feat(cli): diff now uses the lookup Role for new-style synthesis

packages/@aws-cdk/cloud-assembly-schema/lib/cloud-assembly/artifact-schema.ts

@@ -56,6 +56,13 @@ export interface AwsCloudFormationStackProperties {
    */
   readonly cloudFormationExecutionRoleArn?: string;
 
+  /**
+   * The role to use to look up values from the target AWS account
+   *
+   * @default - No role is assumed (current credentials are used)
+   */
+  readonly lookupRoleArn?: string;
+
   /**
    * If the stack template has already been included in the asset manifest, its asset URL
    *

packages/@aws-cdk/cloud-assembly-schema/schema/cloud-assembly.schema.json

@@ -307,6 +307,10 @@
                     "description": "The role that is passed to CloudFormation to execute the change set (Default - No role is passed (currently assumed role/credentials are used))",
                     "type": "string"
                 },
+                "lookupRoleArn": {
+                    "description": "The role to use to look up values from the target AWS account (Default - No role is assumed (current credentials are used))",
+                    "type": "string"
+                },
                 "stackTemplateAssetObjectUrl": {
                     "description": "If the stack template has already been included in the asset manifest, its asset URL (Default - Not uploaded yet, upload just before deploying)",
                     "type": "string"
@@ -598,7 +602,7 @@
                     }
                 },
                 "returnAsymmetricSubnets": {
-                    "description": "Whether to populate the subnetGroups field of the {@link VpcContextResponse},\nwhich contains potentially asymmetric subnet groups.",
+                    "description": "Whether to populate the subnetGroups field of the{@linkVpcContextResponse},\nwhich contains potentially asymmetric subnet groups.",
                     "default": false,
                     "type": "boolean"
                 },

packages/@aws-cdk/cloud-assembly-schema/schema/cloud-assembly.version.json

@@ -1 +1 @@
-{"version":"15.0.0"}
+{"version":"16.0.0"}

packages/@aws-cdk/core/lib/stack-synthesizers/stack-synthesizer.ts

@@ -100,6 +100,13 @@ export interface SynthesizeStackArtifactOptions {
    */
   readonly cloudFormationExecutionRoleArn?: string;
 
+  /**
+   * The role to use to look up values from the target AWS account
+   *
+   * @default - None
+   */
+  readonly lookupRoleArn?: string;
+
   /**
    * If the stack template has already been included in the asset manifest, its asset URL
    *

packages/@aws-cdk/cx-api/lib/artifacts/cloudformation-artifact.ts

@@ -5,6 +5,32 @@ import { CloudArtifact } from '../cloud-artifact';
 import { CloudAssembly } from '../cloud-assembly';
 import { Environment, EnvironmentUtils } from '../environment';
 
+/**
+ * Information needed to access an IAM role created
+ * as part of the bootstrap process
+ */
+export interface BootstrapRole {
+  /**
+   * The ARN of the IAM role created as part of bootrapping
+   * e.g. lookupRoleArn
+   */
+  readonly arn: string;
+
+  /**
+   * Version of bootstrap stack required to use this role
+   *
+   * @default - No bootstrap stack required
+   */
+  readonly requiresBootstrapStackVersion?: number;
+
+  /**
+   * Name of SSM parameter with bootstrap stack version
+   *
+   * @default - Discover SSM parameter by reading stack
+   */
+  readonly bootstrapStackVersionSsmParameter?: string;
+}
+
 export class CloudFormationStackArtifact extends CloudArtifact {
   /**
    * The file name of the template.
@@ -75,6 +101,13 @@ export class CloudFormationStackArtifact extends CloudArtifact {
    */
   public readonly cloudFormationExecutionRoleArn?: string;
 
+  /**
+   * The role to use to look up values from the target AWS account
+   *
+   * @default - No role is assumed (current credentials are used)
+   */
+  public readonly lookupRole?: BootstrapRole;
+
   /**
    * If the stack template has already been included in the asset manifest, its asset URL
    *
@@ -135,6 +168,12 @@ export class CloudFormationStackArtifact extends CloudArtifact {
     this.bootstrapStackVersionSsmParameter = properties.bootstrapStackVersionSsmParameter;
     this.terminationProtection = properties.terminationProtection;
     this.validateOnSynth = properties.validateOnSynth;
+    this.lookupRole = properties.lookupRoleArn ? {
+      arn: properties.lookupRoleArn,
+      // the lookup role was given ReadOnlyAccess in bootstrap version 8
+      requiresBootstrapStackVersion: 8,
+      bootstrapStackVersionSsmParameter: properties.bootstrapStackVersionSsmParameter,
+    } : undefined;
 
     this.stackName = properties.stackName || artifactId;
     this.assets = this.findMetadataByType(cxschema.ArtifactMetadataEntryType.ASSET).map(e => e.data as cxschema.AssetMetadataEntry);