Adding inline policy to PDKPipeline

[mteichtahl]

When creating a PDKPipeline it seems there is no way to customise the role.

For example, adding a policy statement to the pipeline role throws an error.

export class PipelineStack extends Stack {
  readonly pipeline: PDKPipeline;

  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    this.pipeline = new PDKPipeline(this, "ApplicationPipeline", {
      primarySynthDirectory: "packages/infra/cdk.out",
      repositoryName: this.node.tryGetContext("repositoryName") || "monorepo",
      publishAssetsInParallel: false,
      crossAccountKeys: true,
      synth: {},
      sonarCodeScannerConfig: this.node.tryGetContext("sonarqubeScannerConfig"),
    })

    this.pipeline.pipeline.role.attachInlinePolicy(new Policy(this, 'test', {
      statements: [
        new PolicyStatement({
          effect: Effect.ALLOW,
          resources: ["arn:aws:ec2:*:*:prefix-list/*"],
          actions: ["ec2:GetManagedPrefixListEntries"]
        })
      ]
    }))
  }
}

   👾 build » post-compile » synth:silent | cdk synth -q
       Error: Pipeline not created yet
           at PDKPipeline.get pipeline [as pipeline] (/Volumes/workplace/prototyping/galaxi/node_modules/aws-cdk-lib/pipelines/lib/codepipeline/codepipeline.js:1:2140)
           at new PipelineStack (/Volumes/workplace/prototyping/galaxi/packages/infra/src/pipeline-stack.ts:36:19)
           at /Volumes/workplace/prototyping/galaxi/packages/infra/src/pipeline.ts:73:25
           at Object.<anonymous> (/Volumes/workplace/prototyping/galaxi/packages/infra/src/pipeline.ts:104:3)
           at Module._compile (node:internal/modules/cjs/loader:1105:14)
           at Module.m._compile (/Volumes/workplace/prototyping/galaxi/node_modules/ts-node/src/index.ts:1618:23)
           at Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
           at Object.require.extensions.<computed> [as .ts] (/Volumes/workplace/prototyping/galaxi/node_modules/ts-node/src/index.ts:1621:12)
           at Module.load (node:internal/modules/cjs/loader:981:32)
           at Function.Module._load (node:internal/modules/cjs/loader:822:12)

[mteichtahl]

CDK pipelines only generates the pipeline resources (including the associated roles) on app.synth().

Therefore, if you want to update a policy you need to do this after pipelineStack.pipeline.buildPipeline(); but before app.synth(). For example

 pipelineStack.pipeline.addStage(devStage);

  pipelineStack.pipeline.buildPipeline(); 

  pipelineStack.pipeline.synthProject.addToRolePolicy(
    new PolicyStatement({
      sid: "AllowGetManagedPrfixList",
      effect: Effect.ALLOW,
      resources: pipelineStack.node.tryGetContext("applPrefixLists"),
      actions: ["ec2:GetManagedPrefixListEntries"],
    })
  );
  app.synth();