chore: replace a real IRole with a type intersection (#35770)

This replaces a real `IRole` instance with a type intersection (`IRoleRef & IGrantable`, which is good enough for 90% of cases).

Just on StateMachine, to test it out.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

package.json

@@ -21,7 +21,7 @@
     "@types/prettier": "2.6.0",
     "@yarnpkg/lockfile": "^1.1.0",
     "aws-sdk-js-codemod": "^2.4.5",
-    "cdk-generate-synthetic-examples": "^0.2.29",
+    "cdk-generate-synthetic-examples": "^0.2.32",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.11",

packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts

@@ -117,7 +117,7 @@ export interface StateMachineProps {
    *
    * @default A role is automatically created
    */
-  readonly role?: iam.IRole;
+  readonly role?: iam.IRoleRef & iam.IGrantable;
 
   /**
    * Maximum run time for this state machine
@@ -427,11 +427,6 @@ export class StateMachine extends StateMachineBase {
    */
   public static readonly PROPERTY_INJECTION_ID: string = 'aws-cdk-lib.aws-stepfunctions.StateMachine';
 
-  /**
-   * Execution role of this state machine
-   */
-  public readonly role: iam.IRole;
-
   /**
    * The name of the state machine
    * @attribute
@@ -455,6 +450,11 @@ export class StateMachine extends StateMachineBase {
    */
   public readonly stateMachineRevisionId: string;
 
+  /**
+   * Execution role of this state machine
+   */
+  private readonly _role: iam.IRoleRef & iam.IGrantable;
+
   constructor(scope: Construct, id: string, props: StateMachineProps) {
     super(scope, id, {
       physicalName: props.stateMachineName,
@@ -476,7 +476,7 @@ export class StateMachine extends StateMachineBase {
       this.validateLogOptions(props.logs);
     }
 
-    this.role = props.role || new iam.Role(this, 'Role', {
+    this._role = props.role || new iam.Role(this, 'Role', {
       assumedBy: new iam.ServicePrincipal('states.amazonaws.com'),
     });
 
@@ -494,7 +494,7 @@ export class StateMachine extends StateMachineBase {
     }
 
     if (props.encryptionConfiguration instanceof CustomerManagedEncryptionConfiguration) {
-      this.role.addToPrincipalPolicy(new iam.PolicyStatement({
+      this._role.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
         effect: iam.Effect.ALLOW,
         actions: [
           'kms:Decrypt', 'kms:GenerateDataKey',
@@ -513,7 +513,7 @@ export class StateMachine extends StateMachineBase {
       }));
 
       if (props.logs && props.logs.level !== LogLevel.OFF) {
-        this.role.addToPrincipalPolicy(new iam.PolicyStatement({
+        this._role.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
           effect: iam.Effect.ALLOW,
           actions: [
             'kms:GenerateDataKey',
@@ -540,10 +540,10 @@ export class StateMachine extends StateMachineBase {
     const resource = new CfnStateMachine(this, 'Resource', {
       stateMachineName: this.physicalName,
       stateMachineType: props.stateMachineType ?? undefined,
-      roleArn: this.role.roleArn,
+      roleArn: this._role.roleRef.roleArn,
       loggingConfiguration: props.logs ? this.buildLoggingConfiguration(props.logs) : undefined,
       tracingConfiguration: this.buildTracingConfiguration(props.tracingEnabled),
-      ...definitionBody.bind(this, this.role, props, graph),
+      ...definitionBody.bind(this, this._role.grantPrincipal, props, graph),
       definitionSubstitutions: props.definitionSubstitutions,
       encryptionConfiguration: buildEncryptionConfiguration(props.encryptionConfiguration),
     });
@@ -569,15 +569,27 @@ export class StateMachine extends StateMachineBase {
    * The principal this state machine is running as
    */
   public get grantPrincipal() {
-    return this.role.grantPrincipal;
+    return this._role.grantPrincipal;
+  }
+
+  /**
+   * Execution role of this state machine
+   *
+   * Will throw if the Role object that was given does not implement IRole
+   */
+  public get role(): iam.IRole {
+    if (!isIRole(this._role)) {
+      throw new ValidationError(`The role given to this StateMachine is not an IRole, but ${this._role.constructor.name}`, this);
+    }
+    return this._role;
   }
 
   /**
    * Add the given statement to the role's policy
    */
   @MethodMetadata()
   public addToRolePolicy(statement: iam.PolicyStatement) {
-    this.role.addToPrincipalPolicy(statement);
+    this._role.grantPrincipal.addToPrincipalPolicy(statement);
   }
 
   private validateStateMachineName(stateMachineName: string) {
@@ -846,3 +858,9 @@ export class ChainDefinitionBody extends DefinitionBody {
     };
   }
 }
+
+function isIRole(x: iam.IRoleRef): x is iam.IRole {
+  const xx = x as iam.IRole;
+  return (!!xx.addManagedPolicy && !!xx.addToPrincipalPolicy && !!xx.assumeRoleAction && !!xx.attachInlinePolicy
+   && !!xx.grant && !!xx.policyFragment);
+}

packages/awslint/bin/awslint.ts

@@ -2,12 +2,15 @@
 /* eslint-disable no-console */
 import * as child_process from 'child_process';
 import * as path from 'path';
+import { JsiiFeature } from '@jsii/spec';
 import * as chalk from 'chalk';
 import * as fs from 'fs-extra';
 import * as reflect from 'jsii-reflect';
 import * as yargs from 'yargs';
 import { ALL_RULES_LINTER, DiagnosticLevel, RuleFilterSet } from '../lib';
 
+const FEATURES: JsiiFeature[] = ['intersection-types'];
+
 let stackTrace = false;
 
 async function main() {
@@ -247,7 +250,7 @@ main().catch(e => {
 
 async function loadModule(dir: string) {
   const ts = new reflect.TypeSystem();
-  await ts.load(dir, { validate: false }); // Don't validate to save 66% of execution time (20s vs 1min).
+  await ts.load(dir, { validate: false, supportedFeatures: FEATURES }); // Don't validate to save 66% of execution time (20s vs 1min).
   // We run 'awslint' during build time, assemblies are guaranteed to be ok.
 
   // We won't load any more assemblies. Lock the typesystem to benefit from performance improvements.

packages/awslint/lib/rules/api.ts

@@ -139,6 +139,11 @@ apiLinter.add({
         return;
       }
 
+      if (type.intersectionOfTypes) {
+        // Type intersections are okay
+        return;
+      }
+
       throw new Error(`invalid type reference: ${type.toString()}`);
     }
   },

scripts/run-rosetta.sh

@@ -73,7 +73,7 @@ time $ROSETTA extract \
 
 if $infuse; then
     echo "💎 Generating synthetic examples for the remainder" >&2
-    time npx cdk-generate-synthetic-examples@^0.1.292 \
+    time npx cdk-generate-synthetic-examples \
         $(cat $jsii_pkgs_file)
 
     time $ROSETTA extract \

yarn.lock

@@ -3494,14 +3494,6 @@
     "@jridgewell/resolve-uri" "^3.1.0"
     "@jridgewell/sourcemap-codec" "^1.4.14"
 
-"@jsii/check-node@1.113.0":
-  version "1.113.0"
-  resolved "https://registry.npmjs.org/@jsii/check-node/-/check-node-1.113.0.tgz#13075880ea626ba8738ee3a220fa6d83fe710091"
-  integrity sha512-6iPLiQiSVn8/D89ycIpj78cMfmxOIU/F9RUTVYwLqKPw4cxpR+BCC4N83WKyGkZxhOxULLa9f5q+rkWq/vAMpA==
-  dependencies:
-    chalk "^4.1.2"
-    semver "^7.7.2"
-
 "@jsii/check-node@1.114.1":
   version "1.114.1"
   resolved "https://registry.npmjs.org/@jsii/check-node/-/check-node-1.114.1.tgz#9ff05988721cdee3d295b80a131e10e449e0571d"
@@ -3533,7 +3525,7 @@
   dependencies:
     ajv "^8.17.1"
 
-"@jsii/spec@1.115.0", "@jsii/spec@^1.114.1":
+"@jsii/spec@1.115.0", "@jsii/spec@^1.114.1", "@jsii/spec@^1.115.0":
   version "1.115.0"
   resolved "https://registry.npmjs.org/@jsii/spec/-/spec-1.115.0.tgz#be0818bd31509687cb6445873d1ec65e8d24bd24"
   integrity sha512-qnicuByM0G5L6ZF2yO/e5cHwT6pb5E0aUvgHBycFPHBkgf5yjtvm+Wtk6q61srNuRASYI25BiTOonyABNeRjlw==
@@ -3547,13 +3539,6 @@
   dependencies:
     ajv "^8.17.1"
 
-"@jsii/spec@^1.113.0":
-  version "1.113.0"
-  resolved "https://registry.npmjs.org/@jsii/spec/-/spec-1.113.0.tgz#cc9960a69c285466088c370f8e47d07c5ae73fb4"
-  integrity sha512-OAQNfJHzMmE42ySJpelOFFKCgnh6hxcKLnmgtaYEzsFW9UxH9gc945FFOXff52GbhUcigGElCqJ3MclrbgXoGw==
-  dependencies:
-    ajv "^8.17.1"
-
 "@lerna/create@8.2.4":
   version "8.2.4"
   resolved "https://registry.npmjs.org/@lerna/create/-/create-8.2.4.tgz#59a050f58681e9236db38cc5bcc6986ae79d1389"
@@ -6442,13 +6427,13 @@ case@1.6.3, case@^1.6.3:
   resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9"
   integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ==
 
-cdk-generate-synthetic-examples@^0.2.29:
-  version "0.2.29"
-  resolved "https://registry.npmjs.org/cdk-generate-synthetic-examples/-/cdk-generate-synthetic-examples-0.2.29.tgz#5dae1ec8f43b6797259e081eb6c6aa69e16158cd"
-  integrity sha512-JP3/2wL0drTcQLgoEJeewWCneBYEcOWmLtwPvvScvXNt3lRApOfhBGcqplM7w/YS2pgKAzort2w2tSzFBTmlzA==
+cdk-generate-synthetic-examples@^0.2.32:
+  version "0.2.32"
+  resolved "https://registry.npmjs.org/cdk-generate-synthetic-examples/-/cdk-generate-synthetic-examples-0.2.32.tgz#e79900e3b1f6ecc7fdb5141086561eb847fd9184"
+  integrity sha512-Uj7s8dHNv2xUM3E9iLMeSaNwWp1oJ3PmW3fZQ3wlyhUoAielOJP2eH3aMsY81FNy7vJa5KxvGZjWHi101stuWQ==
   dependencies:
-    "@jsii/spec" "^1.113.0"
-    jsii-reflect "^1.113.0"
+    "@jsii/spec" "^1.115.0"
+    jsii-reflect "^1.115.0"
     yargs "^17.7.2"
 
 cdk8s-plus-27@2.9.5:
@@ -10121,17 +10106,17 @@ jsii-reflect@1.116.0, jsii-reflect@^1.116.0:
     oo-ascii-tree "^1.116.0"
     yargs "^17.7.2"
 
-jsii-reflect@^1.113.0:
-  version "1.113.0"
-  resolved "https://registry.npmjs.org/jsii-reflect/-/jsii-reflect-1.113.0.tgz#35f6e2c9e285710edbebeb4c405b8c1fde0e9cba"
-  integrity sha512-YS0ewXfjFGTuvp8Rrd40yhPc9yYIoF2zMu8xZpWbdwCtgBabAfzra5mwNPeLBWvR4qI4PHE+A2qEGarx3Tufnw==
+jsii-reflect@^1.115.0:
+  version "1.115.0"
+  resolved "https://registry.npmjs.org/jsii-reflect/-/jsii-reflect-1.115.0.tgz#debe523fa2de0ba020d54d41a2f7b0e0bc8ef048"
+  integrity sha512-svWvulZ8IH035sLR0aEt3UiN4Ejqh99zSBfVTFsr3bjBfDZqcxIlExFI/fMb7O+a7XwT0WdTakTuX/aajQt3cg==
   dependencies:
-    "@jsii/check-node" "1.113.0"
-    "@jsii/spec" "^1.113.0"
+    "@jsii/check-node" "1.115.0"
+    "@jsii/spec" "1.115.0"
     chalk "^4"
     fs-extra "^10.1.0"
-    oo-ascii-tree "^1.113.0"
-    yargs "^16.2.0"
+    oo-ascii-tree "^1.115.0"
+    yargs "^17.7.2"
 
 jsii-rosetta@~5.9.9:
   version "5.9.9"
@@ -11757,10 +11742,10 @@ onetime@^5.1.0, onetime@^5.1.2:
   dependencies:
     mimic-fn "^2.1.0"
 
-oo-ascii-tree@^1.113.0:
-  version "1.113.0"
-  resolved "https://registry.npmjs.org/oo-ascii-tree/-/oo-ascii-tree-1.113.0.tgz#69b40e2b52d812be78141119d3010f62f3d198fe"
-  integrity sha512-9hGp+3S8qy0MSdBzp5pX2448Iv+w6QyXI6KBVihdt+Sb8nw1MxNu6ErMadTAXmyfCwZzZoEpn9hybTHEQuSJcQ==
+oo-ascii-tree@^1.115.0:
+  version "1.115.0"
+  resolved "https://registry.npmjs.org/oo-ascii-tree/-/oo-ascii-tree-1.115.0.tgz#60a28f29cc449cd4274140f5d939c08a18c5ac8b"
+  integrity sha512-KbZpipKiCQ5Ws2GryfOUWBxuVpVYosqAi85mtplgMyhQuueOZAO8qeTmNqYYHUxBHOz9O+kKCCjidEkLmCDhLQ==
 
 oo-ascii-tree@^1.116.0:
   version "1.116.0"