aws-iam: Role.customizeRoles does not work with constructs that calls applyRemovalPolicy internally #31651
Description
Describe the bug
Role.customizeRoles throws an Error if there is a construct that calls applyRemovalPolicy internally. This means users cannot use it with some constructs like RestApi.
Error: Cannot apply RemovalPolicy: no child or not a CfnResource. Apply the removal policy on the CfnResource directly.
Based on the unit test code, this appears to be the intended behavior by design. However, in practice, it is difficult for users to check whether customizeRoles has been called when using Role and avoid calling applyRemovalPolicy.
aws-cdk/packages/aws-cdk-lib/aws-iam/test/role.test.ts
Lines 250 to 252 in 18eb3eb
    expect(() => {
      role.applyRemovalPolicy(RemovalPolicy.DESTROY);
    }).toThrow(/Cannot apply RemovalPolicy/);
For example, RestApi calls applyRemovalPolicy internally.
    role.applyRemovalPolicy(cloudWatchRoleRemovalPolicy);
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Version
No response
Expected Behavior
Ensure that the cloud assembly synthesis succeeds even if Role.applyRemovalPolicy is called.
Current Behavior
Throws error:
Error: Cannot apply RemovalPolicy: no child or not a CfnResource. Apply the removal policy on the CfnResource directly.
Reproduction Steps
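    import { App, Stack } from 'aws-cdk-lib';
    import { RestApi } from 'aws-cdk-lib/aws-apigateway';
    import { Role } from 'aws-cdk-lib/aws-iam';

    const app = new App();
    Role.customizeRoles(app);
    const stack = new Stack(app, 'Stack');
    new RestApi(stack, 'RestApi');

and synthesize it.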
Possible Solution
While it might be possible to fix RestApi, there could be other constructs within aws-cdk-lib that also call Role.applyRemovalPolicy. Moreover, it's nearly impossible to make library users aware of this.
Since Role implements the IResource interface, it has the responsibility to respond to the applyRemovalPolicy call. Therefore, I think it would be good to override applyRemovalPolicy in the Role class.
Additional Information/Context
No response
CDK CLI Version
2.161.0 (build be5ad8b)
Framework Version
2.161.0
Node.js Version
v20.13.1
OS
macOS Sonoma
Language
TypeScript
Language Version
TypeScript v5.6.2
Other information
No response
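The failure and the override proposed under "Possible Solution", as a stand-alone model. This is an added example, not code from the issue author or from aws-cdk-lib: every `Model*` class and `constructUsingRole` are hypothetical stand-ins, and only the error message is taken from the report.

```typescript
// Simplified model: these classes are hypothetical stand-ins, not aws-cdk-lib code.
type RemovalPolicy = 'destroy' | 'retain';

class ModelCfnResource {
  removalPolicy?: RemovalPolicy;
  applyRemovalPolicy(policy: RemovalPolicy): void { this.removalPolicy = policy; }
}

class ModelResource {
  // Stands in for the construct's default child: the underlying CloudFormation resource, if any.
  defaultChild?: ModelCfnResource;
  applyRemovalPolicy(policy: RemovalPolicy): void {
    if (!this.defaultChild) {
      throw new Error('Cannot apply RemovalPolicy: no child or not a CfnResource. Apply the removal policy on the CfnResource directly.');
    }
    this.defaultChild.applyRemovalPolicy(policy);
  }
}

// Behaviour reported in the issue: with role customization on, the role has no CloudFormation child.
class ModelRole extends ModelResource {
  constructor(customized: boolean) {
    super();
    if (!customized) this.defaultChild = new ModelCfnResource();
  }
}

// Proposed behaviour: the role answers applyRemovalPolicy itself.
class ModelRoleWithOverride extends ModelRole {
  override applyRemovalPolicy(policy: RemovalPolicy): void {
    // With no child there is no resource to carry the policy, so the call is a no-op.
    if (this.defaultChild) super.applyRemovalPolicy(policy);
  }
}

// Stands in for a construct such as RestApi that sets a removal policy on a role it creates.
function constructUsingRole(role: ModelRole): string {
  try {
    role.applyRemovalPolicy('destroy');
    return role.defaultChild?.removalPolicy ?? 'skipped';
  } catch (e) {
    return `error: ${(e as Error).message}`;
  }
}
```

The caller never sees whether customization is enabled, which is why the model places the check in the role rather than in each construct that uses one.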