
Brings Codebuild Back to AWS 4.x

To be tagged v4.1.4
Fred Damstra [afs macbook] 3 년 전
부모
커밋
d2f0e8f99f

+ 4 - 0
base/codebuild_artifact/main.tf

@@ -34,6 +34,10 @@ resource "aws_codebuild_project" "this" {
   }
 
   tags = merge(var.standard_tags, var.tags)
+
+  # Govcloud incompatible with "project visibility"
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
+  lifecycle { ignore_changes = [ project_visibility ] }
 }
 
 resource "aws_codebuild_webhook" "this" {
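Review bot: `lifecycle { ignore_changes = [ project_visibility ] }` on `aws_codebuild_project.this` also stops `terraform plan` from reporting or reverting an out-of-band switch of the project to public visibility in any partition where that feature exists. The added comment explains the GovCloud provider problem but not this consequence. If these base modules can be applied outside GovCloud, I would extend it, e.g. `# NOTE: visibility drift is no longer detected by plan; alert on UpdateProjectVisibility in CloudTrail where the feature is available`. The same three lines are added in codebuild_ecr_customer_portal, codebuild_ecr_project, codebuild_portal_lambda, codebuild_project_no_artifact, codebuild_splunk_apps and submodules/codebuild/codebuild-ecr-image, so the point applies to each. The resource body starts above this hunk.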

+ 18 - 35
base/codebuild_ecr_base/s3.tf

@@ -1,24 +1,24 @@
 #S3 bucket for codebuild output
-#resource "aws_s3_bucket" "artifacts" {
-# bucket        = "xdr-codebuild-artifacts"
-#  force_destroy = true
-#}
+resource "aws_s3_bucket" "artifacts" {
+  bucket        = "xdr-codebuild-artifacts"
+  force_destroy = true
+}
 
-#resource "aws_s3_bucket_acl" "s3_acl_artifacts" {
-#  bucket = aws_s3_bucket.artifacts.id
-#  acl    = "private"
-#}
+resource "aws_s3_bucket_acl" "s3_acl_artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+  acl    = "private"
+}
 
-#resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_artifacts" {
-#  bucket = aws_s3_bucket.artifacts.id
-#  
-#  rule {
-#    apply_server_side_encryption_by_default {
-#      kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
-#      sse_algorithm     = "aws:kms"
-#      }
-#    }
-#}
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
 
 resource "aws_s3_bucket_policy" "artifacts" {
   bucket = aws_s3_bucket.artifacts.id
@@ -37,20 +37,3 @@ data "aws_iam_policy_document" "artifacts" {
     }
   }
 }
-
-//AWS Provider outdated arguments <4.4.0
-resource "aws_s3_bucket" "artifacts" {
-  bucket        = "xdr-codebuild-artifacts"
-  force_destroy = true
-  acl           = "private"
-
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
-        sse_algorithm     = "aws:kms"
-      }
-    }
-  }
-}
-
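Review bot: The re-enabled `aws_s3_bucket.artifacts` gets a `private` ACL and KMS default encryption in the first hunk, but no `aws_s3_bucket_public_access_block` is visible for it, whereas base/codebuild_portal_lambda/s3.tf declares one for its bucket. Parts of this file fall outside the two hunks, so the block may already exist there. If it does not, I would add one so that the ACL is not the only guard against a later public policy or ACL change. `force_destroy = true` also lets a destroy remove the bucket with artifacts still in it, which deserves a one-line comment confirming that is intended.

```hcl
# Resource name "artifacts" is a suggestion; match the module's naming.
resource "aws_s3_bucket_public_access_block" "artifacts" {
  bucket                  = aws_s3_bucket.artifacts.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```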

+ 4 - 0
base/codebuild_ecr_customer_portal/main.tf

@@ -33,6 +33,10 @@ resource "aws_codebuild_project" "this_no_artifact" {
   }
 
   tags = merge(var.standard_tags, var.tags)
+
+  # Govcloud incompatible with "project visibility"
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
+  lifecycle { ignore_changes = [ project_visibility ] }
 }
  
 resource "aws_ecr_repository" "this-server" {

+ 4 - 0
base/codebuild_ecr_project/main.tf

@@ -35,6 +35,10 @@ resource "aws_codebuild_project" "this_no_artifact" {
   }
 
   tags = merge(var.standard_tags, var.tags)
+
+  # Govcloud incompatible with "project visibility"
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
+  lifecycle { ignore_changes = [ project_visibility ] }
 }
  
 resource "aws_ecr_repository" "this" {

+ 0 - 73
base/codebuild_portal_lambda/README-FIX.md

@@ -1,73 +0,0 @@
-
-Codebuild issue: AWS 4.4.0 - Doesn't support project_visibility = "PRIVATE" in GovCloud. Temp fix only in test/aws-us-gov-/mdr-test-c2/380-codebuild-portal-lambda . Hoping fix comes out in a soon 4.x fix (or that AWS will role it out to GovCloud). If you need to fix others, copy changes in codebuild-portal-lambda's terragrunt.hcl to your module, and use terragrunt-local state rm <module> to remove the invalid schema objects from the current state.
-
-
-These errors will show up when using AWS provider version 3.x with the latest code 
-```
-Error: Unsupported argument
-│
-│   on main.tf line 12, in resource "aws_codebuild_project" "this":
-│   12:   project_visibility     = "PRIVATE"
-│
-│ An argument named "project_visibility" is not expected here.
-╵
-╷
-│ Error: Unsupported argument
-│
-│   on provider.tf line 51, in provider "aws":
-│   51:   use_fips_endpoint = true
-│
-│ An argument named "use_fips_endpoint" is not expected here.
-╵
-╷
-│ Error: Invalid resource type
-│
-│   on s3.tf line 15, in resource "aws_s3_bucket_acl" "s3_acl_bucket":
-│   15: resource "aws_s3_bucket_acl" "s3_acl_bucket" {
-│
-│ The provider hashicorp/aws does not support resource type
-│ "aws_s3_bucket_acl".
-╵
-╷
-│ Error: Invalid resource type
-│
-│   on s3.tf line 21, in resource "aws_s3_bucket_versioning" "s3_version_bucket":
-│   21: resource "aws_s3_bucket_versioning" "s3_version_bucket" {
-│
-│ The provider hashicorp/aws does not support resource type
-│ "aws_s3_bucket_versioning".
-╵
-╷
-│ Error: Invalid resource type
-│
-│   on s3.tf line 29, in resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket":
-│   29: resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
-│
-│ The provider hashicorp/aws does not support resource type
-│ "aws_s3_bucket_server_side_encryption_configuration".
-```
-
-These errors will show up after the AWS provider version is correct and the TF code is correct, but the TF state contains the incorrect objects from AWS provider v4.
-```
-Error: no schema available for aws_s3_bucket_acl.s3_acl_bucket while reading state; this is a bug in Terraform and should be reported
-│
-│
-╵
-╷
-│ Error: no schema available for aws_s3_bucket_versioning.s3_version_bucket while reading state; this is a bug in Terraform and should be reported
-│
-│
-╵
-╷
-│ Error: no schema available for aws_s3_bucket_server_side_encryption_configuration.s3_sse_bucket while reading state; this is a bug in Terraform and should be reported
-```
-
-
-Remove the objects from the TF state using these commands. 
-```
-terragrunt-local state rm aws_s3_bucket_acl.s3_acl_bucket
-terragrunt-local state rm aws_s3_bucket_versioning.s3_version_bucket
-terragrunt-local state rm aws_s3_bucket_server_side_encryption_configuration.s3_sse_bucket
-```
-
-See test/aws-us-gov/mdr-test-c2/380-codebuild-portal-lambda/terragrunt.hcl for the changes that need to be made.

+ 4 - 2
base/codebuild_portal_lambda/main.tf

@@ -23,8 +23,6 @@ resource "aws_codebuild_project" "this" {
 
   source_version = var.source_version
 
-
-
   environment {
     compute_type        = "BUILD_GENERAL1_SMALL"
     image               = "aws/codebuild/standard:5.0"
@@ -48,6 +46,10 @@ resource "aws_codebuild_project" "this" {
   }
   
   tags = merge(var.standard_tags, var.tags)
+
+  # Govcloud incompatible with "project visibility"
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
+  lifecycle { ignore_changes = [ project_visibility ] }
 }
 
 resource "aws_codebuild_webhook" "this" {

+ 17 - 56
base/codebuild_portal_lambda/s3.tf

@@ -8,48 +8,31 @@ locals {
 resource "aws_s3_bucket" "bucket" {
   bucket        = local.bucket_name
   force_destroy = true
-  acl           = "private"
   tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_s3_bucket_acl" "s3_acl_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  acl    = "private"
+}
 
-  versioning {
-    enabled = false
+resource "aws_s3_bucket_versioning" "s3_version_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  versioning_configuration {
+    status = "Suspended"
   }
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.s3_codebuild.arn
-        sse_algorithm     = "aws:kms"
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.s3_codebuild.arn
+      sse_algorithm     = "aws:kms"
       }
     }
-  }
 }
 
-# resource "aws_s3_bucket_acl" "s3_acl_bucket" {
-#   #provider = aws.common # COMMON SERVICES
-#   bucket = aws_s3_bucket.bucket.id
-#   acl    = "private"
-# }
-
-# resource "aws_s3_bucket_versioning" "s3_version_bucket" {
-#   #provider = aws.common # COMMON SERVICES
-#   bucket   = aws_s3_bucket.bucket.id
-#   versioning_configuration {
-#     status = "Suspended"
-#   }
-# }
-
-# resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
-#   #provider = aws.common # COMMON SERVICES
-#   bucket = aws_s3_bucket.bucket.id
-#   rule {
-#     apply_server_side_encryption_by_default {
-#       kms_master_key_id = aws_kms_key.s3_codebuild.arn
-#       sse_algorithm     = "aws:kms"
-#       }
-#     }
-# }
-
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
   bucket                  = aws_s3_bucket.bucket.id
   block_public_acls       = true
@@ -79,25 +62,3 @@ data "aws_iam_policy_document" "artifacts" {
     }
   }
 }
-
-//AWS Provider outdated arguments <4.4.0
-/*resource "aws_s3_bucket" "bucket" {
-  bucket        = local.bucket_name
-  force_destroy = true
-  acl           = "private"
-  tags = merge(var.standard_tags, var.tags)
-
-  versioning {
-    enabled = false
-  }
-
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.s3_codebuild.arn
-        sse_algorithm     = "aws:kms"
-      }
-    }
-  }
-}
-*/
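Review bot: `aws_s3_bucket_versioning.s3_version_bucket` pins `status = "Suspended"`, which together with `force_destroy = true` on `aws_s3_bucket.bucket` means an overwritten or deleted build artifact cannot be recovered or compared with its predecessor. This mirrors the old `versioning { enabled = false }`, so it is not a regression. If the bucket holds deployable packages (the module name suggests so, but the diff does not confirm it), `status = "Enabled"` would give a rollback path and an audit trail for replaced objects. Separately, the two closing braces of the `rule` block in `aws_s3_bucket_server_side_encryption_configuration.s3_sse_bucket` are indented deeper than their opening lines; running `terraform fmt` would realign them with the sibling resources.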

+ 4 - 4
base/codebuild_project_no_artifact/codebuild.tf

@@ -28,11 +28,8 @@ resource "aws_codebuild_project" "this" {
         name = each.key
         value = each.value["value"]
         type = try(each.value["type"],"PLAINTEXT")
-
       }
-
     }
-
   }
 
   artifacts {
@@ -40,6 +37,10 @@ resource "aws_codebuild_project" "this" {
   }
 
   tags = merge(var.standard_tags, var.tags)
+
+  # Govcloud incompatible with "project visibility"
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
+  lifecycle { ignore_changes = [ project_visibility ] }
 }
 
 # Only build the cloudwatch trigger if it's needed
@@ -63,4 +64,3 @@ resource "aws_codebuild_webhook" "this" {
   branch_filter = var.webhook_branch_filter
   depends_on    = [ aws_codebuild_project.this ]
 }
-
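Review bot: In the environment-variable block kept as context in the first hunk, `type = try(each.value["type"],"PLAINTEXT")` makes every variable without an explicit type a plaintext one, and CodeBuild shows plaintext values in the console and in API output. A caller that passes a credential through this map without setting `type` would expose it, so I would document the default above the line, e.g. `# Defaults to PLAINTEXT: pass secrets only with type = "SECRETS_MANAGER" or "PARAMETER_STORE"`. The enclosing block starts outside the hunk, and submodules/codebuild/codebuild-ecr-image/codebuild.tf carries the same line.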

+ 4 - 0
base/codebuild_splunk_apps/main.tf

@@ -54,6 +54,10 @@ resource "aws_codebuild_project" "this" {
   }
 
   tags = merge(var.standard_tags, var.tags)
+
+  # Govcloud incompatible with "project visibility"
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
+  lifecycle { ignore_changes = [ project_visibility ] }
 }
 
 locals {

+ 4 - 3
submodules/codebuild/codebuild-ecr-image/codebuild.tf

@@ -30,11 +30,8 @@ resource "aws_codebuild_project" "this" {
         name = each.key
         value = each.value["value"]
         type = try(each.value["type"],"PLAINTEXT")
-
       }
-
     }
-
   }
 
   artifacts {
@@ -42,6 +39,10 @@ resource "aws_codebuild_project" "this" {
   }
 
   tags = merge(var.standard_tags, var.tags)
+
+  # Govcloud incompatible with "project visibility"
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
+  lifecycle { ignore_changes = [ project_visibility ] }
 }
 
 resource "aws_cloudwatch_event_rule" "schedule_rule" {