feat(codebuild): add support for setting a BuildEnvironment Certifica…

…te (#15738) fixes #15701 Add certificate as optional parameter to codebuild project Environment. The certificate option supports including an additional PEM certificate for on-prem DNS / SSL of codebuild projects. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jul 27, 2021 · 76fb481 · 76fb481
1 parent 2cefe57
commit 76fb481
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 0 deletions.
diff --git a/packages/@aws-cdk/aws-codebuild/README.md b/packages/@aws-cdk/aws-codebuild/README.md
@@ -225,6 +225,7 @@ can use the `environment` property to customize the build environment:
 
 * `buildImage` defines the Docker image used. See [Images](#images) below for
   details on how to define build images.
+* `certificate` defines the location of a PEM encoded certificate to import.
 * `computeType` defines the instance type used for the build.
 * `privileged` can be set to `true` to allow privileged access.
 * `environmentVariables` can be set at this level (and also at the project
@@ -262,6 +263,11 @@ which can be either `WindowsImageType.STANDARD`, the default, or `WindowsImageTy
 new codebuild.Project(this, 'Project', {
   environment: {
     buildImage: codebuild.WindowsBuildImage.fromEcrRepository(ecrRepository, 'v1.0', codebuild.WindowsImageType.SERVER_2019),
+    // optional certificate to include in the build image
+    certificate: {
+      bucket: s3.Bucket.fromBucketName(this, 'Bucket', 'my-bucket'),
+      objectKey: 'path/to/cert.pem',
+    },
   },
   ...
 })

diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -39,6 +39,20 @@ export interface BatchBuildConfig {
   readonly role: iam.IRole;
 }
 
+/**
+ * Location of a PEM certificate on S3
+ */
+export interface BuildEnvironmentCertificate {
+  /**
+   * The bucket where the certificate is
+   */
+  readonly bucket: s3.IBucket;
+  /**
+   * The full path and name of the key file
+   */
+  readonly objectKey: string;
+}
+
 /**
  * Additional options to pass to the notification rule.
  */
@@ -1312,6 +1326,7 @@ export class Project extends ProjectBase {
           credential: secret.secretFullArn ?? secret.secretName,
         }
         : undefined,
+      certificate: env.certificate?.bucket.arnForObjects(env.certificate.objectKey),
       privilegedMode: env.privileged || false,
       computeType: env.computeType || this.buildImage.defaultComputeType,
       environmentVariables: hasEnvironmentVars
@@ -1542,6 +1557,13 @@ export interface BuildEnvironment {
    */
   readonly privileged?: boolean;
 
+  /**
+   * The location of the PEM-encoded certificate for the build project
+   *
+   * @default - No external certificate is added to the project
+   */
+  readonly certificate?: BuildEnvironmentCertificate;
+
   /**
    * The environment variables that your builds can use.
    */

diff --git a/packages/@aws-cdk/aws-codebuild/test/test.project.ts b/packages/@aws-cdk/aws-codebuild/test/test.project.ts
@@ -797,6 +797,41 @@ export = {
 
       test.done();
     },
+
+    'certificate arn'(test: Test) {
+      // GIVEN
+      const stack = new cdk.Stack();
+      const bucket = s3.Bucket.fromBucketName(stack, 'Bucket', 'my-bucket'); // (stack, 'Bucket');
+
+      // WHEN
+      new codebuild.Project(stack, 'Project', {
+        source: codebuild.Source.s3({
+          bucket,
+          path: 'path',
+        }),
+        environment: {
+          certificate: {
+            bucket,
+            objectKey: 'path',
+          },
+        },
+      });
+
+      // THEN
+      expect(stack).to(haveResourceLike('AWS::CodeBuild::Project', {
+        Environment: objectLike({
+          Certificate: {
+            'Fn::Join': ['', [
+              'arn:',
+              { 'Ref': 'AWS::Partition' },
+              ':s3:::my-bucket/path',
+            ]],
+          },
+        }),
+      }));
+
+      test.done();
+    },
   },
 
   'EnvironmentVariables': {