From cbdd084d7b3eb92a311da48c279b5423e1ae22a2 Mon Sep 17 00:00:00 2001
From: Alban Esc
Date: Mon, 31 Aug 2020 23:04:15 -0700
Subject: [PATCH] fix(aws-stepfunctions-tasks): missing permission to get build status (#10081) The execution role for the CodeBuild StartBuild task is missing permissions to check the status of the running build. It results in a timeout of the step functions. Adding `codebuild:BatchGetBuilds` and `codebuild:BatchGetReports` following this [AWS news blog article](https://aws.amazon.com/blogs/aws/new-building-a-continuous-integration-workflow-with-step-functions-and-aws-codebuild/) solves the issue. Closes #8043 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../aws-stepfunctions-tasks/lib/codebuild/start-build.ts | 2 ++
 .../test/codebuild/integ.start-build.expected.json | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/codebuild/start-build.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/codebuild/start-build.ts
index f4341a3e7c521..1a361405843ee 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/codebuild/start-build.ts
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/codebuild/start-build.ts
@@ -60,6 +60,8 @@ export class CodeBuildStartBuild extends sfn.TaskStateBase {
 actions: [
 'codebuild:StartBuild',
 'codebuild:StopBuild',
+ 'codebuild:BatchGetBuilds',
+ 'codebuild:BatchGetReports',
 ],
 }),
 ];
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/codebuild/integ.start-build.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/codebuild/integ.start-build.expected.json
index 9720f657969e2..a3a245b0ddfd8 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/codebuild/integ.start-build.expected.json
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/codebuild/integ.start-build.expected.json
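Review bot: `codebuild:BatchGetReports` on the added line looks wider than what the fix needs — the timeout described in the commit message is cured by `codebuild:BatchGetBuilds`, which is what the `.sync` (RUN_JOB) polling reads, while BatchGetReports, as far as I recall from the CodeBuild API, returns test-report contents and is keyed by report ARNs rather than the project ARN, so scoping it to the project resource (the `resources` entry sits outside the hunk) is either ineffective or an over-grant depending on what that resource is. Unless a concrete need for report data is confirmed, keep only `'codebuild:BatchGetBuilds',` and explain the grant with a comment above it: `// Step Functions polls build status via BatchGetBuilds when integrationPattern is RUN_JOB`. The method that builds these policy statements starts and ends outside the hunk, so I cannot see whether they are conditioned on the integration pattern or whether the EventBridge rule permissions the sync pattern also requires are handled there — worth checking that too, since the commit cites a blog post rather than the IAM action reference.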
@@ -191,7 +191,9 @@
 {
 "Action": [
 "codebuild:StartBuild",
- "codebuild:StopBuild"
+ "codebuild:StopBuild",
+ "codebuild:BatchGetBuilds",
+ "codebuild:BatchGetReports"
 ],
 "Effect": "Allow",
 "Resource": {