fix: prevent cyclic dependencies created by custom resource provider by swachter · Pull Request #32404 · aws/aws-cdk

swachter · 2024-12-06T14:35:55Z

Reason for this change

If both, the isCompleteHandler and the role is set in custom resource ProviderProps then a resource dependencies cycle results.

If role is specified then that role is used for all 3 framework lambdas (i.e. onEventFunction, isCompleteFunction, and timeoutFunction). In order to grant additional required permissions to these functions, a policy is created under the hood. That policy is called DefaultPolicy.

The DefaultPolicy is attached to the given role and includes the lambda:InvokeFunction permissions for the two handler functions (onEventHandler and isCompleteHandler). In addition, the DefaultPolicy includes the states:StartExecution permission that is granted to the onEventFunction by the call `waiterStateMachine.grantStartExecution(onEventFunction);.

This results in the following dependencies cycle:

waiter state machine --(via its description)--> isCompleteFunction / timeoutFunction --(via explicits dependsOn)--> DefaultPolicy --(via resource constraint)--> waiter state machine

If the resource constraint is dropped from the states:StartExecution grant then the cyclic dependency is cut.

Description of changes

Drop the resource constraint from the states:StartExecution grant if an execution role for the framework lambdas is specified.

Description of how you validated changes

I tried the following workaround locally:

(role as any).node._children.DefaultPolicy.document.statements[1] = new PolicyStatement({
    actions: ['states:StartExecution'],
    resources: ['*']
});

This workaround applies the proposed modification to the created DefaultPolicy.

Checklist

My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

aws-cdk-automation

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ A exemption request has been requested. Please wait for a maintainer's review.

swachter · 2024-12-06T17:19:46Z

Clarification Request

There seems to exist no integration test for custom resource providers.

aws-cdk-automation · 2024-12-28T00:11:47Z

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

swachter · 2024-12-28T11:00:49Z

Exemption Request
There seem to be no integration tests for custom resource providers.

GavinZZ

Hello, thanks for drafting this PR. I'd like to understand what issue were you seeing prior to this change. Is the cyclic dependency causing the deployment to fail?

ghost · 2025-01-22T20:51:16Z

Yes, the deployment fails with a cyclic dependency error.

aws-cdk-automation · 2025-01-23T00:11:10Z

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

github-actions · 2025-01-23T00:11:29Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

codecov · 2025-01-23T00:29:43Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.17%. Comparing base (eab2918) to head (f506356).
Report is 33 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #32404   +/-   ##
=======================================
  Coverage   82.17%   82.17%           
=======================================
  Files         119      119           
  Lines        6862     6862           
  Branches     1158     1158           
=======================================
  Hits         5639     5639           
  Misses       1120     1120           
  Partials      103      103

Flag	Coverage Δ
suite.unit	`82.17% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	`∅ <ø> (∅)`
packages/aws-cdk-lib/core	`82.17% <ø> (ø)`

GavinZZ · 2025-01-23T01:56:48Z

Thanks for the quick response. I think this is a great place to add an integ test to make sure now it's deployable if we supply a custom role property. The provider module doesn't have integ test directly because it's usually coupled with other modules that use the custom resource provider. I'd like to request to add an integ test if you can and feel free to ping me if you need help with the integ test.

ghost · 2025-01-23T06:50:24Z

Unfortunately, I have no clue how an integration test for a custom resource provider could be set up. I would appreciate your help a lot.

aws-cdk-automation · 2025-01-24T00:11:31Z

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

aws-cdk-automation · 2025-02-07T00:11:56Z

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

github-actions · 2025-02-07T00:12:08Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

aws-cdk-automation · 2025-02-11T00:11:26Z

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

github-actions · 2025-02-11T00:11:39Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

GavinZZ · 2025-02-19T01:41:58Z

@swachter I can't push to your branch for some reason. Here's the git diff patch file. Feel free to copy this change & use git apply to apply the diff change. Make sure you pull latest remote main branch before you apply the diff:

git pull origin main to pull latest origin's main change
copy the below content into a diff.patch file in aws-cdk repo
From aws-cdk repo, run git apply diff.patch
Commit & Push to this PR

diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/integ-provider-with-waiter-state-machine.assets.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/integ-provider-with-waiter-state-machine.assets.json
index 64e2c8d366..09f48a1959 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/integ-provider-with-waiter-state-machine.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/integ-provider-with-waiter-state-machine.assets.json
@@ -27,7 +27,7 @@
         }
       }
     },
-    "6330e595b2bc97a2630dc371c14c8beed1c96a06c34db2d6293f478839aad8c1": {
+    "3cced4600f04e7ed3fcff70ab3c21ec01c4b947a4dfc88f17be65927809b6a78": {
       "source": {
         "path": "integ-provider-with-waiter-state-machine.template.json",
         "packaging": "file"
@@ -35,7 +35,7 @@
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "6330e595b2bc97a2630dc371c14c8beed1c96a06c34db2d6293f478839aad8c1.json",
+          "objectKey": "3cced4600f04e7ed3fcff70ab3c21ec01c4b947a4dfc88f17be65927809b6a78.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/integ-provider-with-waiter-state-machine.template.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/integ-provider-with-waiter-state-machine.template.json
index 423253f511..f05107c593 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/integ-provider-with-waiter-state-machine.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/integ-provider-with-waiter-state-machine.template.json
@@ -1415,6 +1415,420 @@
     "MyProviderwaiterstatemachineRole6453DD81"
    ]
   },
+  "MyRoleF48FFE04": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "MyRoleDefaultPolicyA36BE1DD": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "lambda:InvokeFunction",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "IsComplete544AE5AD",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "OnEvent74718524",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           {
+            "Fn::GetAtt": [
+             "IsComplete544AE5AD",
+             "Arn"
+            ]
+           },
+           ":*"
+          ]
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           {
+            "Fn::GetAtt": [
+             "OnEvent74718524",
+             "Arn"
+            ]
+           },
+           ":*"
+          ]
+         ]
+        }
+       ]
+      },
+      {
+       "Action": "lambda:GetFunction",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "IsComplete544AE5AD",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "OnEvent74718524",
+          "Arn"
+         ]
+        }
+       ]
+      },
+      {
+       "Action": "states:StartExecution",
+       "Effect": "Allow",
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "MyRoleDefaultPolicyA36BE1DD",
+    "Roles": [
+     {
+      "Ref": "MyRoleF48FFE04"
+     }
+    ]
+   }
+  },
+  "MyProviderWithCustomRoleframeworkonEventCE6B50CD": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "S3Bucket": {
+      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+     },
+     "S3Key": "39472b1c2875cf306d4ba429aeccdd34cb49bcf59dbde81f7e6b6cb9deac23a6.zip"
+    },
+    "Description": "AWS CDK resource provider framework - onEvent (integ-provider-with-waiter-state-machine/MyProviderWithCustomRole)",
+    "Environment": {
+     "Variables": {
+      "USER_ON_EVENT_FUNCTION_ARN": {
+       "Fn::GetAtt": [
+        "OnEvent74718524",
+        "Arn"
+       ]
+      },
+      "USER_IS_COMPLETE_FUNCTION_ARN": {
+       "Fn::GetAtt": [
+        "IsComplete544AE5AD",
+        "Arn"
+       ]
+      },
+      "WAITER_STATE_MACHINE_ARN": {
+       "Ref": "MyProviderWithCustomRolewaiterstatemachineA313C5FC"
+      }
+     }
+    },
+    "Handler": "framework.onEvent",
+    "Role": {
+     "Fn::GetAtt": [
+      "MyRoleF48FFE04",
+      "Arn"
+     ]
+    },
+    "Runtime": {
+     "Fn::FindInMap": [
+      "LatestNodeRuntimeMap",
+      {
+       "Ref": "AWS::Region"
+      },
+      "value"
+     ]
+    },
+    "Timeout": 900
+   },
+   "DependsOn": [
+    "MyRoleDefaultPolicyA36BE1DD",
+    "MyRoleF48FFE04"
+   ]
+  },
+  "MyProviderWithCustomRoleframeworkisComplete10E48A2A": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "S3Bucket": {
+      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+     },
+     "S3Key": "39472b1c2875cf306d4ba429aeccdd34cb49bcf59dbde81f7e6b6cb9deac23a6.zip"
+    },
+    "Description": "AWS CDK resource provider framework - isComplete (integ-provider-with-waiter-state-machine/MyProviderWithCustomRole)",
+    "Environment": {
+     "Variables": {
+      "USER_ON_EVENT_FUNCTION_ARN": {
+       "Fn::GetAtt": [
+        "OnEvent74718524",
+        "Arn"
+       ]
+      },
+      "USER_IS_COMPLETE_FUNCTION_ARN": {
+       "Fn::GetAtt": [
+        "IsComplete544AE5AD",
+        "Arn"
+       ]
+      }
+     }
+    },
+    "Handler": "framework.isComplete",
+    "Role": {
+     "Fn::GetAtt": [
+      "MyRoleF48FFE04",
+      "Arn"
+     ]
+    },
+    "Runtime": {
+     "Fn::FindInMap": [
+      "LatestNodeRuntimeMap",
+      {
+       "Ref": "AWS::Region"
+      },
+      "value"
+     ]
+    },
+    "Timeout": 900
+   },
+   "DependsOn": [
+    "MyRoleDefaultPolicyA36BE1DD",
+    "MyRoleF48FFE04"
+   ]
+  },
+  "MyProviderWithCustomRoleframeworkonTimeout1A7D4C59": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "S3Bucket": {
+      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+     },
+     "S3Key": "39472b1c2875cf306d4ba429aeccdd34cb49bcf59dbde81f7e6b6cb9deac23a6.zip"
+    },
+    "Description": "AWS CDK resource provider framework - onTimeout (integ-provider-with-waiter-state-machine/MyProviderWithCustomRole)",
+    "Environment": {
+     "Variables": {
+      "USER_ON_EVENT_FUNCTION_ARN": {
+       "Fn::GetAtt": [
+        "OnEvent74718524",
+        "Arn"
+       ]
+      },
+      "USER_IS_COMPLETE_FUNCTION_ARN": {
+       "Fn::GetAtt": [
+        "IsComplete544AE5AD",
+        "Arn"
+       ]
+      }
+     }
+    },
+    "Handler": "framework.onTimeout",
+    "Role": {
+     "Fn::GetAtt": [
+      "MyRoleF48FFE04",
+      "Arn"
+     ]
+    },
+    "Runtime": {
+     "Fn::FindInMap": [
+      "LatestNodeRuntimeMap",
+      {
+       "Ref": "AWS::Region"
+      },
+      "value"
+     ]
+    },
+    "Timeout": 900
+   },
+   "DependsOn": [
+    "MyRoleDefaultPolicyA36BE1DD",
+    "MyRoleF48FFE04"
+   ]
+  },
+  "MyProviderWithCustomRolewaiterstatemachineRoleED93441A": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "states.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "MyProviderWithCustomRolewaiterstatemachineRoleDefaultPolicy4808872B": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "lambda:InvokeFunction",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "MyProviderWithCustomRoleframeworkisComplete10E48A2A",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "MyProviderWithCustomRoleframeworkonTimeout1A7D4C59",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           {
+            "Fn::GetAtt": [
+             "MyProviderWithCustomRoleframeworkisComplete10E48A2A",
+             "Arn"
+            ]
+           },
+           ":*"
+          ]
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           {
+            "Fn::GetAtt": [
+             "MyProviderWithCustomRoleframeworkonTimeout1A7D4C59",
+             "Arn"
+            ]
+           },
+           ":*"
+          ]
+         ]
+        }
+       ]
+      },
+      {
+       "Action": [
+        "logs:CreateLogDelivery",
+        "logs:CreateLogStream",
+        "logs:DeleteLogDelivery",
+        "logs:DescribeLogGroups",
+        "logs:DescribeResourcePolicies",
+        "logs:GetLogDelivery",
+        "logs:ListLogDeliveries",
+        "logs:PutLogEvents",
+        "logs:PutResourcePolicy",
+        "logs:UpdateLogDelivery"
+       ],
+       "Effect": "Allow",
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "MyProviderWithCustomRolewaiterstatemachineRoleDefaultPolicy4808872B",
+    "Roles": [
+     {
+      "Ref": "MyProviderWithCustomRolewaiterstatemachineRoleED93441A"
+     }
+    ]
+   }
+  },
+  "MyProviderWithCustomRolewaiterstatemachineA313C5FC": {
+   "Type": "AWS::StepFunctions::StateMachine",
+   "Properties": {
+    "DefinitionString": {
+     "Fn::Join": [
+      "",
+      [
+       "{\"StartAt\":\"framework-isComplete-task\",\"States\":{\"framework-isComplete-task\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":5,\"MaxAttempts\":360,\"BackoffRate\":1}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"Next\":\"framework-onTimeout-task\"}],\"Type\":\"Task\",\"Resource\":\"",
+       {
+        "Fn::GetAtt": [
+         "MyProviderWithCustomRoleframeworkisComplete10E48A2A",
+         "Arn"
+        ]
+       },
+       "\"},\"framework-onTimeout-task\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"",
+       {
+        "Fn::GetAtt": [
+         "MyProviderWithCustomRoleframeworkonTimeout1A7D4C59",
+         "Arn"
+        ]
+       },
+       "\"}}}"
+      ]
+     ]
+    },
+    "LoggingConfiguration": {
+     "Destinations": [
+      {
+       "CloudWatchLogsLogGroup": {
+        "LogGroupArn": {
+         "Fn::GetAtt": [
+          "LogGroupF5B46931",
+          "Arn"
+         ]
+        }
+       }
+      }
+     ],
+     "IncludeExecutionData": true,
+     "Level": "ALL"
+    },
+    "RoleArn": {
+     "Fn::GetAtt": [
+      "MyProviderWithCustomRolewaiterstatemachineRoleED93441A",
+      "Arn"
+     ]
+    }
+   },
+   "DependsOn": [
+    "MyProviderWithCustomRolewaiterstatemachineRoleDefaultPolicy4808872B",
+    "MyProviderWithCustomRolewaiterstatemachineRoleED93441A"
+   ]
+  },
   "MyProviderWithoutLogOptionsframeworkonEventServiceRole42DA2E00": {
    "Type": "AWS::IAM::Role",
    "Properties": {
diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/manifest.json
index ae3021e7c3..ad284b5093 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/manifest.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/manifest.json
@@ -18,7 +18,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/6330e595b2bc97a2630dc371c14c8beed1c96a06c34db2d6293f478839aad8c1.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3cced4600f04e7ed3fcff70ab3c21ec01c4b947a4dfc88f17be65927809b6a78.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -1160,6 +1160,481 @@
             "data": "MyProviderwaiterstatemachineC1FBB9F9"
           }
         ],
+        "/integ-provider-with-waiter-state-machine/MyRole": [
+          {
+            "type": "aws:cdk:analytics:construct",
+            "data": {
+              "assumedBy": {
+                "principalAccount": "*",
+                "assumeRoleAction": "*"
+              },
+              "managedPolicies": [
+                {
+                  "managedPolicyArn": "*"
+                }
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "attachInlinePolicy": [
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "attachInlinePolicy": [
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyRole/ImportMyRole": [
+          {
+            "type": "aws:cdk:analytics:construct",
+            "data": "*"
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyRole/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyRoleF48FFE04"
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyRole/DefaultPolicy": [
+          {
+            "type": "aws:cdk:analytics:construct",
+            "data": "*"
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "attachToRole": [
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "attachToRole": [
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyRole/DefaultPolicy/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyRoleDefaultPolicyA36BE1DD"
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onEvent": [
+          {
+            "type": "aws:cdk:analytics:construct",
+            "data": {
+              "code": "*",
+              "description": "*",
+              "runtime": "*",
+              "handler": "*",
+              "timeout": "*",
+              "logGroup": "*",
+              "vpc": "*",
+              "vpcSubnets": "*",
+              "securityGroups": "*",
+              "role": "*",
+              "functionName": "*",
+              "environmentEncryption": "*"
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addEnvironment": [
+                "*",
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addEnvironment": [
+                "*",
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addEnvironment": [
+                "*",
+                "*"
+              ]
+            }
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onEvent/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyProviderWithCustomRoleframeworkonEventCE6B50CD"
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-isComplete": [
+          {
+            "type": "aws:cdk:analytics:construct",
+            "data": {
+              "code": "*",
+              "description": "*",
+              "runtime": "*",
+              "handler": "*",
+              "timeout": "*",
+              "logGroup": "*",
+              "vpc": "*",
+              "vpcSubnets": "*",
+              "securityGroups": "*",
+              "role": "*",
+              "functionName": "*",
+              "environmentEncryption": "*"
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addEnvironment": [
+                "*",
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addEnvironment": [
+                "*",
+                "*"
+              ]
+            }
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-isComplete/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyProviderWithCustomRoleframeworkisComplete10E48A2A"
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onTimeout": [
+          {
+            "type": "aws:cdk:analytics:construct",
+            "data": {
+              "code": "*",
+              "description": "*",
+              "runtime": "*",
+              "handler": "*",
+              "timeout": "*",
+              "logGroup": "*",
+              "vpc": "*",
+              "vpcSubnets": "*",
+              "securityGroups": "*",
+              "role": "*",
+              "functionName": "*",
+              "environmentEncryption": "*"
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addEnvironment": [
+                "*",
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addEnvironment": [
+                "*",
+                "*"
+              ]
+            }
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onTimeout/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyProviderWithCustomRoleframeworkonTimeout1A7D4C59"
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Role": [
+          {
+            "type": "aws:cdk:analytics:construct",
+            "data": {
+              "assumedBy": {
+                "principalAccount": "*",
+                "assumeRoleAction": "*"
+              }
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "attachInlinePolicy": [
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "attachInlinePolicy": [
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addToPrincipalPolicy": [
+                {}
+              ]
+            }
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Role/ImportRole": [
+          {
+            "type": "aws:cdk:analytics:construct",
+            "data": "*"
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Role/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyProviderWithCustomRolewaiterstatemachineRoleED93441A"
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Role/DefaultPolicy": [
+          {
+            "type": "aws:cdk:analytics:construct",
+            "data": "*"
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "attachToRole": [
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "attachToRole": [
+                "*"
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          },
+          {
+            "type": "aws:cdk:analytics:method",
+            "data": {
+              "addStatements": [
+                {}
+              ]
+            }
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Role/DefaultPolicy/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyProviderWithCustomRolewaiterstatemachineRoleDefaultPolicy4808872B"
+          }
+        ],
+        "/integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyProviderWithCustomRolewaiterstatemachineA313C5FC"
+          }
+        ],
         "/integ-provider-with-waiter-state-machine/MyProviderWithoutLogOptions/framework-onEvent": [
           {
             "type": "aws:cdk:analytics:construct",
diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/tree.json
index ae8763c96f..88865c6dff 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/tree.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/tree.json
@@ -2574,6 +2574,938 @@
               "version": "0.0.0"
             }
           },
+          "MyRole": {
+            "id": "MyRole",
+            "path": "integ-provider-with-waiter-state-machine/MyRole",
+            "children": {
+              "ImportMyRole": {
+                "id": "ImportMyRole",
+                "path": "integ-provider-with-waiter-state-machine/MyRole/ImportMyRole",
+                "constructInfo": {
+                  "fqn": "aws-cdk-lib.Resource",
+                  "version": "0.0.0",
+                  "metadata": [
+                    "*"
+                  ]
+                }
+              },
+              "Resource": {
+                "id": "Resource",
+                "path": "integ-provider-with-waiter-state-machine/MyRole/Resource",
+                "attributes": {
+                  "aws:cdk:cloudformation:type": "AWS::IAM::Role",
+                  "aws:cdk:cloudformation:props": {
+                    "assumeRolePolicyDocument": {
+                      "Statement": [
+                        {
+                          "Action": "sts:AssumeRole",
+                          "Effect": "Allow",
+                          "Principal": {
+                            "Service": "lambda.amazonaws.com"
+                          }
+                        }
+                      ],
+                      "Version": "2012-10-17"
+                    },
+                    "managedPolicyArns": [
+                      {
+                        "Fn::Join": [
+                          "",
+                          [
+                            "arn:",
+                            {
+                              "Ref": "AWS::Partition"
+                            },
+                            ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+                          ]
+                        ]
+                      }
+                    ]
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "aws-cdk-lib.aws_iam.CfnRole",
+                  "version": "0.0.0"
+                }
+              },
+              "DefaultPolicy": {
+                "id": "DefaultPolicy",
+                "path": "integ-provider-with-waiter-state-machine/MyRole/DefaultPolicy",
+                "children": {
+                  "Resource": {
+                    "id": "Resource",
+                    "path": "integ-provider-with-waiter-state-machine/MyRole/DefaultPolicy/Resource",
+                    "attributes": {
+                      "aws:cdk:cloudformation:type": "AWS::IAM::Policy",
+                      "aws:cdk:cloudformation:props": {
+                        "policyDocument": {
+                          "Statement": [
+                            {
+                              "Action": "lambda:InvokeFunction",
+                              "Effect": "Allow",
+                              "Resource": [
+                                {
+                                  "Fn::GetAtt": [
+                                    "IsComplete544AE5AD",
+                                    "Arn"
+                                  ]
+                                },
+                                {
+                                  "Fn::GetAtt": [
+                                    "OnEvent74718524",
+                                    "Arn"
+                                  ]
+                                },
+                                {
+                                  "Fn::Join": [
+                                    "",
+                                    [
+                                      {
+                                        "Fn::GetAtt": [
+                                          "IsComplete544AE5AD",
+                                          "Arn"
+                                        ]
+                                      },
+                                      ":*"
+                                    ]
+                                  ]
+                                },
+                                {
+                                  "Fn::Join": [
+                                    "",
+                                    [
+                                      {
+                                        "Fn::GetAtt": [
+                                          "OnEvent74718524",
+                                          "Arn"
+                                        ]
+                                      },
+                                      ":*"
+                                    ]
+                                  ]
+                                }
+                              ]
+                            },
+                            {
+                              "Action": "lambda:GetFunction",
+                              "Effect": "Allow",
+                              "Resource": [
+                                {
+                                  "Fn::GetAtt": [
+                                    "IsComplete544AE5AD",
+                                    "Arn"
+                                  ]
+                                },
+                                {
+                                  "Fn::GetAtt": [
+                                    "OnEvent74718524",
+                                    "Arn"
+                                  ]
+                                }
+                              ]
+                            },
+                            {
+                              "Action": "states:StartExecution",
+                              "Effect": "Allow",
+                              "Resource": "*"
+                            }
+                          ],
+                          "Version": "2012-10-17"
+                        },
+                        "policyName": "MyRoleDefaultPolicyA36BE1DD",
+                        "roles": [
+                          {
+                            "Ref": "MyRoleF48FFE04"
+                          }
+                        ]
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "aws-cdk-lib.aws_iam.CfnPolicy",
+                      "version": "0.0.0"
+                    }
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "aws-cdk-lib.aws_iam.Policy",
+                  "version": "0.0.0",
+                  "metadata": [
+                    "*",
+                    {
+                      "attachToRole": [
+                        "*"
+                      ]
+                    },
+                    {
+                      "attachToRole": [
+                        "*"
+                      ]
+                    },
+                    {
+                      "addStatements": [
+                        {}
+                      ]
+                    },
+                    {
+                      "addStatements": [
+                        {}
+                      ]
+                    },
+                    {
+                      "addStatements": [
+                        {}
+                      ]
+                    },
+                    {
+                      "addStatements": [
+                        {}
+                      ]
+                    },
+                    {
+                      "addStatements": [
+                        {}
+                      ]
+                    },
+                    {
+                      "addStatements": [
+                        {}
+                      ]
+                    },
+                    {
+                      "addStatements": [
+                        {}
+                      ]
+                    },
+                    {
+                      "addStatements": [
+                        {}
+                      ]
+                    },
+                    {
+                      "addStatements": [
+                        {}
+                      ]
+                    }
+                  ]
+                }
+              }
+            },
+            "constructInfo": {
+              "fqn": "aws-cdk-lib.aws_iam.Role",
+              "version": "0.0.0",
+              "metadata": [
+                {
+                  "assumedBy": {
+                    "principalAccount": "*",
+                    "assumeRoleAction": "*"
+                  },
+                  "managedPolicies": [
+                    {
+                      "managedPolicyArn": "*"
+                    }
+                  ]
+                },
+                {
+                  "addToPrincipalPolicy": [
+                    {}
+                  ]
+                },
+                {
+                  "attachInlinePolicy": [
+                    "*"
+                  ]
+                },
+                {
+                  "attachInlinePolicy": [
+                    "*"
+                  ]
+                },
+                {
+                  "addToPrincipalPolicy": [
+                    {}
+                  ]
+                },
+                {
+                  "addToPrincipalPolicy": [
+                    {}
+                  ]
+                },
+                {
+                  "addToPrincipalPolicy": [
+                    {}
+                  ]
+                },
+                {
+                  "addToPrincipalPolicy": [
+                    {}
+                  ]
+                },
+                {
+                  "addToPrincipalPolicy": [
+                    {}
+                  ]
+                },
+                {
+                  "addToPrincipalPolicy": [
+                    {}
+                  ]
+                },
+                {
+                  "addToPrincipalPolicy": [
+                    {}
+                  ]
+                },
+                {
+                  "addToPrincipalPolicy": [
+                    {}
+                  ]
+                }
+              ]
+            }
+          },
+          "MyProviderWithCustomRole": {
+            "id": "MyProviderWithCustomRole",
+            "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole",
+            "children": {
+              "framework-onEvent": {
+                "id": "framework-onEvent",
+                "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onEvent",
+                "children": {
+                  "Code": {
+                    "id": "Code",
+                    "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onEvent/Code",
+                    "children": {
+                      "Stage": {
+                        "id": "Stage",
+                        "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onEvent/Code/Stage",
+                        "constructInfo": {
+                          "fqn": "aws-cdk-lib.AssetStaging",
+                          "version": "0.0.0"
+                        }
+                      },
+                      "AssetBucket": {
+                        "id": "AssetBucket",
+                        "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onEvent/Code/AssetBucket",
+                        "constructInfo": {
+                          "fqn": "aws-cdk-lib.aws_s3.BucketBase",
+                          "version": "0.0.0",
+                          "metadata": []
+                        }
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "aws-cdk-lib.aws_s3_assets.Asset",
+                      "version": "0.0.0"
+                    }
+                  },
+                  "Resource": {
+                    "id": "Resource",
+                    "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onEvent/Resource",
+                    "attributes": {
+                      "aws:cdk:cloudformation:type": "AWS::Lambda::Function",
+                      "aws:cdk:cloudformation:props": {
+                        "code": {
+                          "s3Bucket": {
+                            "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+                          },
+                          "s3Key": "39472b1c2875cf306d4ba429aeccdd34cb49bcf59dbde81f7e6b6cb9deac23a6.zip"
+                        },
+                        "description": "AWS CDK resource provider framework - onEvent (integ-provider-with-waiter-state-machine/MyProviderWithCustomRole)",
+                        "environment": {
+                          "variables": {
+                            "USER_ON_EVENT_FUNCTION_ARN": {
+                              "Fn::GetAtt": [
+                                "OnEvent74718524",
+                                "Arn"
+                              ]
+                            },
+                            "USER_IS_COMPLETE_FUNCTION_ARN": {
+                              "Fn::GetAtt": [
+                                "IsComplete544AE5AD",
+                                "Arn"
+                              ]
+                            },
+                            "WAITER_STATE_MACHINE_ARN": {
+                              "Ref": "MyProviderWithCustomRolewaiterstatemachineA313C5FC"
+                            }
+                          }
+                        },
+                        "handler": "framework.onEvent",
+                        "role": {
+                          "Fn::GetAtt": [
+                            "MyRoleF48FFE04",
+                            "Arn"
+                          ]
+                        },
+                        "runtime": {
+                          "Fn::FindInMap": [
+                            "LatestNodeRuntimeMap",
+                            {
+                              "Ref": "AWS::Region"
+                            },
+                            "value"
+                          ]
+                        },
+                        "timeout": 900
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "aws-cdk-lib.aws_lambda.CfnFunction",
+                      "version": "0.0.0"
+                    }
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "aws-cdk-lib.aws_lambda.Function",
+                  "version": "0.0.0",
+                  "metadata": [
+                    {
+                      "code": "*",
+                      "description": "*",
+                      "runtime": "*",
+                      "handler": "*",
+                      "timeout": "*",
+                      "logGroup": "*",
+                      "vpc": "*",
+                      "vpcSubnets": "*",
+                      "securityGroups": "*",
+                      "role": "*",
+                      "functionName": "*",
+                      "environmentEncryption": "*"
+                    },
+                    {
+                      "addEnvironment": [
+                        "*",
+                        "*"
+                      ]
+                    },
+                    {
+                      "addEnvironment": [
+                        "*",
+                        "*"
+                      ]
+                    },
+                    {
+                      "addEnvironment": [
+                        "*",
+                        "*"
+                      ]
+                    }
+                  ]
+                }
+              },
+              "framework-isComplete": {
+                "id": "framework-isComplete",
+                "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-isComplete",
+                "children": {
+                  "Code": {
+                    "id": "Code",
+                    "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-isComplete/Code",
+                    "children": {
+                      "Stage": {
+                        "id": "Stage",
+                        "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-isComplete/Code/Stage",
+                        "constructInfo": {
+                          "fqn": "aws-cdk-lib.AssetStaging",
+                          "version": "0.0.0"
+                        }
+                      },
+                      "AssetBucket": {
+                        "id": "AssetBucket",
+                        "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-isComplete/Code/AssetBucket",
+                        "constructInfo": {
+                          "fqn": "aws-cdk-lib.aws_s3.BucketBase",
+                          "version": "0.0.0",
+                          "metadata": []
+                        }
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "aws-cdk-lib.aws_s3_assets.Asset",
+                      "version": "0.0.0"
+                    }
+                  },
+                  "Resource": {
+                    "id": "Resource",
+                    "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-isComplete/Resource",
+                    "attributes": {
+                      "aws:cdk:cloudformation:type": "AWS::Lambda::Function",
+                      "aws:cdk:cloudformation:props": {
+                        "code": {
+                          "s3Bucket": {
+                            "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+                          },
+                          "s3Key": "39472b1c2875cf306d4ba429aeccdd34cb49bcf59dbde81f7e6b6cb9deac23a6.zip"
+                        },
+                        "description": "AWS CDK resource provider framework - isComplete (integ-provider-with-waiter-state-machine/MyProviderWithCustomRole)",
+                        "environment": {
+                          "variables": {
+                            "USER_ON_EVENT_FUNCTION_ARN": {
+                              "Fn::GetAtt": [
+                                "OnEvent74718524",
+                                "Arn"
+                              ]
+                            },
+                            "USER_IS_COMPLETE_FUNCTION_ARN": {
+                              "Fn::GetAtt": [
+                                "IsComplete544AE5AD",
+                                "Arn"
+                              ]
+                            }
+                          }
+                        },
+                        "handler": "framework.isComplete",
+                        "role": {
+                          "Fn::GetAtt": [
+                            "MyRoleF48FFE04",
+                            "Arn"
+                          ]
+                        },
+                        "runtime": {
+                          "Fn::FindInMap": [
+                            "LatestNodeRuntimeMap",
+                            {
+                              "Ref": "AWS::Region"
+                            },
+                            "value"
+                          ]
+                        },
+                        "timeout": 900
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "aws-cdk-lib.aws_lambda.CfnFunction",
+                      "version": "0.0.0"
+                    }
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "aws-cdk-lib.aws_lambda.Function",
+                  "version": "0.0.0",
+                  "metadata": [
+                    {
+                      "code": "*",
+                      "description": "*",
+                      "runtime": "*",
+                      "handler": "*",
+                      "timeout": "*",
+                      "logGroup": "*",
+                      "vpc": "*",
+                      "vpcSubnets": "*",
+                      "securityGroups": "*",
+                      "role": "*",
+                      "functionName": "*",
+                      "environmentEncryption": "*"
+                    },
+                    {
+                      "addEnvironment": [
+                        "*",
+                        "*"
+                      ]
+                    },
+                    {
+                      "addEnvironment": [
+                        "*",
+                        "*"
+                      ]
+                    }
+                  ]
+                }
+              },
+              "framework-onTimeout": {
+                "id": "framework-onTimeout",
+                "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onTimeout",
+                "children": {
+                  "Code": {
+                    "id": "Code",
+                    "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onTimeout/Code",
+                    "children": {
+                      "Stage": {
+                        "id": "Stage",
+                        "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onTimeout/Code/Stage",
+                        "constructInfo": {
+                          "fqn": "aws-cdk-lib.AssetStaging",
+                          "version": "0.0.0"
+                        }
+                      },
+                      "AssetBucket": {
+                        "id": "AssetBucket",
+                        "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onTimeout/Code/AssetBucket",
+                        "constructInfo": {
+                          "fqn": "aws-cdk-lib.aws_s3.BucketBase",
+                          "version": "0.0.0",
+                          "metadata": []
+                        }
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "aws-cdk-lib.aws_s3_assets.Asset",
+                      "version": "0.0.0"
+                    }
+                  },
+                  "Resource": {
+                    "id": "Resource",
+                    "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/framework-onTimeout/Resource",
+                    "attributes": {
+                      "aws:cdk:cloudformation:type": "AWS::Lambda::Function",
+                      "aws:cdk:cloudformation:props": {
+                        "code": {
+                          "s3Bucket": {
+                            "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+                          },
+                          "s3Key": "39472b1c2875cf306d4ba429aeccdd34cb49bcf59dbde81f7e6b6cb9deac23a6.zip"
+                        },
+                        "description": "AWS CDK resource provider framework - onTimeout (integ-provider-with-waiter-state-machine/MyProviderWithCustomRole)",
+                        "environment": {
+                          "variables": {
+                            "USER_ON_EVENT_FUNCTION_ARN": {
+                              "Fn::GetAtt": [
+                                "OnEvent74718524",
+                                "Arn"
+                              ]
+                            },
+                            "USER_IS_COMPLETE_FUNCTION_ARN": {
+                              "Fn::GetAtt": [
+                                "IsComplete544AE5AD",
+                                "Arn"
+                              ]
+                            }
+                          }
+                        },
+                        "handler": "framework.onTimeout",
+                        "role": {
+                          "Fn::GetAtt": [
+                            "MyRoleF48FFE04",
+                            "Arn"
+                          ]
+                        },
+                        "runtime": {
+                          "Fn::FindInMap": [
+                            "LatestNodeRuntimeMap",
+                            {
+                              "Ref": "AWS::Region"
+                            },
+                            "value"
+                          ]
+                        },
+                        "timeout": 900
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "aws-cdk-lib.aws_lambda.CfnFunction",
+                      "version": "0.0.0"
+                    }
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "aws-cdk-lib.aws_lambda.Function",
+                  "version": "0.0.0",
+                  "metadata": [
+                    {
+                      "code": "*",
+                      "description": "*",
+                      "runtime": "*",
+                      "handler": "*",
+                      "timeout": "*",
+                      "logGroup": "*",
+                      "vpc": "*",
+                      "vpcSubnets": "*",
+                      "securityGroups": "*",
+                      "role": "*",
+                      "functionName": "*",
+                      "environmentEncryption": "*"
+                    },
+                    {
+                      "addEnvironment": [
+                        "*",
+                        "*"
+                      ]
+                    },
+                    {
+                      "addEnvironment": [
+                        "*",
+                        "*"
+                      ]
+                    }
+                  ]
+                }
+              },
+              "waiter-state-machine": {
+                "id": "waiter-state-machine",
+                "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine",
+                "children": {
+                  "Role": {
+                    "id": "Role",
+                    "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Role",
+                    "children": {
+                      "ImportRole": {
+                        "id": "ImportRole",
+                        "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Role/ImportRole",
+                        "constructInfo": {
+                          "fqn": "aws-cdk-lib.Resource",
+                          "version": "0.0.0",
+                          "metadata": [
+                            "*"
+                          ]
+                        }
+                      },
+                      "Resource": {
+                        "id": "Resource",
+                        "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Role/Resource",
+                        "attributes": {
+                          "aws:cdk:cloudformation:type": "AWS::IAM::Role",
+                          "aws:cdk:cloudformation:props": {
+                            "assumeRolePolicyDocument": {
+                              "Statement": [
+                                {
+                                  "Action": "sts:AssumeRole",
+                                  "Effect": "Allow",
+                                  "Principal": {
+                                    "Service": "states.amazonaws.com"
+                                  }
+                                }
+                              ],
+                              "Version": "2012-10-17"
+                            }
+                          }
+                        },
+                        "constructInfo": {
+                          "fqn": "aws-cdk-lib.aws_iam.CfnRole",
+                          "version": "0.0.0"
+                        }
+                      },
+                      "DefaultPolicy": {
+                        "id": "DefaultPolicy",
+                        "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Role/DefaultPolicy",
+                        "children": {
+                          "Resource": {
+                            "id": "Resource",
+                            "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Role/DefaultPolicy/Resource",
+                            "attributes": {
+                              "aws:cdk:cloudformation:type": "AWS::IAM::Policy",
+                              "aws:cdk:cloudformation:props": {
+                                "policyDocument": {
+                                  "Statement": [
+                                    {
+                                      "Action": "lambda:InvokeFunction",
+                                      "Effect": "Allow",
+                                      "Resource": [
+                                        {
+                                          "Fn::GetAtt": [
+                                            "MyProviderWithCustomRoleframeworkisComplete10E48A2A",
+                                            "Arn"
+                                          ]
+                                        },
+                                        {
+                                          "Fn::GetAtt": [
+                                            "MyProviderWithCustomRoleframeworkonTimeout1A7D4C59",
+                                            "Arn"
+                                          ]
+                                        },
+                                        {
+                                          "Fn::Join": [
+                                            "",
+                                            [
+                                              {
+                                                "Fn::GetAtt": [
+                                                  "MyProviderWithCustomRoleframeworkisComplete10E48A2A",
+                                                  "Arn"
+                                                ]
+                                              },
+                                              ":*"
+                                            ]
+                                          ]
+                                        },
+                                        {
+                                          "Fn::Join": [
+                                            "",
+                                            [
+                                              {
+                                                "Fn::GetAtt": [
+                                                  "MyProviderWithCustomRoleframeworkonTimeout1A7D4C59",
+                                                  "Arn"
+                                                ]
+                                              },
+                                              ":*"
+                                            ]
+                                          ]
+                                        }
+                                      ]
+                                    },
+                                    {
+                                      "Action": [
+                                        "logs:CreateLogDelivery",
+                                        "logs:CreateLogStream",
+                                        "logs:DeleteLogDelivery",
+                                        "logs:DescribeLogGroups",
+                                        "logs:DescribeResourcePolicies",
+                                        "logs:GetLogDelivery",
+                                        "logs:ListLogDeliveries",
+                                        "logs:PutLogEvents",
+                                        "logs:PutResourcePolicy",
+                                        "logs:UpdateLogDelivery"
+                                      ],
+                                      "Effect": "Allow",
+                                      "Resource": "*"
+                                    }
+                                  ],
+                                  "Version": "2012-10-17"
+                                },
+                                "policyName": "MyProviderWithCustomRolewaiterstatemachineRoleDefaultPolicy4808872B",
+                                "roles": [
+                                  {
+                                    "Ref": "MyProviderWithCustomRolewaiterstatemachineRoleED93441A"
+                                  }
+                                ]
+                              }
+                            },
+                            "constructInfo": {
+                              "fqn": "aws-cdk-lib.aws_iam.CfnPolicy",
+                              "version": "0.0.0"
+                            }
+                          }
+                        },
+                        "constructInfo": {
+                          "fqn": "aws-cdk-lib.aws_iam.Policy",
+                          "version": "0.0.0",
+                          "metadata": [
+                            "*",
+                            {
+                              "attachToRole": [
+                                "*"
+                              ]
+                            },
+                            {
+                              "attachToRole": [
+                                "*"
+                              ]
+                            },
+                            {
+                              "addStatements": [
+                                {}
+                              ]
+                            },
+                            {
+                              "addStatements": [
+                                {}
+                              ]
+                            },
+                            {
+                              "addStatements": [
+                                {}
+                              ]
+                            }
+                          ]
+                        }
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "aws-cdk-lib.aws_iam.Role",
+                      "version": "0.0.0",
+                      "metadata": [
+                        {
+                          "assumedBy": {
+                            "principalAccount": "*",
+                            "assumeRoleAction": "*"
+                          }
+                        },
+                        {
+                          "addToPrincipalPolicy": [
+                            {}
+                          ]
+                        },
+                        {
+                          "attachInlinePolicy": [
+                            "*"
+                          ]
+                        },
+                        {
+                          "attachInlinePolicy": [
+                            "*"
+                          ]
+                        },
+                        {
+                          "addToPrincipalPolicy": [
+                            {}
+                          ]
+                        },
+                        {
+                          "addToPrincipalPolicy": [
+                            {}
+                          ]
+                        }
+                      ]
+                    }
+                  },
+                  "Resource": {
+                    "id": "Resource",
+                    "path": "integ-provider-with-waiter-state-machine/MyProviderWithCustomRole/waiter-state-machine/Resource",
+                    "attributes": {
+                      "aws:cdk:cloudformation:type": "AWS::StepFunctions::StateMachine",
+                      "aws:cdk:cloudformation:props": {
+                        "definitionString": {
+                          "Fn::Join": [
+                            "",
+                            [
+                              "{\"StartAt\":\"framework-isComplete-task\",\"States\":{\"framework-isComplete-task\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"States.ALL\"],\"IntervalSeconds\":5,\"MaxAttempts\":360,\"BackoffRate\":1}],\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"Next\":\"framework-onTimeout-task\"}],\"Type\":\"Task\",\"Resource\":\"",
+                              {
+                                "Fn::GetAtt": [
+                                  "MyProviderWithCustomRoleframeworkisComplete10E48A2A",
+                                  "Arn"
+                                ]
+                              },
+                              "\"},\"framework-onTimeout-task\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"",
+                              {
+                                "Fn::GetAtt": [
+                                  "MyProviderWithCustomRoleframeworkonTimeout1A7D4C59",
+                                  "Arn"
+                                ]
+                              },
+                              "\"}}}"
+                            ]
+                          ]
+                        },
+                        "loggingConfiguration": {
+                          "destinations": [
+                            {
+                              "cloudWatchLogsLogGroup": {
+                                "logGroupArn": {
+                                  "Fn::GetAtt": [
+                                    "LogGroupF5B46931",
+                                    "Arn"
+                                  ]
+                                }
+                              }
+                            }
+                          ],
+                          "includeExecutionData": true,
+                          "level": "ALL"
+                        },
+                        "roleArn": {
+                          "Fn::GetAtt": [
+                            "MyProviderWithCustomRolewaiterstatemachineRoleED93441A",
+                            "Arn"
+                          ]
+                        }
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "aws-cdk-lib.aws_stepfunctions.CfnStateMachine",
+                      "version": "0.0.0"
+                    }
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "aws-cdk-lib.custom_resources.WaiterStateMachine",
+                  "version": "0.0.0"
+                }
+              }
+            },
+            "constructInfo": {
+              "fqn": "aws-cdk-lib.custom_resources.Provider",
+              "version": "0.0.0"
+            }
+          },
           "MyProviderWithoutLogOptions": {
             "id": "MyProviderWithoutLogOptions",
             "path": "integ-provider-with-waiter-state-machine/MyProviderWithoutLogOptions",
diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.ts b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.ts
index 6a8c51bcf7..379a4975a1 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.ts
@@ -7,6 +7,7 @@ import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
 import { Provider } from 'aws-cdk-lib/custom-resources';
 import { LogLevel } from 'aws-cdk-lib/aws-stepfunctions';
 import { LogGroup } from 'aws-cdk-lib/aws-logs';
+import { ManagedPolicy, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 
 class TestStack extends Stack {
   constructor(scope: Construct, id: string) {
@@ -39,6 +40,22 @@ class TestStack extends Stack {
       },
     });
 
+    new Provider(this, 'MyProviderWithCustomRole', {
+      role: new Role(this, 'MyRole', {
+        assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
+        managedPolicies: [
+          ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'),
+        ],
+      }),
+      onEventHandler,
+      isCompleteHandler,
+      waiterStateMachineLogOptions: {
+        destination: logGroup,
+        includeExecutionData: true,
+        level: LogLevel.ALL,
+      },
+    });
+
     new Provider(this, 'MyProviderWithoutLogOptions', {
       onEventHandler,
       isCompleteHandler,

ghost · 2025-02-21T07:31:35Z

Many thanks for working on the issue, @GavinZZ ! I am sorry that you can not push into the PR branch. The "Allow edits and access to secrets by maintainers" option is checked.

I tried to apply the patch this morning. I synced my fork and rebased the branch. Then I tried to apply the patch. First on the PR branch and after this did not work on the main branch. Unfortunately, both times I get the same error:

error: patch failed: packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/integ-provider-with-waiter-state-machine.assets.json:27
error: packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/integ-provider-with-waiter-state-machine.assets.json: patch does not apply
error: patch failed: packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/manifest.json:18
error: packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine.js.snapshot/manifest.json: patch does not apply

Maybe it is easiest, if you just open a new PR.

aws-cdk-automation · 2025-02-21T07:32:02Z

AWS CodeBuild CI Report

CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
Commit ID: f506356
Result: FAILED
Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

GavinZZ · 2025-02-26T21:30:34Z

Thanks for getting back to me. I'll create a new PR and reference this old PR.

github-actions · 2025-02-27T01:29:45Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

GavinZZ · 2025-02-27T01:29:47Z

Closing this in favour of #33600.

aws-cdk-automation requested a review from a team December 6, 2024 14:36

github-actions bot added p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Dec 6, 2024

aws-cdk-automation requested changes Dec 6, 2024

View reviewed changes

fix: prevent cyclic dependencies created by custom resource provider

763b0f2

ghost force-pushed the fix-cyclic-dependency branch from 9cf34ea to 763b0f2 Compare December 6, 2024 17:04

aws-cdk-automation added pr/reviewer-clarification-requested The contributor has requested clarification on feedback, a failing build, or a failing PR Linter run pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Dec 6, 2024

aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Dec 28, 2024

github-actions bot mentioned this pull request Jan 1, 2025

Monthly PR metrics report #32703

Closed

GavinZZ reviewed Jan 22, 2025

View reviewed changes

aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 22, 2025

aws-cdk-automation added the closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. label Jan 23, 2025

aws-cdk-automation closed this Jan 23, 2025

github-actions bot locked as resolved and limited conversation to collaborators Jan 23, 2025

GavinZZ reopened this Jan 23, 2025

aws unlocked this conversation Jan 23, 2025

aws unlocked this conversation Feb 6, 2025

aws-cdk-automation closed this Feb 7, 2025

github-actions bot locked as resolved and limited conversation to collaborators Feb 7, 2025

georeeve mentioned this pull request Feb 7, 2025

(meta): Review stale pull request closure policy #33335

Open

1 task

aaythapa reopened this Feb 10, 2025

aaythapa added the pr/reviewer-clarification-requested The contributor has requested clarification on feedback, a failing build, or a failing PR Linter run label Feb 10, 2025

aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Feb 10, 2025

aws unlocked this conversation Feb 10, 2025

aws-cdk-automation closed this Feb 11, 2025

github-actions bot locked as resolved and limited conversation to collaborators Feb 11, 2025

aaythapa reopened this Feb 19, 2025

aaythapa added the pr-linter/do-not-close The PR linter will not close this PR while this label is present label Feb 19, 2025

aws unlocked this conversation Feb 19, 2025

GavinZZ self-assigned this Feb 19, 2025

GavinZZ removed the closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. label Feb 19, 2025

samson-keung removed the pr/reviewer-clarification-requested The contributor has requested clarification on feedback, a failing build, or a failing PR Linter run label Feb 20, 2025

aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Feb 20, 2025

Merge branch 'aws:main' into fix-cyclic-dependency

f506356

GavinZZ closed this Feb 27, 2025

github-actions bot locked as resolved and limited conversation to collaborators Feb 27, 2025

Conversation

swachter commented Dec 6, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reason for this change

Description of changes

Description of how you validated changes

Checklist

Uh oh!

aws-cdk-automation left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

swachter commented Dec 6, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

aws-cdk-automation commented Dec 28, 2024

Uh oh!

swachter commented Dec 28, 2024

Uh oh!

GavinZZ left a comment

Choose a reason for hiding this comment

Uh oh!

ghost commented Jan 22, 2025

Uh oh!

aws-cdk-automation commented Jan 23, 2025

Uh oh!

github-actions bot commented Jan 23, 2025

Uh oh!

codecov bot commented Jan 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

GavinZZ commented Jan 23, 2025

Uh oh!

ghost commented Jan 23, 2025

Uh oh!

aws-cdk-automation commented Jan 24, 2025

Uh oh!

aws-cdk-automation commented Feb 7, 2025

Uh oh!

github-actions bot commented Feb 7, 2025

Uh oh!

aws-cdk-automation commented Feb 11, 2025

Uh oh!

github-actions bot commented Feb 11, 2025

Uh oh!

GavinZZ commented Feb 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ghost commented Feb 21, 2025

Uh oh!

aws-cdk-automation commented Feb 21, 2025

AWS CodeBuild CI Report

Uh oh!

GavinZZ commented Feb 26, 2025

Uh oh!

github-actions bot commented Feb 27, 2025

Uh oh!

GavinZZ commented Feb 27, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

swachter commented Dec 6, 2024 •

edited

Loading

aws-cdk-automation left a comment •

edited

Loading

swachter commented Dec 6, 2024 •

edited

Loading

codecov bot commented Jan 23, 2025 •

edited

Loading

GavinZZ commented Feb 19, 2025 •

edited

Loading