(iam): configure OpenIdConnectProvider custom resource role #20460

@ThomasLarge

Description

Describe the feature

When using the OpenIdConnectProvider, it would be great to be able to pass a role or role ARN that is used to execute the lambda function.

Use Case

When you use the OpenIdConnectProvider you are able to pass 3 props; these are:

  • url
  • clientIds
  • thumbprints

Ideally, this is all you need, but the OpenIdConnectProvider creates a custom resource, and this includes the OIDC provider, a lambda function, and a role for the lambda function. It would be great for us to also provide a role or roleArn to this method. This will help users that need to pass more details to the role that is created, like permission boundaries.

Proposed Solution

// Look up an existing role (fromManagedPolicyName returns a managed policy,
// not a role) and hand its ARN to the provider via the proposed roleArn prop,
// so the custom resource's lambda executes under a role the user controls.
const customLambdaRole = iam.Role.fromRoleName(
  this,
  'customLambdaRole',
  'RoleName'
);

new iam.OpenIdConnectProvider(this, 'name', {
  url: '',
  roleArn: customLambdaRole.roleArn // proposed new prop, not yet in the construct
});

Other Information

I'm not really sure why the OpenIdConnectProvider creates a lambda and role when it only needs to create the Identity provider. 🤷‍♂️

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.24.1 (build 585f9ca)

Environment details (OS name and version, etc.)

macOS Monterey. Version: 12.3.1
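Until the construct accepts a role, the role it synthesizes for the custom resource's Lambda is only visible in the `cdk synth` output, so the practical control is to check that template for IAM roles that carry no PermissionsBoundary before deploying. This is an added example, not code from the issue or the CDK project; the template below is constructed and its logical IDs only resemble what the OpenIdConnectProvider custom resource actually synthesizes.

```typescript
// Lint a synthesized CloudFormation template for IAM roles without a
// PermissionsBoundary, the gap the issue above describes for the custom
// resource's Lambda role.

type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, CfnResource> };

interface RoleFinding {
  logicalId: string;
  hasBoundary: boolean;
  boundary?: unknown;
}

// Report every AWS::IAM::Role in the template and whether it has a boundary.
function auditRoleBoundaries(template: Template): RoleFinding[] {
  return Object.entries(template.Resources)
    .filter(([, res]) => res.Type === 'AWS::IAM::Role')
    .map(([logicalId, res]) => {
      const boundary = res.Properties?.PermissionsBoundary;
      return { logicalId, hasBoundary: boundary !== undefined, boundary };
    });
}

// Logical IDs of roles with no boundary, so a CI gate can fail the deploy.
function rolesMissingBoundary(template: Template): string[] {
  return auditRoleBoundaries(template)
    .filter((f) => !f.hasBoundary)
    .map((f) => f.logicalId);
}

// Constructed sample (not real synth output): the provider, its Lambda and
// the Lambda's role created by the custom resource (no boundary), next to a
// user-defined role that does carry one.
const sampleTemplate: Template = {
  Resources: {
    OidcProviderHandlerRole: {
      Type: 'AWS::IAM::Role',
      Properties: { AssumeRolePolicyDocument: {}, ManagedPolicyArns: [] },
    },
    OidcProviderHandler: {
      Type: 'AWS::Lambda::Function',
      Properties: { Role: { 'Fn::GetAtt': ['OidcProviderHandlerRole', 'Arn'] } },
    },
    OidcProvider: {
      Type: 'Custom::AWSCDKOpenIdConnectProvider',
      Properties: { Url: 'https://oidc.example.invalid' },
    },
    AppRole: {
      Type: 'AWS::IAM::Role',
      Properties: { AssumeRolePolicyDocument: {}, PermissionsBoundary: { Ref: 'Boundary' } },
    },
  },
};
```

Run it against `cdk synth --json` output instead of the sample to gate a pipeline; in CDK v2, `iam.PermissionsBoundary.of(stack).apply(boundaryPolicy)` is one way to put a boundary on every role synthesized under a scope, which this check would then confirm for the custom resource's role.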

Labels

  • @aws-cdk/aws-iam – Related to AWS Identity and Access Management
  • effort/small – Small work item, less than a day of effort
  • feature-request – A feature should be added or improved.
  • good first issue – Related to contributions. See CONTRIBUTING.md
  • p1