Add an option to pass an AWS profile to the codebuild command #1

Closed
karaluh opened this issue Oct 6, 2023 · 7 comments

karaluh commented Oct 6, 2023

We're using multiple AWS profiles in our TF workflow that are configured on a provider level and because of that the aws codebuild command fails with "An error occurred (ResourceNotFoundException) when calling the StartBuild operation: Project cannot be found:" because it looks for the project on a different AWS account.

Contributor

alexjeen commented Oct 6, 2023

Hi,

Thanks for your feedback, you can upgrade to version 4.0.0 (I just pushed that). Then you need to set the region and account_id explicitly in the module.

Let me know if it works for you!

Contributor

alexjeen commented Oct 6, 2023

PS - I'd rather not accept the profile because it's not a good idea to init the provider block in modules; it can cause issues for other people.

Author

karaluh commented Oct 10, 2023

Unfortunately your fix doesn't change anything. I agree that configuring providers in child modules is a bad practice, but it isn't required here. I can configure different AWS profiles in the root module and everything related to TF creating AWS resources is working fine. All resources are created on correct AWS accounts and TF doesn't throw any error. The problem is with the aws codebuild command in init.tf file here:
```hcl
provisioner "local-exec" {
  command = "aws codebuild start-build --project-name ${aws_codebuild_project.main.name} --region ${local.region} > /dev/null"
}
```
Because it doesn't inherit the AWS profile from TF provider block it tries to start the build using default AWS profile which is different from the one used to create all the other resources.

Contributor

alexjeen commented Oct 10, 2023

I see. Sorry I misunderstood the problem.

I did not like the local_exec approach to begin with as it has some inherent flaws. It looks like I won't be able to solve this one consistently in the module, because local_exec always uses the default profile (even if you would use roles instead of profiles):

Because if you would add just the profile to the AWS command, it still would not have the right credentials as local exec does not have context outside itself.

I'm thinking of making the initial run with the local_exec optional, so you can run it outside the module with the correct name and the right profile (see the links above). The reason the automatic run of the build is in there is so that the Docker images get updated if you change the input parameters (maybe you change a Docker command there and it needs to be rebuilt).

I could also add on_failure = continue to the local exec to make it continue if it hits an error.

AFAIK the only way to start a CodeBuild project is with the local exec.

Happy to take suggestions if you have!

Author

karaluh commented Oct 10, 2023

You can add --profile switch to the codebuild command like so:

```hcl
command = "aws codebuild start-build --project-name ${aws_codebuild_project.main.name} --region ${data.aws_region.current.name} --profile ${var.profile} > /dev/null"
```

with the variable definition:

```hcl
variable "profile" {
  type    = string
  default = "default"
}
```

This should work and be backwards compatible.

This is the only way it can be done, because AFAIK there is no way to access provider config in TF, unfortunately.
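
An added example, not part of the thread or the module's own code: one way to hand the profile to local-exec through the provisioner's `environment` map instead of interpolating it into the command string, and to confirm the profile resolves to the expected account before the build is started. The `account_id` variable, the `BUILD_*` and `EXPECTED_ACCOUNT` names and the `terraform_data` resource are assumptions; `aws_codebuild_project.main` and `data.aws_region.current` are the references used in the thread.

```hcl
variable "profile" {
  type    = string
  default = "default"

  validation {
    # Profile names only; rejects shell metacharacters.
    condition     = can(regex("^[A-Za-z0-9_.-]+$", var.profile))
    error_message = "The profile may contain only letters, digits, '.', '_' and '-'."
  }
}

variable "account_id" {
  type = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.account_id))
    error_message = "The account_id must be a 12-digit AWS account ID."
  }
}

# Hypothetical resource name; the module's own provisioner lives in init.tf.
resource "terraform_data" "start_build" {
  triggers_replace = [aws_codebuild_project.main.arn]

  provisioner "local-exec" {
    interpreter = ["/bin/sh", "-c"]
    # Values reach the shell as environment variables instead of being
    # spliced into the command text.
    environment = {
      BUILD_PROFILE    = var.profile
      BUILD_REGION     = data.aws_region.current.name
      BUILD_PROJECT    = aws_codebuild_project.main.name
      EXPECTED_ACCOUNT = var.account_id
    }

    command = <<-EOT
      set -eu
      # Confirm the profile resolves to the account that owns the project.
      actual="$(aws sts get-caller-identity --profile "$BUILD_PROFILE" \
        --region "$BUILD_REGION" --query Account --output text)"
      if [ "$actual" != "$EXPECTED_ACCOUNT" ]; then
        echo "profile $BUILD_PROFILE is account $actual, expected $EXPECTED_ACCOUNT" >&2
        exit 1
      fi
      aws codebuild start-build --project-name "$BUILD_PROJECT" \
        --region "$BUILD_REGION" --profile "$BUILD_PROFILE" > /dev/null
    EOT
  }
}
```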

@alexjeen
Contributor

You can try 4.0.1 but I do not think it will work, just passing in the profile might not be enough (you might need to pass in the credentials as well). Feel free to give it a shot.

Author

karaluh commented Oct 12, 2023

Works as expected.

karaluh closed this as completed Oct 12, 2023