feat(cli-lib-alpha): support hotswap deployments

[amine-mf]

Closes #26785.

Exemption Request: The cli-lib-alpha README does not currently specify the exhaustive list of arguments, which looks like a choice, thus I did not add the new argument. Currently, no integration tests were implemented for this lib, only unit tests which I did update/add.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[ajhool]

I recently submitted an issue related to the bootstrap roles and Hotswap in the CDK CLI (linked above, #26978). I'm not sure whether CDK CLI and CDK Lib use the same approach to assuming CDK Boostrap IAM roles, but if they do then I think that issue also affects CDK Lib.

TLDR: The CDK bootstrap roles don't have necessary permissions for Hotswap to work, so for hotswap you would need to create a custom IAM role that has all required permissions (like UpdateLambda-type permissions). The #26978 is a request for the hotswap team to create a CDK role that includes the necessary permissions so that users don't need to manage custom IAM users / roles.

PS. First time seeing that CDK Lib is in alpha and I'm really excited!

[amine-mf]

I recently submitted an issue related to the bootstrap roles and Hotswap in the CDK CLI (linked above, #26978). I'm not sure whether CDK CLI and CDK Lib use the same approach to assuming CDK Boostrap IAM roles, but if they do then I think that issue also affects CDK Lib.

TLDR: The CDK bootstrap roles don't have necessary permissions for Hotswap to work, so for hotswap you would need to create a custom IAM role that has all required permissions (like UpdateLambda-type permissions). The #26978 is a request for the hotswap team to create a CDK role that includes the necessary permissions so that users don't need to manage custom IAM users / roles.

PS. First time seeing that CDK Lib is in alpha and I'm really excited!

We never faced the issue before, we run the hotswap as admins as we do it only on our dev sandboxes (talking about lambdas). Using the cli-lib-alpha, we hotswap state machines, and we did not face any issue related to access rights (this runs inside a lambda with a specific role).
I think this lib and the cli do share code and the problem is probably more global but for me it is out of this PR's scope. Especially that it is very urgent for our team to have it merged.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[amine-mf]

Can anybody add pr-linter/exempt-integ-test and pr-linter/exempt-readme labels as per the Exemption Request on the first comment? (This will give a more accurate state of the PR and remove the change request status).
Thanks

[mrgrain]

@amine-mf Apologies. I have been busy this week. Should be able to get to it next week.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: ccf7887
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).