AWS DevOps & Developer Productivity Blog
Introducing public builds for AWS CodeBuild
Using AWS CodeBuild, you can now share both the logs and the artifacts produced by CodeBuild projects. This blog post explains how to configure an existing CodeBuild project to enable public builds.
AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. With CodeBuild, you don’t need to provision, manage, and scale your own build servers. With this new feature, you can now make the results of a CodeBuild project build publicly viewable. Public builds simplify the collaboration workflow for open source projects by allowing contributors to see the results of Continuous Integration (CI) tasks.
How public builds work
During a project build, CodeBuild places build logs in either Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch, depending on how the customer has configured the project's LogsConfig property. Optionally, a project build can produce artifacts that persist after the build has completed. During a project build that has public builds enabled, CodeBuild sets an environment variable named CODEBUILD_PUBLIC_BUILD_URL that supplies the URL for that build's publicly viewable logs and artifacts. When a user navigates to that URL, CodeBuild uses an AWS Identity and Access Management (AWS IAM) role (defined by the project maintainer) to fetch the build logs and any available artifacts and displays them.
To enable public builds for a project:
- Navigate to the resource page in the CodeBuild console for the project for which you want to enable public builds.
- From the Edit menu, choose Project configuration.
- Select Enable public build access.
- Choose New service role.
- For Service role, enter the name you want this new role to have. For this post we will use the role name example-public-builds-role. This creates a new IAM role with the permissions defined in the next section of this blog post.
- Choose Update configuration to save the changes and return to the project's resource page within the CodeBuild console.
Project builds will now have the build logs and artifacts made available at the URL listed in the Public project URL section of the Configuration panel within the project’s resource page.
Now the CI build statuses within pull requests for the GitHub repository will include a public link to the build results. When a pull request is created in the repository, CodeBuild will start a project build and provide commit status updates during the build with a link to the public build information. This link is available as a hyperlink from the Details section of the commit status message.
IAM role permissions
This new feature introduces a new IAM role for CodeBuild. The new role is assumed by the CodeBuild service and needs read access to the build logs and any potential artifacts you would like to make publicly available. In the previous example, we had configured the CodeBuild project to store logs in Amazon CloudWatch and placed our build artifacts in Amazon S3 (namespaced to the build ID). The following AWS CloudFormation template will create an IAM Role with the appropriate least-privilege policies for accessing the public build results.
Role template
Parameters:
  LogGroupName:
    Type: String
    Description: prefix for the CloudWatch log group name
  ArtifactBucketArn:
    Type: String
    Description: Arn for the Amazon S3 bucket used to store build artifacts.
Resources:
  PublicReadRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: ['sts:AssumeRole']
            Effect: Allow
            Principal:
              Service: [codebuild.amazonaws.com]
        Version: '2012-10-17'
      Path: /
  PublicReadPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: PublicBuildPolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Read-only access to the project's log group and streams
          - Effect: Allow
            Action:
              - "logs:GetLogEvents"
            Resource:
              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${LogGroupName}:*"
          # Read-only access to objects in the artifact bucket
          - Effect: Allow
            Action:
              - "s3:GetObject"
              - "s3:GetObjectVersion"
            Resource:
              - !Sub "${ArtifactBucketArn}/*"
      Roles:
        - !Ref PublicReadRole
Creating a public build in AWS CloudFormation
Using AWS CloudFormation, you can provision CodeBuild projects using infrastructure as code (IaC). To update an existing CodeBuild project to enable public builds, add the two fields shown at the end of the following project definition (Visibility and ResourceAccessRole):
CodeBuildProject:
  Type: AWS::CodeBuild::Project
  Properties:
    ServiceRole: !GetAtt CodeBuildRole.Arn
    LogsConfig:
      CloudWatchLogs:
        GroupName: !Ref LogGroupName
        Status: ENABLED
        StreamName: ServerlessRust
    Artifacts:
      Type: S3
      Location: !Ref ArtifactBucket
      Name: ServerlessRust
      NamespaceType: BUILD_ID
      Packaging: ZIP
    Environment:
      Type: LINUX_CONTAINER
      ComputeType: BUILD_GENERAL1_LARGE
      Image: aws/codebuild/standard:4.0
      PrivilegedMode: true
    Triggers:
      BuildType: BUILD
      Webhook: true
      FilterGroups:
        - - Type: EVENT
            Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED
    Source:
      Type: GITHUB
      Location: "https://github.com/richardhboyd/ServerlessRust.git"
      BuildSpec: |
        version: 0.2
        phases:
          build:
            commands:
              - sam build
        artifacts:
          files:
            - .aws-sam/build/**/*
          discard-paths: no
    # The two fields that enable public builds
    Visibility: PUBLIC_READ
    # ResourceAccessRole takes a role ARN; this references the role defined in the previous section.
    ResourceAccessRole: !GetAtt PublicReadRole.Arn
Disabling public builds
If a project has public builds enabled and you would like to disable them, clear the check box named Enable public build access in the project configuration, or set Visibility to PRIVATE in the CloudFormation definition for the project. To prevent any project in your AWS account from using public builds, you can set an AWS Organizations service control policy (SCP) that denies the IAM action codebuild:UpdateProjectVisibility.
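As an added example (not code from the blog post), the following Python script lists the CodeBuild projects in an account whose visibility is PUBLIC_READ and flags settings worth reviewing before their logs are shared: a missing ResourceAccessRole, and plaintext environment variables with secret-looking names, since anything a build prints now lands in world-readable logs. The record keys follow the shape of CodeBuild's BatchGetProjects response and the sample records are constructed.

```python
"""Audit CodeBuild projects whose results are public. Added example; the record
shape follows CodeBuild's BatchGetProjects API and the sample data is constructed."""

SENSITIVE_HINTS = ("TOKEN", "SECRET", "PASSWORD", "KEY")


def audit_projects(projects):
    """Return one finding per PUBLIC_READ project, listing settings worth review."""
    findings = []
    for project in projects:
        if project.get("projectVisibility") != "PUBLIC_READ":
            continue
        issues = []
        if not project.get("resourceAccessRole"):
            issues.append("no resourceAccessRole: public viewers cannot fetch logs")
        # Anything a build prints now lands in world-readable logs, so plaintext
        # variables with secret-looking names deserve a second look.
        for var in project.get("environment", {}).get("environmentVariables", []):
            name = var.get("name", "")
            is_plain = var.get("type", "PLAINTEXT") == "PLAINTEXT"
            if is_plain and any(hint in name.upper() for hint in SENSITIVE_HINTS):
                issues.append(f"plaintext environment variable {name}")
        findings.append({"name": project["name"],
                         "alias": project.get("publicProjectAlias"),
                         "issues": issues})
    return findings


def fetch_projects(client):
    """Collect every project record via a boto3 CodeBuild client (100 per batch)."""
    names, token = [], None
    while True:
        page = client.list_projects(**({"nextToken": token} if token else {}))
        names.extend(page.get("projects", []))
        token = page.get("nextToken")
        if not token:
            break
    records = []
    for i in range(0, len(names), 100):
        records.extend(client.batch_get_projects(names=names[i:i + 100])["projects"])
    return records


# Constructed sample records (not real projects) so the audit runs offline.
SAMPLE_PROJECTS = [
    {"name": "ServerlessRust", "projectVisibility": "PUBLIC_READ",
     "publicProjectAlias": "example-alias",
     "resourceAccessRole": "arn:aws:iam::123456789012:role/example-public-builds-role",
     "environment": {"environmentVariables": [
         {"name": "NPM_TOKEN", "value": "placeholder", "type": "PLAINTEXT"}]}},
    {"name": "internal-api", "projectVisibility": "PRIVATE"},
]
```

Against a live account, call `audit_projects(fetch_projects(boto3.client("codebuild")))` with credentials that allow codebuild:ListProjects and codebuild:BatchGetProjects.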
Conclusion
With CodeBuild public builds, you can now share build information for your open source projects with all contributors without having to grant them direct access to your AWS account. This post explains how to enable public builds with AWS CodeBuild using both the console and CloudFormation, create a least-privilege IAM role for sharing the public build results, and how to disable public builds for a project.