@Leo10Gama Leo10Gama commented Feb 5, 2025

Issue # (if applicable)

Closes #23449

Reason for this change

What we had assumed was a bug from the service team had been investigated and revealed to be expected behaviour: an IdentityPool can only have a single IdentityPoolRoleAttachment attached to it. This went against our initial assumptions that were supported by previously-written code, which was that multiple of these attachments could be created. As such, to ensure clarity and prevent ambiguity, this library will be updated to abstract away the role attachment, as one is already created by default.

Description of changes

  • Deleted identitypool-role-attachment.ts, moving or deleting its contents:
    • Removed IdentityPoolRoleAttachment class
    • IdentityPoolRoleAttachment.configureRoleMappings() function has been moved inside of IdentityPool
    • Removed IIdentityPoolRoleAttachment and IdentityPoolRoleAttachmentProps interfaces
    • Moved IdentityPoolRoleMapping, RoleMatchingMatchType, and RoleMappingRule to lib/identitypool.ts
  • IdentityPool's private roleAttachmentCount attribute has been removed, as it never should have been there to begin with
  • IdentityPool.addRoleMappings() method has been removed
  • The logic for creating a default role attachment has been altered to create the L1 instead of the L2. This will trigger redeployments for all users of the IdentityPool construct.
  • Unit tests have been tweaked to reflect this new behaviour

Describe any new or updated permissions being added

N/A

Description of how you validated changes

yarn test runs and the integ test snapshot was updated via yarn integ.

Checklist

BREAKING CHANGE: The IdentityPoolRoleAttachment construct and IdentityPool.addRoleMappings() function will no longer exist. This is to disambiguate that only one role attachment can exist per Identity Pool. If you are using the IdentityPool construct, this change will trigger a redeployment. If you need to add role mappings, please do so when the IdentityPool is created.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team February 5, 2025 21:45
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p2 labels Feb 5, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Feb 5, 2025
@Leo10Gama Leo10Gama requested a review from a team as a code owner February 5, 2025 22:39
codecov bot commented Feb 5, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.92%. Comparing base (fdd451c) to head (c1fb854).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #33305   +/-   ##
=======================================
  Coverage   80.92%   80.92%           
=======================================
  Files         236      236           
  Lines       14256    14256           
  Branches     2491     2491           
=======================================
  Hits        11537    11537           
  Misses       2434     2434           
  Partials      285      285           
Flag Coverage Δ
suite.unit 80.92% <ø> (ø)

Flags with carried forward coverage won't be shown.

Components Coverage Δ
packages/aws-cdk 79.74% <ø> (ø)
packages/aws-cdk-lib/core 82.20% <ø> (ø)

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Feb 6, 2025
@kaizencc kaizencc left a comment

It feels like there's a bunch of breaking changes here. They need to be called out in the PR description so that they show up in the changelog.

didn't see em, sorry. i think the comment should have a remediation step for users tho

@Leo10Gama Leo10Gama changed the title from "fix(cognito-identitypools): remove RoleAttachment construct" to "fix(cognito-identitypools-alpha): remove RoleAttachment construct" Feb 11, 2025
@Leo10Gama Leo10Gama changed the title from "fix(cognito-identitypools-alpha): remove RoleAttachment construct" to "fix(cognito-identitypool-alpha): remove RoleAttachment construct" Feb 11, 2025
@paulhcsun paulhcsun left a comment

> The logic for creating a default role attachment has been altered to create the L1 instead of the L2. This will trigger redeployments for all users of the IdentityPool construct.

Can you elaborate on this decision to replace the L2 with the L1?

Overall looks good, just a few clarifying questions.

/**
* Configures role mappings for the Identity Pool Role Attachment
*/
private configureRoleMappings(
Contributor

Is this method the exact same implementation as the old one or were there any modifications made?

Member Author

It's directly copy-pasted from the old IdentityPoolRoleAttachment class, so all the logic is preserved.

@Leo10Gama
Member Author

> > The logic for creating a default role attachment has been altered to create the L1 instead of the L2. This will trigger redeployments for all users of the IdentityPool construct.
>
> Can you elaborate on this decision to replace the L2 with the L1?

Previously, the "role attachment" that links authenticated and unauthenticated roles to the identity pool was its own construct. The L1s exist separately, but since only one role attachment can exist for a given identity pool, the L2 is effectively useless, since we already create one by default. The IdentityPool L2 was previously creating an IdentityPoolRoleAttachment L2, but since we're removing that construct entirely, we can just create the L1 instead.

@paulhcsun paulhcsun added the pr/do-not-merge This PR should not be merged at this time. label Feb 11, 2025
@paulhcsun paulhcsun left a comment

Thanks for addressing the questions, the changes look good to me. I've approved and added the do-not-merge label for now. If replacing the L2 with the L1 will cause redeployments for anyone using this construct, this should also be called out in the BREAKING CHANGES section. You can remove the label after that's been addressed.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Feb 11, 2025
@Leo10Gama Leo10Gama removed the pr/do-not-merge This PR should not be merged at this time. label Feb 11, 2025
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: c1fb854
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mergify bot commented Feb 11, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 9449f9c into aws:main Feb 11, 2025
23 checks passed
@github-actions
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 11, 2025
@Leo10Gama Leo10Gama deleted the idp-finally branch February 11, 2025 19:19

Development

Successfully merging this pull request may close these issues.

cognito-identity-pool: Can't attach IdentityPoolRoleAttachment even if not present