feat(codebuild): allow specifying principals and credentials for pull…

…ing build images. (#3049)

When using an image that is hosted in a private Docker registry,
you have to pass the appropriate credentials in order to authenticate against that registry.
This change allows passing those credentials when creating a custom build image.

It also introduces the concept of the principal that CodeBuild will use to pull the image -
previously, CodeBuild would always use its own identity when pulling images,
which meant using it with an ECR-hosted image required changing the resource policy of the repository to trust CodeBuild's service principal.
Now, the default is to use the project's role when doing the pull of the image.

Fixes #2175

BREAKING CHANGE: `LinuxBuildImage.fromDockerHub()` has been renamed to `fromDockerRegistry()` and `WindowsBuildImage.fromDockerHub()` has been renamed to `fromDockerRegistry()`

allowed-breaking-changes.txt

@@ -1,4 +1,49 @@
 removed:@aws-cdk/aws-ec2.Port.toRuleJSON
+change-return-type:@aws-cdk/aws-codebuild.LinuxBuildImage.fromAsset
+removed:@aws-cdk/aws-codebuild.LinuxBuildImage.fromDockerHub
+change-return-type:@aws-cdk/aws-codebuild.LinuxBuildImage.fromEcrRepository
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_OPEN_JDK_9
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.STANDARD_1_0
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.STANDARD_2_0
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_ANDROID_JAVA8_24_4_1
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_ANDROID_JAVA8_26_1_1
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_BASE
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_DOCKER_17_09_0
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_DOCKER_18_09_0
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_DOTNET_CORE_1_1
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_DOTNET_CORE_2_0
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_DOTNET_CORE_2_1
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_GOLANG_1_10
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_GOLANG_1_11
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_NODEJS_10_1_0
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_NODEJS_10_14_1
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_NODEJS_6_3_1
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_NODEJS_8_11_0
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_OPEN_JDK_11
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_OPEN_JDK_8
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_PHP_5_6
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_PHP_7_0
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_PHP_7_1
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_PYTHON_2_7_12
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_PYTHON_3_3_6
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_PYTHON_3_4_5
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_PYTHON_3_5_2
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_PYTHON_3_6_5
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_PYTHON_3_7_1
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_RUBY_2_2_5
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_RUBY_2_3_1
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_RUBY_2_5_1
+changed-type:@aws-cdk/aws-codebuild.LinuxBuildImage.UBUNTU_14_04_RUBY_2_5_3
+change-return-type:@aws-cdk/aws-codebuild.WindowsBuildImage.fromAsset
+removed:@aws-cdk/aws-codebuild.WindowsBuildImage.fromDockerHub
+change-return-type:@aws-cdk/aws-codebuild.WindowsBuildImage.fromEcrRepository
+changed-type:@aws-cdk/aws-codebuild.WindowsBuildImage.WIN_SERVER_CORE_2016_BASE
+change-return-type:@aws-cdk/aws-codebuild.Source.bitBucket
+change-return-type:@aws-cdk/aws-codebuild.Source.codeCommit
+change-return-type:@aws-cdk/aws-codebuild.Source.gitHub
+change-return-type:@aws-cdk/aws-codebuild.Source.gitHubEnterprise
+change-return-type:@aws-cdk/aws-codebuild.Source.s3
+change-return-type:@aws-cdk/aws-codebuild.Artifacts.s3
 change-return-type:@aws-cdk/aws-codebuild.PipelineProject.addSecondaryArtifact
 change-return-type:@aws-cdk/aws-codebuild.Project.addSecondaryArtifact
 removed:@aws-cdk/aws-ec2.Connections.allowFromAnyIPv4

packages/@aws-cdk/aws-codebuild/README.md

@@ -186,8 +186,7 @@ of the constants such as `WindowsBuildImage.WIN_SERVER_CORE_2016_BASE` or
 Alternatively, you can specify a custom image using one of the static methods on
 `XxxBuildImage`:
 
-* Use `.fromDockerHub(image)` to reference an image publicly available in Docker
-  Hub.
+* Use `.fromDockerRegistry(image[, { secretsManagerCredentials }])` to reference an image in any public or private Docker registry.
 * Use `.fromEcrRepository(repo[, tag])` to reference an image available in an
   ECR repository.
 * Use `.fromAsset(directory)` to use an image created from a
@@ -201,6 +200,10 @@ The following example shows how to define an image from an ECR repository:
 
 [ECR example](./test/integ.ecr.lit.ts)
 
+The following example shows how to define an image from a private docker registry:
+
+[Docker Registry example](./test/integ.docker-registry.lit.ts)
+
 ## Events
 
 CodeBuild projects can be used either as a source for events or be triggered

packages/@aws-cdk/aws-codebuild/lib/artifacts.ts

@@ -53,7 +53,7 @@ export interface ArtifactsProps {
  * Artifacts definition for a CodeBuild Project.
  */
 export abstract class Artifacts implements IArtifacts {
-  public static s3(props: S3ArtifactsProps): Artifacts {
+  public static s3(props: S3ArtifactsProps): IArtifacts {
     return new S3Artifacts(props);
   }