CodeBuild with VPC settings fails to download CodeCommit source

amazon-web-services amazon-vpc aws-codecommit

Solution 1:

What a VPC-based CodeBuild can access depends on the subnet configuration that you're using for the CodeBuild container.

If you're placing it in a Private subnet make sure that the subnet is configured for internet access through NAT Gateway.

If you're running it in a Public subnet make sure that it is configured to assign Public IP by default.

Refer to this answer for more info: Public and private subnet in VPC

And also make sure that there are no other restrictions in place, e.g. the Security Group permits outbound access to the internet, there are no NACLs in place, etc.

Simple test: is to spin up a tiny EC2 instance in the same subnet where you're running your CodeBuild containers and test from there if it can reach the codebuild endpoint (e.g. curl https://mypipeline-artifactstorebucket.../PKGw3xs).

In other words: Yes, CodeBuild can be run in a VPC and still have access to CodeCommit but your subnet network config must be correct.

Hope that helps :)

Solution 2:

I had this same problem, trying to have CodeBuild retrieve code from CodeDeploy so it could deploy code to RDS in a VPC. When CodeBuild was outside the VPC it could connect to CodeCommit fine, but once I put CodeDeploy into VPC the error message was

CLIENT_ERROR: Get https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/repo-name/info/refs?service=name: dial tcp 1.2.3.4:443: i/o timeout for primary source and source version refs/heads/master

I couldn't find any documentation about this at all, so I resorted to trial and error based on what is written above. I went through quite a few combinations of things to work out what worked and what didn't. Here's what I found:

  • CodeBuild needs to be associated with a VPC. I imagine that CodeBuild allocates an ENI (private IP address, effectively) in the VPC.
  • CodeBuild needs to be associated with a security group that allows egress to the VPC CIDR range. It doesn't seem to need ingress rules, which makes sense, as nothing is calling into CodeCommi.
  • You need a git-codecommit interface endpoint ( com.amazonaws.ap-southeast-2.git-codecommit )
  • The git-codecommit endpoint needs to be associated with a security group that allows ingress from CodeBuild. The easiest way to do this is probably just to allow ingress from the VPC range, but you can probably just reference the security group that CodeBuild uses for ingress.
  • It makes no difference whether an internet gateway / route to the internet is present. I was initially doing this in a private subnet with no internet access, but then added an internet gateway, associated it with the VPC, then routed the subnets to the internet gateway (0.0.0.0/0)

Hopefully this helps someone else connect CodeBuild or CodePipeline to a VPC to deploy to EC2, RDS, ECS, or other services.

Related

How to prevent or block other DHCP servers?
meaning of rx_queue_*_csum_err and rx_fifo_errors
How to block IPs that cause excessive 404 errors with Fail2ban?
Linux server dropping RX packets in __netif_receive_skb_core
DKIM with same key but different domains
Virtual Machine guest optimization tips
Can you force yum to ignore an exclude list?
554 5.7.1 <mail_addr>: Relay access denied centos postfix
FIO Benchmarking - Inconsistent and Slower than Anticipated: Are my RAIDs Misconfigured?
450 4.7.1 Client host rejected: cannot find your hostname
Convert a Smart Array RAID5 array to a RAID6 (ADG) variant
How to find the numbers in the thousands, hundreds, tens, and ones place in PYTHON for an input number? For example: 256 has 6 ones, 5 tens, etc