8

I originally had a simple CodePipeline setup triggered by commits to a CodeCommit repo, with a "Stage" that output the source code as an artifact and another "Stage" using CodeBuild to run some code from that source output. Now I want to access RDS in that CodeBuild "Stage", so I added my RDS's VPC settings to my CodeBuild project.

The problem is that now CodeBuild can no longer access the CodeCommit source. I am receiving the following error:

CLIENT_ERROR: RequestError: send request failed caused by: Get https://mypipeline-artifactstorebucket-twlrq7tj45fq.s3.amazonaws.com/MYPipeline-data-pipe/RepoSource/PKGw3xs: dial tcp 52.216.160.35:443: i/o timeout for primary source and source version arn:aws:s3:::mypipeline-artifactstorebucket-twlrq7tj45fq/MYPipeline-data-pipe/RepoSource/PKGw3xs

Does adding a VPC to a CodeBuild project also remove whatever the default settings are? (maybe it was originally using the default VPC?)

How can I allow CodeBuild to access both RDS and CodeCommit?

twiz
  • 305
  • 2
  • 11
  • From what I see now, AWS forces you to run CodeBuild on a private subnet with a default route to NAT Gateway. – jweyrich Jul 22 '19 at 14:16
  • @jweyrich Yep, that's what I found too. I mentioned in a comment on MLu's answer, there is a great AWS training video that explains setting up subnet + NAT Gateway. If you're not already an expert on those topics, I highly recommend it: https://www.aws.training/learningobject/video?id=16490 – twiz Jul 23 '19 at 11:06
  • 1
    Yep, but you only need a private subnet+natgw if you configure it to use a VPC. You're not required to use a VPC unless the build needs access to a resource in that VPC. – jweyrich Jul 25 '19 at 03:18
  • Alternatively, you can now use a VPC endpoint to publish the S3 route to the private subnets. It currently costs 1/4 of what a NAT gateway costs. – jweyrich Aug 21 '19 at 03:38

3 Answers3

4

I had this same problem, trying to have CodeBuild retrieve code from CodeDeploy so it could deploy code to RDS in a VPC. When CodeBuild was outside the VPC it could connect to CodeCommit fine, but once I put CodeDeploy into VPC the error message was

CLIENT_ERROR: Get https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/repo-name/info/refs?service=name: dial tcp 1.2.3.4:443: i/o timeout for primary source and source version refs/heads/master

I couldn't find any documentation about this at all, so I resorted to trial and error based on what is written above. I went through quite a few combinations of things to work out what worked and what didn't. Here's what I found:

  • CodeBuild needs to be associated with a VPC. I imagine that CodeBuild allocates an ENI (private IP address, effectively) in the VPC.
  • CodeBuild needs to be associated with a security group that allows egress to the VPC CIDR range. It doesn't seem to need ingress rules, which makes sense, as nothing is calling into CodeCommi.
  • You need a git-codecommit interface endpoint ( com.amazonaws.ap-southeast-2.git-codecommit )
  • The git-codecommit endpoint needs to be associated with a security group that allows ingress from CodeBuild. The easiest way to do this is probably just to allow ingress from the VPC range, but you can probably just reference the security group that CodeBuild uses for ingress.
  • It makes no difference whether an internet gateway / route to the internet is present. I was initially doing this in a private subnet with no internet access, but then added an internet gateway, associated it with the VPC, then routed the subnets to the internet gateway (0.0.0.0/0)

Hopefully this helps someone else connect CodeBuild or CodePipeline to a VPC to deploy to EC2, RDS, ECS, or other services.

Tim
  • 30,383
  • 6
  • 47
  • 77
  • Thank you very much. That was super helpful. Any idea why I can't see any build logs when have the build project in. VPC? – DrkStr Nov 11 '20 at 08:18
  • Note: you will need to create another endpoint with com.amazonaws..logs if you want to see your build logs – DrkStr Nov 11 '20 at 08:42
4

What a VPC-based CodeBuild can access depends on the subnet configuration that you're using for the CodeBuild container.

If you're placing it in a Private subnet make sure that the subnet is configured for internet access through NAT Gateway.

If you're running it in a Public subnet make sure that it is configured to assign Public IP by default.

Refer to this answer for more info: Public and private subnet in VPC

And also make sure that there are no other restrictions in place, e.g. the Security Group permits outbound access to the internet, there are no NACLs in place, etc.

Simple test: is to spin up a tiny EC2 instance in the same subnet where you're running your CodeBuild containers and test from there if it can reach the codebuild endpoint (e.g. curl https://mypipeline-artifactstorebucket.../PKGw3xs).

In other words: Yes, CodeBuild can be run in a VPC and still have access to CodeCommit but your subnet network config must be correct.

Hope that helps :)

MLu
  • 23,798
  • 5
  • 54
  • 81
  • 1
    Thanks! I think this pointed me in the right direction, but now I am wondering if this can also be accomplished using a "VPC Endpoint" for S3: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html I'm experimenting with it, but haven't yet had success. Do you have any insight about using endpoints to accomplish this? – twiz Jan 11 '19 at 16:55
  • So I did eventually get this working. This answer was really helpful, but has a couple issues. Apparently AWS prevents CodeBuild from working on public subnets, so you need to use a private one. Testing on EC2 is a good suggestion, but it is a bit complicated since it needs to be on a private subnet. Also, I think maybe my question doesn't have a definite answer beyond "setup your VPC correctly". If anyone is confused about VPCs like I was, I highly recommend watching the AWS training video "Subnets, Gateways, and Route Tables Explained" at https://aws.training – twiz Apr 08 '19 at 12:47
0

I had such error when I condfigured 

    Type: AWS::CodeBuild::Project
    Properties:
        Source: 
            BuildSpec: buildspec-ProdCf.yml
            ....

but in fact the yml file was in a subdirectory.

Putnik
  • 2,095
  • 3
  • 23
  • 40