CodeBuild: A project with default role results in `Not authorized to perform DescribeSecurityGroups`

[thesurlydev]

Describe the bug
Creating a new CodeBuild project without defining a role, results in exception during deploy: "Not authorized to perform DescribeSecurityGroups (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException".

Looking at the generated CF template, it appears there are two IAM policy documents that are generated and reference the CodeBuild project role. One is the default policy with a name similar to codebuildprojectRoleDefaultPolicy4FA15962 and another "CodeBuildEC2Policy" with a name similar to codebuildprojectPolicyDocument1DCF3D9B. Based on the exception it seems the "CodeBuildEC2Policy" is not recognized or perhaps a race condition?

After a brief search on the interwebs, I found this: https://stackoverflow.com/questions/52843460/receive-not-authorized-to-perform-describesecuritygroups-when-creating-new-pro which seems similar to the issue here.

To Reproduce
Using something like the following code will reproduce:

val projectProps = ProjectProps.builder()
            .withEnvironment(buildEnvironment)
            .withProjectName(appName)
            .withSource(gitHubEnterpriseSource)
            .withBuildSpec("buildspec.yml")
            .withVpc(props.vpc)
            .withArtifacts(NoBuildArtifacts())
            .withSecondaryArtifacts(
                listOf(
                    s3BucketBuildArtifacts
                )
            )
            .build()

        val project = Project(this, "code-build-project", projectProps)

Expected behavior
Using default role with CodeBuild project should not result in exception.

Version:

• Ubuntu 18.04
• Kotlin using Java CDK artifacts
• 0.32.0

[thesurlydev]

I reported a similar issue as part of #2605

[thesurlydev]

This screenshot from CloudFormation events seems to support the fact that the project attempts to get created just prior to the "CodeBuildEC2Policy":

[thesurlydev]

After further investigation, according to the AWS docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles some explicit DependsOn attribute values may need to be added to ensure the policies are available.

[skinny85]

Yes, there's definitely some race condition happening here (and/or an IAM propagation delay, but I think that's less probable).

[thesurlydev]

I've just verified that if I manually add a DependsOn to CodeBuild project of the IAM policy with the ec2:* bits, it works. Is there a way to add a DependsOn attribute via CDK as a workaround until a proper fix is in place?

[skinny85]

Unfortunately, I don't think there is :(

[thesurlydev]

Looks like you already have a fix. In the meantime, I was able to workaround using this super gross code:

val project = app.node.children.find { it.node.stack.name == "bruiser-code-build-bootstrap" }
        ?.node?.children?.find { it.node.typename == "Project" } as Project

    val cfnPolicy = (project.node?.children?.find { it.node.typename == "Policy"} as Policy)
        .node.findChild("Resource") as CfnPolicy

    (project.node.findChild("Resource") as CfnResource).addDependsOn(cfnPolicy)

    app.run()