CodeBuild: Associating an existing IAM role to a CodeBuild project results in exception #2651

@thesurlydev

Describe the bug
Creating a new CodeBuild project and associating an existing IAM role results in: "Policy must be attached to at least one principal: user, group or role" during synthesis. My best guess is that the default policy generated by CDK is getting orphaned instead of disregarded in the case where an existing IAM role is specified?

To Reproduce
Using the following code to make the association:

val codeBuildProjectRole = Role.fromRoleArn(
    this,
    "code-build-project-role",
    "arn:aws:iam::1234567890:role/service-role/codebuild-bruiser-service-role"
)

val projectProps = ProjectProps.builder()
    .withEnvironment(buildEnvironment)
    .withProjectName(appName)
    .withSource(gitHubEnterpriseSource)
    .withBuildSpec("buildspec.yml")
    .withVpc(props.vpc)
    .withRole(codeBuildProjectRole)
    .withArtifacts(NoBuildArtifacts())
    .withSecondaryArtifacts(
        listOf(
            s3BucketBuildArtifacts
        )
    )
    .build()

val project = Project(this, "code-build-project", projectProps)

Expected behavior
Associating a valid existing role to a CodeBuild project should not result in an exception.

Version:

  • Ubuntu 18.04
  • Kotlin using Java CDK artifacts
  • 0.32.0

Labels

  • @aws-cdk/aws-codebuild: Related to AWS CodeBuild
  • @aws-cdk/aws-iam: Related to AWS Identity and Access Management
  • bug: This issue is a bug.
  • p2
