feat(iam): support Role.fromLookup() method

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role-from-lookup.js.snapshot/LookupRoleStack.template.json

@@ -0,0 +1,62 @@
+{
+ "Resources": {
+  "HelloPolicyD59007DF": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "ec2:*",
+       "Effect": "Allow",
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "Default",
+    "Roles": [
+     "MyLookupTestRole"
+    ]
+   }
+  }
+ },
+ "Outputs": {
+  "LookupRoleName": {
+   "Value": "MyLookupTestRole"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role-from-lookup.ts

@@ -0,0 +1,35 @@
+import { App, CfnOutput, Stack } from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { Policy, PolicyStatement, Role } from 'aws-cdk-lib/aws-iam';
+
+const roleName = 'MyLookupTestRole';
+
+const app = new App();
+
+const stack = new Stack(app, 'LookupRoleStack', {
+  env: {
+    account: process.env.CDK_INTEG_ACCOUNT ?? process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_INTEG_REGION ?? process.env.CDK_DEFAULT_REGION,
+  },
+});
+
+const lookupRole = Role.fromLookup(stack, 'LookupRole', {
+  roleName,
+});
+
+const policy = new Policy(stack, 'HelloPolicy', { policyName: 'Default' });
+policy.addStatements(new PolicyStatement({ actions: ['ec2:*'], resources: ['*'] }));
+policy.attachToRole(lookupRole);
+
+new CfnOutput(stack, 'LookupRoleName', { value: lookupRole.roleName });
+
+new IntegTest(app, 'integ-iam-role-from-lookup', {
+  enableLookups: true,
+  stackUpdateWorkflow: false,
+  testCases: [stack],
+  // create the role before the test and delete it after
+  hooks: {
+    preDeploy: [`aws iam create-role --role-name ${roleName} --assume-role-policy-document file://policy-document.json`],
+    postDestroy: [`aws iam delete-role --role-name ${roleName}`],
+  },
+});

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/policy-document.json

@@ -0,0 +1,12 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "sqs.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}