CodeBuild with VPC settings fails to download CodeCommit source
Solution 1:
What a VPC-based CodeBuild can access depends on the subnet configuration that you're using for the CodeBuild container.
If you're placing it in a Private subnet make sure that the subnet is configured for internet access through NAT Gateway.
If you're running it in a Public subnet make sure that it is configured to assign Public IP by default.
Refer to this answer for more info: Public and private subnet in VPC
And also make sure that there are no other restrictions in place, e.g. the Security Group permits outbound access to the internet, there are no NACLs in place, etc.
Simple test: is to spin up a tiny EC2 instance in the same subnet where you're running your CodeBuild containers and test from there if it can reach the codebuild endpoint (e.g. curl https://mypipeline-artifactstorebucket.../PKGw3xs
).
In other words: Yes, CodeBuild can be run in a VPC and still have access to CodeCommit but your subnet network config must be correct.
Hope that helps :)
Solution 2:
I had this same problem, trying to have CodeBuild retrieve code from CodeDeploy so it could deploy code to RDS in a VPC. When CodeBuild was outside the VPC it could connect to CodeCommit fine, but once I put CodeDeploy into VPC the error message was
CLIENT_ERROR: Get https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/repo-name/info/refs?service=name: dial tcp 1.2.3.4:443: i/o timeout for primary source and source version refs/heads/master
I couldn't find any documentation about this at all, so I resorted to trial and error based on what is written above. I went through quite a few combinations of things to work out what worked and what didn't. Here's what I found:
- CodeBuild needs to be associated with a VPC. I imagine that CodeBuild allocates an ENI (private IP address, effectively) in the VPC.
- CodeBuild needs to be associated with a security group that allows egress to the VPC CIDR range. It doesn't seem to need ingress rules, which makes sense, as nothing is calling into CodeCommi.
- You need a git-codecommit interface endpoint ( com.amazonaws.ap-southeast-2.git-codecommit )
- The git-codecommit endpoint needs to be associated with a security group that allows ingress from CodeBuild. The easiest way to do this is probably just to allow ingress from the VPC range, but you can probably just reference the security group that CodeBuild uses for ingress.
- It makes no difference whether an internet gateway / route to the internet is present. I was initially doing this in a private subnet with no internet access, but then added an internet gateway, associated it with the VPC, then routed the subnets to the internet gateway (0.0.0.0/0)
Hopefully this helps someone else connect CodeBuild or CodePipeline to a VPC to deploy to EC2, RDS, ECS, or other services.