Periodic update - May 7, 2019

Author: markiver

doc_source/auth-and-access-control-iam-identity-based-access-control.md

@@ -311,7 +311,7 @@ The following example policy statement allows a user to get information about al
 
 ### Allow CodeBuild Access to AWS Services Required to Create a VPC Network Interface<a name="customer-managed-policies-example-create-vpc-network-interface"></a>
 
-The following example policy statement grants AWS CodeBuild permission to create a network interface in an Amazon VPC:
+The following example policy statement grants AWS CodeBuild permission to create a network interface in an Amazon VPC with two subnets:
 
 ```
 {
@@ -335,11 +335,12 @@ The following example policy statement grants AWS CodeBuild permission to create
             "Action": [
                 "ec2:CreateNetworkInterfacePermission"
             ],
-            "Resource": "arn:aws:ec2:{{region}}:{{account-id}}:network-interface/*",
+            "Resource": "arn:aws:ec2:region:account-id:network-interface/*",
             "Condition": {
                 "StringEquals": {
                     "ec2:Subnet": [
-                        "arn:aws:ec2:{{region}}:{{account-id}}:subnet/[[subnets]]"
+                        "arn:aws:ec2:region:account-id:subnet/subnet-id-1",
+                        "arn:aws:ec2:region:account-id:subnet/subnet-id-2"
                     ],
                     "ec2:AuthorizedService": "codebuild.amazonaws.com"
                 }

doc_source/build-caching.md

@@ -82,7 +82,7 @@ CodeBuildProject:
       Environment:
         Type: LINUX_CONTAINER
         ComputeType: BUILD_GENERAL1_SMALL
-        Image: aws/codebuild/standard:1.0
+        Image: aws/codebuild/standard:2.0
         Certificate: bucket/cert.zip
         # PrivilegedMode must be true if you specify LOCAL_DOCKER_LAYER_CACHE
         PrivilegedMode: true

doc_source/build-env-ref-available.md

@@ -7,21 +7,22 @@ AWS CodeBuild manages the following Docker images that are available in the Code
 
 | Platform | Programming language or framework | Image identifier | Definition | 
 | --- | --- | --- | --- | 
+| Ubuntu 18\.04 | \(Standard image\) | aws/codebuild/standard:2\.0 | [ubuntu/standard/2\.0](https://github.com/aws/aws-codebuild-docker-images/tree/master/ubuntu/standard/2.0) | 
 | Ubuntu 18\.04 | \(Standard image\) | aws/codebuild/standard:1\.0 | [ubuntu/standard/1\.0](https://github.com/aws/aws-codebuild-docker-images/tree/master/ubuntu/standard/1.0) | 
 | Windows Server Core 2016 | \(Base Image\) | aws/codebuild/windows\-base:1\.0 | N/A | 
 
- The standard image of the Ubuntu 18\.04 platform contains the following programming languages: 
+ The standard image of the Ubuntu 18\.04 platform contains the following programming languages\. If you use the Ubuntu Standard image 2\.0, you can specify your runtime in the `runtime-versions` section of your buildspec file\. For more information, see [Specify Runtime Versions in the Buildspec File](build-spec-ref.md#runtime-versions-buildspec-file)\. 
 
 
 ****  
 
-| Programming language | Runtime version | 
+| Programming language | Runtime version/versions | 
 | --- | --- | 
 | Ruby | 2\.x | 
 | Python | 3\.x | 
 | PHP | 7\.x | 
-| Node | 10\.x | 
-| Java | 8 | 
+| Node | 8\.x, 10\.x | 
+| Java | 8, 11 | 
 | Golang | 1\.x | 
 | \.NET Core | 2\.x | 
 | Docker | 18\.x | 

doc_source/build-env-ref-env-vars.md

@@ -5,7 +5,7 @@ AWS CodeBuild provides several environment variables that you can use in your bu
 + `AWS_REGION`: The AWS Region where the build is running \(for example, `us-east-1`\)\. This environment variable is used primarily by the AWS SDKs\.
 + `CODEBUILD_BUILD_ARN`: The Amazon Resource Name \(ARN\) of the build \(for example, `arn:aws:codebuild:region-ID:account-ID:build/codebuild-demo-project:b1e6661e-e4f2-4156-9ab9-82a19EXAMPLE`\)\.
 + `CODEBUILD_BUILD_ID`: The CodeBuild ID of the build \(for example, `codebuild-demo-project:b1e6661e-e4f2-4156-9ab9-82a19EXAMPLE`\)\.
-+ `CODEBUILD_BUILD_IMAGE`: The CodeBuild build image identifier \(for example, `aws/codebuild/standard:1.0`\)\.
++ `CODEBUILD_BUILD_IMAGE`: The CodeBuild build image identifier \(for example, `aws/codebuild/standard:2.0`\)\.
 + `CODEBUILD_BUILD_SUCCEEDING`: Whether the current build is succeeding\. Set to `0` if the build is failing, or `1` if the build is succeeding\.
 + `CODEBUILD_INITIATOR`: The entity that started the build\. If CodePipeline started the build, this is the pipeline's name \(for example, `codepipeline/my-demo-pipeline`\)\. If an IAM user started the build, this is the user's name \(for example, `MyUserName`\)\. If the Jenkins plugin for CodeBuild started the build, this is the string `CodeBuild-Jenkins-Plugin`\.
 + `CODEBUILD_KMS_KEY_ID`: The identifier of the AWS KMS key that CodeBuild is using to encrypt the build output artifact \(for example, `arn:aws:kms:region-ID:account-ID:key/key-ID` or `alias/key-alias`\)\.

doc_source/build-spec-ref.md

@@ -27,6 +27,9 @@ To override the default build spec file name, location, or both, do one of the f
 
 Build spec files must be expressed in [YAML](http://yaml.org/) format\.
 
+**Important**  
+If you use the Ubuntu standard image 2\.0 or later, you must specify `runtime-versions` in your buildspec file\. For more information, see [Specify Runtime Versions in the Buildspec File](#runtime-versions-buildspec-file)\.
+
 The build spec has the following syntax:
 
 ```
@@ -45,6 +48,9 @@ env:
 phases:
   install:
     run-as: Linux-user-name
+    runtime-versions:
+      runtime: version
+      runtime: version
     commands:
       - command
       - command
@@ -132,8 +138,24 @@ In build spec version 0\.1, CodeBuild runs each command in a separate instance o
   + `run-as`: Optional sequence\. Use in a build phase to specify a Linux user that runs its commands\. If `run-as` is also specified globally for all commands at the top of the buildspec file, then the phase\-level user takes precedence\. For example, if globally `run-as` specifies User\-1, and for the `install` phase only a `run-as` statement specifies User\-2, then all commands in then buildspec file are run as User\-1 *except* commands in the `install` phase, which are run as User\-2\.
 
   The allowed build phase names are:
-  + `install`: Optional sequence\. Represents the commands, if any, that CodeBuild runs during installation\. We recommend that you use the `install` phase only for installing packages in the build environment\. For example, you might use this phase to install a code testing framework such as Mocha or RSpec\.
-    + `commands`: Required sequence if `install` is specified\. Contains a sequence of scalars, where each scalar represents a single command that CodeBuild runs during installation\. CodeBuild runs each command, one at a time, in the order listed, from beginning to end\.
+  + `install`: Optional sequence\. Represents the commands, if any, that CodeBuild runs during installation\. We recommend that you use the `install` phase only for installing packages in the build environment\. For example, you might use this phase to install a code testing framework such as Mocha or RSpec\.<a name="runtime-versions-buildspec-file"></a>
+    + <a name="runtime-versions-in-build-spec"></a> `runtime-versions`: Required if using the Ubuntu Standard Image 2\.0\. A runtime version is not supported with a custom image or the Ubuntu Standard Image 1\.0\. If specified, at least one runtime must be included in this section\. Specify a runtime using a major version only, such as "java: openjdk11" or "ruby: 2\.6\." You can specify the runtime using a number or an environment variable\. For example, the following specifies that version 8 of `openjdk`, version 28 of `android`, and a version contained in an environment variable of `ruby` is installed\. For more information, see [Docker Images Provided by CodeBuild](build-env-ref-available.md)\. 
+**Note**  
+If you specify a `runtime-versions` section and use an image other than Ubuntu Standard Image 2\.0 or later, the build fails\.
+
+      ```
+      phases:
+        install:
+          runtime-versions:
+            java: openjdk8
+            android: 28
+            ruby: "$MY_RUBY_VAR"
+      ```
+      +  Some runtimes must include specific versions of other runtimes\. If a required runtime is not specified, the build fails\. For example, `android` version 28 requires version 8 of `openjdk`\. If `android: 28` is specified, and `openjdk: 8` is not, the build fails\.
+      + If two specified runtimes conflict, the build fails\. For example, `android: 8` and `java: openjdk11` conflict, so if both are specified, the build fails\.
+      +  The following runtimes can be specified\.     
+[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html)
+    + `commands`: Required sequence unless you specify `runtime-versions`\. Optional if you specify `runtime-versions`\. Contains a sequence of scalars, where each scalar represents a single command that CodeBuild runs during installation\. CodeBuild runs each command, one at a time, in the order listed, from beginning to end\.
   + `pre_build`: Optional sequence\. Represents the commands, if any, that CodeBuild runs before the build\. For example, you might use this phase to sign in to Amazon ECR, or you might install npm dependencies\. 
     + `commands`: Required sequence if `pre_build` is specified\. Contains a sequence of scalars, where each scalar represents a single command that CodeBuild runs before the build\. CodeBuild runs each command, one at a time, in the order listed, from beginning to end\.
   + `build`: Optional sequence\. Represents the commands, if any, that CodeBuild runs during the build\. For example, you might use this phase to run Mocha, RSpec, or sbt\.

doc_source/change-project.md

@@ -58,7 +58,8 @@ When you use the console to create or update a build project, you can create a C
 **Important**  
 We recommend that you store parameters in Amazon EC2 Systems Manager Parameter Store with parameter names that start with `/CodeBuild/` \(for example, `/CodeBuild/dockerLoginPassword`\)\. You can use the CodeBuild console to create a parameter in Amazon EC2 Systems Manager\. Choose **Create a parameter**, and then follow the instructions\. \(In that dialog box, for **KMS key**, you can optionally specify the ARN of an AWS KMS key in your account\. Amazon EC2 Systems Manager uses this key to encrypt the parameter's value during storage and decrypt during retrieval\.\) If you use the CodeBuild console to create a parameter, the console starts the parameter name with `/CodeBuild/` as it is being stored\. For more information, see [Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html) and [Systems Manager Parameter Store Console Walkthrough](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-walk.html#sysman-paramstore-console) in the *Amazon EC2 Systems Manager User Guide*\.  
 If your build project refers to parameters stored in Amazon EC2 Systems Manager Parameter Store, the build project's service role must allow the `ssm:GetParameters` action\. If you chose **Create a service role in your account** earlier, then CodeBuild includes this action in the default service role for your build project automatically\. However, if you chose **Choose an existing service role from your account**, then you must include this action to your service role separately\.  
-If your build project refers to parameters stored in Amazon EC2 Systems Manager Parameter Store with parameter names that do not start with `/CodeBuild/`, and you chose **Create a service role in your account**, then you must update that service role to allow access to parameter names that do not start with `/CodeBuild/`\. This is because that service role allows access only to parameter names that start with `/CodeBuild/`\.  
+If your build project refers to parameters stored in Amazon EC2 Systems Manager Parameter Store with parameter names that do not start with `/CodeBuild/`, and you chose **Create a service role in your account**, then you must update that service role to allow access to parameter names that do not start with `/CodeBuild/`\. This is because that service role allows access only to parameter names that start with `/CodeBuild/`\.   
+If you choose **Create a service role in your account**, the created service role includes permission to decrypt all parameters under the `/CodeBuild/` namespace in the Amazon EC2 Systems Manager Parameter Store\.  
 Environment variables you set replace existing environment variables\. For example, if the Docker image already contains an environment variable named `MY_VAR` with a value of `my_value`, and you set an environment variable named `MY_VAR` with a value of `other_value`, then `my_value` is replaced by `other_value`\. Similarly, if the Docker image already contains an environment variable named `PATH` with a value of `/usr/local/sbin:/usr/local/bin`, and you set an environment variable named `PATH` with a value of `$PATH:/usr/share/ant/bin`, then `/usr/local/sbin:/usr/local/bin` is replaced by the literal value `$PATH:/usr/share/ant/bin`\.  
 Do not set any environment variable with a name that begins with `CODEBUILD_`\. This prefix is reserved for internal use\.  
 If an environment variable with the same name is defined in multiple places, its value is determined as follows:  

doc_source/create-project.md

@@ -100,6 +100,7 @@ IMAGE\_TAG
 We recommend that you store parameters in Amazon EC2 Systems Manager Parameter Store with parameter names that start with `/CodeBuild/` \(for example, `/CodeBuild/dockerLoginPassword`\)\. You can use the CodeBuild console to create a parameter in Amazon EC2 Systems Manager\. Choose **Create parameter**, and then follow the instructions in the dialog box\. \(In that dialog box, for **KMS key**, you can optionally specify the ARN of an AWS KMS key in your account\. Amazon EC2 Systems Manager uses this key to encrypt the parameter's value during storage and decrypt during retrieval\.\) If you use the CodeBuild console to create a parameter, the console starts the parameter name with `/CodeBuild/` as it is being stored\. For more information, see [Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html) and [Systems Manager Parameter Store Console Walkthrough](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-walk.html#sysman-paramstore-console) in the *Amazon EC2 Systems Manager User Guide*\.  
 If your build project refers to parameters stored in Amazon EC2 Systems Manager Parameter Store, the build project's service role must allow the `ssm:GetParameters` action\. If you chose **New service role** earlier, then CodeBuild includes this action in the default service role for your build project automatically\. However, if you chose **Existing service role**, then you must include this action to your service role separately\.  
 If your build project refers to parameters stored in Amazon EC2 Systems Manager Parameter Store with parameter names that do not start with `/CodeBuild/`, and you chose **New service role**, then you must update that service role to allow access to parameter names that do not start with `/CodeBuild/`\. This is because that service role allows access only to parameter names that start with `/CodeBuild/`\.  
+If you choose **Create a service role in your account**, the created service role includes permission to decrypt all parameters under the `/CodeBuild/` namespace in the Amazon EC2 Systems Manager Parameter Store\.  
 Environment variables you set replace existing environment variables\. For example, if the Docker image already contains an environment variable named `MY_VAR` with a value of `my_value`, and you set an environment variable named `MY_VAR` with a value of `other_value`, then `my_value` is replaced by `other_value`\. Similarly, if the Docker image already contains an environment variable named `PATH` with a value of `/usr/local/sbin:/usr/local/bin`, and you set an environment variable named `PATH` with a value of `$PATH:/usr/share/ant/bin`, then `/usr/local/sbin:/usr/local/bin` is replaced by the literal value `$PATH:/usr/share/ant/bin`\.  
 Do not set any environment variable with a name that begins with `CODEBUILD_`\. This prefix is reserved for internal use\.  
 If an environment variable with the same name is defined in multiple places, the value is determined as follows:  
@@ -413,7 +414,7 @@ If you are using a region other than us\-east\-1, be sure to use it when you run
 If you are using a region other than us\-east\-1, be sure to use it when you run the command\.
    + For the required `environment` object, information about this project's build environment settings\. These settings include: 
      + *environment\-type*: Required value\. The type of build environment\. Valid values are `LINUX_CONTAINER` and `WINDOWS_CONTAINER`\.
-     + *image*: Required value\. The Docker image identifier used by this build environment\. Typically, this identifier is expressed as *image\-name*:*tag*\. For example, in the Docker repository that CodeBuild uses to manage its Docker images, this could be `aws/codebuild/standard:1.0`\. In Docker Hub, `maven:3.3.9-jdk-8`\. In Amazon ECR, `account-id.dkr.ecr.region-id.amazonaws.com/your-Amazon-ECR-repo-name:tag`\. For more information, see [Docker Images Provided by CodeBuild](build-env-ref-available.md)\. 
+     + *image*: Required value\. The Docker image identifier used by this build environment\. Typically, this identifier is expressed as *image\-name*:*tag*\. For example, in the Docker repository that CodeBuild uses to manage its Docker images, this could be `aws/codebuild/standard:2.0`\. In Docker Hub, `maven:3.3.9-jdk-8`\. In Amazon ECR, `account-id.dkr.ecr.region-id.amazonaws.com/your-Amazon-ECR-repo-name:tag`\. For more information, see [Docker Images Provided by CodeBuild](build-env-ref-available.md)\. 
      + *computeType*: Required value\. A category corresponding to the number of CPU cores and memory used by this build environment\. Allowed values include `BUILD_GENERAL1_SMALL`, `BUILD_GENERAL1_MEDIUM`, and `BUILD_GENERAL1_LARGE`\.
      + *certificate*: Optional value\. The ARN of the S3 bucket, path prefix and object key that contains the PEM\-encoded certificate\. The object key can be either just the \.pem file or a \.zip file containing the pem\-encoded certificate\. For example, if your Amazon S3 bucket name is my\-bucket, your path prefix is cert, and your object key name is certificate\.pem, then acceptable formats for your *certificate* are my\-bucket/cert/certificate\.pem or arn:aws:s3:::my\-bucket/cert/certificate\.pem\.
      + For the optional `environmentVariables` array, information about any environment variables you want to specify for this build environment\. Each environment variable is expressed as an object that contains a `name`, `value`, and `type` of *environmentVariable\-name*, *environmentVariable\-value*, and *environmentVariable\-type*\.