{"id":44534717,"url":"https://github.com/flexion/aws-codebuild-runner-project-tf-module","last_synced_at":"2026-02-13T18:44:39.209Z","repository":{"id":288173734,"uuid":"967026780","full_name":"flexion/aws-codebuild-runner-project-tf-module","owner":"flexion","description":"A Terraform module to build a codebuild hosted runner project","archived":false,"fork":false,"pushed_at":"2025-11-20T18:46:13.000Z","size":78,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":49,"default_branch":"main","last_synced_at":"2025-11-20T20:23:35.388Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flexion.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-04-15T20:13:38.000Z","updated_at":"2025-10-29T22:02:23.000Z","dependencies_parsed_at":"2025-10-30T00:06:41.752Z","dependency_job_id":"45571726-fe30-4c73-92f2-88e04683fbd3","html_url":"https://github.com/flexion/aws-codebuild-runner-project-tf-module","commit_stats":null,"previous_names":["flexion/aws-codebuild-runner-project-tf-module"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/flexion/aws-codebuild-runner-project-tf-module","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flexion%2Faws-codebuild-runner-project-tf-module","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flexion%2Faws-codebuild-runner-project-tf-module/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flexion%2Faws-codebuild-runner-project-tf-module/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flexion%2Faws-codebuild-runner-project-tf-module/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/flexion","download_url":"https://codeload.github.com/flexion/aws-codebuild-runner-project-tf-module/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flexion%2Faws-codebuild-runner-project-tf-module/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29414282,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-13T06:24:03.484Z","status":"ssl_error","status_checked_at":"2026-02-13T06:23:12.830Z","response_time":78,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-13T18:44:37.561Z","updated_at":"2026-02-13T18:44:39.204Z","avatar_url":"https://github.com/flexion.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform AWS CodeBuild Runner Project\n\nThis Terraform module provisions an AWS CodeBuild Runner project with an attached webhook. Currently, AWS does not support creating Runner Projects via API or CLI. This module is a workaround. Terraform creates a default project and, by applying certain webhooks, it converts the project into a Runner project. This module is useful for teams that want to run GitHub Actions on AWS-managed on-demand compute.\n\n---\n\n## 🛠️ Prerequisites\n\n- A GitHub App **\"AWS Connector for GitHub\"** successfully installed and configured in your AWS account. [More info on that](https://qnetconfluence.cms.gov/display/ISFCS/Configuring+Github+Runners+using+AWS+CodeBuild)\n- CodeConnection itself can be provisioned via Terraform but requires manual authorization from AWS. The module will fail if the connection is not authorized.\n\n## ✨ Features\n\n- 🚀 Provisions a CodeBuild Runner project using GitHub as the source (via CodeConnections)\n- 📦 Adds default filter groups to capture key events (indirectly creates a runner project without official support)\n- ➕ Supports additional user-supplied filter groups\n- 🧠 Automatically configures `scope_configuration` when applicable (i.e., webhook access at repo level vs org level)\n- 🔁 Defaults to Lambda compute with 2 GB memory, Linux OS, and Node.js runtime\n\n---\n\n## 📦 Module Usage Examples\n\nSee the [examples](examples) dir for examples of usage:\n\n1. [Access level - Repo | Compute - EC2 | Mode - Container](examples/repo-ec2)\n1. [Access level - Org | Compute - Lambda (4 GB) | Mode - Container](examples/org-lambda)\n1. [Repo-level access with additional webhook filter](examples/repo-webhook)\n\n---\n\n## 🧩 Default Filter Groups\n\nThis default filter group is the core logic that triggers creation of a runner project. Since AWS does not officially support provisioning CodeBuild runner projects via API, this webhook indirectly transforms a default CodeBuild project into a runner-enabled project.\n\n```tf\n[ # group 1\n  {\n    type    = \"EVENT\"\n    pattern = \"WORKFLOW_JOB_QUEUED\"\n  }\n]\n```\n\n---\n\n## 🔧 Input Variables\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.0.0 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 5.0.0 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | 5.95.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_codebuild_project.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |\n| [aws_codebuild_source_credential.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_source_credential) | resource |\n| [aws_codebuild_webhook.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_webhook) | resource |\n| [aws_secretsmanager_secret.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |\n| [aws_secretsmanager_secret_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |\n| [aws_secretsmanager_secret_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |\n| [aws_ssm_parameter.github_personal_access_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_additional_filter_groups\"\u003e\u003c/a\u003e [additional\\_filter\\_groups](#input\\_additional\\_filter\\_groups) | Additional filter groups to be appended to the default | \u003cpre\u003elist(list(object({\u003cbr/\u003e    type                    = string\u003cbr/\u003e    pattern                 = string\u003cbr/\u003e    exclude_matched_pattern = optional(bool)\u003cbr/\u003e  })))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_build_timeout\"\u003e\u003c/a\u003e [build\\_timeout](#input\\_build\\_timeout) | Build timeout in minutes | `number` | `5` | no |\n| \u003ca name=\"input_cloudwatch_logs_group_name\"\u003e\u003c/a\u003e [cloudwatch\\_logs\\_group\\_name](#input\\_cloudwatch\\_logs\\_group\\_name) | Name of the CloudWatch log group | `string` | `\"\"` | no |\n| \u003ca name=\"input_cloudwatch_logs_stream_name\"\u003e\u003c/a\u003e [cloudwatch\\_logs\\_stream\\_name](#input\\_cloudwatch\\_logs\\_stream\\_name) | Name of the CloudWatch log stream | `string` | `\"\"` | no |\n| \u003ca name=\"input_codeconnections_arn\"\u003e\u003c/a\u003e [codeconnections\\_arn](#input\\_codeconnections\\_arn) | preauthorized ARN of the CodeConnection | `string` | `null` | no |\n| \u003ca name=\"input_description\"\u003e\u003c/a\u003e [description](#input\\_description) | Description of the CodeBuild project | `string` | `\"\"` | no |\n| \u003ca name=\"input_docker_server_compute_type\"\u003e\u003c/a\u003e [docker\\_server\\_compute\\_type](#input\\_docker\\_server\\_compute\\_type) | Compute type for the Docker server. Default: null. Valid values: BUILD\\_GENERAL1\\_SMALL, BUILD\\_GENERAL1\\_MEDIUM, BUILD\\_GENERAL1\\_LARGE, BUILD\\_GENERAL1\\_XLARGE, and BUILD\\_GENERAL1\\_2XLARGE. | `string` | `null` | no |\n| \u003ca name=\"input_docker_server_security_group_ids\"\u003e\u003c/a\u003e [docker\\_server\\_security\\_group\\_ids](#input\\_docker\\_server\\_security\\_group\\_ids) | The list of Security Group IDs for the Docker server. | `list(string)` | `null` | no |\n| \u003ca name=\"input_environment_compute_type\"\u003e\u003c/a\u003e [environment\\_compute\\_type](#input\\_environment\\_compute\\_type) | BUILD\\_GENERAL1\\_SMALL, BUILD\\_GENERAL1\\_MEDIUM, BUILD\\_LAMBDA\\_2GB, BUILD\\_LAMBDA\\_4GB, etc | `string` | `\"BUILD_LAMBDA_2GB\"` | no |\n| \u003ca name=\"input_environment_image\"\u003e\u003c/a\u003e [environment\\_image](#input\\_environment\\_image) | applicable image of ec2 or lambda | `string` | `\"aws/codebuild/amazonlinux-x86_64-lambda-standard:nodejs20\"` | no |\n| \u003ca name=\"input_environment_image_pull_creds\"\u003e\u003c/a\u003e [environment\\_image\\_pull\\_creds](#input\\_environment\\_image\\_pull\\_creds) | Type of credentials AWS CodeBuild uses to pull images in your build. Valid values: CODEBUILD, SERVICE\\_ROLE. | `string` | `\"CODEBUILD\"` | no |\n| \u003ca name=\"input_environment_type\"\u003e\u003c/a\u003e [environment\\_type](#input\\_environment\\_type) | LINUX\\_CONTAINER for EC2 and LINUX\\_LAMBDA\\_CONTAINER for Lambda | `string` | `\"LINUX_LAMBDA_CONTAINER\"` | no |\n| \u003ca name=\"input_github_org_name\"\u003e\u003c/a\u003e [github\\_org\\_name](#input\\_github\\_org\\_name) | Name of your github org if webhook is of org level | `string` | n/a | yes |\n| \u003ca name=\"input_github_personal_access_token_ssm_parameter\"\u003e\u003c/a\u003e [github\\_personal\\_access\\_token\\_ssm\\_parameter](#input\\_github\\_personal\\_access\\_token\\_ssm\\_parameter) | The GitHub personal access token to use for accessing the repository. If not specified then GitHub auth must be configured separately. | `string` | `null` | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | Name of the CodeBuild project | `string` | n/a | yes |\n| \u003ca name=\"input_pat_override\"\u003e\u003c/a\u003e [pat\\_override](#input\\_pat\\_override) | Is the PAT provided an override of the default account token. Default: true | `bool` | `true` | no |\n| \u003ca name=\"input_privileged_mode\"\u003e\u003c/a\u003e [privileged\\_mode](#input\\_privileged\\_mode) | Is privileged mode enabled for AWS CodeBuild. Required for Docker builds. Default: false | `bool` | `false` | no |\n| \u003ca name=\"input_service_role_name\"\u003e\u003c/a\u003e [service\\_role\\_name](#input\\_service\\_role\\_name) | IAM role name for CodeBuild to assume | `string` | n/a | yes |\n| \u003ca name=\"input_source_buildspec\"\u003e\u003c/a\u003e [source\\_buildspec](#input\\_source\\_buildspec) | The build spec declaration to use for this build project's related builds. Enter a path from your repository's root dir. | `string` | `null` | no |\n| \u003ca name=\"input_source_git_submodules_config_fetch\"\u003e\u003c/a\u003e [source\\_git\\_submodules\\_config\\_fetch](#input\\_source\\_git\\_submodules\\_config\\_fetch) | Whether to fetch Git submodules for the AWS CodeBuild build project. | `bool` | `false` | no |\n| \u003ca name=\"input_source_location\"\u003e\u003c/a\u003e [source\\_location](#input\\_source\\_location) | The git remote address for the repository | `string` | `\"CODEBUILD_DEFAULT_WEBHOOK_SOURCE_LOCATION\"` | no |\n| \u003ca name=\"input_vpc_id\"\u003e\u003c/a\u003e [vpc\\_id](#input\\_vpc\\_id) | The VPC ID for AWS CodeBuild to launch ephemeral instances in. | `string` | `null` | no |\n| \u003ca name=\"input_vpc_security_group_ids\"\u003e\u003c/a\u003e [vpc\\_security\\_group\\_ids](#input\\_vpc\\_security\\_group\\_ids) | The list of Security Group IDs for AWS CodeBuild to launch ephemeral EC2 instances in. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_vpc_subnet_ids\"\u003e\u003c/a\u003e [vpc\\_subnet\\_ids](#input\\_vpc\\_subnet\\_ids) | The list of Subnet IDs for AWS CodeBuild to launch ephemeral EC2 instances in. | `list(string)` | `[]` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_project_arn\"\u003e\u003c/a\u003e [project\\_arn](#output\\_project\\_arn) | n/a |\n| \u003ca name=\"output_project_name\"\u003e\u003c/a\u003e [project\\_name](#output\\_project\\_name) | n/a |\n\n## ℹ️  Notes:\n\u003e - A default filter group is always added to transform the project into a runner project.\n\u003e - `additional_filter_groups` are appended after the default filter group.\n\u003e - Each additional group must contain a filter with `type = \"EVENT\"`.\n\u003e - `exclude_matched_pattern` is optional and defaults to `false`.\n\u003e - `scope_configuration` is applied only when `source_location` is default or unset.\n\n---\n\n## ✅ Tested With\n\n- Terraform v1.5+\n- AWS Provider v5.x\n- GitHub + CodeConnections integration\n- Default and additional filter group handling\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflexion%2Faws-codebuild-runner-project-tf-module","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflexion%2Faws-codebuild-runner-project-tf-module","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflexion%2Faws-codebuild-runner-project-tf-module/lists"}