit repositories. 
CodeBuild will run the `buildspec.yml` in each CodeCommit repository when the default branch is pushed to. If a branch has an open pull request, a build will run for the pull request source branch and the build status will be commented on the pull request.\n\n- GitHub: https://github.com/atheiman/terraform-aws-codebuild-cicd\n- Terraform Registry: https://registry.terraform.io/modules/atheiman/codebuild-cicd/aws\n\n![Build Workflow Diagram](/img/build-workflow-diagram.drawio.png)\n\n## Module Example Usage\n\n```hcl\nmodule \"codebuild_cicd\" {\n  source = \"atheiman/codebuild-cicd/aws\"\n\n  ######################\n  # Optional Variables #\n  ######################\n\n  # Specify extra IAM policy ARNs to attach to the CodeBuild service role\n  # Warning - these permissions will be available to all builds on all CodeCommit repositories\n  codebuild_service_role_extra_managed_policy_arns = [\"arn:aws:iam::aws:policy/ReadOnlyAccess\"]\n\n  # Recommended to namespace extra environment variables with `CI_` or other prefix to avoid\n  # built-in environment variable collisions\n  codebuild_extra_environment_variables = [\n    {\n      name  = \"CI_MY_COLOR\"\n      value = \"Blue\"\n    },\n    {\n      name  = \"CI_MY_NUMBER\"\n      value = 4 # Will be converted to string\n    },\n    {\n      name  = \"CI_ARTIFACTS_BUCKET\"\n      value = aws_s3_bucket.artifacts.id\n    },\n  ]\n\n  # CodeCommit repositories in this region to apply an approval rule template to requiring\n  # successful builds\n  codecommit_approval_rule_template_associated_repositories = [\"my-repository\"]\n\n  # Mapping of repository names to custom settings.\n  codecommit_repositories_customizations = {\n    \"my-favorite-repo\" = {\n      # Ensure the service role trusts service principal \"codebuild.amazonaws.com\". 
Module output\n      # `codebuild_service_role_policy_arn` is the minimum IAM policy to apply to custom service\n      # roles for basic CodeBuild functionality.\n      codebuild_service_role_arn = aws_iam_role.my_custom_codebuild_service_role.arn\n    }\n  }\n\n  # Define an allow list or a deny list of repository names, or all repos will be built by default\n  codecommit_repositories_allowed = [\"my-favorite-repo\", \"another-repo\"]\n  codecommit_repositories_denied  = [\"never-build-this-repo\"]\n}\n```\n\n## Usage Notes\n\n- CodeBuild builds are automatically started for all CodeCommit repositories in the account and region this project is deployed to. Specifically:\n  - Builds are automatically started for every commit to the default branch of every repository.\n  - Builds are automatically started for every pull request that is opened (with any destination branch), and for every push to update the source branch of an existing pull request. `buildspec.yml` will be loaded from the default branch by default (set `codebuild_load_buildspec_from_default_branch` to `false` to override this behavior).\n- If pull request builds succeed, an IAM role from this project will approve the pull request.\n\n### Available Environment Variables\n\nTo get a full list of environment variables available in your build, run the `env` command in a build. Example:\n\n```yaml\n# https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec-ref-syntax\nversion: 0.2\nphases:\n  build:\n    commands:\n      - env | sort\n```\n\nYou can view the variables available from CodeBuild here: https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html. In addition, these environment variables are set in builds triggered by this project:\n\n| Environment Variable | Example Value(s) | Notes |\n| -------------------- | ---------------- | ----- |\n| `CI_REPOSITORY_NAME` | `my-codecommit-project` | The name of the CodeCommit project related to the build. 
|\n| `CI_COMMIT_REF_NAME` | `main`, `my-feature-branch` | The name of the source ref (typically a branch) related to the build. |\n| `CI_DESTINATION_COMMIT` | `7674e88683d18f92e53edbabbc3aac52768dbaa4` | *Pull request builds only.* The full commit SHA of the destination branch related to the pull request. |\n| `CI_PULL_REQUEST_ID` | `4`, `16` | *Pull request builds only.* The ID of the pull request related to the build. |\n| `CI_SOURCE_COMMIT` | `e12ff82bc22beec38f7a03d0d99c57d319b76a32` | *Pull request builds only.* The full commit SHA of the source being built. |\n\n## Full Walkthrough\n\n### Deploy the Terraform project\n\n1. In a new directory, reference this Terraform module and specify an external [Terraform Backend](https://developer.hashicorp.com/terraform/language/settings/backends/configuration). If you need an [S3 backend](https://developer.hashicorp.com/terraform/language/settings/backends/s3), you can create one in your account using [this CloudFormation template](https://gist.github.com/atheiman/055cfc07fe3cbdc7ec54fa40b180900d).\n   ```hcl\n   # main.tf\n\n   module \"codebuild_cicd\" {\n     source = \"atheiman/codebuild-cicd/aws\"\n   }\n   ```\n\n   ```hcl\n   # backend.tf\n\n   terraform {\n     backend \"s3\" {\n       region         = \"us-east-1\"\n       bucket         = \"my-tf-state-bucket\"\n       key            = \"codebuild-cicd.tfstate\"\n       dynamodb_table = \"my-tf-state-lock-table\"\n     }\n   }\n   ```\n1. Initialize and deploy the new terraform project. You will need to [configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html). 
You should be able to run `aws sts get-caller-identity` and get a response showing your expected IAM user or role.\n   ```shell\n   # initialize terraform\n   terraform init -reconfigure\n\n   # review resources to be created\n   terraform plan -out tfplan.binary\n\n   # apply the saved plan\n   terraform apply tfplan.binary\n   ```\n\n### Automatically build the `main` branch of a CodeCommit repository\n\n1. Create a CodeCommit repository to use the CI/CD functionality\n   1. Open the CodeCommit console in the same account and region you deployed the terraform above\n   1. Create a repository named `example-cicd-usage`\n   1. Add a `buildspec.yml` file to the `main` branch:\n      ```yaml\n      # https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec-ref-syntax\n      version: 0.2\n      phases:\n        build:\n          commands:\n            - env | sort\n            - aws sts get-caller-identity\n            - echo \"Running build for source '$CODEBUILD_SOURCE_VERSION'\"\n            - for f in $(find * -type f -name '*.py'); do python -m py_compile \"$f\"; done\n            - if [ \"$CODEBUILD_SOURCE_VERSION\" == 'main' ]; then\n                echo \"Do something special on builds for the 'main' branch here\";\n              fi\n      ```\n1. View the CodeBuild build for the `main` branch of your repository\n   1. Open the CodeBuild console in the same account and region you deployed the terraform above.\n   1. Open the build project named `codebuild-cicd`.\n   1. You should see a build in the build history with status `In progress` or `Succeeded`. By default, builds are automatically started for any CodeCommit repository when the `main` or `master` branch is updated.\n   1. In the build logs, you can see the build ran the commands specified in `buildspec.yml`. 
The output should include `Do something special on builds for the 'main' branch here` because this build was run on the `main` branch.\n\n### Automatically build and post build status to pull requests\n\n1. Create a feature branch `my-feature` from the branch `main` on the `example-cicd-usage` CodeCommit repository created above.\n1. Add a Python file `script.py` on the `my-feature` branch with the below content to be checked by the build:\n   ```python\n   print \"hello world\"\n   ```\n1. Create a pull request in the CodeCommit repository `example-cicd-usage`. Set the source branch to `my-feature` and the destination branch to `main`. You can title the pull request `Example pull request with CI/CD`.\n1. Wait a minute after creating the pull request, then open the `Activity` tab on the pull request you created. You should see a new comment from `codebuild-cicd-pull-request-build-status` with a message similar to \"⏱ CodeBuild build IN_PROGRESS for commit b829bd89: 3afb3af0-408d-49d4-8a53-d95ac033aea9\". Click the link to the build to open the running build for the pull request.\n1. After another minute the build should complete. On the pull request `Activity` tab, you will see a new comment similar to: \"❌ CodeBuild build FAILED for commit b829bd89: 3afb3af0-408d-49d4-8a53-d95ac033aea9\". Click the link to open the failed build for the pull request. You can see at the end of the build logs, the build failed because the file `script.py` has a syntax error:\n   ```\n   [Container] 2023/10/11 14:50:23 Running command python -m py_compile *.py\n     File \"script.py\", line 1\n       print \"hello world\"\n       ^^^^^^^^^^^^^^^^^^^\n   SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?\n   ```\n1. Update `script.py` on the `my-feature` branch with the below content:\n   ```python\n   print(\"hello world\")\n   ```\n1. Return to the pull request that is now updated with your new commit. 
Within a couple minutes, you should see two new comments from `codebuild-cicd-pull-request-build-status` on the `Activity` tab of the pull request similar to the below (note that comments are sorted newest on top):\n   1. ✅ CodeBuild build SUCCEEDED for commit f22cceb8: bded770d-3514-478b-83a9-89289fd57c14\n   1. ⏱ CodeBuild build IN_PROGRESS for commit f22cceb8: bded770d-3514-478b-83a9-89289fd57c14\n1. You can now merge this pull request with confidence that the build commands specified in `buildspec.yml` have passed for the feature branch `my-feature`.\n1. When you merge the feature branch into `main`, the build will be started again for the updated `main` branch.\n\n### Manage the CodeBuild CI/CD infrastructure within CodeCommit and deploy with CodeBuild\n\n1. Grant additional permissions to the CodeBuild service role using the module variable `codebuild_service_role_managed_policy_arns`. Apply the updated terraform locally.\n1. Put the Terraform from above into a new CodeCommit repository. You will need at least the `module {}` reference, and the `backend {}` configuration. Optionally add a [`.gitignore` for Terraform](https://www.toptal.com/developers/gitignore/api/terraform) and `README.md`.\n1. Update the `buildspec.yml` commands:\n   - all branches: `terraform fmt -recursive \u0026\u0026 terraform init -reconfigure \u0026\u0026 terraform plan`\n   - `main` branch: `terraform apply -auto-approve`\n\n## Roadmap\n\n1. Readme updated to show detailed instructions for managing this infrastructure via codecommit / codebuild\n1. Pull request comment Lambda function to check for `buildspec.yml` in branch - if build errors because `buildspec.yml` not found, comment on pull request that the repo should add a `buildspec.yml` to use CI/CD.\n1. Run CodeBuild inside a VPC - accept vpc config in variables\n1. 
Build for codecommit repos in other regions\n   - README explanation of cross region event routing https://aws.amazon.com/blogs/compute/introducing-cross-region-event-routing-with-amazon-eventbridge/\n   - Customization logic is based off repo name, would need to update to optionally use arn\n1. Support additional tools installed in codebuild image / custom codebuild images?\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatheiman%2Fterraform-aws-codebuild-cicd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fatheiman%2Fterraform-aws-codebuild-cicd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatheiman%2Fterraform-aws-codebuild-cicd/lists"}