From 77ce45d878f2d1cb453e36ae4d83228bee878ef1 Mon Sep 17 00:00:00 2001
From: Benura Abeywardena <43112139+BLasan@users.noreply.github.com>
Date: Tue, 23 Mar 2021 02:36:58 +0530
Subject: [PATCH] fix(codepipeline-actions): BitBucketAction fails with S3 "Access denied" error (#13637)
Previously access control lists for putObject was not called. This had led in getting access denied issue when trying to upload objects into the s3 bucket
fixes #13557
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../lib/bitbucket/source-action.ts | 1 +
 .../bitbucket/bitbucket-source-action.test.ts | 34 +++++++++++++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/bitbucket/source-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/bitbucket/source-action.ts
index 085ff15e9f162..bdaca541dbf05 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/lib/bitbucket/source-action.ts
+++ b/packages/@aws-cdk/aws-codepipeline-actions/lib/bitbucket/source-action.ts
@@ -117,6 +117,7 @@ export class BitBucketSourceAction extends Action {
 // the action needs to write the output to the pipeline bucket
 options.bucket.grantReadWrite(options.role);
+ options.bucket.grantPutAcl(options.role);
 // if codeBuildCloneOutput is true,
 // save the connectionArn in the Artifact instance
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts
index eccbb53970d33..ef5a06305bd56 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts
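Review bot: The added `options.bucket.grantPutAcl(options.role);` carries no comment explaining why an ACL permission is needed on top of the `grantReadWrite` on the line above, so a later least-privilege cleanup is likely to remove it and reintroduce the access-denied failure this commit fixes. The commit message ties the grant to the action setting an ACL when it uploads the artifact; capture that next to the line, e.g. `// the source action also sets an ACL on the uploaded artifact, so PutObjectAcl is needed in addition to read/write (#13557)`. The grant sits before the `codeBuildCloneOutput` comment, so it appears to apply regardless of that flag; that is an inference, since the enclosing method of BitBucketSourceAction starts and ends outside the hunk.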
@@ -1,4 +1,4 @@
-import { expect, haveResourceLike } from '@aws-cdk/assert';
+import { arrayWith, expect, haveResourceLike, objectLike } from '@aws-cdk/assert';
 import * as codebuild from '@aws-cdk/aws-codebuild';
 import * as codepipeline from '@aws-cdk/aws-codepipeline';
 import { Stack } from '@aws-cdk/core';
@@ -82,7 +82,37 @@ nodeunitShim({
 test.done();
 },
-
+ 'grant s3 putObjectACL to the following CodeBuild Project'(test: Test) {
+ const stack = new Stack();
+ createBitBucketAndCodeBuildPipeline(stack, {
+ codeBuildCloneOutput: true,
+ });
+ expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+ 'PolicyDocument': {
+ 'Statement': arrayWith(
+ objectLike({
+ 'Action': 's3:PutObjectAcl',
+ 'Effect': 'Allow',
+ 'Resource': {
+ 'Fn::Join': [
+ '',
+ [
+ {
+ 'Fn::GetAtt': [
+ 'PipelineArtifactsBucket22248F97',
+ 'Arn',
+ ],
+ },
+ '/*',
+ ],
+ ],
+ },
+ }),
+ ),
+ },
+ }));
+ test.done();
+ },
 'setting triggerOnPush=false reflects in the configuration'(test: Test) {
 const stack = new Stack();
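Review bot: The new test's name, `'grant s3 putObjectACL to the following CodeBuild Project'`, does not describe what it asserts: the check is for an `AWS::IAM::Policy` statement allowing `s3:PutObjectAcl` on the artifact bucket objects, which the first hunk attaches to the action role, not to a CodeBuild project; a name such as `'grants s3:PutObjectAcl on the artifact bucket to the action role'` would match the assertion. The test also only exercises `codeBuildCloneOutput: true`, while the grant in source-action.ts appears not to depend on that flag, so a second case with the flag omitted would pin that the permission is present for the plain source action too. The `nodeunitShim({` object that holds this test opens and closes outside the hunk.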