feat(codebuild): allow specifying principals and credentials for pulling build images

[Kaixiang-AWS]

When using an image that is hosted in a private Docker registry,
you have to pass the appropriate credentials in order to authenticate against that registry.
This change allows passing those credentials when creating a custom build image.

It also introduces the concept of the principal that CodeBuild will use to pull the image -
previously, CodeBuild would always use its own identity when pulling images,
which meant using it with an ECR-hosted image required changing the resource policy of the repository to trust CodeBuild's service principal.
Now, the default is to use the project's role when doing the pull of the image.

Fixes #2175

BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()

• codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()

---

Pull Request Checklist

• Testing
  • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
  • CLI change?: coordinate update of integration tests with team
  • cdk-init template change?: coordinated update of integration tests with team
• Docs
  • jsdocs: All public APIs documented
  • README: README and/or documentation topic updated
  • Design: For significant features, design document added to design folder
• Title and Description
  • Change type: title prefixed with fix, feat and module name in parens, which will appear in changelog
  • Title: use lower-case and doesn't end with a period
  • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
  • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
• Sensitive Modules (requires 2 PR approvers)
  • IAM Policy Document (in @aws-cdk/aws-iam)
  • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
  • Grant APIs (only if not based on official documentation with a reference)
    By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[skinny85]

I have some minor comments after the initial pass, but one big concern.

I see the implementation of LinuxBuildImage/WindowsBuildImage's fromAsset methods changed significantly. This is also reflected in the changes to the integ.ecr.lit.expect.json file (which should be rare). Can you post a rationale for doing these changes? Is this a difference in the behavior of CodeBuild's backend, that makes the current implementation possible? Or was just the "old" behavior always incorrect, in your mind? I would love to hear some details about this.

[Kaixiang-AWS]

I have some minor comments after the initial pass, but one big concern.

I see the implementation of LinuxBuildImage/WindowsBuildImage's fromAsset methods changed significantly. This is also reflected in the changes to the integ.ecr.lit.expect.json file (which should be rare). Can you post a rationale for doing these changes? Is this a difference in the behavior of CodeBuild's backend, that makes the current implementation possible? Or was just the "old" behavior always incorrect, in your mind? I would love to hear some details about this.

We want customers to use their own service role to pull ECR images instead of using codebuild's service role. Therefore, we need to move the role policy from customers ECR repo to their service role. Looks like I do make a mistake that policy was not added to customers service role correctly. I will update this PR later to fix it.

[eladb]

Looks good.

Can you please fix the PR title and follow the contribution guidelines with a clear description of what this PR is doing (not just a reference to an issue, but description of how you solved it)?

Also, would it make sense to also update the ECS module to use the same terminology (@rix0rrr)

[skinny85]

@eladb submitted a new revision which (I believe) addresses all your comments. Please re-review when you have a second. Thanks!