fix(pipelines): propagate CodeBuild fleet and certificate (#35673)

### Issue # (if applicable)

Closes #35664.

### Reason for this change

You can't use Fleets or certificates currently in CDK pipelines.

### Description of changes

These properties were simply overlooked. I added a TypeScript `satisfies` assertion to ensure that newly added properties are not missed here.

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes

Unit and integration tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: isker

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/VariablePipelineStack.assets.json

@@ -142,6 +142,14 @@
     "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092"
    ]
   },
+  "Fleet30813DF3": {
+   "Type": "AWS::CodeBuild::Fleet",
+   "Properties": {
+    "BaseCapacity": 1,
+    "ComputeType": "BUILD_GENERAL1_SMALL",
+    "EnvironmentType": "LINUX_CONTAINER"
+   }
+  },
   "PipelineArtifactsBucketAEA9A052": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
@@ -728,7 +736,29 @@
     "Description": "Pipeline step VariablePipelineStack/Pipeline/Build/Synth",
     "EncryptionKey": "alias/aws/s3",
     "Environment": {
+     "Certificate": {
+      "Fn::Join": [
+       "",
+       [
+        {
+         "Fn::GetAtt": [
+          "SourceBucketDDD2130A",
+          "Arn"
+         ]
+        },
+        "/my-certificate.pem"
+       ]
+      ]
+     },
      "ComputeType": "BUILD_GENERAL1_SMALL",
+     "Fleet": {
+      "FleetArn": {
+       "Fn::GetAtt": [
+        "Fleet30813DF3",
+        "Arn"
+       ]
+      }
+     },
      "Image": "aws/codebuild/standard:7.0",
      "ImagePullCredentialsType": "CODEBUILD",
      "PrivilegedMode": false,
@@ -962,7 +992,29 @@
     "Description": "Pipeline step VariablePipelineStack/Pipeline/MyWave/Produce",
     "EncryptionKey": "alias/aws/s3",
     "Environment": {
+     "Certificate": {
+      "Fn::Join": [
+       "",
+       [
+        {
+         "Fn::GetAtt": [
+          "SourceBucketDDD2130A",
+          "Arn"
+         ]
+        },
+        "/my-certificate.pem"
+       ]
+      ]
+     },
      "ComputeType": "BUILD_GENERAL1_SMALL",
+     "Fleet": {
+      "FleetArn": {
+       "Fn::GetAtt": [
+        "Fleet30813DF3",
+        "Arn"
+       ]
+      }
+     },
      "Image": "aws/codebuild/standard:7.0",
      "ImagePullCredentialsType": "CODEBUILD",
      "PrivilegedMode": false,
@@ -1196,7 +1248,29 @@
     "Description": "Pipeline step VariablePipelineStack/Pipeline/MyWave/Consume",
     "EncryptionKey": "alias/aws/s3",
     "Environment": {
+     "Certificate": {
+      "Fn::Join": [
+       "",
+       [
+        {
+         "Fn::GetAtt": [
+          "SourceBucketDDD2130A",
+          "Arn"
+         ]
+        },
+        "/my-certificate.pem"
+       ]
+      ]
+     },
      "ComputeType": "BUILD_GENERAL1_SMALL",
+     "Fleet": {
+      "FleetArn": {
+       "Fn::GetAtt": [
+        "Fleet30813DF3",
+        "Arn"
+       ]
+      }
+     },
      "Image": "aws/codebuild/standard:7.0",
      "ImagePullCredentialsType": "CODEBUILD",
      "PrivilegedMode": false,

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/VariablePipelineStack.template.json

@@ -23,6 +23,19 @@ class PipelineStack extends Stack {
         // }),
         commands: ['mkdir cdk.out', 'touch cdk.out/dummy'],
       }),
+      codeBuildDefaults: {
+        buildEnvironment: {
+          fleet: new codebuild.Fleet(this, 'Fleet', {
+            baseCapacity: 1,
+            computeType: codebuild.FleetComputeType.SMALL,
+            environmentType: codebuild.EnvironmentType.LINUX_CONTAINER,
+          }),
+          certificate: {
+            bucket: sourceBucket,
+            objectKey: 'my-certificate.pem',
+          },
+        },
+      },
       selfMutation: false,
     });
 

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/integ.json

@@ -439,7 +439,7 @@ export function mergeCodeBuildOptions(...opts: Array<CodeBuildOptions | undefine
       cache: b.cache ?? a.cache,
       fileSystemLocations: definedArray([...a.fileSystemLocations ?? [], ...b.fileSystemLocations ?? []]),
       logging: b.logging ?? a.logging,
-    };
+    } satisfies OptionalToUndefined<CodeBuildOptions>;
   }
 }
 
@@ -452,15 +452,25 @@ function mergeBuildEnvironments(a?: codebuild.BuildEnvironment, b?: codebuild.Bu
   return {
     buildImage: b.buildImage ?? a.buildImage,
     computeType: b.computeType ?? a.computeType,
+    dockerServer: b.dockerServer ?? a.dockerServer,
+    fleet: b.fleet ?? a.fleet,
+    privileged: b.privileged ?? a.privileged,
+    certificate: b.certificate ?? a.certificate,
     environmentVariables: {
       ...a.environmentVariables,
       ...b.environmentVariables,
     },
-    privileged: b.privileged ?? a.privileged,
-    dockerServer: b.dockerServer ?? a.dockerServer,
-  };
+  } satisfies OptionalToUndefined<codebuild.BuildEnvironment>;
 }
 
+// Turns `{ foo?: boolean, bar: number }` into `{ foo: boolean | undefined, bar:
+// number }`. Lets us assert that we are enumerating all properties on a type.
+//
+// Ref: https://stackoverflow.com/a/52973675
+type OptionalToUndefined<T> = {
+  [K in keyof Required<T>]: T[K];
+};
+
 function isDefined<A>(x: A | undefined): x is NonNullable<A> {
   return x !== undefined;
 }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/manifest.json

@@ -164,6 +164,12 @@ test('CodeBuild: environment variables specified in multiple places are correctl
   const securityGroup = new ec2.SecurityGroup(pipelineStack, 'SecurityGroup', {
     vpc,
   });
+  const bucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket');
+  const fleet = new cbuild.Fleet(pipelineStack, 'Fleet', {
+    baseCapacity: 1,
+    computeType: cbuild.FleetComputeType.SMALL,
+    environmentType: cbuild.EnvironmentType.LINUX_CONTAINER,
+  });
 
   new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-1', {
     synth: new CodeBuildStep('Synth', {
@@ -186,6 +192,8 @@ test('CodeBuild: environment variables specified in multiple places are correctl
           computeType: cbuild.DockerServerComputeType.SMALL,
           securityGroups: [securityGroup],
         },
+        certificate: { bucket, objectKey: 'my-certificate' },
+        fleet,
       },
     }),
   });
@@ -233,6 +241,10 @@ test('CodeBuild: environment variables specified in multiple places are correctl
           'Fn::GetAtt': ['SecurityGroupDD263621', 'GroupId'],
         }],
       },
+      Certificate: 'arn:aws:s3:::this-particular-bucket/my-certificate',
+      Fleet: {
+        FleetArn: { 'Fn::GetAtt': [Match.stringLikeRegexp('Fleet.*'), 'Arn'] },
+      },
     }),
     Source: {
       BuildSpec: Match.serializedJson(Match.objectLike({