feat(cdk): introduce the new cfn-changeset-review-role for the diff command

[sakurai-ryo]

Issue # (if applicable)

Closes #29767
Closes #29936

Reason for this change

The cdk diff command needs to assume the deploy-role to create the changeset, but the deploy-role has strong privileges, such as deleting the cfn stack.
Granting developers the ability to be able to assume the deploy-role to use the cdk diff command is a problem that some organizations should avoid.
To avoid this, creating a new role in the Bootstrapping process with only limited privileges is necessary to avoid using the deploy-role when using the cdk diff command.

Description of changes

Introducing a new role

Introduce a new cfn-changeset-review-role and give the cdk diff command the permissions it needs to create changesets.
With this change, the required roles for each operation are as follows

Operation	CDK Bootstrap Roles to Assume
Lookup	lookup-role
Diff	lookup-role cfn-changeset-review-role
Deploy	cfn-exec-role lookup-role deploy-role file-publishing-role image-publishing-role

The cfn-changeset-review-role has the following permissions.

Action	Description
cloudformation:CreateChangeSet	Creates a changeset.
cloudformation:DeleteChangeSet	Deletes a specified changeset.
cloudformation:DescribeChangeSet	Returns the description of the specified change set.
cloudformation:DescribeStacks	Check for the existence of the specified stack.
s3:PutObject*	Upload to S3 when a template exceeding 51,200 bytes is specified.
s3:GetObject*	Download a template uploaded to S3
kms:GenerateDataKey*	Upload files to the staging bucket in SSE-KMS encryption mode.

The cloud-assembly-schema is modified to allow users to use this role.
It will be added to manifest.json in the same format as the existing lookup-role.
Retaining the role's Arn and the requiresBootstrapStackVersion will help if permissions are changed in the future.

Change behavior when executing `cdk diff

Currently, we assume to deploy-role before creating the changeset, but changing it to assume to the new changeset-role.
If for some reason it is not possible to assume to changeset-role, it will fall back to assume the deploy-role.
For example, when changeset-role does not exist.
This allows the cdk diff to work in environments without the latest Bootstrap version.

app-staging-synthesizer module

With the introduction of the new changeset-role, I modified the app-staging-synthesizer module so that it can be used in the same way.

Description of how you validated changes

Added cli-integ test to verify successful upload of cfn template and creation of changeset using the new role, plus several other unit tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[sakurai-ryo]

The require.resolve function searches under node_modules, so we were not able to use fake npm to use local packages.

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[sakurai-ryo]

If we use ??, the right side will not be returned if Number(~) returns NaN when the IMAGE_COPIES is undefined.

[sakurai-ryo]

Because CloudFormation cannot assume the cfn-changeset-review-role.

[sakurai-ryo]

Exemption Request
Wait for the maintainer to run the test.

[sakurai-ryo]

hmm, the pr-linter/exemption-requested label is not attached.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ CLI code has changed. A maintainer must run the code through the testing pipeline (git fetch origin pull/30329/head && git push -f origin FETCH_HEAD:test-main-pipeline), then add the 'pr-linter/cli-integ-tested' label when the pipeline succeeds.

PRs must pass status checks before we can provide a meaningful review.

If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing Exemption Request and/or Clarification Request.

✅ A exemption request has been requested. Please wait for a maintainer's review.

[mergify]

⚠️ The sha of the head commit of this PR conflicts with #30568. Mergify cannot evaluate rules on this PR. ⚠️

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 2b28865
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

⚠️ The sha of the head commit of this PR conflicts with #30568. Mergify cannot evaluate rules on this PR. ⚠️

[mergify]

⚠️ The sha of the head commit of this PR conflicts with #30568. Mergify cannot evaluate rules on this PR. ⚠️

[mergify]

⚠️ The sha of the head commit of this PR conflicts with #30568. Mergify cannot evaluate rules on this PR. ⚠️