
I have a lot of codebuild projects that are in use and they rely on aws_codebuild_source_credential to be created.

The problem for me is that some of the projects are specified in different folders and there is only one source credential for codebuild for an account.

This means that if I then delete a 'stack' which has created an aws_codebuild_source_credential in order to be able to create codebuild projects, then the auth token is deleted for all codebuilds from that point on.

I cannot seem to find a data provider for the aws_codebuild_source_credential so I am looking for a way to reference one that is already created elsewhere.

When creating a codebuild project the OAuth token needs to be provided:

    auth {
      type     = "OAUTH"
      resource = aws_codebuild_source_credential.github.arn
    }

The problem is: how do I share a single aws_codebuild_source_credential so that I can pass it into separate codebuild projects and, should I run a destroy against any folder, have the token be left alone?

1 Answer

It comes down to how you want to organise your Terraform code. What I would do is:

  • Move the aws_codebuild_source_credential resource into a separate repository together with an aws_ssm_parameter resource (potentially even create it as a module).

  • Provision those resources first (pre-seeding). When you provision the aws_codebuild_source_credential, store its ARN in aws_ssm_parameter under a known name.

  • Next time you provision a new codebuild project, retrieve the source credential ARN from SSM via the corresponding data resource ssm_parameter.
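
The layout this answer describes, written out as an added Terraform example (not the answerer's or the asker's code). The parameter name, repository URL, project name and `codebuild_role_arn` variable are assumptions, and the `auth` block follows the form shown in the question.

```hcl
# --- Stack 1: shared credential, applied once per account/region ---
variable "github_token" {
  type      = string
  sensitive = true
}

resource "aws_codebuild_source_credential" "github" {
  auth_type   = "PERSONAL_ACCESS_TOKEN"
  server_type = "GITHUB"
  token       = var.github_token

  # Any plan that would destroy the account-wide credential fails instead.
  lifecycle {
    prevent_destroy = true
  }
}

# Publish the ARN under a known (hypothetical) name for other stacks to read.
resource "aws_ssm_parameter" "github_credential_arn" {
  name  = "/codebuild/github/source-credential-arn"
  type  = "String"
  value = aws_codebuild_source_credential.github.arn
}

# --- Stack 2: any project folder; it never owns the credential ---
variable "codebuild_role_arn" { type = string } # assumed existing service role
data "aws_ssm_parameter" "github_credential_arn" {
  name = "/codebuild/github/source-credential-arn"
}

resource "aws_codebuild_project" "example" {
  name         = "example"
  service_role = var.codebuild_role_arn
  artifacts { type = "NO_ARTIFACTS" }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type     = "GITHUB"
    location = "https://github.com/example-org/example-repo.git" # placeholder
    auth {
      type     = "OAUTH"
      resource = data.aws_ssm_parameter.github_credential_arn.value
    }
  }
}
```

Running a destroy in a project folder only removes stack 2 resources, since the credential lives in stack 1's state. That state also holds the token value, so its backend needs the same access controls as the token itself.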


2 Comments

I did work out a way to do this; I almost did exactly what you suggest. I already have the GitHub token in SSM, so I moved the GitHub auth creation to a separate folder and I then use a string to create it, but I do like the idea of putting it in SSM. I held off from posting my own answer until I was certain the stringify was actually going to work, which took me a bit of time last night, but essentially: resource = "arn:aws:codebuild:${var.region}:${var.account_id}:token/github"
Also, for anyone who might stumble across this in the future, this CLI command is very useful for checking the source credentials' availability on the fly: aws codebuild list-source-credentials
