fix(lambda): deprecate feature flag @aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy

packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.dns-validated-certificate.ts

@@ -26,7 +26,11 @@ if (!hostedZoneName) throw new Error('For this test you must provide your own Ho
 const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME;
 if (!domainName) throw new Error('For this test you must provide your own DomainName as an env var "DOMAIN_NAME". See framework-integ/README.md for details.');
 
-const app = new App();
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true,
+  },
+});
 const stack = new Stack(app, 'integ-dns-validated-certificate');
 const hostedZone = PublicHostedZone.fromHostedZoneAttributes(stack, 'HostedZone', {
   hostedZoneId,

packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-lambda-node-runtime.ts

@@ -6,6 +6,7 @@ import { CustomResourceConfig } from 'aws-cdk-lib/custom-resources';
 
 const app = new cdk.App({
   postCliContext: {
+    '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true,
     '@aws-cdk/aws-dynamodb:retainTableReplica': true,
   },
 });

packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine-custom-role.ts

@@ -47,7 +47,11 @@ class TestStack extends Stack {
   }
 }
 
-const app = new App();
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true,
+  },
+});
 const stack = new TestStack(app, 'integ-provider-with-waiter-state-machine-custom-role');
 
 new integ.IntegTest(app, 'IntegProviderWithWaiterStateMachineCustomRole', {

packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-auto.ts

@@ -78,7 +78,11 @@ export class EksAutoModeNodePoolsStack extends Stack {
   }
 }
 
-const app = new App();
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true,
+  },
+});
 
 const stack1 = new EksAutoModeBaseStack(app, 'eks-auto-mode-stack', { env: { region: 'us-east-1' } });
 const stack2 = new EksAutoModeNodePoolsStack(app, 'eks-auto-mode-empty-nodepools-stack', { env: { region: 'us-east-1' } });

packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-maintenance-track-name.ts

@@ -29,7 +29,11 @@ class RedshiftStack extends Stack {
   }
 }
 
-const app = new App();
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true,
+  },
+});
 
 new integ.IntegTest(app, 'RedshiftMaintenanceTrackNameInteg', {
   testCases: [new RedshiftStack(app, 'RedshiftMaintenanceTrackNameIntegStack')],

packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -89,7 +89,7 @@ Flags come in three types:
 | [@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault](#aws-cdkaws-elasticloadbalancingv2albdualstackwithoutpublicipv4securitygrouprulesdefault) | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | 2.176.0 | (fix) |
 | [@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections](#aws-cdkaws-iamoidcrejectunauthorizedconnections) | When enabled, the default behaviour of OIDC provider will reject unauthorized connections | 2.177.0 | (fix) |
 | [@aws-cdk/core:enableAdditionalMetadataCollection](#aws-cdkcoreenableadditionalmetadatacollection) | When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues. | 2.178.0 | (config) |
-| [@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy](#aws-cdkaws-lambdacreatenewpolicieswithaddtorolepolicy) | When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement | 2.180.0 | (fix) |
+| [@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy](#aws-cdkaws-lambdacreatenewpolicieswithaddtorolepolicy) | [Deprecated]When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement | 2.180.0 | (fix) |
 | [@aws-cdk/aws-s3:setUniqueReplicationRoleName](#aws-cdkaws-s3setuniquereplicationrolename) | When enabled, CDK will automatically generate a unique role name that is used for s3 object replication. | 2.182.0 | (fix) |
 | [@aws-cdk/pipelines:reduceStageRoleTrustScope](#aws-cdkpipelinesreducestageroletrustscope) | Remove the root account principal from Stage addActions trust policy | 2.184.0 | (default) |
 | [@aws-cdk/aws-events:requireEventBusPolicySid](#aws-cdkaws-eventsrequireeventbuspolicysid) | When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals. | 2.186.0 | (fix) |
@@ -172,6 +172,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
     "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
     "@aws-cdk/core:enableAdditionalMetadataCollection": true,
+    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,
+    "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
     "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true,
     "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
     "@aws-cdk/aws-events:requireEventBusPolicySid": true,
@@ -1701,17 +1703,20 @@ When this feature flag is enabled, CDK expands the scope of usage data collectio
 
 ### @aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy
 
-*When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement* (fix)
+*[Deprecated]When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement* (fix)
 
-When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. 
+[Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. 
 The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement.
 This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions.
+However in the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role. 
+This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016) particularly in cases where the lambda resource creation doesnt need to depend on the policy resource creation. 
+We recommend to unset the feature flag if already set which will restore the original behavior.
 
 
 | Since | Default | Recommended |
 | ----- | ----- | ----- |
 | (not in v1) |  |  |
-| 2.180.0 | `false` | `true` |
+| 2.180.0 | `false` | `false` |
 
 
 ### @aws-cdk/aws-s3:setUniqueReplicationRoleName

packages/aws-cdk-lib/cx-api/README.md

@@ -615,16 +615,19 @@ _cdk.json_
 
 * `@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy`
 
-When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. 
+[Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. 
 The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement.
 This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions.
+However in the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role. 
+This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016) particularly in cases where the lambda resource creation doesnt need to depend on the policy resource creation. 
+We recommend to unset the feature flag if already set which will restore the original behavior. 
 
 _cdk.json_
 
 ```json
 {
   "context": {
-    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true
+    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false
   }
 }
 ```

packages/aws-cdk-lib/cx-api/lib/features.ts

@@ -1396,14 +1396,17 @@ export const FLAGS: Record<string, FlagInfo> = {
   //////////////////////////////////////////////////////////////////////
   [LAMBDA_CREATE_NEW_POLICIES_WITH_ADDTOROLEPOLICY]: {
     type: FlagType.BugFix,
-    summary: 'When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement',
+    summary: '[Deprecated]When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement',
     detailsMd: `
-      When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. 
+      [Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. 
       The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement.
       This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions.
+      However in the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role. 
+      This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016) particularly in cases where the lambda resource creation doesnt need to depend on the policy resource creation. 
+      We recommend to unset the feature flag if already set which will restore the original behavior.  
     `,
     introducedIn: { v2: '2.180.0' },
-    recommendedValue: true,
+    recommendedValue: false,
   },
 
   //////////////////////////////////////////////////////////////////////

packages/aws-cdk-lib/recommended-feature-flags.json

@@ -65,6 +65,8 @@
   "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
   "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
   "@aws-cdk/core:enableAdditionalMetadataCollection": true,
+  "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,
+  "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
   "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true,
   "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
   "@aws-cdk/aws-events:requireEventBusPolicySid": true,