AWS Developer Tools & CI/CD
CodeBuild
Fully managed build service that compiles source code, runs tests, and produces artifacts
AWS CodeBuild is a fully managed build service that compiles source code, runs unit tests, and produces deployment artifacts, eliminating the need to provision and manage build servers like Jenkins. It scales automatically - each build runs in a fresh, isolated container - so there are no queuing delays even during concurrent builds.
How CodeBuild Executes a Build
Every CodeBuild build follows a defined lifecycle. Understanding the phases is critical for debugging failed builds.
| Phase | Purpose | buildspec.yml Key |
|---|---|---|
| SUBMITTED | Build queued | - |
| PROVISIONING | Container starting up | - |
| DOWNLOAD_SOURCE | Source code pulled from source provider | - |
| INSTALL | Install dependencies and tools | install.commands |
| PRE_BUILD | Pre-build steps (login to ECR, etc.) | pre_build.commands |
| BUILD | Compile, test, package | build.commands |
| POST_BUILD | Push artifacts, notifications | post_build.commands |
| UPLOAD_ARTIFACTS | Send artifacts to S3 | artifacts section |
| FINALIZING | Cleanup | - |
| COMPLETED | Build done | - |
The buildspec.yml file is the heart of CodeBuild. It lives at the root of your repository (or you can inline it in the project definition):

```yaml
version: 0.2
env:
  variables:
    NODE_ENV: "test"
  # Resolved from Secrets Manager at build time; the value never sits in the project definition
  secrets-manager:
    DB_PASSWORD: "arn:aws:secretsmanager:us-east-1:123456789:secret:my-secret:password"
phases:
  install:
    runtime-versions:
      nodejs: 18
    commands:
      - npm ci
  pre_build:
    commands:
      # $ECR_REPO is a project environment variable holding the registry/repository URI
      - aws ecr get-login-password | docker login --username AWS --password-stdin $ECR_REPO
  build:
    commands:
      - npm run test
      - npm run build
      # Tag the image with the resolved commit SHA so every artifact is traceable to its source
      - docker build -t $ECR_REPO:$CODEBUILD_RESOLVED_SOURCE_VERSION .
      - docker push $ECR_REPO:$CODEBUILD_RESOLVED_SOURCE_VERSION
  post_build:
    commands:
      - echo "Build complete"
artifacts:
  files:
    - '**/*'
  base-directory: dist
cache:
  paths:
    - node_modules/**/*
```

Compute Types and Build Environments
CodeBuild offers several compute options. Choosing the right size directly affects build duration and cost.
| Compute Type | vCPU | Memory | Disk | Use Case |
|---|---|---|---|---|
| BUILD_GENERAL1_SMALL | 3 | 4 GB | 64 GB | Simple builds, linting, unit tests |
| BUILD_GENERAL1_MEDIUM | 7 | 16 GB | 128 GB | Most application builds |
| BUILD_GENERAL1_LARGE | 8 | 32 GB | 128 GB | Heavy builds, Docker, parallel tests |
| BUILD_GENERAL1_2XLARGE | 72 | 144 GB | 824 GB | GPU builds, large monorepos |
| BUILD_LAMBDA_1GB | N/A | 1 GB | 512 MB | Fast Lambda-backed builds (lower cold start) |
For the build environment image, AWS provides curated images (aws/codebuild/standard:7.0 for latest) or you can bring your own Docker image from ECR or Docker Hub. Custom images let you pre-install tools to reduce install phase time.
If your build needs to run Docker commands (docker build, docker push), enable "Privileged mode" on the build project. Without this, the Docker daemon is not available inside the build container.
Build Caching Strategies
CodeBuild supports three caching mechanisms. Caching is one of the most impactful optimizations for build speed.
| Cache Type | How It Works | Best For | Invalidation |
|---|---|---|---|
| S3 cache | Tar and upload specified paths to S3 between builds | node_modules, .m2, pip cache | Manual or cache key change |
| Local cache | Reuse layers in the build container (same fleet) | Docker layer cache, custom source | Per-fleet, not guaranteed |
| Local + S3 | Local first, fall back to S3 | Highest hit rate | Both mechanisms |
Define the cache in buildspec.yml under the cache key. S3 cache paths are compressed and stored as zip files named by a hash of the cache key.
```yaml
# In buildspec.yml - cache node_modules to S3
cache:
  paths:
    - node_modules/**/*
    - .npm/**/*
# In CodeBuild project (console/Terraform) - enable S3 cache
# cache:
#   type: S3
#   location: my-bucket/codebuild-cache
```

S3 caching adds upload/download time at the start and end of each build. For small projects, this overhead can exceed the time saved. Benchmark with and without cache to confirm it helps.
VPC Access, IAM, and Secrets
By default, CodeBuild runs in an AWS-managed network with internet access. When builds need to reach resources inside your VPC (RDS, internal APIs, ElastiCache), you must configure VPC mode.
| Requirement | Configuration |
|---|---|
| Access RDS or internal services | Enable VPC mode - specify VPC, subnets, security group |
| Outbound internet in VPC mode | Private subnets must have a NAT Gateway |
| Pull from ECR in VPC mode | ECR VPC endpoint OR NAT Gateway |
| Read Secrets Manager | IAM role permission + optionally Secrets Manager VPC endpoint |
| Access S3 artifacts | S3 VPC endpoint recommended (avoids NAT costs) |
The CodeBuild service role needs permissions for everything the build does. Common additions beyond the AWS-managed policy:
```text
# Common IAM additions for CodeBuild service role
# ECR push/pull
ecr:GetAuthorizationToken
ecr:BatchCheckLayerAvailability
ecr:InitiateLayerUpload
ecr:UploadLayerPart
ecr:CompleteLayerUpload
ecr:PutImage
# Secrets Manager
secretsmanager:GetSecretValue
# Parameter Store
ssm:GetParameters
ssm:GetParametersByPath
# S3 artifact bucket
s3:GetObject
s3:PutObject
s3:GetBucketAcl
s3:GetBucketLocation
```

Never put secrets as plaintext environment variables in the project definition - they appear in build logs. Always use Secrets Manager or Parameter Store via the secrets-manager or parameter-store keys in the env section of buildspec.yml.
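The action list above says what the service role needs but not what it should be scoped to. As an added example (my code, not AWS's or the page's), the function below assembles those actions into a policy document in which every statement is restricted to the one ECR repository, secret, parameter path and artifact bucket the build uses; the only `Resource: "*"` is `ecr:GetAuthorizationToken`, which has no resource-level permissions. It also adds the pull-side actions `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` (real ECR actions, needed only if the build pulls from the same repository) and a small checker that flags any other wildcard resource before the policy is attached. All ARNs and the bucket name are constructed placeholders.

```python
import json

# Actions that IAM only supports with Resource "*" (GetAuthorizationToken has no
# resource-level permissions), so a wildcard there is expected, not a finding.
WILDCARD_ONLY_ACTIONS = {"ecr:GetAuthorizationToken"}


def codebuild_service_policy(ecr_repo_arn, secret_arns, artifact_bucket, parameter_path_arn):
    """Return a policy document for the CodeBuild service role that grants the
    actions from the list above, each scoped to the resource the build uses."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EcrLogin", "Effect": "Allow",
             "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Sid": "EcrPushPull", "Effect": "Allow",
             "Action": ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                        "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
                        # pull-side actions, needed only if the build also pulls from this repo
                        "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
             "Resource": ecr_repo_arn},
            {"Sid": "ReadSecrets", "Effect": "Allow",
             "Action": "secretsmanager:GetSecretValue", "Resource": list(secret_arns)},
            {"Sid": "ReadParameters", "Effect": "Allow",
             "Action": ["ssm:GetParameters", "ssm:GetParametersByPath"],
             "Resource": parameter_path_arn},
            # Bucket-level actions take the bucket ARN; object actions take bucket/*.
            {"Sid": "ArtifactBucket", "Effect": "Allow",
             "Action": ["s3:GetBucketAcl", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{artifact_bucket}"},
            {"Sid": "ArtifactObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{artifact_bucket}/*"},
        ],
    }


def overly_broad_statements(policy):
    """Sids of Allow statements that use Resource "*" for actions that support
    resource-level scoping. Run this over any policy before attaching it."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if "*" in resources and not set(actions) <= WILDCARD_ONLY_ACTIONS:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    # Constructed ARNs and bucket name for illustration only.
    policy = codebuild_service_policy(
        ecr_repo_arn="arn:aws:ecr:us-east-1:111122223333:repository/example-app",
        secret_arns=["arn:aws:secretsmanager:us-east-1:111122223333:secret:example-db-AbCdEf"],
        artifact_bucket="example-codebuild-artifacts",
        parameter_path_arn="arn:aws:ssm:us-east-1:111122223333:parameter/example-app/*",
    )
    print(json.dumps(policy, indent=2))
    print("overly broad:", overly_broad_statements(policy))  # []
```

The split between the bucket ARN and `bucket/*` matters in practice: `s3:GetBucketAcl` and `s3:GetBucketLocation` only evaluate against the bucket ARN, while `GetObject`/`PutObject` only evaluate against object ARNs, so a single statement with one of the two forms silently denies half the calls.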
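The plaintext-secret mistake is easy to catch before the project is ever created. The check below is an added example (not CodeBuild tooling and not from the page): it walks a parsed buildspec, the dict that `yaml.safe_load()` returns for the file, and reports variables under `env.variables` whose name looks like a credential or whose value matches the `AKIA` access-key-ID prefix, plus any command that `echo`es a variable resolved from `secrets-manager` or `parameter-store`, since that prints the resolved secret into the build log. The name patterns are this example's own heuristics, and the sample buildspec, ARN and key are constructed.

```python
import re

# Heuristics (assumptions of this example, not CodeBuild rules): variable names
# that usually hold credentials, and the fixed prefix of AWS access key IDs.
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL", re.IGNORECASE)
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_secret_leaks(buildspec):
    """Inspect a parsed buildspec (the dict yaml.safe_load returns) and list the
    places where a credential would land in the project definition or the build
    log. Returns an empty list for a clean buildspec."""
    findings = []
    env = buildspec.get("env") or {}

    # Values under secrets-manager / parameter-store are fetched at build time;
    # remember their names so commands that print them can be flagged too.
    protected = set(env.get("secrets-manager") or {}) | set(env.get("parameter-store") or {})

    for name, value in (env.get("variables") or {}).items():
        value = "" if value is None else str(value)
        if SECRET_NAME.search(name) or AWS_ACCESS_KEY_ID.search(value):
            findings.append(
                f"env.variables.{name}: looks like a credential stored as plaintext; "
                "move it under env.secrets-manager or env.parameter-store"
            )

    for phase, spec in (buildspec.get("phases") or {}).items():
        for cmd in (spec or {}).get("commands") or []:
            cmd = str(cmd)
            if AWS_ACCESS_KEY_ID.search(cmd):
                findings.append(f"phases.{phase}: command contains a hard-coded AWS access key ID")
            for name in sorted(protected):
                # echo $NAME or echo ${NAME} writes the resolved secret into the build log
                if re.search(r"\becho\b.*\$\{?" + re.escape(name) + r"\b", cmd):
                    findings.append(
                        f"phases.{phase}: 'echo' prints ${name}, which writes the secret to the build log"
                    )
    return findings


# Constructed sample: what yaml.safe_load() would return for a buildspec with
# two mistakes in env.variables and one leaky echo. The ARN and key are fake.
SAMPLE_BUILDSPEC = {
    "version": 0.2,
    "env": {
        "variables": {
            "NODE_ENV": "test",
            "DB_PASSWORD": "hunter2",               # credential by name
            "DEPLOY_KEY": "AKIAEXAMPLEEXAMPLE01",   # credential by value pattern
        },
        "secrets-manager": {
            "API_TOKEN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-token",
        },
    },
    "phases": {
        "pre_build": {"commands": ['echo "token is $API_TOKEN"', "npm ci"]},
        "build": {"commands": ["npm run test", "npm run build"]},
    },
}

if __name__ == "__main__":
    for finding in find_secret_leaks(SAMPLE_BUILDSPEC):
        print(finding)
```

Run it as a pre-commit hook or a CI step over the repository's buildspec files; a non-empty result should fail the check. It is deliberately name- and pattern-based, so it will miss a secret under an innocuous name with an unrecognisable value, which is the usual limitation of this class of scanner.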
Pricing Model and Cost Optimization
| Compute Type | Price per Build Minute |
|---|---|
| BUILD_GENERAL1_SMALL (Linux) | $0.005 |
| BUILD_GENERAL1_MEDIUM (Linux) | $0.010 |
| BUILD_GENERAL1_LARGE (Linux) | $0.020 |
| BUILD_GENERAL1_2XLARGE (Linux) | $0.080 |
| BUILD_GENERAL1_SMALL (Windows) | $0.011 |
| BUILD_LAMBDA_1GB | $0.00002 per second |
Billing is per minute, rounded up. The free tier includes 100 build minutes per month on BUILD_GENERAL1_SMALL.
Cost optimization strategies: use S3 caching to reduce build duration; use the smallest compute type that completes within an acceptable time; parallelize test suites using batch builds rather than running them sequentially.
Interview Focus Points
1. What are the phases of a CodeBuild build and what happens in each phase?
2. How do you pass secrets to a CodeBuild build without exposing them in logs?
3. When would you use a custom Docker image vs the AWS standard image?
4. What is privileged mode and when is it required?
5. How does CodeBuild VPC mode work and what network components are required?
6. What caching strategies does CodeBuild support and what are the trade-offs?
7. How do you run Docker builds inside CodeBuild?
8. How would you configure CodeBuild to run tests in parallel?
9. How does CodeBuild pricing work - what are you actually billed for?