fix(codebuild): grant the Project's Role permissions to the KMS Key i…

…f it was passed. (#2715)

Without those permissions, uploading the Artifacts after the build will fail.

packages/@aws-cdk/aws-codebuild/lib/project.ts

@@ -494,6 +494,7 @@ export interface CommonProjectProps {
    */
   readonly allowAllOutbound?: boolean;
 }
+
 export interface ProjectProps extends CommonProjectProps {
   /**
    * The source of the build.
@@ -711,6 +712,10 @@ export class Project extends ProjectBase {
     this.projectName = resource.projectName;
 
     this.addToRolePolicy(this.createLoggingPermission());
+
+    if (props.encryptionKey) {
+      props.encryptionKey.grantEncryptDecrypt(this);
+    }
   }
 
   public get securityGroups(): ec2.ISecurityGroup[] {

packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts

@@ -1,6 +1,7 @@
 import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
 import codecommit = require('@aws-cdk/aws-codecommit');
 import ec2 = require('@aws-cdk/aws-ec2');
+import kms = require('@aws-cdk/aws-kms');
 import s3 = require('@aws-cdk/aws-s3');
 import cdk = require('@aws-cdk/cdk');
 import { Test } from 'nodeunit';
@@ -714,7 +715,47 @@ export = {
         })
       , /Configure 'allowAllOutbound' directly on the supplied SecurityGroup/);
       test.done();
-    }
+    },
+
+    'with a KMS Key adds decrypt permissions to the CodeBuild Role'(test: Test) {
+      const stack = new cdk.Stack();
+
+      const key = new kms.Key(stack, 'MyKey');
+
+      new codebuild.PipelineProject(stack, 'MyProject', {
+        encryptionKey: key,
+      });
+
+      expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+        "PolicyDocument": {
+          "Statement": [
+            {}, // CloudWatch logs
+            {
+              "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "MyKey6AB29FA6",
+                  "Arn",
+                ],
+              },
+            },
+          ],
+        },
+        "Roles": [
+          {
+            "Ref": "MyProjectRole9BBE5233",
+          },
+        ],
+      }));
+
+      test.done();
+    },
   },
 
   'using timeout and path in S3 artifacts sets it correctly'(test: Test) {

packages/decdk/test/__snapshots__/synth.test.js.snap

@@ -1787,6 +1787,21 @@ Object {
                 },
               ],
             },
+            Object {
+              "Action": Array [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+              ],
+              "Effect": "Allow",
+              "Resource": Object {
+                "Fn::GetAtt": Array [
+                  "Key961B73FD",
+                  "Arn",
+                ],
+              },
+            },
             Object {
               "Action": Array [
                 "s3:GetObject*",
@@ -1889,6 +1904,24 @@ Object {
               },
               "Resource": "*",
             },
+            Object {
+              "Action": Array [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+              ],
+              "Effect": "Allow",
+              "Principal": Object {
+                "AWS": Object {
+                  "Fn::GetAtt": Array [
+                    "BuildProjectRoleAA92C755",
+                    "Arn",
+                  ],
+                },
+              },
+              "Resource": "*",
+            },
           ],
           "Version": "2012-10-17",
         },