When integrating AWS CodeBuild with VPC settings to access RDS instances, many developers encounter unexpected connectivity issues with CodeCommit sources. The timeout error typically manifests when the VPC configuration lacks proper internet access or endpoint configurations.
The core issue stems from these simultaneous requirements:
- Private connectivity to RDS within a VPC
- Public internet access to CodeCommit/S3 artifacts
When you specify VPC settings in CodeBuild, it overrides the default network configuration, placing your build instances entirely within your specified VPC.
To maintain both connections, you need these VPC elements:

1. Configure VPC Endpoints: Create S3 Gateway endpoints to allow VPC resources to access S3 without internet access.

```yaml
# Infrastructure-as-code example (CloudFormation)
Resources:
  CodeBuildVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref YourVPC
      VpcEndpointType: Gateway
      # ${AWS::Region} is only substituted inside !Sub
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      RouteTableIds:
        - !Ref PrivateRouteTable
      # Full-access endpoint policy (the default); scope Resource to the
      # artifact bucket once the build works
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: "*"
            Resource: "*"
```

2. Validate Security Groups: Ensure your CodeBuild security group has these outbound rules:

```hcl
# Terraform example
resource "aws_security_group" "codebuild_sg" {
  name   = "codebuild-sg" # assumed name
  vpc_id = var.vpc_id     # assumed variable: the VPC holding the build subnets

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
3. NAT Gateway Setup (Alternative): For dynamic internet access requirements:

```bash
# AWS CLI commands to verify NAT configuration
aws ec2 describe-nat-gateways --filter "Name=vpc-id,Values=vpc-12345678"
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=vpc-12345678"
```

Verification checklist:
- Verify VPC endpoint association with the correct route tables
- Check security group egress rules for port 443
- Validate IAM permissions for both CodeBuild and CodeCommit
- Test network connectivity from a test EC2 instance in the same VPC
For complex scenarios, consider using AWS CodeArtifact as an intermediary storage solution between CodeCommit and CodeBuild, which can simplify network configuration while maintaining security boundaries.
When integrating AWS CodeBuild with VPC settings to access RDS instances, many developers encounter unexpected connectivity issues with CodeCommit sources. The error typically manifests as timeout errors when attempting to download source artifacts from S3 buckets or directly from CodeCommit repositories.
By default, CodeBuild projects operate in AWS's managed environment with internet access. When you specify VPC settings:

```json
{
  "vpcConfig": {
    "vpcId": "vpc-12345678",
    "subnets": ["subnet-12345678", "subnet-87654321"],
    "securityGroupIds": ["sg-12345678"]
  }
}
```

the project becomes bound by the VPC's networking rules, losing its default internet egress unless properly configured.
For proper functionality, your VPC requires endpoints for the services the build reaches (S3 uses a gateway endpoint; the others are interface endpoints):

```text
# Required endpoints in the VPC (replace <region>, e.g. us-east-1)
com.amazonaws.<region>.codecommit
com.amazonaws.<region>.s3
com.amazonaws.<region>.logs
com.amazonaws.<region>.ecr.api
com.amazonaws.<region>.ecr.dkr
```
Here's a complete CloudFormation template demonstrating proper VPC configuration:

```yaml
Parameters:
  # Assumed inputs: existing VPC, two private subnets, service role ARN, repo name
  MyVPC:
    Type: AWS::EC2::VPC::Id
  PrivateSubnet1:
    Type: AWS::EC2::Subnet::Id
  PrivateSubnet2:
    Type: AWS::EC2::Subnet::Id
  BuildRole:
    Type: String # ARN of the CodeBuild service role
  RepositoryName:
    Type: String

Resources:
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: MySecureBuildProject
      ServiceRole: !Ref BuildRole
      # Artifacts and Environment are required properties of the resource
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:7.0
      VpcConfig:
        VpcId: !Ref MyVPC
        Subnets:
          - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
        SecurityGroupIds:
          - !Ref BuildSecurityGroup
      Source:
        Type: CODECOMMIT
        # CODECOMMIT sources take the HTTPS clone URL of the repository
        Location: !Sub "https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${RepositoryName}"
  BuildSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow outbound to VPC endpoints"
      VpcId: !Ref MyVPC
      SecurityGroupEgress:
        # Allows all outbound traffic; narrow to tcp/443 once the endpoints work
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
```
When facing connectivity issues:
- Verify VPC endpoints are properly configured for all required services
- Check security group egress rules
- Confirm NAT gateway configuration (if using private subnets)
- Test network connectivity from EC2 instances in the same subnets
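The checklists in both answers (endpoint attached to the right route tables, NAT default route, security group egress on 443) can be evaluated mechanically from the EC2 describe-* output. The following is an added example, not code from the original page or from AWS: it takes lists shaped like boto3's `ec2.describe_route_tables()["RouteTables"]`, `ec2.describe_vpc_endpoints()["VpcEndpoints"]` and `ec2.describe_security_groups()["SecurityGroups"]`, and runs the checks offline. All IDs, the region and the topology are constructed sample data; one of the two build subnets is deliberately missing the S3 gateway endpoint so the failing case is visible.

```python
"""Offline checker for the CodeBuild-in-VPC troubleshooting checklist (added example).

Inputs have the shape of boto3 ec2.describe_route_tables / describe_vpc_endpoints /
describe_security_groups results. Every ID and the region below is constructed.
"""

REGION = "us-east-1"                                    # assumed region
BUILD_SUBNETS = ["subnet-aaaa1111", "subnet-bbbb2222"]  # constructed subnet IDs
BUILD_SG = "sg-cccc3333"                                # constructed group ID

# Constructed topology: subnet-aaaa1111 -> rtb-private1 (NAT route + S3 gateway endpoint);
# subnet-bbbb2222 -> rtb-private2 (NAT route only, endpoint missing).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-private1",
     "Associations": [{"SubnetId": "subnet-aaaa1111"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-dddd4444", "State": "active"},
         # the route a gateway endpoint adds for the S3 prefix list (constructed IDs)
         {"DestinationPrefixListId": "pl-00000000", "GatewayId": "vpce-eeee5555", "State": "active"}]},
    {"RouteTableId": "rtb-private2",
     "Associations": [{"SubnetId": "subnet-bbbb2222"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-dddd4444", "State": "active"}]},
]
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-eeee5555", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": f"com.amazonaws.{REGION}.s3", "RouteTableIds": ["rtb-private1"]},
]
SECURITY_GROUPS = [
    {"GroupId": BUILD_SG,
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def route_table_for_subnets(route_tables, subnet_ids):
    """Map each subnet to its explicitly associated route table, else the VPC main table."""
    main = next((rt["RouteTableId"] for rt in route_tables
                 if any(a.get("Main") for a in rt.get("Associations", []))), None)
    mapping = {}
    for subnet in subnet_ids:
        explicit = [rt["RouteTableId"] for rt in route_tables
                    if any(a.get("SubnetId") == subnet for a in rt.get("Associations", []))]
        mapping[subnet] = explicit[0] if explicit else main
    return mapping


def has_s3_gateway_endpoint(endpoints, region, route_table_id):
    """True if an available S3 gateway endpoint is attached to this route table."""
    return any(ep.get("ServiceName") == f"com.amazonaws.{region}.s3"
               and ep.get("VpcEndpointType") == "Gateway"
               and ep.get("State") == "available"
               and route_table_id in ep.get("RouteTableIds", [])
               for ep in endpoints)


def has_nat_default_route(route_tables, route_table_id):
    """True if the route table sends 0.0.0.0/0 to a NAT gateway via an active route."""
    for rt in route_tables:
        if rt["RouteTableId"] == route_table_id:
            return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                       and r.get("NatGatewayId")
                       and r.get("State", "active") == "active"
                       for r in rt.get("Routes", []))
    return False


def allows_https_egress(security_groups, group_id):
    """True if the group permits outbound TCP/443 (or all traffic) to some destination."""
    for sg in security_groups:
        if sg["GroupId"] != group_id:
            continue
        for perm in sg.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") == "-1":  # "all traffic" rule
                return True
            in_range = perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535)
            has_dest = perm.get("IpRanges") or perm.get("Ipv6Ranges") or perm.get("PrefixListIds")
            if perm.get("IpProtocol") == "tcp" and in_range and has_dest:
                return True
    return False


def check_build_network(route_tables, endpoints, security_groups, region, subnet_ids, group_id):
    """Run the checklist; returns {finding_name: True (ok) or False (needs attention)}."""
    findings = {}
    for subnet, rt_id in route_table_for_subnets(route_tables, subnet_ids).items():
        findings[f"{subnet}:s3_gateway_endpoint"] = has_s3_gateway_endpoint(endpoints, region, rt_id)
        findings[f"{subnet}:nat_default_route"] = has_nat_default_route(route_tables, rt_id)
    findings[f"{group_id}:https_egress"] = allows_https_egress(security_groups, group_id)
    return findings


if __name__ == "__main__":
    results = check_build_network(ROUTE_TABLES, VPC_ENDPOINTS, SECURITY_GROUPS,
                                  REGION, BUILD_SUBNETS, BUILD_SG)
    for name, ok in results.items():
        print(("OK   " if ok else "FAIL ") + name)
```

Against the constructed data the checker reports the missing endpoint on `subnet-bbbb2222` while everything else passes, which is exactly the asymmetry that produces intermittent timeouts when CodeBuild happens to schedule a build into the misconfigured subnet. To run it against a real account, replace the three constants with the corresponding boto3 results; the functions themselves do not call AWS.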
For temporary debugging, you might configure a public subnet with a NAT gateway:

```bash
aws codebuild update-project --name MyProject \
  --vpc-config vpcId=vpc-12345678,subnets=subnet-public1,subnet-public2,securityGroupIds=sg-12345678
```

Remember to revert this change after debugging for security compliance.