HappyPathway/terraform-aws-image-pipeline

Terraform AWS Image Pipeline

This Terraform module provides a complete solution for building and managing AMIs and container images using AWS CodePipeline, CodeBuild, and associated services. It sets up a fully automated pipeline that supports Packer for image building, Ansible for configuration management, and Goss for testing.

Features

  • Automated image building pipeline using AWS CodePipeline and CodeBuild
  • Support for both AMI and container image creation
  • Integrated configuration management using Ansible
  • Automated testing using Goss
  • Secure secret management using AWS Secrets Manager
  • KMS encryption for artifacts and secrets
  • VPC support for network isolation
  • S3 artifact storage with encryption
  • IAM role and policy management
  • Support for custom build environments

Usage

```hcl
module "image_pipeline" {
  source          = "HappyPathway/image-pipeline/aws"
  project_name    = "my-image-pipeline"
  builder_image   = "aws/codebuild/standard:7.0"
  create_new_role = true
  ssh_user        = "ec2-user"

  # S3 bucket configurations for source artifacts
  packer_bucket = {
    name = "my-artifacts-bucket"
    key  = "packer-templates.zip"
  }

  ansible_bucket = {
    name = "my-artifacts-bucket"
    key  = "ansible-playbooks.zip"
  }

  goss_bucket = {
    name = "my-artifacts-bucket"
    key  = "goss-tests.zip"
  }

  # VPC Configuration
  vpc_config = {
    security_group_ids = ["sg-xxx"]
    subnets            = ["subnet-xxx"]
    vpc_id             = "vpc-xxx"
    region             = "us-west-2"
  }

  # Container image configuration (optional)
  image = {
    dest_tag           = "latest"
    dest_docker_repo   = "my-repo/my-image"
    source_image       = "amazonlinux"
    source_tag         = "2"
    source_docker_repo = "public.ecr.aws/amazonlinux/amazonlinux"
  }
}
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| aws | >= 4.20.1 |

Modules

| Name | Description |
|------|-------------|
| codebuild_terraform | Manages CodeBuild projects for building and testing images |
| codepipeline_terraform | Manages the CI/CD pipeline for image creation |
| s3_artifacts_bucket | Manages S3 buckets for storing build artifacts |
| codepipeline_iam_role | Manages IAM roles and policies for the pipeline |
| codepipeline_kms | Manages KMS keys for encryption |
| build_user | Manages the build user credentials (optional) |

Core Components

CodeBuild Projects

The module creates two main CodeBuild projects:

  • build: Handles image building using Packer
  • test: Executes Goss tests against the built image

S3 Storage

Creates and manages buckets for:

  • Pipeline artifacts
  • Build logs
  • Source code archives
  • Test results

Security

  • KMS encryption for artifacts and secrets
  • IAM roles with least privilege access
  • VPC isolation support
  • Secrets management for sensitive data
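A post-plan policy check that verifies two of the Security bullets above hold in your own deployment: this is added example code, not part of the module, written against the AWS provider's attribute names for resource types the module declares (`aws_vpc_security_group_ingress_rule`, `aws_secretsmanager_secret`). The sample plan JSON embedded below is constructed; it does not assert what the module's real rules contain.

```python
"""Post-plan policy check for a deployment of this module (added example, not module code).
Reads `terraform show -json tfplan` output and flags SSH ingress open to the whole internet
and Secrets Manager secrets without a customer-managed KMS key. The sample plan is constructed."""
import json
import sys

def iter_resources(module):
    """Yield every planned resource, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def ssh_open_to_world(values):
    """True if an ingress rule admits TCP/22 (or all protocols) from any address."""
    world = values.get("cidr_ipv4") == "0.0.0.0/0" or values.get("cidr_ipv6") == "::/0"
    proto = str(values.get("ip_protocol", "")).lower()
    if proto in ("-1", "all"):  # all protocols: the port range is irrelevant
        return world
    if proto != "tcp":
        return False
    lo = values.get("from_port") if values.get("from_port") is not None else 0
    hi = values.get("to_port") if values.get("to_port") is not None else 65535
    return world and lo <= 22 <= hi

def find_findings(plan):
    """Return (address, message) pairs for planned resources that violate the policy."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        vals = res.get("values") or {}
        if res["type"] == "aws_vpc_security_group_ingress_rule" and ssh_open_to_world(vals):
            findings.append((res["address"], "SSH ingress open to 0.0.0.0/0 or ::/0"))
        if res["type"] == "aws_secretsmanager_secret" and not vals.get("kms_key_id"):
            findings.append((res["address"], "secret not bound to a customer-managed KMS key"))
    return findings

# Constructed sample: addresses mirror the module's Resources table, the values are invented.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_vpc_security_group_ingress_rule.allow_all_ssh_ipv4", "type": "aws_vpc_security_group_ingress_rule",
     "values": {"cidr_ipv4": "0.0.0.0/0", "from_port": 22, "to_port": 22, "ip_protocol": "tcp"}},
    {"address": "aws_secretsmanager_secret.ssh_key", "type": "aws_secretsmanager_secret",
     "values": {"kms_key_id": None}},
    {"address": "aws_secretsmanager_secret.secrets", "type": "aws_secretsmanager_secret",
     "values": {"kms_key_id": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"}},
]}}}

if __name__ == "__main__":  # usage: python check_plan.py plan.json (defaults to the sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = find_findings(plan)
    print("\n".join(f"{address}: {message}" for address, message in findings))
    sys.exit(1 if findings else 0)
```

Run it in the pipeline after `terraform plan -out tfplan && terraform show -json tfplan > plan.json`; a non-zero exit blocks the apply step.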

Input Variables

Required Variables

| Name | Description | Type |
|------|-------------|------|
| project_name | Unique name for the pipeline | string |
| vpc_config | VPC configuration for build isolation | object |
| state | Backend state configuration | object |

Optional Variables

| Name | Description | Type | Default |
|------|-------------|------|---------|
| builder_image | CodeBuild container image | string | "aws/codebuild/standard:7.0" |
| create_new_role | Create new IAM role | bool | true |
| docker_build | Enable container image building | bool | false |
| packer_version | Version of Packer to use | string | "1.10.3" |
| terraform_version | Version of Terraform to use | string | "1.3.10" |
| build_environment_variables | Additional environment variables | list(object) | null |

Outputs

| Name | Description |
|------|-------------|
| codepipeline_arn | ARN of the created CodePipeline |
| codebuild_project_names | Names of the created CodeBuild projects |
| s3_bucket | Name of the artifact S3 bucket |
| kms_arn | ARN of the KMS key used for encryption |
| role_name | Name of the IAM role used for builds |

License

Apache 2.0

Authors

HappyPathway

Providers

| Name | Version |
|------|---------|
| aws | 5.91.0 |
| random | 3.7.1 |
| tls | 4.0.6 |

Modules

| Name | Source | Version |
|------|--------|---------|
| build_user | ./modules/build_user | n/a |
| codebuild_terraform | ./modules/codebuild | n/a |
| codepipeline_iam_role | ./modules/iam-role | n/a |
| codepipeline_kms | ./modules/kms | n/a |
| codepipeline_terraform | ./modules/codepipeline | n/a |
| s3_artifacts_bucket | ./modules/s3 | n/a |

Resources

| Name | Type |
|------|------|
| aws_iam_instance_profile.build_user_instance_profile | resource |
| aws_iam_role.build_user_role | resource |
| aws_iam_role_policy.build_user_policy | resource |
| aws_key_pair.deployer | resource |
| aws_secretsmanager_secret.secrets | resource |
| aws_secretsmanager_secret.ssh_key | resource |
| aws_secretsmanager_secret_version.secrets | resource |
| aws_secretsmanager_secret_version.ssh_key | resource |
| aws_security_group.packer | resource |
| aws_security_group_rule.sg_rule | resource |
| aws_ssm_parameter.managed_parameters | resource |
| aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4 | resource |
| aws_vpc_security_group_egress_rule.allow_all_traffic_ipv6 | resource |
| aws_vpc_security_group_ingress_rule.allow_all_ssh_ipv4 | resource |
| random_pet.keyname | resource |
| tls_private_key.ssh | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.build_user_default | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| ami | n/a | `object({ instance_type = string, source_ami = string })` | `null` | no |
| ansible_bucket | Ansible bucket details | `object({ name = string, key = string, arn = string })` | `null` | no |
| assets_bucket_name | Name of the S3 bucket used to store the deployment artifacts | `string` | `"image-pipeline-assets"` | no |
| build_environment_variables | n/a | `list(object({ name = string, value = string, type = optional(string, "PLAINTEXT") }))` | `null` | no |
| build_project_source | Source code repo for the playbook | `string` | `"CODEPIPELINE"` | no |
| build_projects | List of names of the CodeBuild projects to be created | `list(object({ name = string, vars = optional(map(string), {}), environment_variables = optional(list(object({ name = string, value = string, type = string })), []), buildspec = optional(string) }))` | `[{ "name": "build" }, { "name": "test" }]` | no |
| build_user_iam_policy | The IAM policy for the build user | `string` | `null` | no |
| builder_compute_type | Relative path to the Apply and Destroy build spec file | `string` | `"BUILD_GENERAL1_SMALL"` | no |
| builder_image | Docker image to be used by CodeBuild | `string` | `"aws/codebuild/amazonlinux2-x86_64-standard:3.0"` | no |
| builder_image_pull_credentials_type | Image pull credentials type used by the CodeBuild project | `string` | `"CODEBUILD"` | no |
| builder_images | n/a | `map(string)` | `{}` | no |
| builder_type | Type of CodeBuild run environment | `string` | `"LINUX_CONTAINER"` | no |
| codepipeline_iam_role_name | Name of the IAM role to be used by the CodePipeline | `string` | `"codepipeline-role"` | no |
| create_build_user | Whether to create a build user. Set to false to use an existing user. | `bool` | `true` | no |
| create_new_role | Whether to create a new IAM role (true or false). Defaults to true. | `bool` | `true` | no |
| docker_build | n/a | `bool` | `false` | no |
| extra_parameters | n/a | `map(string)` | `{}` | no |
| goss_binary | GOSS profile to be used for testing | `string` | `"goss-linux-amd64"` | no |
| goss_bucket | Goss bucket details | `object({ name = string, key = string })` | `null` | no |
| goss_profile | GOSS profile to be used for testing | `string` | `"goss"` | no |
| image | n/a | `object({ dest_tag = string, dest_docker_repo = string, source_image = string, source_tag = string, source_docker_repo = string })` | `null` | no |
| image_volume_mapping | n/a | `list(object({ device_name = string, volume_size = number, volume_type = string, delete_on_termination = bool, encrypted = optional(bool, false), iops = optional(number, null), snapshot_id = optional(string, null), throughput = optional(number, null), virtual_name = optional(string, null), kms_key_id = optional(string, null), mount_path = optional(string, null) }))` | `[]` | no |
| instance_profile | n/a | `string` | `null` | no |
| kms_key_id | n/a | `string` | `null` | no |
| nonmanaged_parameters | n/a | `list(string)` | `["dest_tag"]` | no |
| packer_bucket | Source bucket details | `object({ name = string, arn = string, key = string })` | `null` | no |
| packer_config | Name of the Packer config in the repo | `string` | `"build.pkr.hcl"` | no |
| packer_version | Terraform CLI version | `string` | `"1.10.3"` | no |
| parameter_arns | n/a | `list(string)` | `null` | no |
| pip_bucket | Pip bucket details | `object({ name = string, key = string })` | `null` | no |
| playbook | n/a | `string` | `null` | no |
| project_name | Unique name for this project | `string` | n/a | yes |
| required_packages | n/a | `list(object({ src = string, dest = string }))` | `[]` | no |
| secret_arns | n/a | `list(string)` | `null` | no |
| secrets | n/a | `map(string)` | `{}` | no |
| shared_accounts | n/a | `list(string)` | `null` | no |
| shared_kms_key_arns | n/a | `list(string)` | `[]` | no |
| ssh_user | SSH username | `string` | `null` | no |
| state | n/a | `object({ bucket = string, key = string, region = string, dynamodb_table = string })` | n/a | yes |
| terraform_version | n/a | `string` | `"1.3.10"` | no |
| test_project_source | Source code repo for the Goss testing suite | `string` | `"CODEPIPELINE"` | no |
| troubleshoot | n/a | `bool` | `false` | no |
| userdata | n/a | `string` | `null` | no |
| vpc_config | n/a | `object({ security_group_ids = list(string), subnets = list(string), vpc_id = string, region = string })` | `null` | no |
| winrm_credentials | n/a | `object({ username = string, password = string })` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| codepipeline_arn | The ARN of the CodePipeline |
| codepipeline_name | The name of the CodePipeline |
| iam_arn | The ARN of the IAM role used by the CodePipeline |
| kms_arn | The KMS key ARN used in the CodePipeline |
| managed_parameters | n/a |
| role_name | The name of the IAM role used for build and pipeline operations |
| s3_arn | The ARN of the S3 bucket |
| s3_bucket | The name of the S3 bucket |
| sec_group | n/a |
| secrets | n/a |
