Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.1.3. Build Processes with AWS CodeBuild

CodeBuild eliminates the need to maintain Jenkins servers or EC2-based build agents. It provisions a fresh container for every build, executes your buildspec.yml instructions, and tears down the environment — guaranteeing clean, reproducible builds.

The buildspec.yml lifecycle has four phases that execute in order (install, pre_build, build, post_build):

version: 0.2
env:
  secrets-manager:
    DB_PASSWORD: prod/db:password  # Pull secrets at build time
phases:
  install:
    runtime-versions:
      java: corretto17
    commands:
      - echo "Installing dependencies..."
  pre_build:
    commands:
      - echo "Running linter..."
      - mvn checkstyle:check
  build:
    commands:
      - mvn package -DskipTests=false
  post_build:
    commands:
      - echo "Build completed on $(date)"
artifacts:
  files:
    - target/my-app.jar
  discard-paths: yes
cache:
  paths:
    - '/root/.m2/**/*'  # Cache Maven dependencies between builds

Build environments use managed Docker images. Choose aws/codebuild/standard for general builds or aws/codebuild/amazonlinux2 for Amazon Linux workloads. For custom toolchains, specify your own ECR image. CodeBuild supports compute types from BUILD_GENERAL1_SMALL (3 GB RAM) to BUILD_GENERAL1_2XLARGE (145 GB RAM) — right-sizing prevents both OOM failures and wasted spend.

Caching is critical for build speed. Local caching reuses the build container's filesystem across builds on the same host. S3 caching persists across hosts but adds download time. Cache Maven/Gradle repos, node_modules, and Docker layers to cut build times by 40-60%.

Exam Trap: CodeBuild's buildspec.yml can reference secrets from Secrets Manager and Parameter Store in the env section — but the CodeBuild service role must have secretsmanager:GetSecretValue or ssm:GetParameters permissions. A missing IAM permission here causes builds to fail at the install phase with a cryptic "access denied" error.
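The check below is an added example, not part of the original lesson or of any AWS tooling: it lists which env references in a buildspec the CodeBuild service role's policy does not cover, so the missing permission is caught before a build fails. The account ID, region, parameter-store entry, sample policy and all function names are constructed for illustration, and only Allow statements are evaluated (Deny and Condition are ignored).

```python
from fnmatch import fnmatchcase

# Constructed sample: parsed env section of the buildspec above, plus a hypothetical parameter.
ENV = {
    "secrets-manager": {"DB_PASSWORD": "prod/db:password"},
    "parameter-store": {"API_URL": "/prod/api/url"},
}
# Constructed service-role policy: covers the parameter but not the secret.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:GetParameters"],
     "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/prod/*"},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def required_access(env, region, account):
    """Yield (env var, IAM action, concrete ARN) for each env reference."""
    for var, ref in env.get("secrets-manager", {}).items():
        if ref.startswith("arn:"):
            arn = ":".join(ref.split(":")[:7])  # full ARN, drop :json-key...
        else:
            name = ref.split(":")[0]            # drop :json-key:stage:version
            # Secrets Manager appends "-" plus 6 random characters to the name.
            arn = f"arn:aws:secretsmanager:{region}:{account}:secret:{name}-XXXXXX"
        yield var, "secretsmanager:GetSecretValue", arn
    for var, name in env.get("parameter-store", {}).items():
        yield var, "ssm:GetParameters", (
            f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}")

def allowed(policy, action, arn):
    """True if an Allow statement matches (Deny/Condition are not evaluated)."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        act_ok = any(fnmatchcase(action.lower(), a.lower())
                     for a in as_list(stmt.get("Action", [])))
        res_ok = any(fnmatchcase(arn, r) for r in as_list(stmt.get("Resource", [])))
        if act_ok and res_ok:
            return True
    return False

def missing_access(env, policy, region, account):
    return [(var, action, arn)
            for var, action, arn in required_access(env, region, account)
            if not allowed(policy, action, arn)]

if __name__ == "__main__":
    print(missing_access(ENV, POLICY, "us-east-1", "111122223333"))
```

Scoping the secret's Resource to the name followed by `-??????` keeps the grant limited to that one secret instead of `*`.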

Written by Alvin Varughese • Founder • 15 professional certifications