override codebuild defaults (#31)

jakebark · web-flow · commit 51e6e88cac15 · 2025-07-18T21:24:37.000+01:00
Optional override for plan and apply CodeBuild buildspecs and images
diff --git a/README.md b/README.md
@@ -74,6 +74,13 @@ module "pipeline" {
   checkov_version   = "3.2.0"
   tflint_version    = "0.55.0"
 
+  build_override = {
+    plan_buildspec  = file("./my_plan.yml")
+    plan_image      = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
+    apply_buildspec = file("./my_apply.yml")
+    apply_image     = "hashicorp/terraform:latest"
+  }
+
   vpc = {
     vpc_id             = "vpc-011a22334455bb66c",
     subnets            = ["subnet-011aabbcc2233d4ef"],
diff --git a/codebuild.tf b/codebuild.tf
@@ -8,7 +8,7 @@ module "validation" {
   codebuild_role        = aws_iam_role.codebuild_validate.arn
   environment_variables = var.tags == "" ? local.env_var : local.conditional_env_var
   build_timeout         = var.build_timeout
-  build_spec            = "${each.key}.yml"
+  build_spec            = file("${path.module}/modules/codebuild/buildspecs/${each.key}.yml")
   log_group             = aws_cloudwatch_log_group.this.name
   image                 = each.value
   vpc                   = var.vpc
@@ -20,9 +20,9 @@ module "plan" {
   codebuild_role        = aws_iam_role.codebuild_execution.arn
   environment_variables = local.env_var
   build_timeout         = var.build_timeout
-  build_spec            = "plan.yml"
+  build_spec            = var.build_override["plan_buildspec"] != null ? var.build_override["plan_buildspec"] : file("${path.module}/modules/codebuild/buildspecs/plan.yml")
   log_group             = aws_cloudwatch_log_group.this.name
-  image                 = "hashicorp/terraform:${var.terraform_version}"
+  image                 = var.build_override["plan_image"] != null ? var.build_override["plan_image"] : "hashicorp/terraform:${var.terraform_version}"
   vpc                   = var.vpc
 }
 
@@ -32,9 +32,9 @@ module "apply" {
   codebuild_role        = aws_iam_role.codebuild_execution.arn
   environment_variables = local.env_var
   build_timeout         = var.build_timeout
-  build_spec            = "apply.yml"
+  build_spec            = var.build_override["apply_buildspec"] != null ? var.build_override["apply_buildspec"] : file("${path.module}/modules/codebuild/buildspecs/apply.yml")
   log_group             = aws_cloudwatch_log_group.this.name
-  image                 = "hashicorp/terraform:${var.terraform_version}"
+  image                 = var.build_override["apply_image"] != null ? var.build_override["apply_image"] : "hashicorp/terraform:${var.terraform_version}"
   vpc                   = var.vpc
 }
 
diff --git a/docs/optional_inputs.md b/docs/optional_inputs.md
@@ -24,6 +24,8 @@
 
 `tflint_version` controls the [tflint](https://github.com/terraform-linters/tflint) version. It defaults to 0.48.0.
 
+`build_override` can replace the existing CodeBuild buildspecs and images with your own. 
+
 `vpc` configures the CodeBuild projects to [run in a VPC](https://docs.aws.amazon.com/codebuild/latest/userguide/vpc-support.html).  
 
 `notifications` creates a [CodeStar notification](https://docs.aws.amazon.com/dtconsole/latest/userguide/welcome.html) for the pipeline. `sns_topic` is the SNS topic arn. `events` are the [notification events](https://docs.aws.amazon.com/dtconsole/latest/userguide/concepts.html#events-ref-pipeline). `detail_type` is either BASIC or FULL. The SNS topic must allow [codestar-notifications.amazonaws.com to publush to the topic](https://docs.aws.amazon.com/dtconsole/latest/userguide/notification-target-create.html). 
diff --git a/modules/codebuild/main.tf b/modules/codebuild/main.tf
@@ -33,7 +33,7 @@ resource "aws_codebuild_project" "this" {
 
   source {
     type                = "CODEPIPELINE"
-    buildspec           = file("${path.module}/buildspecs/${var.build_spec}")
+    buildspec           = var.build_spec
     git_clone_depth     = 0
     insecure_ssl        = false
     report_build_status = false
diff --git a/variables.tf b/variables.tf
@@ -36,6 +36,17 @@ variable "build_timeout" {
   default     = 10
 }
 
+variable "build_override" {
+  description = "Override CodeBuild images and buildspecs"
+  type = object({
+    plan_buildspec  = optional(string)
+    plan_image      = optional(string)
+    apply_buildspec = optional(string)
+    apply_image     = optional(string)
+  })
+  default = {}
+}
+
 variable "checkov_skip" {
   description = "list of checkov checks to skip"
   type        = list(string)
@@ -65,22 +76,18 @@ variable "detect_changes" {
   default     = false
 }
 
+variable "kms_key" {
+  description = "AWS KMS key ARN"
+  type        = string
+  default     = null
+}
+
 variable "log_retention" {
   description = "CloudWatch log group retention, in days"
   type        = number
   default     = 90
 }
 
-variable "notifications" {
-  description = "SNS notification configuration"
-  type = object({
-    sns_topic   = string
-    events      = list(string)
-    detail_type = string
-  })
-  default = null
-}
-
 variable "mode" {
   description = "pipeline execution mode"
   type        = string
@@ -95,10 +102,14 @@ variable "mode" {
   }
 }
 
-variable "kms_key" {
-  description = "AWS KMS key ARN"
-  type        = string
-  default     = null
+variable "notifications" {
+  description = "SNS notification configuration"
+  type = object({
+    sns_topic   = string
+    events      = list(string)
+    detail_type = string
+  })
+  default = null
 }
 
 variable "tags" {
