codebuild: Multiple entries in FilterGroup.inEventOf generates incorrect CloudFormation entry

[ewanmellor]

Describe the bug

const project = new Project(this, 'MyProject', {
    source: Source.gitHub({
        webhook: true,
        webhookFilters: [
            FilterGroup.inEventOf(
                    EventAction.PULL_REQUEST_CREATED,
                    EventAction.PULL_REQUEST_UPDATED,
            ),
        ]
    })
})

This results in a CloudFormation template like this:

     Triggers:
        FilterGroups:
          - - Pattern: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED
              Type: EVENT

Note the space after the comma.

This doesn't actually work when deployed to AWS using cdk deploy; only the first entry is honored, and the CodeBuild UI just shows PULL_REQUEST_CREATED as the trigger.

I have confirmed that the space is the issue, by using the following escape hatch, which generates without the space and works correctly on AWS:

        const cfnProject = project.node.defaultChild as CfnProject
        const triggers = cfnProject.triggers as CfnProject.ProjectTriggersProperty
        const filterGroups = triggers.filterGroups as CfnProject.WebhookFilterProperty[][]
        filterGroups[0].pop()
        filterGroups[0].push({
            type: 'EVENT',
            pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED',
        })

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Correct CodeFormation template to be generated.

Current Behavior

Incorrect CodeFormation template was generated.

Reproduction Steps

As above.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.177.0 (build b396961)

Framework Version

aws-cdk and aws-cdk-lib both 2.177.0

Node.js Version

v20.14.0

OS

macOS 15.1.1 (24B91)

Language

TypeScript

Language Version

TypeScript 5.5.4

Other information

No response

[ashishdhingra]

Using below customer provided code:

import * as cdk from 'aws-cdk-lib';
import * as codebuild from "aws-cdk-lib/aws-codebuild";

export class CdktestStackNew extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const project = new codebuild.Project(this, 'MyProject', {
      source: codebuild.Source.gitHub({
        webhook: true,
        webhookFilters: [
          codebuild.FilterGroup.inEventOf(
            codebuild.EventAction.PULL_REQUEST_CREATED,
            codebuild.EventAction.PULL_REQUEST_UPDATED,
          ),
        ],
        owner: 'SomeGitHubUser'
      })
    });
  }
}

This generates the below CFN template:

Resources:
  MyProjectRole9BBE5233:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: CdktestStackNew/MyProject/Role/Resource
  MyProjectRoleDefaultPolicyB19B7C29:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - arn:aws:logs:us-east-2:<<ACCOUNT-ID>>:log-group:/aws/codebuild/
                    - Ref: MyProject39F7B0AE
                    - :*
              - Fn::Join:
                  - ""
                  - - arn:aws:logs:us-east-2:<<ACCOUNT-ID>>:log-group:/aws/codebuild/
                    - Ref: MyProject39F7B0AE
          - Action:
              - codebuild:BatchPutCodeCoverages
              - codebuild:BatchPutTestCases
              - codebuild:CreateReport
              - codebuild:CreateReportGroup
              - codebuild:UpdateReport
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - arn:aws:codebuild:us-east-2:<<ACCOUNT-ID>>:report-group/
                  - Ref: MyProject39F7B0AE
                  - -*
        Version: "2012-10-17"
      PolicyName: MyProjectRoleDefaultPolicyB19B7C29
      Roles:
        - Ref: MyProjectRole9BBE5233
    Metadata:
      aws:cdk:path: CdktestStackNew/MyProject/Role/DefaultPolicy/Resource
  MyProject39F7B0AE:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Cache:
        Type: NO_CACHE
      EncryptionKey: alias/aws/s3
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:7.0
        ImagePullCredentialsType: CODEBUILD
        PrivilegedMode: false
        Type: LINUX_CONTAINER
      ServiceRole:
        Fn::GetAtt:
          - MyProjectRole9BBE5233
          - Arn
      Source:
        Location: CODEBUILD_DEFAULT_WEBHOOK_SOURCE_LOCATION
        ReportBuildStatus: true
        Type: GITHUB
      Triggers:
        FilterGroups:
          - - Pattern: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED
              Type: EVENT
        ScopeConfiguration:
          Name: SomeGitHubUser
        Webhook: true
    Metadata:
      aws:cdk:path: CdktestStackNew/MyProject/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/y2KSwrDIBQAz5K9viahkO57gWAPEIy+wjNGwU9DEe9earKaYZgRhmmCvpNH5Epv3NIK5ZWk2pg84lKU17hmshrKHLxBldjz7S6tjOQORXiL/9o4e0vq26ZmtTKB0eegzufyypzXCCbePsMDxh7unYlEPGSXaEcQJ3+ZrH9SnwAAAA==
    Metadata:
      aws:cdk:path: CdktestStackNew/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]

Per AWS::CodeBuild::Project WebhookFilter, Pattern property has description that for a WebHookFilter that uses EVENT type, a comma-separated string that specifies one or more events. For example, the webhook filter PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED allows all push, pull request created, and pull request updated events to trigger a build.
Notice that in the example string, it has space character after comma.

FilterGroups are rendered by calling _toJson() here. FilterGroup._toJson() joins the items in the Set using , as delimiter.

@ewanmellor I would suggest opening an issue in https://github.com/aws-cloudformation/cloudformation-coverage-roadmap to get confirmation from CloudFormation team if space after comma delimiter is not supported (ideally it should be handled and trimmed per example in CloudFormation docs).