cdk codebuild

    // create codebuild project
    const codeBuildProject = new codebuild.Project(
      scope,
      `${props.environment}-${props.pipelineNamePrefix}-validation`,
      {
        projectName: `${props.environment}-${props.pipelineNamePrefix}-validation`,
        source: githubSource,
        buildSpec: codebuild.BuildSpec.fromSourceFilename('buildspec_pull_request.yml'),
        environment: {
          buildImage: codebuild.LinuxBuildImage.AMAZON_LINUX_2,
          privileged: true,
          environmentVariables: buildEnvVariables,
          computeType: props.computeType,
        },
      }
    );

    // Attach permissions to codebuild role
    codeBuildProject.addToRolePolicy(
      new PolicyStatement({
        effect: Effect.ALLOW,
        resources: [props.deploymentRoleArn],
        actions: ['sts:AssumeRole'],
      })
    );

    // attach a separated policy that allows getParam from parameter store.
    codeBuildProject.addToRolePolicy(
      new PolicyStatement({
        effect: Effect.ALLOW,
        resources: ['*'],
        actions: [
          'ssm:GetParameterHistory',
          'ssm:GetParametersByPath',
          'ssm:GetParameters',
          'ssm:GetParameter',
          'ssm:DescribeParameters',
        ],
      })
    );

    return codeBuildProject;
  }