app-staging-synthesizer-alpha: Uses default bootstrap exec role when bootstrapQualifier is supplied

[BrianFarnhill]

Describe the bug

Consider the following use of the AppStagingSynthesizer:

defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
    appId: 'UniqueAppId',
    bootstrapQualifier: 'Custom',
    deploymentIdentities: DeploymentIdentities.defaultBootstrapRoles({
      bootstrapRegion: 'ap-southeast-2',
    }),
  }),

In this scenario I'm trying to avoid the use of the default qualifier at all (to meet a customer requirement, each bootstrap uses a unique qualifier that enforces a specific permission boundary for each app that is deployed). When I deploy this the app works and my main CDK stacks all use the CFN exec role that goes with the 'Custom' qualifier in this case, but the Staging Stack itself still relies on the exec role from the default bootstrap. I would expect that given I've specified a qualifier here that it would use that for the staging stack as well, but if that assumption is wrong, having an option to specific the exec role for the staging stack would also address the concern.

Expected Behavior

I would expect the deployment role used on the staging stack to match that of the Custom bootstrap qualifier that was deployed in to the account.

Current Behavior

It deploys with the default bootstrap qualifier instead (being hnb659fds and the role arn:aws:iam::{ACCOUNT}:role/cdk-hnb659fds-cfn-exec-role-{ACCOUNT}-{REGION} if you don't customise the bootstrap)

Reproduction Steps

Use the code snippet from the example - you'll need to create a secondary bootstrap qualifier as well as the default one though, so the flow would be:

1. Deploy the default bootstrap with cdk bootstrap aws://ACCOUNT-NUMBER-1/REGION-1 (using your account number and region)
2. Deploy a custom bootstrap with cdk bootstrap --qualifier Custom aws://ACCOUNT-NUMBER-1/REGION-1 (using your account number and region)
3. Use the snippet above with the qualifier name and appropriate region name
4. Deploy any CDK stack against that synthesiser

Go in here and look at the deployed stack, you'll see the StagingStack uses the default qualifier. You'll also see that role called out in the manifest.json file in the cdk.out directory for the staging stack:

"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.100.0 (build e1b5c77)

Framework Version

No response

Node.js Version

v18.18.0

OS

Linux and MacOs

Language

TypeScript

Language Version

TypeScript (5.5.2)

Other information

No response

[pahud]

Yes I can reproduce this, it's still deploying with the role using hnb659fds qualifier.

[sakurai-ryo]

We are using BootstraplessSynthesizer to deploy the StagingStack, but we can't pass qualifier to it like we can to DefaultStackSynthesizer .
So need to update the BootstraplessSynthesizerProps to accept arguments such as qualifier.

aws-cdk/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts

Line 262 in 358cead

synthesizer: new BootstraplessSynthesizer(),

I'll submit a PR when I have time.