chore: replace a real IRole with a type intersection (#35885)

This re-applies #35770 (which was reverted in #35871).

Contains an upgrade to a fixed version of `jsii-pacmak`.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

allowed-breaking-changes.txt

@@ -966,6 +966,3 @@ removed:aws-cdk-lib.lambda_layer_kubectl.KubectlLayer
 # Fixing the JsonSchema interface to be consistent with JSON Schema spec
 changed-type:aws-cdk-lib.aws_apigateway.JsonSchema.additionalItems
 strengthened:aws-cdk-lib.aws_apigateway.JsonSchema
-
-# Revert a failing change
-strengthened:aws-cdk-lib.aws_stepfunctions.StateMachineProps

package.json

@@ -26,9 +26,9 @@
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.11",
     "jest-junit": "^13.2.0",
-    "jsii-diff": "1.116.0",
-    "jsii-pacmak": "1.116.0",
-    "jsii-reflect": "1.116.0",
+    "jsii-diff": "1.118.0",
+    "jsii-pacmak": "1.118.0",
+    "jsii-reflect": "1.118.0",
     "lerna": "^8.2.4",
     "nx": "^20",
     "semver": "^7.7.2",

packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts

@@ -117,7 +117,7 @@ export interface StateMachineProps {
    *
    * @default A role is automatically created
    */
-  readonly role?: iam.IRole;
+  readonly role?: iam.IRoleRef & iam.IGrantable;
 
   /**
    * Maximum run time for this state machine
@@ -427,11 +427,6 @@ export class StateMachine extends StateMachineBase {
    */
   public static readonly PROPERTY_INJECTION_ID: string = 'aws-cdk-lib.aws-stepfunctions.StateMachine';
 
-  /**
-   * Execution role of this state machine
-   */
-  public readonly role: iam.IRole;
-
   /**
    * The name of the state machine
    * @attribute
@@ -455,6 +450,11 @@ export class StateMachine extends StateMachineBase {
    */
   public readonly stateMachineRevisionId: string;
 
+  /**
+   * Execution role of this state machine
+   */
+  private readonly _role: iam.IRoleRef & iam.IGrantable;
+
   constructor(scope: Construct, id: string, props: StateMachineProps) {
     super(scope, id, {
       physicalName: props.stateMachineName,
@@ -476,7 +476,7 @@ export class StateMachine extends StateMachineBase {
       this.validateLogOptions(props.logs);
     }
 
-    this.role = props.role || new iam.Role(this, 'Role', {
+    this._role = props.role || new iam.Role(this, 'Role', {
       assumedBy: new iam.ServicePrincipal('states.amazonaws.com'),
     });
 
@@ -494,7 +494,7 @@ export class StateMachine extends StateMachineBase {
     }
 
     if (props.encryptionConfiguration instanceof CustomerManagedEncryptionConfiguration) {
-      this.role.addToPrincipalPolicy(new iam.PolicyStatement({
+      this._role.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
         effect: iam.Effect.ALLOW,
         actions: [
           'kms:Decrypt', 'kms:GenerateDataKey',
@@ -513,7 +513,7 @@ export class StateMachine extends StateMachineBase {
       }));
 
       if (props.logs && props.logs.level !== LogLevel.OFF) {
-        this.role.addToPrincipalPolicy(new iam.PolicyStatement({
+        this._role.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
           effect: iam.Effect.ALLOW,
           actions: [
             'kms:GenerateDataKey',
@@ -540,10 +540,10 @@ export class StateMachine extends StateMachineBase {
     const resource = new CfnStateMachine(this, 'Resource', {
       stateMachineName: this.physicalName,
       stateMachineType: props.stateMachineType ?? undefined,
-      roleArn: this.role.roleArn,
+      roleArn: this._role.roleRef.roleArn,
       loggingConfiguration: props.logs ? this.buildLoggingConfiguration(props.logs) : undefined,
       tracingConfiguration: this.buildTracingConfiguration(props.tracingEnabled),
-      ...definitionBody.bind(this, this.role, props, graph),
+      ...definitionBody.bind(this, this._role.grantPrincipal, props, graph),
       definitionSubstitutions: props.definitionSubstitutions,
       encryptionConfiguration: buildEncryptionConfiguration(props.encryptionConfiguration),
     });
@@ -569,15 +569,27 @@ export class StateMachine extends StateMachineBase {
    * The principal this state machine is running as
    */
   public get grantPrincipal() {
-    return this.role.grantPrincipal;
+    return this._role.grantPrincipal;
+  }
+
+  /**
+   * Execution role of this state machine
+   *
+   * Will throw if the Role object that was given does not implement IRole
+   */
+  public get role(): iam.IRole {
+    if (!isIRole(this._role)) {
+      throw new ValidationError(`The role given to this StateMachine is not an IRole, but ${this._role.constructor.name}`, this);
+    }
+    return this._role;
   }
 
   /**
    * Add the given statement to the role's policy
    */
   @MethodMetadata()
   public addToRolePolicy(statement: iam.PolicyStatement) {
-    this.role.addToPrincipalPolicy(statement);
+    this._role.grantPrincipal.addToPrincipalPolicy(statement);
   }
 
   private validateStateMachineName(stateMachineName: string) {
@@ -846,3 +858,9 @@ export class ChainDefinitionBody extends DefinitionBody {
     };
   }
 }
+
+function isIRole(x: iam.IRoleRef): x is iam.IRole {
+  const xx = x as iam.IRole;
+  return (!!xx.addManagedPolicy && !!xx.addToPrincipalPolicy && !!xx.assumeRoleAction && !!xx.attachInlinePolicy
+   && !!xx.grant && !!xx.policyFragment);
+}

packages/awslint/bin/awslint.ts

@@ -2,12 +2,15 @@
 /* eslint-disable no-console */
 import * as child_process from 'child_process';
 import * as path from 'path';
+import { JsiiFeature } from '@jsii/spec';
 import * as chalk from 'chalk';
 import * as fs from 'fs-extra';
 import * as reflect from 'jsii-reflect';
 import * as yargs from 'yargs';
 import { ALL_RULES_LINTER, DiagnosticLevel, RuleFilterSet } from '../lib';
 
+const FEATURES: JsiiFeature[] = ['intersection-types'];
+
 let stackTrace = false;
 
 async function main() {
@@ -247,7 +250,7 @@ main().catch(e => {
 
 async function loadModule(dir: string) {
   const ts = new reflect.TypeSystem();
-  await ts.load(dir, { validate: false }); // Don't validate to save 66% of execution time (20s vs 1min).
+  await ts.load(dir, { validate: false, supportedFeatures: FEATURES }); // Don't validate to save 66% of execution time (20s vs 1min).
   // We run 'awslint' during build time, assemblies are guaranteed to be ok.
 
   // We won't load any more assemblies. Lock the typesystem to benefit from performance improvements.

packages/awslint/lib/rules/api.ts

@@ -139,6 +139,11 @@ apiLinter.add({
         return;
       }
 
+      if (type.intersectionOfTypes) {
+        // Type intersections are okay
+        return;
+      }
+
       throw new Error(`invalid type reference: ${type.toString()}`);
     }
   },

scripts/run-rosetta.sh

@@ -73,7 +73,7 @@ time $ROSETTA extract \
 
 if $infuse; then
     echo "💎 Generating synthetic examples for the remainder" >&2
-    time npx cdk-generate-synthetic-examples@^0.1.292 \
+    time npx cdk-generate-synthetic-examples \
         $(cat $jsii_pkgs_file)
 
     time $ROSETTA extract \

tools/@aws-cdk/cdk-build-tools/package.json

@@ -63,8 +63,8 @@
     "jest-junit": "^13.2.0",
     "jsii": "~5.9.8",
     "jsii-rosetta": "~5.9.9",
-    "jsii-pacmak": "1.116.0",
-    "jsii-reflect": "1.116.0",
+    "jsii-pacmak": "1.118.0",
+    "jsii-reflect": "1.118.0",
     "markdownlint-cli": "^0.45.0",
     "nyc": "^15.1.0",
     "semver": "^7.7.2",

yarn.lock

@@ -3518,6 +3518,14 @@
     chalk "^4.1.2"
     semver "^7.7.2"
 
+"@jsii/[email protected]":
+  version "1.118.0"
+  resolved "https://registry.npmjs.org/@jsii/check-node/-/check-node-1.118.0.tgz#0be4fef43c7058764e3b4d146c6fbc80306de6bd"
+  integrity sha512-8IaXtUO6oq3Dmi9rxXqsBRnKxqbe0OARGt4tw46Li7kR5/GXE/DBGPKZ2rOvi2CekOh8b3VGBU+wd84RQciTAA==
+  dependencies:
+    chalk "^4.1.2"
+    semver "^7.7.2"
+
 "@jsii/[email protected]":
   version "1.114.1"
   resolved "https://registry.npmjs.org/@jsii/spec/-/spec-1.114.1.tgz#9c064d57f062d913bcfda25b5496bdf4c9c95c46"
@@ -3539,6 +3547,13 @@
   dependencies:
     ajv "^8.17.1"
 
+"@jsii/[email protected]":
+  version "1.118.0"
+  resolved "https://registry.npmjs.org/@jsii/spec/-/spec-1.118.0.tgz#66d6da3089e002ee3ee89dcc6e9d284a039acf94"
+  integrity sha512-aVe535/sN1EW88DYiEO3r0gqkKJ7ob0yfWC8+c1GVEayAecuvBjmwzzc7oDIIOthZ7PT3OBJ2xPqGqtbCyR3Uw==
+  dependencies:
+    ajv "^8.17.1"
+
 "@lerna/[email protected]":
   version "8.2.4"
   resolved "https://registry.npmjs.org/@lerna/create/-/create-8.2.4.tgz#59a050f58681e9236db38cc5bcc6986ae79d1389"
@@ -6654,10 +6669,10 @@ code-block-writer@^13.0.3:
   resolved "https://registry.npmjs.org/code-block-writer/-/code-block-writer-13.0.3.tgz#90f8a84763a5012da7af61319dd638655ae90b5b"
   integrity sha512-Oofo0pq3IKnsFtuHqSF7TqBfr71aeyZDVJ0HpmqB7FBM2qEigL0iPONSCZSO9pE9dZTAxANe5XHG9Uy0YMv8cg==
 
-codemaker@^1.116.0:
-  version "1.116.0"
-  resolved "https://registry.npmjs.org/codemaker/-/codemaker-1.116.0.tgz#1fccbcb720f987ac3d21b0fb92ad6e749eedb6b3"
-  integrity sha512-o23BKz+Y0Yam/czEbe3UAXVqSY4HFKgUYTffx3YW6yPtAVSX0d50BgIU0RxCUGIWmFD9Go3tXqraRDpo7TxMLg==
+codemaker@^1.118.0:
+  version "1.118.0"
+  resolved "https://registry.npmjs.org/codemaker/-/codemaker-1.118.0.tgz#2587611d167bdece0beff9f2748b2baae04c655b"
+  integrity sha512-d6ddG2oKNwkYBRJtsdEaKbJLBaxZJO0ImSG89wi6j5y549olTB3ERsqGGRZ47HlRuaVpkbOXnG/kb8I6ELxtMA==
   dependencies:
     camelcase "^6.3.0"
     decamelize "^5.0.1"
@@ -10064,37 +10079,37 @@ jsesc@^3.0.2:
   resolved "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz#74d335a234f67ed19907fdadfac7ccf9d409825d"
   integrity sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA==
 
-jsii-diff@1.116.0:
-  version "1.116.0"
-  resolved "https://registry.npmjs.org/jsii-diff/-/jsii-diff-1.116.0.tgz#0445d7492e42f7b27c7c7e08703181a3cbcca5cf"
-  integrity sha512-6t7MJe9gWo/vnkQrHNLlOdOO7ZRnqqGoC2uk8M1C2Gc/Yc8mBuyQhF9Fj0+hPmChURI5cqHsFatFce9P79fS0Q==
+jsii-diff@1.118.0:
+  version "1.118.0"
+  resolved "https://registry.npmjs.org/jsii-diff/-/jsii-diff-1.118.0.tgz#d91be0448a29dc0aacca0b2350d20186dfb1243d"
+  integrity sha512-Po0jJU5ib3G7IZ411OZbILyTFcJ1veb1O1NK1OSg2iejquhEnViNhrZSwEgbCWIZyfu+BKTgrW7rG3KYgPgAhA==
   dependencies:
-    "@jsii/check-node" "1.116.0"
-    "@jsii/spec" "1.116.0"
+    "@jsii/check-node" "1.118.0"
+    "@jsii/spec" "1.118.0"
     fs-extra "^10.1.0"
-    jsii-reflect "^1.116.0"
+    jsii-reflect "^1.118.0"
     log4js "^6.9.1"
     yargs "^17.7.2"
 
-jsii-pacmak@1.116.0:
-  version "1.116.0"
-  resolved "https://registry.npmjs.org/jsii-pacmak/-/jsii-pacmak-1.116.0.tgz#c94d0141d56dbd4f3e9c0d6a5234a9a72ab28215"
-  integrity sha512-X3UQouUnp05/CbtZzORrBIDQBb26ChX6Ms5q3dXxsJyk5/DEJaCkd6pAnU3wiya7Tsrd8K09mSiuseMzxFvs8Q==
+jsii-pacmak@1.118.0:
+  version "1.118.0"
+  resolved "https://registry.npmjs.org/jsii-pacmak/-/jsii-pacmak-1.118.0.tgz#a4ad053535ffc4142a544c797272082e98289801"
+  integrity sha512-RY7l//WI8G3IN2u1R8S6rFDT2jcNwjiR3RWyWu6NtcPchn+V/8aqX+8j1PmyRGfop8qAKcPc0AL3rAx2OmcmAw==
   dependencies:
-    "@jsii/check-node" "1.116.0"
-    "@jsii/spec" "1.116.0"
+    "@jsii/check-node" "1.118.0"
+    "@jsii/spec" "1.118.0"
     clone "^2.1.2"
-    codemaker "^1.116.0"
+    codemaker "^1.118.0"
     commonmark "^0.31.2"
     escape-string-regexp "^4.0.0"
     fs-extra "^10.1.0"
-    jsii-reflect "^1.116.0"
+    jsii-reflect "^1.118.0"
     semver "^7.7.2"
     spdx-license-list "^6.10.0"
     xmlbuilder "^15.1.1"
     yargs "^17.7.2"
 
-[email protected], jsii-reflect@^1.116.0:
+[email protected]:
   version "1.116.0"
   resolved "https://registry.npmjs.org/jsii-reflect/-/jsii-reflect-1.116.0.tgz#2dda056b311b9b7eed49ac27c45743f64f0057d7"
   integrity sha512-ZIHznFUMHQinqNLu48JibrnB0O0EeINCUgtkgV+SqEN7wsM1kxT3SBLHEbCQqPzB5ZsQzrdl9JW1vMi14/YqGA==
@@ -10106,6 +10121,18 @@ [email protected], jsii-reflect@^1.116.0:
     oo-ascii-tree "^1.116.0"
     yargs "^17.7.2"
 
+[email protected], jsii-reflect@^1.118.0:
+  version "1.118.0"
+  resolved "https://registry.npmjs.org/jsii-reflect/-/jsii-reflect-1.118.0.tgz#ff33ffba10090e5903dd9ddb2a5c6252c1fbf1c3"
+  integrity sha512-P3iASRGS8j87uT66MZ2jQvxPZRLdXBMoSEBECn3+krKCauaZntymXm/iQmWCgTnpt43cwz+eYkY1D3KA1sGjzA==
+  dependencies:
+    "@jsii/check-node" "1.118.0"
+    "@jsii/spec" "1.118.0"
+    chalk "^4"
+    fs-extra "^10.1.0"
+    oo-ascii-tree "^1.118.0"
+    yargs "^17.7.2"
+
 jsii-reflect@^1.115.0:
   version "1.115.0"
   resolved "https://registry.npmjs.org/jsii-reflect/-/jsii-reflect-1.115.0.tgz#debe523fa2de0ba020d54d41a2f7b0e0bc8ef048"
@@ -11752,6 +11779,11 @@ oo-ascii-tree@^1.116.0:
   resolved "https://registry.npmjs.org/oo-ascii-tree/-/oo-ascii-tree-1.116.0.tgz#2bd95d7de16b842289e01bd83e29f93ea463eaf5"
   integrity sha512-GI0n8coDIoZPywmZp5l2qPO1tqZxN40/tFPYBxWD2vpPeciKiB/nxZ7blDjp97ejxtmdkNouvAmtg4nCYgZihg==
 
+oo-ascii-tree@^1.118.0:
+  version "1.118.0"
+  resolved "https://registry.npmjs.org/oo-ascii-tree/-/oo-ascii-tree-1.118.0.tgz#1d222c348358f96362c6b65f766f2af39a42bb9c"
+  integrity sha512-ATGzZ+AxeHuGdNlniQNn9xvaVDo8IfET84Xep0XS33KXr19EZum7VpzBuKtcfNM/NQ7uk1d4ePXMqyiHeA9Dxw==
+
 open@^8.4.0:
   version "8.4.2"
   resolved "https://registry.npmjs.org/open/-/open-8.4.2.tgz#5b5ffe2a8f793dcd2aad73e550cb87b59cb084f9"