AWS CodeBuild has no CloudWatch logs


AWS CodeBuild can now run inside or outside a VPC; it used to run outside a VPC only. If your VPC requires a proxy to reach the Internet, you need to configure that proxy properly in the CodeBuild project, otherwise you may find that the project is unable to send its logs to CloudWatch (here let's assume all IAM permissions are configured correctly). For example, as below:

There are two places where you can add proxy settings: at the project level, or inside the buildspec.yml file. To make the CloudWatch logs work, however, the proxy has to be set at the project level. Refer to HTTP_PROXY, HTTPS_PROXY and NO_PROXY in the EnvironmentVariables section of the following sample CloudFormation file.

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Description: Use Packer to bake AMI 
      Name: !Ref ProjectName
      Artifacts:
        Type: NO_ARTIFACTS
      Environment: 
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:3.0
        EnvironmentVariables:
          - Name: HTTP_PROXY
            Value: http://proxy.mydomain.com:8080
          - Name: HTTPS_PROXY
            Value: http://proxy.mydomain.com:8080
          - Name: NO_PROXY
            Value: 169.254.169.254,169.254.170.2,localhost,127.0.0.1
      ServiceRole: !Ref CodeBuildServiceRole
      Source: 
        Type: S3
        Location: !Sub ${DeploymentBucketName}/AWS/AMI/
      VpcConfig:
        SecurityGroupIds: 
          - "Fn::ImportValue": !Join [ "-", [ !Ref VpcName, ApplicationSubnetsEc2SecurityGroup ] ]
        Subnets: 
          - "Fn::ImportValue": !Join [ "-", [ !Ref VpcName, SubnetApplicationA ] ] 
          - "Fn::ImportValue": !Join [ "-", [ !Ref VpcName, SubnetApplicationB ] ] 
          - "Fn::ImportValue": !Join [ "-", [ !Ref VpcName, SubnetApplicationC ] ]
        VpcId: 
          "Fn::ImportValue": !Ref VpcName

The env section in the buildspec.yml file is for the scripts that run in the build phases.

---
version: 0.2

env:
  variables:
    http_proxy: "http://proxy.mydomain.com:8080"
    https_proxy: "http://proxy.mydomain.com:8080"
    no_proxy: "169.254.169.254,169.254.170.2,localhost,127.0.0.1"
    DEPLOY_BUCKET: "my-deploy-bucket"

proxy:
    upload-artifacts: yes
    logs: yes

phases:
  pre_build:
    commands:
      - echo "Installing HashiCorp Packer..."
      - curl -o packer.zip https://releases.hashicorp.com/packer/1.5.4/packer_1.5.4_linux_amd64.zip && unzip packer.zip
      - echo "Installing jq..."
      - curl -qL -o jq https://stedolan.github.io/jq/download/linux64/jq && chmod +x ./jq
      - echo "Downloading commit id..."
      - aws s3 sync s3://${DEPLOY_BUCKET}/version version
...

Under the hood, CodeBuild uses ECS as the build agents. My understanding is that the CloudWatch agent is installed on the ECS nodes, and the buildspec runs inside the containers/ECS tasks. The containers write the build logs to a file that can be read by the CloudWatch agent on the node. As the buildspec only applies inside a container, the proxy settings for the CloudWatch agent have to stay outside it. Make sense?
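As an added example that is not part of the original post, the following Python audits CodeBuild project definitions for exactly this problem (proxy variables missing at project level on a VPC-attached project, or NO_PROXY missing the metadata endpoints). It assumes the dict shape returned by boto3's codebuild.batch_get_projects and runs offline against constructed sample projects.

```python
# Added example (not from the post): audit CodeBuild projects for the
# misconfiguration described above, i.e. a VPC project whose proxy settings
# exist only in buildspec.yml, leaving the log agent outside the container
# unable to reach CloudWatch. Assumption: `project` has the shape of one
# element of codebuild.batch_get_projects()["projects"].

# Endpoints the build must reach directly rather than through the proxy:
# the EC2 instance metadata service and the ECS task credentials endpoint.
REQUIRED_NO_PROXY = {"169.254.169.254", "169.254.170.2"}


def project_env(project):
    """Return {name: value} for the project-level environment variables."""
    env = project.get("environment", {}).get("environmentVariables", [])
    return {v["name"]: v["value"] for v in env}


def audit_project(project):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    if not project.get("vpcConfig"):
        return findings  # outside a VPC no proxy is involved
    env = project_env(project)
    for var in ("HTTP_PROXY", "HTTPS_PROXY"):
        if var not in env:
            findings.append(f"{var} is not set at project level")
    no_proxy = {h.strip() for h in env.get("NO_PROXY", "").split(",")}
    missing = sorted(REQUIRED_NO_PROXY - no_proxy)
    if missing:
        findings.append("NO_PROXY is missing " + ", ".join(missing))
    return findings


# Constructed sample projects (placeholder ids, not real resources).
SAMPLE_VPC = {"vpcId": "vpc-EXAMPLE", "subnets": ["subnet-EXAMPLE"],
              "securityGroupIds": ["sg-EXAMPLE"]}
PROXY_URL = "http://proxy.mydomain.com:8080"
GOOD_PROJECT = {"name": "bake-ami", "vpcConfig": SAMPLE_VPC, "environment": {
    "environmentVariables": [
        {"name": "HTTP_PROXY", "value": PROXY_URL, "type": "PLAINTEXT"},
        {"name": "HTTPS_PROXY", "value": PROXY_URL, "type": "PLAINTEXT"},
        {"name": "NO_PROXY", "type": "PLAINTEXT",
         "value": "169.254.169.254,169.254.170.2,localhost,127.0.0.1"}]}}
# Same project, but the proxy was only put in buildspec.yml's env section.
BAD_PROJECT = {"name": "bake-ami-noproxy", "vpcConfig": SAMPLE_VPC,
               "environment": {"environmentVariables": []}}

if __name__ == "__main__":
    for p in (GOOD_PROJECT, BAD_PROJECT):
        print(p["name"], audit_project(p) or ["ok"])
```

In practice you would feed it the projects returned by a real batch_get_projects call; a non-empty finding list on a VPC project is the signature of the missing-logs symptom described above.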
