fix(codebuild): correctly pass the VPC subnet IDs to the Policy Statement's condition when using a VPC. (#2506)

skinny85 · web-flow · commit 145da285fbdc · 2019-05-10T09:35:44.000-07:00
Fixes #2335
diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -903,9 +903,9 @@ export class Project extends ProjectBase {
     this.addToRolePolicy(new iam.PolicyStatement()
       .addResource(`arn:aws:ec2:${Aws.region}:${Aws.accountId}:network-interface/*`)
       .addCondition('StringEquals', {
-        "ec2:Subnet": [
-          `arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/[[subnets]]`
-        ],
+        "ec2:Subnet": props.vpc
+          .selectSubnets(props.subnetSelection).subnetIds
+          .map(si => `arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/${si}`),
         "ec2:AuthorizedService": "codebuild.amazonaws.com"
       })
       .addAction('ec2:CreateNetworkInterfacePermission'));
diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.project-vpc.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.project-vpc.expected.json
@@ -312,7 +312,10 @@
                           {
                             "Ref": "AWS::AccountId"
                           },
-                          ":subnet/[[subnets]]"
+                          ":subnet/",
+                          {
+                            "Ref": "MyVPCPrivateSubnet1Subnet641543F4"
+                          }
                         ]
                       ]
                     }

Original file line number	Diff line number	Diff line change
`@@ -312,7 +312,10 @@`
`312`	`312`	`{`
`313`	`313`	`"Ref": "AWS::AccountId"`
`314`	`314`	`},`
`315`		`- ":subnet/[[subnets]]"`
	`315`	`+ ":subnet/",`
	`316`	`+ {`
	`317`	`+ "Ref": "MyVPCPrivateSubnet1Subnet641543F4"`
	`318`	`+ }`
`316`	`319`	`]`
`317`	`320`	`]`
`318`	`321`	`}`