1

I have an AWS CloudFormation CodeBuild template that I'd like to pass an array of environment variables as Parameters so I can reuse the template for multiple CloudFormation projects.

I'd like to pass this section as a parameter. How do I do this?

"environmentVariables": [{
    "name": "$S3_BUCKET",
    "value": "Parameter_Store_Variable_name",
    "type": "PARAMETER_STORE"}
],

Here is more template for the larger context...

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Automate provisioning of CodeBuild with CodePipeline CodeCommit and CodeDeploy.",
  "Parameters": {
    "SourceLocation": {
        "Type": "String",
        "Description": "https://github.com/<account>/<repo>"
    },
    "AppName": {
        "Type": "String",
        "Description": "Name of the application."
    }
  },
  "Resources": {
    "CodeBuild": {
      "Type": "AWS::CodeBuild::Project",
      "DependsOn": "CodeBuildRole",
      "Properties": {
        "name": "test-project-name",
        "description": "description",
        "source": {
          "type": "GITHUB",
          "location": {
            "Ref": "SourceLocation"
          },
          "gitCloneDepth": 1,
          "buildspec": "",
          "badgeEnabled": true,
          "auth": {
            "type": "OAUTH"
          }
        },
        "artifacts": {
          "type": "artifacts-type",
          "location": "artifacts-location",
          "path": "path",
          "namespaceType": "namespaceType",
          "name": "artifacts-name",
          "packaging": "packaging"
        },
        "cache": {
          "type": "NONE"
        },
        "ServiceRole": {
          "Ref": "CodeBuildRole"
        },
        "timeoutInMinutes": 10,
        "environment": {
          "type": "LINUX_CONTAINER",
          "image": "aws/codebuild/nodejs:8.11.0",
          "computeType": "BUILD_GENERAL1_SMALL",
          "environmentVariables": [{
            "name": "$S3_BUCKET",
            "value": "PARAMETERSTOREVARIABLENAMEHERE",
            "type": "PARAMETER_STORE"
          }],
          "privilegedMode": false
        }
      }
    },
    "CodeBuildRole": {
      "Description": "Creating service role in IAM for AWS CodeBuild",
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": {
          "Fn::Sub": "codebuild-role-${AppName}"
        },
        "AssumeRolePolicyDocument": {
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "codebuild.amazonaws.com"
              ]
            },
            "Action": "sts:AssumeRole"
          }]
        },
        "Path": "/"
      }
    },
    "CodeBuildPolicy": {
      "Type": "AWS::IAM::Policy",
      "DependsOn": "CodeBuildRole",
      "Description": "Setting IAM policy for the service role for AWS CodeBuild",
      "Properties": {
        "PolicyName": {
          "Fn::Sub": "codebuild-policy-${AppName}"
        },
        "PolicyDocument": {
          "Statement": [{
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": [
                "*"
              ]
            },
            {
              "Effect": "Allow",
              "Resource": [
                "*"
              ],
              "Action": [
                "s3:*"
              ]
            },
            {
              "Effect": "Allow",
              "Resource": [
                "*"
              ],
              "Action": [
                "kms:GenerateDataKey*",
                "kms:Encrypt",
                "kms:Decrypt"
              ]
            },
            {
              "Effect": "Allow",
              "Resource": [
                "*"
              ],
              "Action": [
                "sns:SendMessage"
              ]
            }
          ]
        },
        "Roles": [{
          "Ref": "CodeBuildRole"
        }]
      }
    }
  },
  "Outputs": {
    "CodeBuildURL": {
      "Description": "CodeBuild URL",
      "Value": {
        "Fn::Join": [
          "", [
            "https://console.aws.amazon.com/codebuild/home?region=",
            {
              "Ref": "AWS::Region"
            },
            "#/projects/",
            {
              "Ref": "CodeBuild"
            },
            "/view"
          ]
        ]
      }
    }
  }
}

Thanks for the help!

Improve this question

1 Answer 1

Reset to default
0

If your question is really about reusing SSM parameters and not reusing snippets, then I suggest you leverage the direct support ssm in codebuild. It can read your ssm parameters and make them available as environment variables. Here is an example of me connecting to gitlab with my user name and password.

env:
 variables:
   GITLAB_USER: 'jeshan'
 parameter-store:
   GITLAB_PASSWORD: 'gitlab-password'

In this case, jeshan is a plain value while gitlab-password is the name of my SSM parameter. Doing it this way will avoid hardcoding variable in your codebuild project and the parameter can later be updated without redeploying your codebuild project.

Make sure that your codebuild's role has permission to read your parameters.

Related question: How to read SSM parameters when using AWS Codebuild?

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

This is great! Thanks @Jeshan. I was trying to pass in the variables to the buildspec.yml file when I can just request them right from the file. Thank you!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.