Terraform with AWS provider unable to create CodeBuild


I am trying to create an AWS CodeBuild project using Terraform.

resource "aws_codebuild_project" "cicd_codebuild" {
  name          = "cicd-${var.profile}-build"
  description   = "cicd ${var.profile} CodeBuild"
  service_role  = "${aws_iam_role.cicd_role.arn}"

  source {
    type = "GITHUB_ENTERPRISE"
    location = "https://git.xxx.com/yyy/zzz.git"
    git_clone_depth = 0
    buildspec = "NO_SOURCE"
  }

  environment {
    compute_type                = "BUILD_GENERAL1_MEDIUM"
    image                       = "aws/codebuild/windows-base:2019-1.0"
    type                        = "WINDOWS_SERVER_2019_CONTAINER"
    image_pull_credentials_type = "CODEBUILD"
  }

  artifacts {
    type = "NO_ARTIFACTS"
  }
}

Upon terraform apply I get an error:

Error: aws_codebuild_project.cicd_codebuild: expected environment.0.type to be one of [LINUX_CONTAINER LINUX_GPU_CONTAINER WINDOWS_CONTAINER ARM_CONTAINER], got WINDOWS_SERVER_2019_CONTAINER

And when I change the value to environment.0.type = "WINDOWS_CONTAINER" I get the error below:

Error: Error applying plan:

1 error occurred:
        * aws_codebuild_project.cicd_codebuild: 1 error occurred:
        * aws_codebuild_project.cicd_codebuild: Error creating CodeBuild project: InvalidInputException: The environment type WINDOWS_CONTAINER is deprecated for new projects or existing project environment updates. Please consider using Windows Server 2019 instead.

I found on GitHub that this issue has been addressed in the next versions. So I know upgrading the provider version can solve this, but do we have any workaround to fix this issue in the same version of Terraform and provider?

Thanks.


There are 1 best solutions below


Terraform has plan time validation on many resource parameters that allows for catching where you are passing an invalid parameter before you get to the point of trying to apply it.

Normally this is beneficial but if you are not able to keep up to date with the provider versions it means that that list of allowed values can get out of date with what is actually allowed by the backing service the provider is talking to.

In this specific case a pull request added the WINDOWS_SERVER_2019_CONTAINER as a plan time validation option after AWS added that functionality in July 2020.

Unfortunately for you, this work was merged and released as part of the v3.20.0 release of the AWS provider and the v3 releases only support Terraform 0.12 and up:

BREAKING CHANGES

  • provider: New versions of the provider can only be automatically installed on Terraform 0.12 and later (#14143)

If you want to be able to use Windows containers in CodeBuild you either need to upgrade to a more recent version of Terraform and the AWS provider or you need to use a different tool for creating the CodeBuild project.

One potential workaround here is to use CloudFormation to create the CodeBuild project which you could run via Terraform using the aws_cloudformation_stack resource.
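
A sketch of the CloudFormation workaround described in the answer above, added here as an example and not taken from the question or the answer. It reuses `var.profile`, `aws_iam_role.cicd_role` and the environment settings from the question; the stack name, the parameter names and the `ProjectArn` output are assumptions, and the syntax is kept compatible with Terraform 0.11.

```hcl
# Added example: the environment type is validated by CloudFormation itself,
# so the provider's outdated plan-time list for aws_codebuild_project is bypassed.
resource "aws_cloudformation_stack" "cicd_codebuild" {
  # Stack name is an assumption; the project name matches the question.
  name = "cicd-${var.profile}-build-stack"

  # Values are passed as stack parameters instead of being interpolated
  # into the template text, so the template stays static and reviewable.
  parameters = {
    ProjectName    = "cicd-${var.profile}-build"
    ServiceRoleArn = "${aws_iam_role.cicd_role.arn}"
    SourceLocation = "https://git.xxx.com/yyy/zzz.git"
  }

  template_body = <<STACK
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ProjectName:
    Type: String
  ServiceRoleArn:
    Type: String
  SourceLocation:
    Type: String
Resources:
  Build:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Ref ProjectName
      ServiceRole: !Ref ServiceRoleArn
      Source:
        Type: GITHUB_ENTERPRISE
        Location: !Ref SourceLocation
        GitCloneDepth: 0
      Environment:
        ComputeType: BUILD_GENERAL1_MEDIUM
        Image: aws/codebuild/windows-base:2019-1.0
        Type: WINDOWS_SERVER_2019_CONTAINER
        ImagePullCredentialsType: CODEBUILD
      Artifacts:
        Type: NO_ARTIFACTS
Outputs:
  ProjectArn:
    Value: !GetAtt Build.Arn
STACK
}
```

Because no `iam_role_arn` is set on the stack, CloudFormation acts with the credentials Terraform runs under, so that principal needs CloudFormation and CodeBuild permissions plus `iam:PassRole` on the service role; scope `iam:PassRole` to that one role ARN.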