chore: add retrospective integration test for Permissions Boundaries (#34899)

This is an integ test that would have caught the priority reversal problem introduced in #32333.

This integration test tests the case of a customer setting a permissions boundary using a custom aspect,
then trying to override at a more specific level using the PermissionsBoundary.of() API.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.custom-permissions-boundary-aspect.js.snapshot/cdk.out

@@ -0,0 +1,85 @@
+{
+ "Resources": {
+  "NormalRoleE03CFB68": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "sqs.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PermissionsBoundary": "arn:aws:iam::aws:policy/ReadOnlyAccess"
+   }
+  },
+  "PowerRoleD07CA715": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "sqs.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PermissionsBoundary": {
+     "Fn::Join": [
+      "",
+      [
+       "arn:",
+       {
+        "Ref": "AWS::Partition"
+       },
+       ":iam::aws:policy/AdministratorAccess"
+      ]
+     ]
+    }
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.custom-permissions-boundary-aspect.js.snapshot/integ-permissions-boundary.assets.json

@@ -0,0 +1,50 @@
+/**
+ * This integration test tests the case of a customer setting a permissions boundary using a custom aspect,
+ * then trying to override at a more specific level using the PermissionsBoundary.of() API.
+ *
+ * Overriding should work.
+ */
+import { App, Stack, IAspect, Aspects } from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { CfnRole, ManagedPolicy, PermissionsBoundary, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
+import { IConstruct } from 'constructs';
+
+class CustomAspect implements IAspect {
+  public visit(node: IConstruct): void {
+    if (node instanceof CfnRole) {
+      node.addPropertyOverride('PermissionsBoundary', 'arn:aws:iam::aws:policy/ReadOnlyAccess');
+    }
+  }
+}
+
+const app = new App({
+  postCliContext: {
+    // Force the intended behavior, from before we found this bug
+    '@aws-cdk/core:aspectPrioritiesMutating': false,
+  },
+});
+
+const stack = new Stack(app, 'integ-permissions-boundary', {
+  env: {
+    account: process.env.CDK_INTEG_ACCOUNT ?? process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_INTEG_REGION ?? process.env.CDK_DEFAULT_REGION,
+  },
+});
+
+Aspects.of(stack).add(new CustomAspect());
+
+new Role(stack, 'NormalRole', {
+  assumedBy: new ServicePrincipal('sqs.amazonaws.com'),
+});
+
+const powerRole = new Role(stack, 'PowerRole', {
+  assumedBy: new ServicePrincipal('sqs.amazonaws.com'),
+});
+
+PermissionsBoundary.of(powerRole).apply(ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'));
+
+new IntegTest(app, 'integ-test', {
+  testCases: [stack],
+});
+
+app.synth();