├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── backend.tf
├── buildspec-apply.yaml
├── buildspec-plan.yaml
├── iam.tf
├── lambda
    ├── main.py
    └── main.zip
├── main.tf
├── provider.tf
└── variable.tf


/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | ## Code of Conduct
2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
4 | opensource-codeofconduct@amazon.com with any additional questions or comments.
5 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing Guidelines
 2 | 
 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
 4 | documentation, we greatly value feedback and contributions from our community.
 5 | 
 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
 7 | information to effectively respond to your bug report or contribution.
 8 | 
 9 | 
10 | ## Reporting Bugs/Feature Requests
11 | 
12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features.
13 | 
14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
16 | 
17 | * A reproducible test case or series of steps
18 | * The version of our code being used
19 | * Any modifications you've made relevant to the bug
20 | * Anything unusual about your environment or deployment
21 | 
22 | 
23 | ## Contributing via Pull Requests
24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
25 | 
26 | 1. You are working against the latest source on the *main* branch.
27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
29 | 
30 | To send us a pull request, please:
31 | 
32 | 1. Fork the repository.
33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
34 | 3. Ensure local tests pass.
35 | 4. Commit to your fork using clear commit messages.
36 | 5. Send us a pull request, answering any default questions in the pull request interface.
37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
38 | 
39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
41 | 
42 | 
43 | ## Finding contributions to work on
44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.
45 | 
46 | 
47 | ## Code of Conduct
48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
50 | opensource-codeofconduct@amazon.com with any additional questions or comments.
51 | 
52 | 
53 | ## Security issue notifications
54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
55 | 
56 | 
57 | ## Licensing
58 | 
59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
60 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT No Attribution
 2 | 
 3 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of
 6 | this software and associated documentation files (the "Software"), to deal in
 7 | the Software without restriction, including without limitation the rights to
 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 9 | the Software, and to permit persons to whom the Software is furnished to do so.
10 | 
11 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
12 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
13 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
14 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
15 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
16 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
17 | 
18 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # aws-codebuild-terraform
 2 | 
 3 | This repo was created as part of the blog - "Best practices for managing Terraform State files in AWS CI/CD Pipeline" 
 4 | 
 5 | ## Best Practices for handling state files
 6 | 
 7 | The recommended practice for managing state files is to use terraform’s built-in support for remote backends.
 8 | 
 9 | Remote backend on Amazon Simple Storage Service (Amazon S3): 
10 | You can configure terraform to store state files in an Amazon S3 bucket which provides a durable and scalable storage solution for your state files. Storing on Amazon S3 also enables collaboration that allows you to share state file with others.
11 | 
12 | Remote backend on Amazon S3 with Amazon DynamoDB: 
13 | In addition to using an Amazon S3 bucket for managing the files, you can use an Amazon DynamoDB table to lock the state file so that only one person can modify a particular state file at any given time. This will help to avoid conflicts and enable safe concurrent access to the state file.
14 | 
15 | When deploying terraform on AWS, the preferred choice of managing state is using Amazon S3 with Amazon DynamoDB.
16 | 
17 | ## AWS configurations for managing state files
18 | 
19 | 1. Create an Amazon S3 bucket using terraform. Implement security measures for Amazon S3 bucket by creating an AWS Identity and Access Management (AWS IAM) policy or Amazon S3 Bucket Policy for restricting access, configuring object versioning for data protection and recovery, and enabling AES256 encryption with SSE-KMS for encryption control.
20 | 
21 | 2. Next create an Amazon DynamoDB table using terraform with Primary key set to LockID and any additional configuration options such as read/write capacity units. Once the table is created, you will configure the terraform backend to use it for state locking by specifying the table name in the terraform block of your configuration.
22 | 
23 | 3. For a single AWS account with multiple environments and projects, you can use a single Amazon S3 bucket. If you have multiple applications in multiple environments across multiple AWS accounts, you can create one Amazon S3 bucket for each account. In that Amazon S3 bucket, you can create appropriate folders for each environment, storing project state files with specific prefixes.
24 | 
25 | This repo will explain how you can manage terraform state files efficiently in your Continuous Integration pipeline in AWS when used with AWS Developer Tools like AWS CodeCommit and AWS CodeBuild. 
26 | 
27 | 
28 | 


--------------------------------------------------------------------------------
/backend.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   backend "s3" {
 3 |     bucket         = "tfbackend-bucket"
 4 |     key            = "terraform.tfstate"
 5 |     region         = "eu-central-1"
 6 |     dynamodb_table = "tfstate-lock"
 7 |     encrypt        = true
 8 |   }
 9 | }
10 | 


--------------------------------------------------------------------------------
/buildspec-apply.yaml:
--------------------------------------------------------------------------------
 1 | version: 0.2
 2 | phases:
 3 |   pre_build:
 4 |     commands:
 5 |       - terraform init
 6 |       - terraform validate
 7 |  
 8 |   build:
 9 |     commands:
10 |       - terraform apply -auto-approve
11 | 
12 |   post_build:
13 |     commands:
14 |       - echo "Terraform apply completed on `date`"
15 | 


--------------------------------------------------------------------------------
/buildspec-plan.yaml:
--------------------------------------------------------------------------------
 1 | version: 0.2
 2 | phases:
 3 |   pre_build:
 4 |     commands:
 5 |       - terraform init
 6 |       - terraform validate
 7 |  
 8 |   build:
 9 |     commands:
10 |       - terraform plan
11 | 
12 |   post_build:
13 |     commands:
14 |       - echo "Terraform plan completed on `date`"
15 | 


--------------------------------------------------------------------------------
/iam.tf:
--------------------------------------------------------------------------------
  1 | #### CodeBuild permissions
  2 | 
  3 | data "aws_iam_policy_document" "codebuild_policy_document" {
  4 |   statement {
  5 |     actions   = ["logs:*"]
  6 |     resources = ["arn:aws:logs:*:*:*"]
  7 |     effect    = "Allow"
  8 |   }
  9 |   statement {
 10 |     actions = [
 11 |       "s3:List*",
 12 |       "s3:Get*",
 13 |       "s3:Put*",
 14 |       "s3:DeleteObject",
 15 |       "s3:DeleteObjectVersion"
 16 |     ]
 17 |     resources = [
 18 |       "${aws_s3_bucket.s3_bucket_backend.arn}/*",
 19 |       "${aws_s3_bucket.s3_bucket_backend.arn}"
 20 |     ]
 21 |     effect = "Allow"
 22 |   }
 23 |   statement {
 24 |     effect = "Allow"
 25 |     actions = [
 26 |       "dynamodb:BatchGetItem",
 27 |       "dynamodb:Query",
 28 |       "dynamodb:PutItem",
 29 |       "dynamodb:UpdateItem",
 30 |       "dynamodb:DeleteItem",
 31 |       "dynamodb:BatchWriteItem",
 32 |       "dynamodb:Describe*",
 33 |       "dynamodb:Get*",
 34 |       "dynamodb:List*"
 35 |     ]
 36 |     resources = ["${aws_dynamodb_table.dynamodb_tfstate_lock.arn}"]
 37 |   }
 38 | }
 39 | 
 40 | resource "aws_iam_policy" "codebuild_policy" {
 41 |   name   = var.codebuild_policy_name
 42 |   path   = "/"
 43 |   policy = data.aws_iam_policy_document.codebuild_policy_document.json
 44 | }
 45 | 
 46 | resource "aws_iam_role" "codebuild_role" {
 47 |   name = var.codebuild_role_name
 48 | 
 49 |   assume_role_policy = <<EOF
 50 | {
 51 |   "Version": "2012-10-17",
 52 |   "Statement": [
 53 |     {
 54 |       "Action": "sts:AssumeRole",
 55 |       "Principal": {
 56 |         "Service": "codebuild.amazonaws.com"
 57 |       },
 58 |       "Effect": "Allow",
 59 |       "Sid": ""
 60 |     }
 61 |   ]
 62 | }
 63 | EOF
 64 | }
 65 | 
 66 | resource "aws_iam_role_policy_attachment" "codebuild_policy_attachment1" {
 67 |   policy_arn = aws_iam_policy.codebuild_policy.arn
 68 |   role       = aws_iam_role.codebuild_role.id
 69 | }
 70 | 
 71 | resource "aws_iam_role_policy_attachment" "codebuild_policy_attachment2" {
 72 |   policy_arn = "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 73 |   role       = aws_iam_role.codebuild_role.id
 74 | }
 75 | 
 76 | resource "aws_iam_role_policy_attachment" "codebuild_policy_attachment3" {
 77 |   policy_arn = "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess"
 78 |   role       = aws_iam_role.codebuild_role.id
 79 | }
 80 | 
 81 | resource "aws_iam_role_policy_attachment" "codebuild_policy_attachment4" {
 82 |   policy_arn = "arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess"
 83 |   role       = aws_iam_role.codebuild_role.id
 84 | }
 85 | 
 86 | #### Lambda permissions
 87 | 
 88 | data "aws_iam_policy_document" "lambda_assume_role" {
 89 |   statement {
 90 |     sid     = "LambdaTrustPolicy"
 91 |     effect  = "Allow"
 92 |     actions = ["sts:AssumeRole"]
 93 |     principals {
 94 |       type        = "Service"
 95 |       identifiers = ["lambda.amazonaws.com"]
 96 |     }
 97 |   }
 98 | }
 99 | 
100 | data "aws_iam_policy_document" "lambda_policy_document" {
101 |   statement {
102 |     sid    = "LambdaPolicy"
103 |     effect = "Allow"
104 |     actions = [
105 |       "logs:PutLogEvents",
106 |       "logs:CreateLogGroup",
107 |       "logs:CreateLogStream",
108 |     ]
109 |     resources = ["arn:aws:logs:${var.aws_region}:*:*"]
110 |   }
111 | }
112 | 
113 | resource "aws_iam_role" "lambda_role" {
114 |   name               = var.lambda_role_name
115 |   assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
116 | }
117 | 
118 | resource "aws_iam_policy" "lambda_policy" {
119 |   name   = var.lambda_policy_name
120 |   policy = data.aws_iam_policy_document.lambda_policy_document.json
121 | }
122 | 
123 | resource "aws_iam_role_policy_attachment" "lambda_policy_attachment" {
124 |   role       = aws_iam_role.lambda_role.name
125 |   policy_arn = aws_iam_policy.lambda_policy.arn
126 | }
127 | 


--------------------------------------------------------------------------------
/lambda/main.py:
--------------------------------------------------------------------------------
1 | import json
2 | 
3 | def lambda_handler(event, context):
4 |     return {
5 |         'statusCode': 200,
6 |         'body': json.dumps('Hello from AWS Lambda !')
7 |     }
8 | 


--------------------------------------------------------------------------------
/lambda/main.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/manage-terraform-statefiles-in-aws-pipeline/45822f13a2994166a3d79a169be97b3056169c97/lambda/main.zip


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
  1 | #### S3
  2 | 
  3 | resource "aws_s3_bucket" "s3_bucket_backend" {
  4 |   #checkov:skip=CKV_AWS_145: Lifecycle configuration not required for TF state bucket
  5 |   #checkov:skip=CKV2_AWS_61: Lifecycle configuration not required for TF state bucket
  6 |   #checkov:skip=CKV_AWS_144: Cross-region replication not required for TF state bucket
  7 |   #checkov:skip=CKV2_AWS_62: Event notifications not required for TF state bucket
  8 |   #checkov:skip=CKV_AWS_145: No KMS encryption needed for TF state bucket
  9 |   #checkov:skip=CKV_AWS_21: No versioning needed for TF state bucket
 10 |   #checkov:skip=CKV_AWS_18: No logging needed for TF state bucket
 11 |   bucket = var.s3_bucket_name
 12 | }
 13 | 
 14 | resource "aws_s3_bucket_acl" "s3_bucket_backend_acl" {
 15 |   depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
 16 |   bucket     = aws_s3_bucket.s3_bucket_backend.id
 17 |   acl        = "private"
 18 | }
 19 | 
 20 | resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
 21 |   bucket = aws_s3_bucket.s3_bucket_backend.id
 22 |   rule {
 23 |     object_ownership = "ObjectWriter"
 24 |   }
 25 | }
 26 | 
 27 | resource "aws_s3_bucket_versioning" "s3_bucket_version" {
 28 |   bucket = aws_s3_bucket.s3_bucket_backend.id
 29 |   versioning_configuration {
 30 |     status = "Enabled"
 31 |   }
 32 | }
 33 | 
 34 | resource "aws_s3_object" "terraform_folder" {
 35 |   bucket = aws_s3_bucket.s3_bucket_backend.id
 36 |   key    = "terraform.tfstate"
 37 | }
 38 | 
 39 | resource "aws_s3_bucket_public_access_block" "s3_bucket_access" {
 40 |   bucket                  = aws_s3_bucket.s3_bucket_backend.bucket
 41 |   block_public_acls       = true
 42 |   block_public_policy     = true
 43 |   ignore_public_acls      = true
 44 |   restrict_public_buckets = true
 45 | }
 46 | 
 47 | #### CodeCommit
 48 | 
 49 | resource "aws_codecommit_repository" "codecommit_repo" {
 50 |   #checkov:skip=CKV2_AWS_37: CodeCommit approval step not needed
 51 |   repository_name = "codebuild-terraform"
 52 |   description     = "Repository for application source code"
 53 | }
 54 | 
 55 | #### CodeBuild
 56 | 
 57 | resource "aws_codebuild_project" "codebuild_project_plan" {
 58 |   name         = var.codebuild_plan_project_name
 59 |   description  = "Terraform plan for deploying lambda"
 60 |   service_role = aws_iam_role.codebuild_role.arn
 61 | 
 62 |   artifacts {
 63 |     type = "NO_ARTIFACTS"
 64 |   }
 65 | 
 66 |   environment {
 67 |     compute_type = var.compute_type
 68 |     image        = var.image
 69 |     type         = var.container_type
 70 |   }
 71 | 
 72 |   source {
 73 |     type            = "CODECOMMIT"
 74 |     buildspec       = var.buildspec_plan
 75 |     location        = aws_codecommit_repository.codecommit_repo.clone_url_http
 76 |     git_clone_depth = 0
 77 |   }
 78 | 
 79 |   logs_config {
 80 |     cloudwatch_logs {
 81 |       group_name  = var.codebuild_plan_loggroup_name
 82 |       stream_name = var.codebuild_plan_stream_name
 83 |     }
 84 |   }
 85 | }
 86 | 
 87 | resource "aws_codebuild_project" "codebuild_project_apply" {
 88 |   name         = var.codebuild_apply_project_name
 89 |   description  = "Terraform apply for deploying lambda"
 90 |   service_role = aws_iam_role.codebuild_role.arn
 91 | 
 92 |   artifacts {
 93 |     type = "NO_ARTIFACTS"
 94 |   }
 95 | 
 96 |   environment {
 97 |     compute_type = var.compute_type
 98 |     image        = var.image
 99 |     type         = var.container_type
100 |   }
101 | 
102 |   source {
103 |     type            = "CODECOMMIT"
104 |     buildspec       = var.buildspec_apply
105 |     location        = aws_codecommit_repository.codecommit_repo.clone_url_http
106 |     git_clone_depth = 0
107 |   }
108 | 
109 |   logs_config {
110 |     cloudwatch_logs {
111 |       group_name  = var.codebuild_apply_loggroup_name
112 |       stream_name = var.codebuild_apply_stream_name
113 |     }
114 |   }
115 | }
116 | 
117 | #### Lambda
118 | 
119 | # Commented for the first run, uncomment it in your second run when you prepare your application
120 | 
121 | # data "archive_file" "lambda_archive_file" {
122 | #   type        = "zip"
123 | #   source_dir  = "${path.module}/lambda/"
124 | #   output_path = "${path.module}/lambda/main.zip"
125 | # }
126 | 
127 | # resource "aws_lambda_function" "lambda" {
128 | #   #checkov:skip=CKV_AWS_50: X-ray tracing not required
129 | #   #checkov:skip=CKV_AWS_115: This lambda function doesnt need function-level concurrent execution limit
130 | #   #checkov:skip=CKV_AWS_117: This lambda function doesnt need to access any resources within VPC
131 | #   #checkov:skip=CKV_AWS_116: Dead Letter Queue(DLQ) not required for this lambda
132 | #   #checkov:skip=CKV_AWS_173: Lambda stores environment variables securely by encrypting them at rest
133 | #   #checkov:skip=CKV_AWS_272: code-signing not needed
134 | #   description      = "Sample Lambda function"
135 | #   filename         = join("", data.archive_file.lambda_archive_file.*.output_path)
136 | #   function_name    = "tf-codebuild"
137 | #   role             = aws_iam_role.lambda_role.arn
138 | #   handler          = "main.lambda_handler"
139 | #   source_code_hash = join("", data.archive_file.lambda_archive_file.*.output_base64sha256)
140 | #   runtime          = "python3.9"
141 | # }
142 | 
143 | #### DynamoDB
144 | 
145 | resource "aws_dynamodb_table" "dynamodb_tfstate_lock" {
146 |   #checkov:skip=CKV2_AWS_16: Auto Scaling not required for TF state bucket
147 |   #checkov:skip=CKV_AWS_28: Dynamodb point in time recovery not required for TF state bucket
148 |   #checkov:skip=CKV_AWS_119: KMS Customer Managed CMK not required for TF state bucket
149 |   name           = "tfstate-lock"
150 |   hash_key       = "LockID"
151 |   read_capacity  = 20
152 |   write_capacity = 20
153 | 
154 |   attribute {
155 |     name = "LockID"
156 |     type = "S"
157 |   }
158 | 
159 |   server_side_encryption {
160 |     enabled = true
161 |   }
162 | 
163 | }
164 | 
165 | #### Cloudwatch log group
166 | 
167 | resource "aws_cloudwatch_log_group" "lambda_loggroup" {
168 |   name              = "/aws/lambda/logs"
169 |   retention_in_days = 14
170 | }
171 | 
172 | resource "aws_cloudwatch_log_group" "codebuild_loggroup" {
173 |   name              = "/aws/codebuild/logs"
174 |   retention_in_days = 14
175 | }
176 | 
177 | 


--------------------------------------------------------------------------------
/provider.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 |   region = var.aws_region
3 | }
4 | 


--------------------------------------------------------------------------------
/variable.tf:
--------------------------------------------------------------------------------
 1 | variable "aws_region" {
 2 |   type    = string
 3 |   default = "eu-central-1"
 4 | }
 5 | 
 6 | variable "codecommit_repository_url" {
 7 |   type    = string
 8 |   default = "https://git-codecommit.eu-central-1.amazonaws.com/v1/repos/codebuild-terraform"
 9 | }
10 | 
11 | variable "s3_bucket_name" {
12 |   type    = string
13 |   default = "tfbackend-bucket"
14 | }
15 | 
16 | variable "compute_type" {
17 |   type    = string
18 |   default = "BUILD_GENERAL1_SMALL"
19 | }
20 | 
21 | variable "image" {
22 |   type    = string
23 |   default = "hashicorp/terraform:latest"
24 | }
25 | 
26 | variable "container_type" {
27 |   type    = string
28 |   default = "LINUX_CONTAINER"
29 | }
30 | 
31 | variable "codebuild_role_name" {
32 |   type    = string
33 |   default = "codebuild_tf_role"
34 | }
35 | 
36 | variable "codebuild_policy_name" {
37 |   type    = string
38 |   default = "codebuild_tf_policy"
39 | }
40 | 
41 | variable "codebuild_plan_project_name" {
42 |   type    = string
43 |   default = "codebuild_tf_plan"
44 | }
45 | 
46 | variable "codebuild_apply_project_name" {
47 |   type    = string
48 |   default = "codebuild_tf_apply"
49 | }
50 | 
51 | variable "buildspec_plan" {
52 |   type    = string
53 |   default = "buildspec-plan.yaml"
54 | }
55 | 
56 | variable "buildspec_apply" {
57 |   type    = string
58 |   default = "buildspec-apply.yaml"
59 | }
60 | 
61 | variable "lambda_role_name" {
62 |   type    = string
63 |   default = "lambda_tf_role"
64 | }
65 | 
66 | variable "lambda_policy_name" {
67 |   type    = string
68 |   default = "lambda_tf_policy"
69 | }
70 | 
71 | variable "codebuild_plan_loggroup_name" {
72 |   type    = string
73 |   default = "codebuild-plan-loggroup"
74 | }
75 | 
76 | variable "codebuild_plan_stream_name" {
77 |   type    = string
78 |   default = "codebuild-plan-stream"
79 | }
80 | 
81 | variable "codebuild_apply_loggroup_name" {
82 |   type    = string
83 |   default = "codebuild-apply-loggroup"
84 | }
85 | 
86 | variable "codebuild_apply_stream_name" {
87 |   type    = string
88 |   default = "codebuild-apply-stream"
89 | }
90 | 
91 | 
92 | 


--------------------------------------------------------------------------------