From 180167f961bc187a751fc31ba2752fdffbecd5cc Mon Sep 17 00:00:00 2001
From: Adam Ruka
Date: Wed, 8 May 2019 17:32:04 -0700
Subject: [PATCH] fix(codebuild): correctly pass the VPC subnet IDs to the Policy Statement's condition when using a VPC.

Fixes #2335
---
 packages/@aws-cdk/aws-codebuild/lib/project.ts | 6 +++---
 .../aws-codebuild/test/integ.project-vpc.expected.json | 5 ++++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts
index 17610638cd83e..0c09011bde2dc 100644
--- a/packages/@aws-cdk/aws-codebuild/lib/project.ts
+++ b/packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -903,9 +903,9 @@ export class Project extends ProjectBase {
 this.addToRolePolicy(new iam.PolicyStatement()
 .addResource(`arn:aws:ec2:${Aws.region}:${Aws.accountId}:network-interface/*`)
 .addCondition('StringEquals', {
- "ec2:Subnet": [
- `arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/[[subnets]]`
- ],
+ "ec2:Subnet": props.vpc
+ .selectSubnets(props.subnetSelection).subnetIds
+ .map(si => `arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/${si}`),
 "ec2:AuthorizedService": "codebuild.amazonaws.com"
 })
 .addAction('ec2:CreateNetworkInterfacePermission'));
diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.project-vpc.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.project-vpc.expected.json
index 2bd7159044e5b..0a42b9adfb276 100644
--- a/packages/@aws-cdk/aws-codebuild/test/integ.project-vpc.expected.json
+++ b/packages/@aws-cdk/aws-codebuild/test/integ.project-vpc.expected.json
@@ -312,7 +312,10 @@
 {
 "Ref": "AWS::AccountId"
 },
- ":subnet/[[subnets]]"
+ ":subnet/",
+ {
+ "Ref": "MyVPCPrivateSubnet1Subnet641543F4"
+ }
 ]
 ]
 }
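Review bot: The new `ec2:Subnet` ARNs in the `.map(...)` line hard-code the `arn:aws` partition while region and account come from `Aws` pseudo-parameters, so in the aws-cn or aws-us-gov partitions the `StringEquals` condition can never match and `ec2:CreateNetworkInterfacePermission` would be denied at build time; prefer `` `arn:${Aws.partition}:ec2:${Aws.region}:${Aws.accountId}:subnet/${si}` `` if this CDK version exposes `Aws.partition` (the context `.addResource` line has the same hard-coded partition). Since `selectSubnets(props.subnetSelection)` presumably also drives the project's VpcConfig elsewhere in this method, it would be safer to compute the selection once and reuse its `subnetIds` here so the policy cannot drift from the subnets CodeBuild actually places ENIs in. A short comment above the condition, such as `// Least privilege: only allow ENI permissions in the subnets this project is attached to`, would make the intent of the condition clear to the next maintainer. The enclosing method starts and ends outside the hunk.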