feat(pipelines): Allow adding PolicyStatements to CodeBuild Project role

Fixes aws#9163

packages/@aws-cdk/pipelines/README.md

@@ -422,6 +422,41 @@ const validationAction = new ShellScriptAction({
 });
 ```
 
+#### Add Additional permissions to the CodeBuild Project Role for building and synthing
+
+You can customize the role permissions used by the CodeBuild project so it has access to
+the needed resources. eg: Adding CodeArtifact repo permissions so we pull npm packages
+from the CA repo instead of NPM.
+
+```ts
+class MyPipelineStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    ...
+    const pipeline = new CdkPipeline(this, 'Pipeline', {
+      ...
+      synthAction: SimpleSynthAction.standardNpmSynth({
+        sourceArtifact,
+        cloudAssemblyArtifact,
+
+        // Use this to customize and a permissions required for the build
+        // and synth
+        rolePolicyStatements: [
+          new PolicyStatement({
+            actions: ['codeartifact:*', 'sts:GetServiceBearerToken'],
+            resources: ['arn:codeartifact:repo:arn'],
+          }),
+        ],
+
+        // Then you can login to codeartifact repository
+        // and npm will now pull packages from your repository
+        // Note the codeartifact login command requires more params to work.
+        buildCommand: 'aws codeartifact login --tool npm && npm run build',
+      }),
+    });
+  }
+}
+```
+
 ## CDK Environment Bootstrapping
 
 An *environment* is an *(account, region)* pair where you want to deploy a

packages/@aws-cdk/pipelines/lib/synths/simple-synth-action.ts

@@ -245,7 +245,7 @@ export class SimpleSynthAction implements codepipeline.IAction {
       },
     });
 
-    if (this.props.rolePolicyStatements != undefined) {
+    if (this.props.rolePolicyStatements !== undefined) {
       this.props.rolePolicyStatements.forEach(policyStatement => {
         project.addToRolePolicy(policyStatement);
       });