From de086357c62050dceb7e16d980633e3e71af518e Mon Sep 17 00:00:00 2001
From: David Graesser
Date: Tue, 10 Feb 2026 15:43:43 +0100
Subject: [PATCH 1/2] feat: Add privileged_mode variable to CodeBuild project configuration

- Introduced a new variable `privileged_mode` to control Docker daemon access within the build container.
- Updated the main.tf to utilize the new variable for the CodeBuild project.
- Enhanced documentation to include the new variable in copilot instructions.
---
 .github/copilot-instructions.md | 1 +
 main.tf | 2 +-
 variables.tf | 6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index 411022a..b11cc8b 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -64,6 +64,7 @@ The module creates an AWS CodeBuild Project and a webhook in a specific GitHub r
 - `environment_type`: Build environment type (default: LINUX_CONTAINER)
 - `environment_compute_type`: Compute resources (default: BUILD_GENERAL1_SMALL)
 - `environment_image`: Docker image (defaults to aws/codebuild/amazonlinux2-x86_64-standard:5.0)
+- `privileged_mode`: Enable Docker daemon inside the build container (default: false)
 - `create_ecr_repository`: Whether to create an ECR repository
 - `build_timeout`: Build timeout in minutes (default: 5)
 
diff --git a/main.tf b/main.tf
index ad9cc8a..e3e3dc5 100644
--- a/main.tf
+++ b/main.tf
@@ -44,7 +44,7 @@ resource "aws_codebuild_project" "this" {
       ? "CODEBUILD"
       : "SERVICE_ROLE"
     )
-    # privileged_mode = true
+    privileged_mode = var.privileged_mode
   }
 
   logs_config {
diff --git a/variables.tf b/variables.tf
index 193c6c4..ef0b809 100644
--- a/variables.tf
+++ b/variables.tf
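Review bot: `privileged_mode = var.privileged_mode` wires in a toggle whose security cost is not recorded anywhere in the resource: when true, the build container runs with elevated privileges on the build host, and since this module also creates a GitHub webhook (per the copilot-instructions hunk context) every webhook-triggered build inherits those privileges. A one-line comment above the assignment would make that visible to the next maintainer, e.g. `# true grants the build container elevated (Docker-in-Docker) privileges; webhook-triggered builds run with them too`. The `environment` block and the enclosing `aws_codebuild_project` resource start outside the hunk, so I could not see whether the webhook's filter groups restrict which events may trigger a build; that is worth confirming before any example sets this to true.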
@@ -59,6 +59,12 @@ variable "environment_compute_type" {
   description = " Information about the compute resources the build project will use. Valid values: `BUILD_GENERAL1_SMALL`, `BUILD_GENERAL1_MEDIUM`, `BUILD_GENERAL1_LARGE`, `BUILD_GENERAL1_2XLARGE`, `BUILD_LAMBDA_1GB`, `BUILD_LAMBDA_2GB`, `BUILD_LAMBDA_4GB`, `BUILD_LAMBDA_8GB`, `BUILD_LAMBDA_10GB`. `BUILD_GENERAL1_SMALL` is only valid if type is set to `LINUX_CONTAINER`. When type is set to `LINUX_GPU_CONTAINER`, compute_type must be `BUILD_GENERAL1_LARGE`. When type is set to `LINUX_LAMBDA_CONTAINER` or `ARM_LAMBDA_CONTAINER`, compute_type must be `BUILD_LAMBDA_XGB`"
 }
 
+variable "privileged_mode" {
+  type = bool
+  default = false
+  description = "Whether to enable running the Docker daemon inside a Docker container. Set to true if the build project needs to build Docker images or run Docker containers (e.g., via docker-compose, Testcontainers, or LocalStack)."
+}
+
 variable "environment_image" {
   type = string
   default = null

From 0f7dab7fae333940fbd7b132315a60914e0de6de Mon Sep 17 00:00:00 2001
From: David Graesser
Date: Wed, 11 Feb 2026 09:14:46 +0100
Subject: [PATCH 2/2] docs: Update README to include privileged_mode variable for Docker access in CodeBuild

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index a7f6150..fc5f5aa 100644
--- a/README.md
+++ b/README.md
@@ -326,6 +326,7 @@ module "github_runner_with_packer" {
 | [ingress\_with\_source\_security\_group\_id](#input\_ingress\_with\_source\_security\_group\_id) | List of ingress rules to add to the default security group with source security group IDs |
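Review bot: The new `privileged_mode` description says when to enable the flag but not what enabling it costs, so the generated docs (this text is copied verbatim into the README row) show only the convenience side. I would extend the description with a sentence such as `Enabling it grants the build container elevated privileges on the build host; leave it false unless the build must run Docker.` The neighbouring `environment_compute_type` description lists the `BUILD_LAMBDA_*` compute types and the Lambda container environment types; if privileged mode is not supported for those (I believe it is not, but confirm against the AWS CodeBuild documentation), a note in this description or a `validation` block on the variable (cross-variable conditions need a recent Terraform) would turn a silent no-op into a plan-time error.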
list(object({
from_port = number
to_port = number
protocol = string
description = string
source_security_group_id = string
}))
| `[]` | no |
 | [kms\_key\_id](#input\_kms\_key\_id) | The AWS KMS key to be used | `string` | `null` | no |
 | [name](#input\_name) | Created resources will be named with this. | `string` | n/a | yes |
+| [privileged\_mode](#input\_privileged\_mode) | Whether to enable running the Docker daemon inside a Docker container. Set to true if the build project needs to build Docker images or run Docker containers (e.g., via docker-compose, Testcontainers, or LocalStack). | `bool` | `false` | no |
 | [s3\_logs\_bucket\_name](#input\_s3\_logs\_bucket\_name) | Name of the S3 bucket to store logs in. If not specified then logging to S3 will be disabled. | `string` | `null` | no |
 | [s3\_logs\_bucket\_prefix](#input\_s3\_logs\_bucket\_prefix) | Prefix to use for the logs in the S3 bucket | `string` | `""` | no |
 | [security\_group\_ids](#input\_security\_group\_ids) | The list of Security Group IDs for AWS CodeBuild to launch ephemeral EC2 instances in. | `list(string)` | `[]` | no |