ENSURE_PROPERTY_TYPE_NOT_CHANGED false negative

[jlhood]

Running --stateful check on schema change, I have a situation where a property is going from accepting only type object to accepting type object or string. This seems like it should be considered backwards-compatible, but guard-rail is currently flagging it as a type change.

Repro steps:

1. Pull current IAM Role schema: aws cloudformation describe-type --type RESOURCE --type-name AWS::IAM::Role | jq -r .Schema > iam-role-schema.json
2. cp iam-role-schema.json iam-role-schema-modified.json
3. Manually modify iam-role-schema-modified.json so PolicyDocument property has "type": "object".
4. Run guard-rail --schema file:///path/to/iam-role-schema-modified.json --schema file:///path/to/iam-role-schema.json --stateful --format

Expected result

1. Schema passes stateful checks.
2. Actual result:

[FAILED]:

ENSURE_PROPERTY_TYPE_NOT_CHANGED:
    check-id: TP003
    message: cannot change TYPE of a property

[ammokhov]

That is indeed not a breaking change according to CloudFormation definition of a backward compatibility. However, CDK team insisted on having this marked as a breaking change