fix(aws-stepfunctions-tasks): missing permission to get build status (#…

…10081) The execution role for the CodeBuild StartBuild task is missing permissions to check the status of the running build. It results in a timeout of the step functions. Adding `codebuild:BatchGetBuilds` and `codebuild:BatchGetReports` following this [AWS news blog article](https://aws.amazon.com/blogs/aws/new-building-a-continuous-integration-workflow-with-step-functions-and-aws-codebuild/) solves the issue. Closes #8043 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Sep 1, 2020 · cbdd084 · cbdd084
1 parent 3f80ae6
commit cbdd084
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/codebuild/start-build.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/codebuild/start-build.ts
@@ -60,6 +60,8 @@ export class CodeBuildStartBuild extends sfn.TaskStateBase {
         actions: [
           'codebuild:StartBuild',
           'codebuild:StopBuild',
+          'codebuild:BatchGetBuilds',
+          'codebuild:BatchGetReports',
         ],
       }),
     ];

diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/codebuild/integ.start-build.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/codebuild/integ.start-build.expected.json
@@ -191,7 +191,9 @@
             {
               "Action": [
                 "codebuild:StartBuild",
-                "codebuild:StopBuild"
+                "codebuild:StopBuild",
+                "codebuild:BatchGetBuilds",
+                "codebuild:BatchGetReports"
               ],
               "Effect": "Allow",
               "Resource": {