[AWS] DevTools Evangelism CodeBuild Edition [CodeBuild]
Source: Dev.to
Introduction
I’ve introduced several AWS DevTools in previous articles, but this time I’ll introduce AWS CodeBuild.
AWS CodeBuild is often used to automate routine tasks before deploying your work, such as testing and compiling source code.
It is frequently mentioned alongside AWS CodeCommit and AWS CodeDeploy as part of the same Code series.
Note: This article is not part of the Qiita Advent Calendar.
Prerequisites
Many people set up automated execution using tools like AWS CodePipeline or GitHub Actions.
This article aims to spread the word about DevTools, so it focuses on the basics of using CodeBuild directly.
What is AWS CodeBuild?
AWS CodeBuild compiles source code stored in S3, AWS CodeCommit, or GitHub, and runs unit tests.
It is commonly used to update artifact repositories and to test and compile code before deployment when implementing CI/CD.

What we’ll try in this article
Running AWS CloudFormation Guard tests with CodeBuild.
What is AWS CloudFormation Guard?
A tool that validates whether the definitions in a CloudFormation template meet the intended rules.
You write definition rules in YAML format, and Guard checks whether the rules match the template contents.
Examples of rules
- Ensure a Lambda function’s timeout is ≤ 90 seconds.
- Restrict the runtime to specific versions.
Configuring CodeBuild
Creating a CodeBuild Project
- In the AWS CodeBuild console, click Create Project.
- Enter a project name and keep the default settings.
- Choose the source provider (the AWS CodeCommit repository created earlier).
- For the environment, select a managed image and Lambda as the compute type (minimal configuration).
- Enable Use buildspec file so the build follows the buildspec.yml stored in the repository.
Creating a Test Object
For this example we need three files in the repository:
- A CloudFormation template that defines a Lambda function.
- A Cfn-Guard rule file that expresses the desired constraints.
- A buildspec.yml that tells CodeBuild how to run Guard.
CloudFormation Template
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Lambda function CloudFormation template'
Resources:
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: MyLambdaFunction
      Runtime: python3.9
      Handler: index.lambda_handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Timeout: 30
      Code:
        ZipFile: |
          def lambda_handler(event, context):
              return {
                  'statusCode': 200,
                  'body': 'Hello from Lambda!'
              }
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Outputs:
  LambdaFunctionArn:
    Description: 'Lambda Function ARN'
    Value: !GetAtt MyLambdaFunction.Arn
```
Cfn-Guard Rule File
```guard
# Lambda function security and best practices rules
# Ensure Lambda function has a timeout set and
```
Note: Adjust the `runtime-versions` and any additional commands to match your project's requirements.
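The rule file is cut short in this post, so here is an added Cfn-Guard rule file (my own example, not the author's file) that expresses the two rules listed earlier: a timeout must be set and must not exceed 90 seconds, and the runtime must be one of an allowed list. The allowed runtime versions and the file name `lambda.guard` are assumptions.

```guard
# Added example rule file (not the post's own), assumed to be saved as lambda.guard
# Select every Lambda function defined in the template
let lambda_functions = Resources.*[ Type == 'AWS::Lambda::Function' ]

# Rule 1: a Timeout must be declared and must not exceed 90 seconds
rule lambda_timeout_within_limit when %lambda_functions !empty {
    %lambda_functions.Properties.Timeout exists
        <<Lambda functions must declare an explicit Timeout>>
    %lambda_functions.Properties.Timeout <= 90
        <<Lambda Timeout must be 90 seconds or less>>
}

# Rule 2: only the listed runtimes are permitted (the allow-list is an assumption)
rule lambda_runtime_allowed when %lambda_functions !empty {
    %lambda_functions.Properties.Runtime in ['python3.9', 'python3.10', 'python3.11', 'python3.12']
        <<Lambda Runtime must be one of the approved Python versions>>
}
```

Against the template above both rules pass (Timeout 30, Runtime python3.9); raising Timeout above 90 or using a runtime outside the list fails the corresponding rule with the message shown. In buildspec.yml, install the binary in the install phase (for example `cargo install cfn-guard`) and run `cfn-guard validate --data template.yaml --rules lambda.guard` in the build phase; Guard exits non-zero on a failed rule, which fails the CodeBuild build.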
With the project, source files, and buildspec.yml in place, start a build in the CodeBuild console. The build will compile the Guard binary, run the validation against the CloudFormation template, and report success or failure in the build logs.