IaC Bazaar
AWS · Live-tested

CodePipeline + CodeBuild CI/CD

AWS-native CI/CD: CodePipeline orchestrating a CodeBuild project, with an encrypted private artifact bucket and least-privilege roles. Sources from S3 (or GitHub).

terraform · AWS · #aws
aws-codepipeline · terraform v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-29 · how we verify

Documentation

aws-codepipeline

An AWS CodePipeline (V1) CI/CD pipeline — a Source stage (S3 by default, GitHub via CodeConnections opt-in) feeding a Build stage backed by a CodeBuild project — together with the private, encrypted artifact bucket and the least-privilege IAM service roles both services need. Self-contained: no pre-existing bucket, object, or role required.

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov (STATIC_OK). Ships liveTestable: quarantine per the locked v1 decision; ready to live-test on any AWS account via tests/live.tfvars (CodePipeline/CodeBuild have no standing cost — only per-build-minute charges, of which the live test runs none).

What it provisions

  • aws_codepipeline (V1) with two stages:
    • Source — reads source_object_key (default source.zip) from the artifact bucket (source_type = "S3"), or a GitHub repo via a CodeConnections connection (source_type = "GitHub").
    • Build — runs the CodeBuild project.
  • aws_codebuild_project, running as LINUX_CONTAINER on aws/codebuild/amazonlinux2-x86_64-standard:5.0 at BUILD_GENERAL1_SMALL (smallest tier), unprivileged, with an inline buildspec (a minimal placeholder unless you supply your own) and CloudWatch logs.
  • aws_s3_bucket artifact store — private, public access fully blocked, encrypted (SSE-S3 or SSE-KMS), versioned (required by the S3 source action), and TLS-only via a bucket policy. force_destroy is opt-in.
  • Two IAM service roles (pipeline + CodeBuild), each scoped to exactly the artifact bucket, this build project, and this pipeline's log group — no wildcards on resources.

Secure defaults

  • No public access anywhere; artifact bucket denies non-TLS requests.
  • Encryption on by default; supply kms_key_arn to use a customer-managed key across the bucket, the pipeline artifact store, CodeBuild, and the log group.
  • CodeBuild runs with privileged_mode = false (no Docker-in-Docker).
  • Least-privilege IAM (resource-scoped S3, log, CodeBuild, and connection grants).
  • poll_for_source_changes defaults to false: trigger the pipeline manually or via EventBridge instead of having CodePipeline poll the source.
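The artifact-store defaults listed above (public access blocked, versioning required by the S3 source action, non-TLS requests denied by bucket policy) as an added illustrative HCL fragment; this is not the module's own source, and the bucket and resource names are assumptions.

```hcl
resource "aws_s3_bucket" "artifacts" {
  bucket = "demo-app-pipeline-artifacts" # assumed name, not the module's derivation
}

# Versioning is required by the CodePipeline S3 source action.
resource "aws_s3_bucket_versioning" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Block every form of public access, regardless of ACLs or later policy edits.
resource "aws_s3_bucket_public_access_block" "artifacts" {
  bucket                  = aws_s3_bucket.artifacts.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Deny every request that does not arrive over TLS, for the bucket and its objects.
data "aws_iam_policy_document" "tls_only" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.artifacts.arn, "${aws_s3_bucket.artifacts.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "tls_only" {
  bucket = aws_s3_bucket.artifacts.id
  policy = data.aws_iam_policy_document.tls_only.json
}
```

Default encryption (SSE-S3, or SSE-KMS when kms_key_arn is set) is configured separately on the same bucket and is omitted here for brevity.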

Usage

module "pipeline" {
  source = "github.com/ITfreak/iacbazaar//artifacts/terraform/aws-codepipeline"

  name                      = "demo-app"
  source_type               = "S3"
  create_seed_source_object = true # seeds a placeholder source.zip
  force_destroy             = true

  buildspec = <<-YAML
    version: 0.2
    phases:
      build:
        commands:
          - make build
  YAML
}

GitHub source (via a CodeConnections connection you create/authorize once):

module "pipeline" {
  source = "github.com/ITfreak/iacbazaar//artifacts/terraform/aws-codepipeline"

  name                      = "demo-app"
  source_type               = "GitHub"
  github_connection_arn     = aws_codestarconnections_connection.gh.arn
  github_full_repository_id = "my-org/my-repo"
  github_branch             = "main"
}

See examples/basic for a complete configuration.

Key inputs

Variable                                                        | Description                                   | Default
----------------------------------------------------------------|-----------------------------------------------|--------------------------------------------------
name                                                            | Pipeline name + resource prefix               | required
source_type                                                     | S3 or GitHub                                  | S3
source_object_key                                               | S3 source object key                          | source.zip
create_seed_source_object                                       | Upload a placeholder source object            | false
github_connection_arn / github_full_repository_id / github_branch | GitHub source via CodeConnections           | null / null / main
artifact_bucket_name                                            | Artifact bucket name (auto-derived if null)   | null
force_destroy                                                   | Delete the artifact bucket even if non-empty  | false
buildspec                                                       | Inline buildspec YAML                         | minimal placeholder
compute_type / build_image / build_timeout                      | CodeBuild sizing/image/timeout                | BUILD_GENERAL1_SMALL / amazonlinux2 std 5.0 / 60
environment_variables                                           | Plaintext build env vars (no secrets)         | {}
kms_key_arn                                                     | Customer-managed KMS key for all encryption   | null
log_retention_days                                              | CodeBuild log retention                       | 365
tags                                                            | Tags for all resources                        | {}

Outputs

pipeline_name, pipeline_arn, codebuild_project, codebuild_project_arn, artifact_bucket, artifact_bucket_arn, pipeline_role_arn, codebuild_role_arn, log_group_name.

Provider

hashicorp/aws >= 6.0, < 7.0. Requires Terraform/OpenTofu >= 1.6.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.