Description
Describe the bug
This issue is to deprecate the feature flag @aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy, i.e. unset its default value, due to a risk described below. The feature flag was introduced in PR-33291.
In the current implementation, the dependency of the Lambda function on the policy has been removed. In addition, the role is attached to the policy instead of an inline policy being attached to the role.
This creates a race condition in the CloudFormation deployment, because creation of the Lambda function no longer waits for the policy to be created.
We recommend unsetting the feature flag if it is already set, which restores the original behavior.
sample-app

```typescript
// Imports added for completeness (aws-cdk-lib v2); the rest is the original reproduction.
import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { UserPool } from 'aws-cdk-lib/aws-cognito';

const fn = new lambda.Function(this, 'MyLambda', {
  code: new lambda.InlineCode('foo'),
  handler: 'index.handler',
  runtime: lambda.Runtime.NODEJS_20_X,
});
const userPool = new UserPool(this, 'myUserPoolTest', {
  lambdaTriggers: {
    fn,
  },
});
const cognitoPolicy = new iam.PolicyStatement({
  actions: ['cognito:*'],
  resources: [userPool.userPoolArn],
});
// With the feature flag set, this no longer makes the function DependsOn the policy.
fn.addToRolePolicy(cognitoPolicy);
```
old template

```yaml
Resources:
  MyLambdaServiceRole4539ECB6:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/ServiceRole/Resource
  MyLambdaServiceRoleDefaultPolicy5BBC6F68:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: cognito:*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - myUserPoolTestD44472FC
                - Arn
        Version: "2012-10-17"
      PolicyName: MyLambdaServiceRoleDefaultPolicy5BBC6F68
      Roles:
        - Ref: MyLambdaServiceRole4539ECB6
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/ServiceRole/DefaultPolicy/Resource
  MyLambdaCCE802FB:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: foo
      Handler: index.handler
      Role:
        Fn::GetAtt:
          - MyLambdaServiceRole4539ECB6
          - Arn
      Runtime: nodejs20.x
    DependsOn:
      - MyLambdaServiceRoleDefaultPolicy5BBC6F68
      - MyLambdaServiceRole4539ECB6
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/Resource
  myUserPoolTestFnCognito7EF64C97:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
          - MyLambdaCCE802FB
          - Arn
      Principal: cognito-idp.amazonaws.com
      SourceArn:
        Fn::GetAtt:
          - myUserPoolTestD44472FC
          - Arn
    Metadata:
      aws:cdk:path: MyappStack/myUserPoolTest/FnCognito
  myUserPoolTestD44472FC:
    Type: AWS::Cognito::UserPool
    Properties:
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_phone_number
            Priority: 1
          - Name: verified_email
            Priority: 2
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
      EmailVerificationMessage: The verification code to your new account is {####}
      EmailVerificationSubject: Verify your new account
      LambdaConfig: {}
      SmsVerificationMessage: The verification code to your new account is {####}
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
        EmailMessage: The verification code to your new account is {####}
        EmailSubject: Verify your new account
        SmsMessage: The verification code to your new account is {####}
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MyappStack/myUserPoolTest/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/4VRTUtDMRD8LeYoadSKiL1VQfD2qPUkRdJkfd02HyXJU0rIf3dfkxbBg6ckMzszu9mpuLl/ENcX8jtOlN5NDK5Ffk1S7ThBH9lIu9ZS5OfBqYTevWemvAY2Y5eMs4102kBorzC4hLZyZcWfPt1JNd47CBZjpFfhKK3IC2+A7GSMgwX9eGCzzPYBncK9NHOlPNk151ozCuZHvxrBmZVO9qA7b1AhRDYjv9/YYR5a7apwitJ66btTRK0YNY1NNPbmxRl0cOZI+w95HHRsjVd8RM+CpR+ZPz5/Ya3p0xNYcCm2lo7G1bNw5XuHyYv8FiF03huatO5mGbDvIZAql6o5lZTCFxD9EBS0IEerE9t49TW9FXe09W1EnLS1iUU9fwDTmWW+EgIAAA==
    Metadata:
      aws:cdk:path: MyappStack/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
```
new template

```yaml
Resources:
  MyLambdaServiceRole4539ECB6:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/ServiceRole/Resource
  MyLambdaCCE802FB:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: foo
      Handler: index.handler
      Role:
        Fn::GetAtt:
          - MyLambdaServiceRole4539ECB6
          - Arn
      Runtime: nodejs20.x
    DependsOn:
      - MyLambdaServiceRole4539ECB6
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/Resource
  MyLambdainlinePolicyAddedToExecutionRole0E0144580:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: cognito:*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - myUserPoolTestD44472FC
                - Arn
        Version: "2012-10-17"
      PolicyName: MyLambdainlinePolicyAddedToExecutionRole0E0144580
      Roles:
        - Ref: MyLambdaServiceRole4539ECB6
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/inlinePolicyAddedToExecutionRole-0/Resource
  myUserPoolTestFnCognito7EF64C97:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
          - MyLambdaCCE802FB
          - Arn
      Principal: cognito-idp.amazonaws.com
      SourceArn:
        Fn::GetAtt:
          - myUserPoolTestD44472FC
          - Arn
    Metadata:
      aws:cdk:path: MyappStack/myUserPoolTest/FnCognito
  myUserPoolTestD44472FC:
    Type: AWS::Cognito::UserPool
    Properties:
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_phone_number
            Priority: 1
          - Name: verified_email
            Priority: 2
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
      EmailVerificationMessage: The verification code to your new account is {####}
      EmailVerificationSubject: Verify your new account
      LambdaConfig: {}
      SmsVerificationMessage: The verification code to your new account is {####}
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
        EmailMessage: The verification code to your new account is {####}
        EmailSubject: Verify your new account
        SmsMessage: The verification code to your new account is {####}
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MyappStack/myUserPoolTest/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/4WRT0sDMRDFP4s5SjbWiiC9VUHwVrb1VIqkybidNn9KklVKyHd3ttlCxYOnJG/mvV+GmYr7p4mY3Mjv2Ch9aAxuRV4mqQ6cpI9spN1qKfJr71RC79aZKa+Bzdgt42wnnTYQxlfoXUJba2XDXz7dxTXcFxAsxkivwlFakVtvgOJkjL0F/Xxis8yOAZ3CozRzpTzFjcm1ZzDMz3kVwZmVTnagF96gQohsRnnX2mkext5N4YRKNNjuzRl0UOvkoOo/xfMoA5xXnSAxyQQWXIrjV8iv9fJKXedr5soP/j+03/KZUxGFK985TF7k9whh4b0hal3GKmDXQSBGLtVzaSmFtxB9HxSMIEe7Evt49zV9EI+05n1EbMY9ibaeP+lWiooDAgAA
    Metadata:
      aws:cdk:path: MyappStack/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
```
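The difference between the two templates is the missing DependsOn edge from the function to its policy. As an added example (not aws-cdk project code), the check below scans a synthesized JSON template (the format in cdk.out) and reports Lambda functions whose execution role has AWS::IAM::Policy resources the function does not depend on; the sample template is a constructed subset of the new template above.

```javascript
// Added example (not aws-cdk project code): lint a synthesized CloudFormation
// template for the gap this issue describes: a Lambda function whose execution
// role has AWS::IAM::Policy resources the function does not DependsOn.
// Logical id named by a Ref or Fn::GetAtt intrinsic, or null for plain strings.
function logicalIdOf(value) {
  if (!value || typeof value !== 'object') return null;
  if (typeof value.Ref === 'string') return value.Ref;
  return Array.isArray(value['Fn::GetAtt']) ? value['Fn::GetAtt'][0] : null;
}

// Returns { functionLogicalId: [policy logical ids missing from DependsOn] }.
function findMissingPolicyDependencies(template) {
  const resources = template.Resources || {};
  const findings = {};
  for (const fnId of Object.keys(resources)) {
    const fn = resources[fnId];
    if (fn.Type !== 'AWS::Lambda::Function') continue;
    const roleId = logicalIdOf((fn.Properties || {}).Role);
    if (!roleId) continue; // role passed as an ARN string: not in this template
    // DependsOn may be a single string or a list; normalise to a list.
    const deps = [].concat(fn.DependsOn || []);
    const missing = Object.keys(resources).filter((polId) => {
      const pol = resources[polId];
      if (pol.Type !== 'AWS::IAM::Policy') return false;
      const roles = (pol.Properties || {}).Roles || [];
      return roles.some((r) => logicalIdOf(r) === roleId) && !deps.includes(polId);
    });
    if (missing.length > 0) findings[fnId] = missing;
  }
  return findings;
}

// Constructed sample: the resources of the "new template" above that matter for
// the check, with the function depending only on its role.
const newTemplate = {
  Resources: {
    MyLambdaServiceRole4539ECB6: { Type: 'AWS::IAM::Role', Properties: {} },
    MyLambdaCCE802FB: {
      Type: 'AWS::Lambda::Function',
      Properties: { Role: { 'Fn::GetAtt': ['MyLambdaServiceRole4539ECB6', 'Arn'] } },
      DependsOn: ['MyLambdaServiceRole4539ECB6'],
    },
    MyLambdainlinePolicyAddedToExecutionRole0E0144580: {
      Type: 'AWS::IAM::Policy',
      Properties: { Roles: [{ Ref: 'MyLambdaServiceRole4539ECB6' }] },
    },
  },
};
console.log(JSON.stringify(findMissingPolicyDependencies(newTemplate)));
```

Running it against the old template shape (function DependsOn both the role and the policy) yields no findings, so the same check can gate a pipeline until the flag is unset or the dependency is restored.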
Last Known Working CDK Version
2.179.0
Expected Behavior
Expected Policy attachment

```json
{
  "RoleName": "MyExampleRole",
  "Policies": [
    {
      "PolicyName": "InlineS3AccessPolicy",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket"
          }
        ]
      }
    }
  ]
}
```
Current Behavior
Described above
Reproduction Steps
Described above
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.1002.0
Framework Version
No response
Node.js Version
v23.5.0
OS
macOS
Language
TypeScript
Language Version
No response
Other information
No response