AWS CodeBuild error on DOWNLOAD_SOURCE: CLIENT_ERROR: repository not found for primary source and source version

Question

I'm trying to create a CodeBuild project using Terraform, but when I build I'm getting the following error on the DOWNLOAD_SOURCE step:

CLIENT_ERROR: repository not found for primary source and source version

This project uses a CodeCommit repository as the source. It's odd because all of the links to the repository from the CodeCommit console GUI work fine for this build - I can see the commits, click on the link and get to the CodeCommit repo, etc so the Source setup seems to be fine. The policy used for the build has "codecommit:GitPull" permissions on the repository.

Strangely, if I go to the build in the console and uncheck the "Allow AWS CodeBuild to modify this service role so it can be used with this build project" checkbox then Update Sources, the build will work! But I can't find any way to set this from Terraform, and it will default back on if you go back to the Update Sources screen.

Here is the Terraform code I'm using to create the build.

# IAM role for CodeBuild 
resource "aws_iam_role" "codebuild_myapp_build_role" {
  name = "mycompany-codebuild-myapp-build-service-role"
  description = "Managed by Terraform"
  path = "/service-role/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# IAM policy for the CodeBuild role
resource "aws_iam_policy" "codebuild_myapp_build_policy" {
  name = "mycompany-codebuild-policy-myapp-build-us-east-1"
  description = "Managed by Terraform"
  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:GetAuthorizationToken",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "logs:CreateLogStream",
                "codecommit:GitPull",
                "logs:PutLogEvents",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:000000000000:log-group:/aws/codebuild/myapp-build",
                "arn:aws:logs:us-east-1:000000000000:log-group:/aws/codebuild/myapp-build:*",
                "arn:aws:s3:::codepipeline-us-east-1-*",
                "arn:aws:codecommit:us-east-1:000000000000:mycompany-devops-us-east-1"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": [
                "arn:aws:logs:us-east-1:000000000000:log-group:/aws/codebuild/myapp-build",
                "arn:aws:logs:us-east-1:000000000000:log-group:/aws/codebuild/myapp-build:*"
            ]
        }
    ]
}
POLICY
}

# attach the policy
resource "aws_iam_role_policy_attachment" "codebuild_myapp_build_policy_att" {
    role       = "${aws_iam_role.codebuild_myapp_build_role.name}"
    policy_arn = "${aws_iam_policy.codebuild_myapp_build_policy.arn}"
}

# codebuild project
resource "aws_codebuild_project" "codebuild_myapp_build" {
    name = "myapp-build"
    build_timeout = "60"
    service_role = "${aws_iam_role.codebuild_myapp_build_role.arn}"

    artifacts {
        type = "NO_ARTIFACTS"
    }

    environment {
        compute_type = "BUILD_GENERAL1_SMALL"
        image = "aws/codebuild/docker:17.09.0"
        type = "LINUX_CONTAINER"
        privileged_mode = "true"

        environment_variable {
            "name" = "AWS_DEFAULT_REGION"
            "value" = "us-east-1"
        }

        environment_variable {
            "name" = "AWS_ACCOUNT_ID"
            "value" = "000000000000"
        }

        environment_variable {
            "name" = "IMAGE_REPO_NAME"
            "value" = "myapp-build"
        }

        environment_variable {
            "name" = "IMAGE_TAG"
            "value" = "latest"
        }

        environment_variable {
            "name" = "DOCKERFILE_PATH"
            "value" = "docker/codebuild/myapp_build_agent"
        }
    }

    source {
        type = "CODECOMMIT"
        location = "mycompany-devops-us-east-1"
        git_clone_depth = "1"
        buildspec = "docker/myapp/myapp_build/buildspec.yml"
    }

    tags {
        Name = "myapp-build"
        Environment = "${var.env_name}"   
        Region = "${var.aws_region}"
        ResourceType = "CodeBuild Project"
        ManagedBy = "Terraform"
    }
}

Answer 1

Your problem is the specification of the source:

source {
    type = "CODECOMMIT"
    location = "mycompany-devops-us-east-1"

Here's the Amazon documentation for the source, what's relevant with some emphasis:

For source code in an AWS CodeCommit repository, the HTTPS clone URL to the repository that contains the source code and the build spec (for example, https://git-codecommit.region-ID.amazonaws.com/v1/repos/repo-name ).

In your case, that is probably something like this, using the 'clone url' found in the codecommit console:

https://git-codecommit.us-east-1.amazonaws.com/v1/repos/mycompany-devops-us-east-1

I ran into this while using a private github repository source. In my case I gave the URL, not the clone link to github, so the problem was very similar:

bad:  https://github.com/privaterepo/reponame
good: https://github.com/privaterepo/reponame.git