CodeBuild with VPC settings fails to download CodeCommit source

8,024

Solution 1

I had this same problem, trying to have CodeBuild retrieve code from CodeDeploy so it could deploy code to RDS in a VPC. When CodeBuild was outside the VPC it could connect to CodeCommit fine, but once I put CodeDeploy into VPC the error message was

CLIENT_ERROR: Get https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/repo-name/info/refs?service=name: dial tcp 1.2.3.4:443: i/o timeout for primary source and source version refs/heads/master

I couldn't find any documentation about this at all, so I resorted to trial and error based on what is written above. I went through quite a few combinations of things to work out what worked and what didn't. Here's what I found:

  • CodeBuild needs to be associated with a VPC. I imagine that CodeBuild allocates an ENI (private IP address, effectively) in the VPC.
  • CodeBuild needs to be associated with a security group that allows egress to the VPC CIDR range. It doesn't seem to need ingress rules, which makes sense, as nothing is calling into CodeCommit.
  • You need a git-codecommit interface endpoint (com.amazonaws.ap-southeast-2.git-codecommit).
  • The git-codecommit endpoint needs to be associated with a security group that allows ingress from CodeBuild. The easiest way to do this is probably just to allow ingress from the VPC range, but you can probably just reference the security group that CodeBuild uses for ingress.
  • It makes no difference whether an internet gateway / route to the internet is present. I was initially doing this in a private subnet with no internet access, but then added an internet gateway, associated it with the VPC, then routed the subnets to the internet gateway (0.0.0.0/0).

Hopefully this helps someone else connect CodeBuild or CodePipeline to a VPC to deploy to EC2, RDS, ECS, or other services.

Solution 2

What a VPC-based CodeBuild can access depends on the subnet configuration that you're using for the CodeBuild container.

If you're placing it in a Private subnet make sure that the subnet is configured for internet access through NAT Gateway.

If you're running it in a Public subnet make sure that it is configured to assign Public IP by default.

Refer to this answer for more info: Public and private subnet in VPC

And also make sure that there are no other restrictions in place, e.g. the Security Group permits outbound access to the internet, there are no NACLs in place, etc.


Simple test: spin up a tiny EC2 instance in the same subnet where you're running your CodeBuild containers and test from there whether it can reach the CodeBuild endpoint (e.g. curl https://mypipeline-artifactstorebucket.../PKGw3xs).

In other words: Yes, CodeBuild can be run in a VPC and still have access to CodeCommit but your subnet network config must be correct.

Hope that helps :)
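Both answers, and the comments further down, boil down to the same checklist: a private subnet for the CodeBuild ENI, either a NAT route or an endpoint for every AWS API the build talks to (git-codecommit and logs as Interface endpoints, s3 as a Gateway endpoint for the CodePipeline artifact bucket), egress on 443 from CodeBuild's security group, and ingress on 443 into the endpoint's security group. The following is an added example, my own code and not from either answer or from AWS, that turns that checklist into an offline audit over the dicts that `codebuild:BatchGetProjects` (the `vpcConfig` member) and `ec2:DescribeRouteTables` / `DescribeVpcEndpoints` / `DescribeSecurityGroups` return. The sample responses at the bottom are constructed and the IDs are made up; the "public subnets are not supported" rule is taken from twiz's later comment, not from the AWS API.

```python
import ipaddress

# Endpoints a VPC-attached CodeBuild needs once its subnet has no NAT route:
# git-codecommit (source), s3 (CodePipeline artifact bucket), logs (build logs).
# S3 is a Gateway endpoint, the other two are Interface endpoints; the type is checked too.
def required_services(region):
    return {f"com.amazonaws.{region}.git-codecommit": "Interface",
            f"com.amazonaws.{region}.s3": "Gateway",
            f"com.amazonaws.{region}.logs": "Interface"}

def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in (r for r in route_tables if r["VpcId"] == vpc_id):
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_igw_default_route(rt):
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
               for r in rt.get("Routes", []))

def has_nat_route(rt):
    return any(r.get("NatGatewayId", "").startswith("nat-") for r in rt.get("Routes", []))

def missing_endpoints(vpc_id, endpoints, region):
    present = {(e["ServiceName"], e["VpcEndpointType"]) for e in endpoints
               if e["VpcId"] == vpc_id and e.get("State") == "available"}
    return sorted(s for s, kind in required_services(region).items() if (s, kind) not in present)

def _covers_443(perm):
    proto = perm.get("IpProtocol")
    return proto == "-1" or (proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535))

def _covers_cidr(perm, cidr):
    want = ipaddress.ip_network(cidr)
    return any(want.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm.get("IpRanges", []))

def egress_allows_https(sg, vpc_cidr):
    """CodeBuild's SG needs egress on 443 that reaches the VPC range (where endpoint ENIs live)."""
    return any(_covers_443(p) and _covers_cidr(p, vpc_cidr) for p in sg.get("IpPermissionsEgress", []))

def ingress_allows_https_from(sg, vpc_cidr, source_sg_ids):
    """The endpoint's SG must admit 443 from the VPC range or by reference to a CodeBuild SG."""
    return any(_covers_443(p) and (_covers_cidr(p, vpc_cidr) or
               any(g["GroupId"] in source_sg_ids for g in p.get("UserIdGroupPairs", [])))
               for p in sg.get("IpPermissions", []))

def audit(vpc_config, vpc_cidr, route_tables, endpoints, security_groups, region):
    """Return a list of findings; an empty list means the plumbing looks right."""
    findings, vpc_id = [], vpc_config["vpcId"]
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    build_sg_ids = set(vpc_config["securityGroupIds"])
    needs_endpoints = False
    for subnet_id in vpc_config["subnets"]:
        rt = route_table_for_subnet(subnet_id, vpc_id, route_tables)
        if rt is None:
            findings.append(f"{subnet_id}: no route table found in {vpc_id}")
        elif has_igw_default_route(rt):
            findings.append(f"{subnet_id}: public subnet (0.0.0.0/0 -> igw); CodeBuild needs a private subnet")
        elif not has_nat_route(rt):
            needs_endpoints = True  # no NAT: every AWS API the build touches needs an endpoint
    if needs_endpoints:
        findings += [f"{vpc_id}: no NAT route and no available endpoint for {s}"
                     for s in missing_endpoints(vpc_id, endpoints, region)]
    if not any(egress_allows_https(sgs[i], vpc_cidr) for i in build_sg_ids if i in sgs):
        findings.append(f"CodeBuild SGs {sorted(build_sg_ids)}: no egress for TCP/443 to {vpc_cidr}")
    git_svc = f"com.amazonaws.{region}.git-codecommit"
    for ep in (e for e in endpoints if e["VpcId"] == vpc_id and e["ServiceName"] == git_svc):
        ep_sgs = [sgs[g["GroupId"]] for g in ep.get("Groups", []) if g["GroupId"] in sgs]
        if not any(ingress_allows_https_from(sg, vpc_cidr, build_sg_ids) for sg in ep_sgs):
            findings.append(f"{ep['VpcEndpointId']}: endpoint SG does not admit TCP/443 from CodeBuild")
    return findings

# Constructed sample data (IDs made up). Shapes follow the CodeBuild project vpcConfig
# and the EC2 DescribeRouteTables / DescribeVpcEndpoints / DescribeSecurityGroups
# responses, so real boto3 output drops in unchanged. One public subnet, one private
# subnet with no NAT, and only the git-codecommit endpoint present.
SAMPLE_VPC_CONFIG = {"vpcId": "vpc-0a", "subnets": ["subnet-pub", "subnet-priv"],
                     "securityGroupIds": ["sg-build"]}
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-0a", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"VpcId": "vpc-0a", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]}]
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0a", "VpcEndpointId": "vpce-git", "State": "available",
     "ServiceName": "com.amazonaws.ap-southeast-2.git-codecommit",
     "VpcEndpointType": "Interface", "Groups": [{"GroupId": "sg-endpoint"}]}]
SAMPLE_SGS = [
    {"GroupId": "sg-build", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-endpoint", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]
```

Run against the sample data, `audit(SAMPLE_VPC_CONFIG, "10.0.0.0/16", SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS, SAMPLE_SGS, "ap-southeast-2")` reports three findings: the public subnet, and the missing logs and s3 endpoints for the private subnet that has no NAT route. Against a real account, fill the arguments from `batch_get_projects(names=[...])["projects"][0]["vpcConfig"]`, `describe_vpcs(VpcIds=[...])["Vpcs"][0]["CidrBlock"]`, `describe_route_tables()["RouteTables"]`, `describe_vpc_endpoints()["VpcEndpoints"]` and `describe_security_groups()["SecurityGroups"]`. The check is deliberately conservative: a subnet with a NAT route is accepted without endpoints, and NACLs (which Solution 2 also mentions) are not inspected.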



Author: twiz

Updated on September 18, 2022

Comments

  • twiz
    twiz over 1 year

    I originally had a simple CodePipeline setup triggered by commits to a CodeCommit repo, with a "Stage" that output the source code as an artifact and another "Stage" using CodeBuild to run some code from that source output. Now I want to access RDS in that CodeBuild "Stage", so I added my RDS's VPC settings to my CodeBuild project.

    The problem is that now CodeBuild can no longer access the CodeCommit source. I am receiving the following error:

    CLIENT_ERROR: RequestError: send request failed caused by: Get https://mypipeline-artifactstorebucket-twlrq7tj45fq.s3.amazonaws.com/MYPipeline-data-pipe/RepoSource/PKGw3xs: dial tcp 52.216.160.35:443: i/o timeout for primary source and source version arn:aws:s3:::mypipeline-artifactstorebucket-twlrq7tj45fq/MYPipeline-data-pipe/RepoSource/PKGw3xs

    Does adding a VPC to a CodeBuild project also remove whatever the default settings are? (maybe it was originally using the default VPC?)

    How can I allow CodeBuild to access both RDS and CodeCommit?

  • twiz
    twiz over 5 years
    Thanks! I think this pointed me in the right direction, but now I am wondering if this can also be accomplished using a "VPC Endpoint" for S3: docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html. I'm experimenting with it, but haven't yet had success. Do you have any insight about using endpoints to accomplish this?
  • twiz
    twiz about 5 years
    So I did eventually get this working. This answer was really helpful, but has a couple issues. Apparently AWS prevents CodeBuild from working on public subnets, so you need to use a private one. Testing on EC2 is a good suggestion, but it is a bit complicated since it needs to be on a private subnet. Also, I think maybe my question doesn't have a definite answer beyond "setup your VPC correctly". If anyone is confused about VPCs like I was, I highly recommend watching the AWS training video "Subnets, Gateways, and Route Tables Explained" at aws.training
  • DrkStr
    DrkStr over 3 years
    Thank you very much. That was super helpful. Any idea why I can't see any build logs when I have the build project in a VPC?
  • DrkStr
    DrkStr over 3 years
    Note: you will need to create another endpoint with com.amazonaws.<region>.logs if you want to see your build logs