

fix: add CodeBuild VPC endpoint + IAM policy for Lambda→CodeBuild con…
…nectivity

Root cause of 'Connect timeout on codebuild.us-gov-west-1.amazonaws.com':
- Lambda is in a VPC with no NAT gateway path to CodeBuild's public endpoint
- Lambda role was missing codebuild:StartBuild / codebuild:BatchGetBuilds perms

Fix:
- aws_vpc_endpoint.codebuild[0]: interface endpoint for CodeBuild in the Lambda
  VPC with private DNS enabled (Lambda API calls resolve to private IPs)
- aws_iam_role_policy.codebuild_access: StartBuild + BatchGetBuilds on the
  eks-terragrunt-repo-creator project ARN only
Your Name committed Apr 6, 2026
1 parent 52ebef0 commit aee6987
Showing 3 changed files with 407 additions and 27 deletions.
37 changes: 37 additions & 0 deletions deploy/main.tf
Expand Up @@ -112,6 +112,43 @@ resource "aws_codebuild_project" "eks_repo_creator" {
tags = var.tags
}

# ── IAM: allow Lambda to start and poll the CodeBuild job ────────────────────
resource "aws_iam_role_policy" "codebuild_access" {
name = "eks-repo-creator-codebuild-access"
role = module.eks_terragrunt_repo_generator.lambda_role_id

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "StartAndPollBuild"
Effect = "Allow"
Action = [
"codebuild:StartBuild",
"codebuild:BatchGetBuilds",
]
Resource = aws_codebuild_project.eks_repo_creator.arn
}
]
})
}

# ── VPC endpoint: CodeBuild (interface) ──────────────────────────────────────
# The Lambda runs inside a VPC; without this endpoint the CodeBuild API call
# times out because there is no NAT/internet path for codebuild.amazonaws.com.
resource "aws_vpc_endpoint" "codebuild" {
count = var.enable_vpc ? 1 : 0

vpc_id = var.codebuild_vpc_id
service_name = "com.amazonaws.${var.aws_region}.codebuild"
vpc_endpoint_type = "Interface"
subnet_ids = var.subnet_ids
security_group_ids = var.security_group_ids
private_dns_enabled = true

tags = merge(var.tags, { Name = "eks-terragrunt-codebuild-endpoint" })
}

# Outputs
output "lambda_function_arn" {
description = "ARN of the deployed Lambda function - use this as ServiceToken in CloudFormation"
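Review bot: `aws_vpc_endpoint.codebuild` sets no `policy`, so the endpoint comes up with the AWS default that lets any principal make any CodeBuild call through it; the state hunk in this same commit shows exactly that default (`"Action":"*"`, `"Principal":"*"`, `"Resource":"*"`). The IAM policy above correctly limits the Lambda role to StartBuild/BatchGetBuilds on one project, but the endpoint is a second control point and is left open to anything in the VPC that can reach its ENI. An endpoint policy restricted to those two actions and `aws_codebuild_project.eks_repo_creator.arn` would close that, and narrowing `Principal` to the Lambda role's ARN is worth doing too, though the module only exposes `lambda_role_id` in this hunk, so an ARN output would have to be added first. The rest of the hunk looks sound: the role policy is scoped to the project ARN rather than `*`, and `private_dns_enabled = true` is what makes the SDK's default `codebuild.<region>.amazonaws.com` hostname resolve to the endpoint.
```hcl
resource "aws_vpc_endpoint" "codebuild" {
  # … unchanged: count, vpc_id, service_name, vpc_endpoint_type, subnet_ids, security_group_ids, private_dns_enabled …

  # Endpoint policy: without one AWS applies a full-access default. Limit the
  # endpoint to the two calls the Lambda makes, against this project only.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "CodeBuildRepoCreatorOnly"
        Effect    = "Allow"
        Principal = "*" # TODO: narrow to the Lambda role ARN once the module outputs it
        Action = [
          "codebuild:StartBuild",
          "codebuild:BatchGetBuilds",
        ]
        Resource = aws_codebuild_project.eks_repo_creator.arn
      }
    ]
  })

  # … unchanged: tags …
}
```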
134 changes: 123 additions & 11 deletions deploy/terraform.tfstate
@@ -1,7 +1,7 @@
{
"version": 4,
"terraform_version": "1.9.1",
"serial": 191,
"serial": 195,
"lineage": "637f189b-ce2c-766c-35d1-8b43eb7ae216",
"outputs": {
"api_endpoint": {
Expand Down Expand Up @@ -259,6 +259,31 @@
}
]
},
{
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "codebuild_access",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "eks-terragrunt-repo-gen-lambda-role:eks-repo-creator-codebuild-access",
"name": "eks-repo-creator-codebuild-access",
"name_prefix": "",
"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"codebuild:StartBuild\",\"codebuild:BatchGetBuilds\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:project/eks-terragrunt-repo-creator\",\"Sid\":\"StartAndPollBuild\"}]}",
"role": "eks-terragrunt-repo-gen-lambda-role"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_codebuild_project.eks_repo_creator",
"module.eks_terragrunt_repo_generator.aws_iam_role.lambda",
"module.eks_terragrunt_repo_generator.data.aws_partition.current"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role_policy",
Expand Down Expand Up @@ -523,6 +548,89 @@
}
]
},
{
"mode": "managed",
"type": "aws_vpc_endpoint",
"name": "codebuild",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"arn": "arn:aws-us-gov:ec2:us-gov-west-1:229685449397:vpc-endpoint/vpce-0e2a877f8ef17a404",
"auto_accept": null,
"cidr_blocks": [],
"dns_entry": [
{
"dns_name": "vpce-0e2a877f8ef17a404-bx1tfjab.codebuild.us-gov-west-1.vpce.amazonaws.com",
"hosted_zone_id": "Z12529ZODG2B6H"
},
{
"dns_name": "vpce-0e2a877f8ef17a404-bx1tfjab-us-gov-west-1a.codebuild.us-gov-west-1.vpce.amazonaws.com",
"hosted_zone_id": "Z12529ZODG2B6H"
},
{
"dns_name": "codebuild.us-gov-west-1.amazonaws.com",
"hosted_zone_id": "Z0032114FCSKWRU3K1CW"
}
],
"dns_options": [
{
"dns_record_ip_type": "ipv4",
"private_dns_only_for_inbound_resolver_endpoint": false
}
],
"id": "vpce-0e2a877f8ef17a404",
"ip_address_type": "ipv4",
"network_interface_ids": [
"eni-08b50691ecd508c05"
],
"owner_id": "229685449397",
"policy": "{\"Statement\":[{\"Action\":\"*\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":\"*\"}]}",
"prefix_list_id": null,
"private_dns_enabled": true,
"requester_managed": false,
"resource_configuration_arn": "",
"route_table_ids": [],
"security_group_ids": [
"sg-0641c697588b9aa6b"
],
"service_name": "com.amazonaws.us-gov-west-1.codebuild",
"service_network_arn": "",
"service_region": "",
"state": "available",
"subnet_configuration": [
{
"ipv4": "10.252.192.37",
"ipv6": "",
"subnet_id": "subnet-0b1992a84536c581b"
}
],
"subnet_ids": [
"subnet-0b1992a84536c581b"
],
"tags": {
"Environment": "production",
"ManagedBy": "Terraform",
"Name": "eks-terragrunt-codebuild-endpoint",
"Purpose": "EKSTerragruntRepoGenerator"
},
"tags_all": {
"Environment": "production",
"ManagedBy": "Terraform",
"Name": "eks-terragrunt-codebuild-endpoint",
"Purpose": "EKSTerragruntRepoGenerator"
},
"timeouts": null,
"vpc_endpoint_type": "Interface",
"vpc_id": "vpc-00576a396ec570b94"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwLCJ1cGRhdGUiOjYwMDAwMDAwMDAwMH19"
}
]
},
{
"module": "module.eks_terragrunt_repo_generator",
"mode": "data",
Expand Down Expand Up @@ -855,6 +963,10 @@
"force_detach_policies": false,
"id": "eks-terragrunt-repo-gen-lambda-role",
"inline_policy": [
{
"name": "eks-repo-creator-codebuild-access",
"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"codebuild:StartBuild\",\"codebuild:BatchGetBuilds\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:project/eks-terragrunt-repo-creator\",\"Sid\":\"StartAndPollBuild\"}]}"
},
{
"name": "eks-terragrunt-repo-gen-kms-access-policy",
"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"kms:Decrypt\",\"kms:DescribeKey\"],\"Effect\":\"Allow\",\"Resource\":[\"*\"]}]}"
Expand Down Expand Up @@ -1043,7 +1155,7 @@
"x86_64"
],
"arn": "arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation",
"code_sha256": "af0b5eedce3615cd1411857c54c548ae89c8dbd0593fb6e71716bf81812049b1",
"code_sha256": "2e16bf46a2f11897e0aa8542802533a893c215d575725b48752bd99f783e1f89",
"code_signing_config_arn": null,
"dead_letter_config": [],
"description": "",
Expand Down Expand Up @@ -1075,7 +1187,7 @@
"image_uri": "229685449397.dkr.ecr.us-gov-west-1.amazonaws.com/eks-terragrunt-repo-generator/lambda:latest",
"invoke_arn": "arn:aws-us-gov:apigateway:us-gov-west-1:lambda:path/2015-03-31/functions/arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation/invocations",
"kms_key_arn": "",
"last_modified": "2026-04-06T17:55:08.000+0000",
"last_modified": "2026-04-06T17:58:08.000+0000",
"layers": [],
"logging_config": [
{
Expand Down Expand Up @@ -1338,13 +1450,13 @@
[
{
"type": "get_attr",
"value": "value_wo"
"value": "value"
}
],
[
{
"type": "get_attr",
"value": "value"
"value": "value_wo"
}
]
],
Expand Down Expand Up @@ -1432,13 +1544,13 @@
[
{
"type": "get_attr",
"value": "value"
"value": "value_wo"
}
],
[
{
"type": "get_attr",
"value": "value_wo"
"value": "value"
}
]
],
Expand Down Expand Up @@ -1479,13 +1591,13 @@
[
{
"type": "get_attr",
"value": "value"
"value": "value_wo"
}
],
[
{
"type": "get_attr",
"value": "value_wo"
"value": "value"
}
]
],
Expand Down Expand Up @@ -1573,13 +1685,13 @@
[
{
"type": "get_attr",
"value": "value"
"value": "value_wo"
}
],
[
{
"type": "get_attr",
"value": "value_wo"
"value": "value"
}
]
],

