fix(custom-resources): fix circular dependency when a custom role provided to Provider

[GavinZZ]

Issue # (if applicable)

Closes #20360

Reason for this change

When users specify a isCompletehandler and specifies a custom role for the provider framework, the output template is not deployable due to circular dependencies.

Description of changes

The change here is to deprecate the old role property because this role is shared between the 3 framework lambda functions. The state machine will depends on the sfn default policy. The default policy depends on isCompleteLambda (granting invoke function permission). isCompleteLambda depends on common default role policy. The common role default policy has startExecution permission to SFN.

The solution is to deprecate role and introduce new roles for the onEvent lambda and isComplete/onTimeout lambda

Describe any new or updated permissions being added

N/A

Description of how you validated changes

New tests

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[GavinZZ]

Creating this PR on behalf of @swachter #32404 by adding integration test.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.24%. Comparing base (7f5bf4e) to head (ddd8768).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33600   +/-   ##
=======================================
  Coverage   82.24%   82.24%           
=======================================
  Files         119      119           
  Lines        6875     6875           
  Branches     1161     1161           
=======================================
  Hits         5654     5654           
  Misses       1118     1118           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.24% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.24% <ø> (ø)

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: ddd8768
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.