aws
diff --git a/‎packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/VariablePipelineStack.assets.json‎
Lines changed: 3 additions & 3 deletions b/‎packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/VariablePipelineStack.assets.json‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/VariablePipelineStack.template.json‎
Lines changed: 74 additions & 0 deletions b/‎packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/VariablePipelineStack.template.json‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/manifest.json‎
Lines changed: 17 additions & 1 deletion b/‎packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/manifest.json‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/tree.json‎
Lines changed: 1 addition & 1 deletion b/‎packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.js.snapshot/tree.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.ts‎
Lines changed: 13 additions & 0 deletions b/‎packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-variables.ts‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎packages/aws-cdk-lib/pipelines/lib/codepipeline/private/codebuild-factory.ts‎
Lines changed: 14 additions & 4 deletions b/‎packages/aws-cdk-lib/pipelines/lib/codepipeline/private/codebuild-factory.ts‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts‎
Lines changed: 12 additions & 0 deletions b/‎packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts‎
Lines changed: 12 additions & 0 deletions
@@ -150,6 +150,14 @@
     "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092"
    ]
   },
+  "Fleet30813DF3": {
+   "Type": "AWS::CodeBuild::Fleet",
+   "Properties": {
+    "BaseCapacity": 1,
+    "ComputeType": "BUILD_GENERAL1_SMALL",
+    "EnvironmentType": "LINUX_CONTAINER"
+   }
+  },
   "PipelineArtifactsBucketAEA9A052": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
@@ -736,7 +744,29 @@
     "Description": "Pipeline step VariablePipelineStack/Pipeline/Build/Synth",
     "EncryptionKey": "alias/aws/s3",
     "Environment": {
+     "Certificate": {
+      "Fn::Join": [
+       "",
+       [
+        {
+         "Fn::GetAtt": [
+          "SourceBucketDDD2130A",
+          "Arn"
+         ]
+        },
+        "/my-certificate.pem"
+       ]
+      ]
+     },
      "ComputeType": "BUILD_GENERAL1_SMALL",
+     "Fleet": {
+      "FleetArn": {
+       "Fn::GetAtt": [
+        "Fleet30813DF3",
+        "Arn"
+       ]
+      }
+     },
      "Image": "aws/codebuild/standard:7.0",
      "ImagePullCredentialsType": "CODEBUILD",
      "PrivilegedMode": false,
@@ -970,7 +1000,29 @@
     "Description": "Pipeline step VariablePipelineStack/Pipeline/MyWave/Produce",
     "EncryptionKey": "alias/aws/s3",
     "Environment": {
+     "Certificate": {
+      "Fn::Join": [
+       "",
+       [
+        {
+         "Fn::GetAtt": [
+          "SourceBucketDDD2130A",
+          "Arn"
+         ]
+        },
+        "/my-certificate.pem"
+       ]
+      ]
+     },
      "ComputeType": "BUILD_GENERAL1_SMALL",
+     "Fleet": {
+      "FleetArn": {
+       "Fn::GetAtt": [
+        "Fleet30813DF3",
+        "Arn"
+       ]
+      }
+     },
      "Image": "aws/codebuild/standard:7.0",
      "ImagePullCredentialsType": "CODEBUILD",
      "PrivilegedMode": false,
@@ -1204,7 +1256,29 @@
     "Description": "Pipeline step VariablePipelineStack/Pipeline/MyWave/Consume",
     "EncryptionKey": "alias/aws/s3",
     "Environment": {
+     "Certificate": {
+      "Fn::Join": [
+       "",
+       [
+        {
+         "Fn::GetAtt": [
+          "SourceBucketDDD2130A",
+          "Arn"
+         ]
+        },
+        "/my-certificate.pem"
+       ]
+      ]
+     },
      "ComputeType": "BUILD_GENERAL1_SMALL",
+     "Fleet": {
+      "FleetArn": {
+       "Fn::GetAtt": [
+        "Fleet30813DF3",
+        "Arn"
+       ]
+      }
+     },
      "Image": "aws/codebuild/standard:7.0",
      "ImagePullCredentialsType": "CODEBUILD",
      "PrivilegedMode": false,
 
@@ -23,6 +23,19 @@ class PipelineStack extends Stack {
         // }),
         commands: ['mkdir cdk.out', 'touch cdk.out/dummy'],
       }),
+      codeBuildDefaults: {
+        buildEnvironment: {
+          fleet: new codebuild.Fleet(this, 'Fleet', {
+            baseCapacity: 1,
+            computeType: codebuild.FleetComputeType.SMALL,
+            environmentType: codebuild.EnvironmentType.LINUX_CONTAINER,
+          }),
+          certificate: {
+            bucket: sourceBucket,
+            objectKey: 'my-certificate.pem',
+          },
+        },
+      },
       selfMutation: false,
     });
 
 
@@ -440,7 +440,7 @@ export function mergeCodeBuildOptions(...opts: Array<CodeBuildOptions | undefine
       cache: b.cache ?? a.cache,
       fileSystemLocations: definedArray([...a.fileSystemLocations ?? [], ...b.fileSystemLocations ?? []]),
       logging: b.logging ?? a.logging,
-    };
+    } satisfies OptionalToUndefined<CodeBuildOptions>;
   }
 }
 
@@ -453,13 +453,23 @@ function mergeBuildEnvironments(a?: codebuild.BuildEnvironment, b?: codebuild.Bu
   return {
     buildImage: b.buildImage ?? a.buildImage,
     computeType: b.computeType ?? a.computeType,
+    dockerServer: b.dockerServer ?? a.dockerServer,
+    fleet: b.fleet ?? a.fleet,
+    privileged: b.privileged ?? a.privileged,
+    certificate: b.certificate ?? a.certificate,
     environmentVariables: {
       ...a.environmentVariables,
       ...b.environmentVariables,
     },
-    privileged: b.privileged ?? a.privileged,
-    dockerServer: b.dockerServer ?? a.dockerServer,
-  };
+  } satisfies OptionalToUndefined<codebuild.BuildEnvironment>;
+}
+
+// Turns `{ foo?: boolean, bar: number }` into `{ foo: boolean | undefined, bar:
+// number }`. Lets us assert that we are enumerating all properties on a type.
+//
+// Ref: https://stackoverflow.com/a/52973675
+type OptionalToUndefined<T> = {
+  [K in keyof Required<T>]: T[K];
 }
 
 function isDefined<A>(x: A | undefined): x is NonNullable<A> {
 
@@ -164,6 +164,12 @@ test('CodeBuild: environment variables specified in multiple places are correctl
   const securityGroup = new ec2.SecurityGroup(pipelineStack, 'SecurityGroup', {
     vpc,
   });
+  const bucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket');
+  const fleet = new cbuild.Fleet(pipelineStack, 'Fleet', {
+    baseCapacity: 1,
+    computeType: cbuild.FleetComputeType.SMALL,
+    environmentType: cbuild.EnvironmentType.LINUX_CONTAINER,
+  });
 
   new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-1', {
     synth: new CodeBuildStep('Synth', {
@@ -186,6 +192,8 @@ test('CodeBuild: environment variables specified in multiple places are correctl
           computeType: cbuild.DockerServerComputeType.SMALL,
           securityGroups: [securityGroup],
         },
+        certificate: { bucket, objectKey: 'my-certificate' },
+        fleet,
       },
     }),
   });
@@ -233,6 +241,10 @@ test('CodeBuild: environment variables specified in multiple places are correctl
           'Fn::GetAtt': ['SecurityGroupDD263621', 'GroupId'],
         }],
       },
+      Certificate: 'arn:aws:s3:::this-particular-bucket/my-certificate',
+      Fleet: {
+        FleetArn: { 'Fn::GetAtt': [Match.stringLikeRegexp('Fleet.*'), 'Arn'] },
+      },
     }),
     Source: {
       BuildSpec: Match.serializedJson(Match.objectLike({