CodeBuild with VPC settings fails to download CodeCommit source

I originally had a simple CodePipeline setup triggered by commits to a CodeCommit repo, with a “Stage” that output the source code as an artifact and another “Stage” using CodeBuild to run some code from that source output. Now I want to access RDS in that CodeBuild “Stage”, so I added my RDS’s VPC settings to my CodeBuild project.

The problem is that now CodeBuild can no longer access the CodeCommit source. I am receiving the following error:

CLIENT_ERROR: RequestError: send request failed caused by: Get https://mypipeline-artifactstorebucket-twlrq7tj45fq.s3.amazonaws.com/MYPipeline-data-pipe/RepoSource/PKGw3xs: dial tcp 52.216.160.35:443: i/o timeout for primary source and source version arn:aws:s3:::mypipeline-artifactstorebucket-twlrq7tj45fq/MYPipeline-data-pipe/RepoSource/PKGw3xs

Does adding a VPC to a CodeBuild project also remove whatever the default settings are? (maybe it was originally using the default VPC?)

How can I allow CodeBuild to access both RDS and CodeCommit?

Answer

What a VPC-based CodeBuild can access depends on the subnet configuration that you’re using for the CodeBuild container.

If you’re placing it in a Private subnet, make sure that the subnet is configured for internet access through a NAT Gateway.

If you’re running it in a Public subnet, make sure that it is configured to assign a Public IP by default.

Refer to this answer for more info: Public and private subnet in VPC

And also make sure that there are no other restrictions in place, e.g. the Security Group permits outbound access to the internet, there are no NACLs in place, etc.


Simple test: spin up a tiny EC2 instance in the same subnet where you’re running your CodeBuild containers and test from there if it can reach the codebuild endpoint (e.g. curl https://mypipeline-artifactstorebucket.../PKGw3xs).

In other words: Yes, CodeBuild can be run in a VPC and still have access to CodeCommit but your subnet network config must be correct.

Hope that helps 🙂

Attribution
Source : Link , Question Author : twiz , Answer Author : MLu
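
The subnet and security group checks the answer lists, as an added example that is not part of the original question or answer: the functions read data with the fields returned by `aws ec2 describe-route-tables`, `describe-subnets` and `describe-security-groups`, and report the subnet's default route, its auto-assign public IP setting and whether egress on port 443 is allowed. All IDs and sample data are constructed, and the function names are hypothetical.

```python
# Added example: constructed data using fields from `aws ec2 describe-route-tables`,
# `describe-subnets` and `describe-security-groups`. All IDs are made up.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"Main": False, "SubnetId": "subnet-build"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}]},
]
SUBNETS = {"subnet-build": {"MapPublicIpOnLaunch": False}, "subnet-rds": {"MapPublicIpOnLaunch": False}}
SG_OPEN = {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_DB_ONLY = {"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                       "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}

def effective_route_table(route_tables, subnet_id):
    """A subnet uses its explicitly associated table, otherwise the VPC's main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))

def default_route(route_table):
    """Return (kind, target) of the active 0.0.0.0/0 route, or ("none", None)."""
    for r in route_table["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            target = r.get("NatGatewayId") or r.get("GatewayId") or "other"
            kind = {"nat-": "nat gateway", "igw-": "internet gateway"}.get(target[:4], "other")
            return kind, target
    return "none", None

def egress_allows_https(sg):
    """True if an egress rule covers TCP 443 to 0.0.0.0/0 (protocol -1 means all traffic)."""
    for p in sg["IpPermissionsEgress"]:
        ports_ok = p["IpProtocol"] == "-1" or (
            p["IpProtocol"] == "tcp" and p["FromPort"] <= 443 <= p["ToPort"])
        if ports_ok and any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", [])):
            return True
    return False

def report(subnet_id, sg):
    """Collect the three facts the answer asks you to verify for one subnet and group."""
    kind, target = default_route(effective_route_table(ROUTE_TABLES, subnet_id))
    return {"default_route": kind, "target": target,
            "auto_public_ip": SUBNETS[subnet_id]["MapPublicIpOnLaunch"],
            "egress_443": egress_allows_https(sg)}

if __name__ == "__main__":
    print(report("subnet-build", SG_OPEN))    # explicit table with a NAT default route
    print(report("subnet-rds", SG_DB_ONLY))   # falls back to the main table: no default route
```

A subnet that reports `default_route: none`, or a security group that reports `egress_443: False`, matches the `dial tcp ... i/o timeout` seen when CodeBuild tries to fetch the source artifact from S3.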
