diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts
index b7535f8af7bb2..7355ce328becc 100644
--- a/packages/@aws-cdk/aws-codebuild/lib/project.ts
+++ b/packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -494,6 +494,7 @@ export interface CommonProjectProps {
    */
   readonly allowAllOutbound?: boolean;
 }
+
 export interface ProjectProps extends CommonProjectProps {
   /**
    * The source of the build.
@@ -711,6 +712,10 @@ export class Project extends ProjectBase {
     this.projectName = resource.projectName;
 
     this.addToRolePolicy(this.createLoggingPermission());
+
+    if (props.encryptionKey) {
+      props.encryptionKey.grantEncryptDecrypt(this);
+    }
   }
 
   public get securityGroups(): ec2.ISecurityGroup[] {
diff --git a/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts b/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts
index bb4149c8ad9f4..8683696cf804b 100644
--- a/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts
+++ b/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts
@@ -1,6 +1,7 @@
 import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
 import codecommit = require('@aws-cdk/aws-codecommit');
 import ec2 = require('@aws-cdk/aws-ec2');
+import kms = require('@aws-cdk/aws-kms');
 import s3 = require('@aws-cdk/aws-s3');
 import cdk = require('@aws-cdk/cdk');
 import { Test } from 'nodeunit';
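Review bot: The new `props.encryptionKey.grantEncryptDecrypt(this)` call is not reflected in the doc comment of the `encryptionKey` prop (declared outside this hunk), so a reader of the props interface cannot tell that supplying a key also widens the project role with kms:Encrypt/Decrypt/ReEncrypt*/GenerateDataKey* and adds the role as a principal to the key's resource policy — the decdk snapshot hunks further down show both effects. Add to that prop's doc comment a line such as `* The project's role is granted encrypt/decrypt permissions on this key, and the key policy is updated to allow the role.` so the privilege change is visible at the API surface. The constructor body continues outside the hunk. For a key imported from another stack or account, whose policy this stack cannot edit, it is worth confirming that grantEncryptDecrypt still yields a usable grant; the new test only exercises a key created in the same stack.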
@@ -714,7 +715,47 @@ export = {
       })
       , /Configure 'allowAllOutbound' directly on the supplied SecurityGroup/);
       test.done();
-    }
+    },
+
+    'with a KMS Key adds decrypt permissions to the CodeBuild Role'(test: Test) {
+      const stack = new cdk.Stack();
+
+      const key = new kms.Key(stack, 'MyKey');
+
+      new codebuild.PipelineProject(stack, 'MyProject', {
+        encryptionKey: key,
+      });
+
+      expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+        "PolicyDocument": {
+          "Statement": [
+            {}, // CloudWatch logs
+            {
+              "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "MyKey6AB29FA6",
+                  "Arn",
+                ],
+              },
+            },
+          ],
+        },
+        "Roles": [
+          {
+            "Ref": "MyProjectRole9BBE5233",
+          },
+        ],
+      }));
+
+      test.done();
+    },
   },
 
   'using timeout and path in S3 artifacts sets it correctly'(test: Test) {
diff --git a/packages/decdk/test/__snapshots__/synth.test.js.snap b/packages/decdk/test/__snapshots__/synth.test.js.snap
index ffc700b178f15..4ff4e5d64b382 100644
--- a/packages/decdk/test/__snapshots__/synth.test.js.snap
+++ b/packages/decdk/test/__snapshots__/synth.test.js.snap
@@ -1787,6 +1787,21 @@ Object {
           },
         ],
       },
+      Object {
+        "Action": Array [
+          "kms:Decrypt",
+          "kms:Encrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+        ],
+        "Effect": "Allow",
+        "Resource": Object {
+          "Fn::GetAtt": Array [
+            "Key961B73FD",
+            "Arn",
+          ],
+        },
+      },
       Object {
         "Action": Array [
           "s3:GetObject*",
@@ -1889,6 +1904,24 @@ Object {
         },
         "Resource": "*",
       },
+      Object {
+        "Action": Array [
+          "kms:Decrypt",
+          "kms:Encrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+        ],
+        "Effect": "Allow",
+        "Principal": Object {
+          "AWS": Object {
+            "Fn::GetAtt": Array [
+              "BuildProjectRoleAA92C755",
+              "Arn",
+            ],
+          },
+        },
+        "Resource": "*",
+      },
     ],
     "Version": "2012-10-17",
   },
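Review bot: The new test checks only the role-side half of the grant; the key-side half (the key policy statement naming the project role, which the decdk snapshot hunk below shows is generated) is not asserted, so a regression that keeps the role policy but drops the key policy update would still pass. Add a second assertion along the lines of `expect(stack).to(haveResourceLike('AWS::KMS::Key', { "KeyPolicy": { "Statement": [ {}, { "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": ["MyProjectRole9BBE5233", "Arn"] } } } ] } }));` (statement index to be confirmed against the synthesized template). The test name says "adds decrypt permissions" while the expected Action list also covers kms:Encrypt, kms:ReEncrypt* and kms:GenerateDataKey*; renaming it to `'with a KMS Key adds encrypt/decrypt permissions to the CodeBuild Role'` would match what is verified. The `{}, // CloudWatch logs` placeholder appears to pin the statement order to the constructor's grant order, so a reordering in Project would fail this test without any privilege change; a comment such as `// statement order mirrors the order of grants in the Project constructor` would explain that to the next maintainer.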