fix(codepipeline): replace account root principal with current pipeline role in the trust policy under ff: @aws-cdk/pipelines:reduceStageRoleTrustScope

[QuantumNeuralCoder]

Issue # (if applicable)

aws-codepipeline creates roles with broad trust policies.

Closes #33709

Reason for this change

Captured in Description of the issue.

Description of changes

1. Introduced feature flag @aws-cdk/pipelines:reduceStageRoleTrustScope (default: true).
2. Under the feature flag when enabled, the root account principal will not be added to the trust policy of stage role. Instead the stage role can now be assumed by the current role created for the pipeline.

Describe any new or updated permissions being added

Described above.

Description of how you validated changes

integ test snapshots are being updated.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.38%. Comparing base (5687d85) to head (0ce944a).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33742   +/-   ##
=======================================
  Coverage   82.38%   82.38%           
=======================================
  Files         120      120           
  Lines        6937     6937           
  Branches     1170     1170           
=======================================
  Hits         5715     5715           
  Misses       1119     1119           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.38% <ø> (ø)

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[paulhcsun]

For the failing test I think you just need to add [feats.PIPELINE_REDUCE_STAGE_ROLE_TRUST_SCOPE]: true, to this test: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/cx-api/test/features.test.ts#L24

[paulhcsun]

Integ test snapshot in the aws-scheduler-targets-alpha needs to be updated. Deploying that now and will push the changes.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 0ce944a
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[samson-keung]

What are the rationales that some tests have '@aws-cdk/pipelines:reduceStageRoleTrustScope': false while the others do not (and therefore is implicitly using '@aws-cdk/pipelines:reduceStageRoleTrustScope': true) ?

[paulhcsun]

This is because Code Repository doesn't allow new code repos, so we would not be able to deploy these tests.

[samson-keung]

Note that this does not invoke the CodePipeline and therefore, will not reveal permission misconfiguration. Since I know we have manually tested this, I am okay without assertions but please consider adding assertions.

[paulhcsun]

Agreed, we can add assertions in a follow up PR.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.