4

I am now getting a Failure for CodeBuild on the DOWNLOAD_SOURCE phase.

CLIENT_ERROR: RequestError: send request failed caused by: Get "https://codepipeline-us-east-1-215861945190.s3.amazonaws.com/diag-upload-pipe/SourceArti/jiUJWyf": dial tcp 52.217.106.244:443: i/o timeout for primary source and source version arn:aws:s3:::codepipeline-us-east-1-215861945190/diag-upload-pipe/SourceArti/jiUJWyf

I have tried adding S3 permissions for full access to no avail. I've also tried following the advice from Ryan Williams in the comments here: DOWNLOAD_SOURCE Failed AWS CodeBuild

Still unable to get past this error.

I have my VPC

  • Main route table for the VPC(rtb05b) Routes - 10.0.0.0/16 with a local target and 0.0.0.0/0 with nat-0ad target
  • Subnet associations - subnet-0a7
  • subnet-0a7 routes 10.0.0.0/16 with a local target and 0.0.0.0/0 with nat-0ad target
  • Mixed route route table - rtb-026 routes 10.0.0.0/16 with a local target and 0.0.0.0/0 with internet gateway igw-0305 target
  • Associated subnets for the mixed route table are a Private and Public subnet

I feel like there has to be a problem with the routing since there's an i/o timeout but I can't for the life of me figure out where I went wrong.

Heats
  • Which subnets are private and which are public? – Marcin Feb 20 '22 at 06:29
  • It's better if you have a simple diagram. Did you create a build project with vpc config? If yes, can you create a VM in that subnet (used for CodeBuild) and download that file stored in s3? How about the security group applied for CodeBuild? – Franxi Hidro Feb 20 '22 at 11:10
  • @Marcin two subnets that were made via the VPC Wizard. I chose the option for public and private subnets. We'll refer to them as subnet-02e for public and subnet oe1 for private. – Heats Feb 20 '22 at 15:30
  • @FranxiHidro hi again :) Yes I created a build project with the VPC config. I think I'd need to make a bastion host to really test that since the subnet is private right? Trying to avoid spinning up more infrastructure but if that's what I have to do I'll do it. – Heats Feb 20 '22 at 15:40
  • @FranxiHidro I didn't see anything in the build project to define a security group. Just the role. I did create a security group overall and that has an inbound rule with port 8000 because that's the port in the Dockerfile for the service. Outbound is all traffic. – Heats Feb 20 '22 at 15:44
  • In Build project --> Environment --> Additional configuration, you can see VPC, Subnets, security groups, compute ... I think the common issues are related to permissions or networking, and a T2.micro is enough for testing. – Franxi Hidro Feb 20 '22 at 16:57

2 Answers

0

I faced exactly the same problem. In my case, it was due to the Security Group Egress setting in CodeBuild.

Here is what I did when I built the resource using CloudFormation.

Step 1: Create a SecurityGroup for CodeBuild

  CodeBuildSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC

Step 2: Set up an Egress to allow all outbound traffic to the SecurityGroup created in Step 1.

  CodeBuildEgressAllAccess:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref CodeBuildSecurityGroup
      CidrIp: '0.0.0.0/0'
      FromPort: -1
      ToPort: -1
      IpProtocol: '-1'

Step 3: Set up an egress to allow outbound traffic to connect to RDS MySQL.

  CodeBuildEgressToMySQL:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref CodeBuildSecurityGroup
      DestinationSecurityGroupId: !Ref RdsMySQLSecurityGroup
      FromPort: 3306
      ToPort: 3306
      IpProtocol: tcp

When I deployed the stack with this content, the only outbound traffic allowed for the CodeBuild SecurityGroup was to RDS MySQL.

The allow-all egress rule created in Step 2 was ignored, so outbound traffic such as Internet, S3 and others will be denied.

0

Your build project environment should belong ONLY to a private subnet, which has a 0.0.0.0/0 route to NAT in the route table. Also check its security group to allow HTTPS requests.

Vasily
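
The two checks the answers point to (the build subnet's default route and the security group's egress rules) can be run offline, shown here as an added example that is not part of either answer. The dictionaries follow the shape of EC2 `describe_route_tables` and `describe_security_groups` responses; every ID is a constructed placeholder, and only the S3 address comes from the error message in the question.

```python
import ipaddress

def default_route_target(table):
    """Return 'nat', 'igw' or None for the table's 0.0.0.0/0 route."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if route.get("NatGatewayId"):
                return "nat"
            return "igw" if route.get("GatewayId", "").startswith("igw-") else None
    return None

def egress_allows_https(sg, dest_ip):
    """True if an egress rule permits tcp/443 to dest_ip through a CIDR range."""
    ip = ipaddress.ip_address(dest_ip)
    for perm in sg["IpPermissionsEgress"]:
        proto = perm["IpProtocol"]
        port_ok = proto == "-1" or (proto == "tcp" and perm["FromPort"] <= 443 <= perm["ToPort"])
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        if port_ok and any(ip in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False

def diagnose(subnet_id, route_tables, sg, dest_ip):
    """Return reasons a build in subnet_id would time out reaching dest_ip:443."""
    # An explicit subnet association wins; otherwise the VPC main table applies.
    tables = {a.get("SubnetId", "main" if a.get("Main") else None): t
              for t in route_tables for a in t["Associations"]}
    table = tables.get(subnet_id, tables.get("main"))
    findings = []
    if default_route_target(table) != "nat":
        findings.append(f"{table['RouteTableId']}: 0.0.0.0/0 does not go to a NAT gateway")
    if not egress_allows_https(sg, dest_ip):
        findings.append(f"{sg['GroupId']}: no egress rule allows tcp/443 to {dest_ip}")
    return findings

# Constructed sample data: placeholder IDs, local 10.0.0.0/16 routes omitted.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
    {"RouteTableId": "rtb-mixed",
     "Associations": [{"SubnetId": "subnet-private"}, {"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]}]
SG_MYSQL_ONLY = {"GroupId": "sg-codebuild", "IpPermissionsEgress": [{
    "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
    "UserIdGroupPairs": [{"GroupId": "sg-rds"}]}]}
S3_IP = "52.217.106.244"  # address from the error message in the question

if __name__ == "__main__":
    print("\n".join(diagnose("subnet-private", ROUTE_TABLES, SG_MYSQL_ONLY, S3_IP)))
```

Real input can come from boto3's `describe_route_tables()["RouteTables"]` and one entry of `describe_security_groups()["SecurityGroups"]`. The check does not model S3 gateway VPC endpoints or prefix-list egress rules.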