From 1539bfe359eb085c2808b369d00f8399296317cd Mon Sep 17 00:00:00 2001
From: epolon
Date: Sun, 15 Sep 2024 11:06:56 +0300
Subject: [PATCH] mid work
---
 .../stack-synthesizers/default-synthesizer.ts | 5 +++--
 .../lib/stack-synthesizers/stack-synthesizer.ts | 6 ++++--
 packages/aws-cdk-lib/core/lib/stack.ts | 17 +++++++++++++++--
 .../aws-cdk/lib/api/aws-auth/sdk-provider.ts | 2 +-
 4 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/packages/aws-cdk-lib/core/lib/stack-synthesizers/default-synthesizer.ts b/packages/aws-cdk-lib/core/lib/stack-synthesizers/default-synthesizer.ts
index 750e8a0ba1d22..2b4e4203a3466 100644
--- a/packages/aws-cdk-lib/core/lib/stack-synthesizers/default-synthesizer.ts
+++ b/packages/aws-cdk-lib/core/lib/stack-synthesizers/default-synthesizer.ts
@@ -463,7 +463,7 @@ export class DefaultStackSynthesizer extends StackSynthesizer implements IReusab
 * Synthesize the stack template to the given session, passing the configured lookup role ARN
 */
 protected synthesizeStackTemplate(stack: Stack, session: ISynthesisSession) {
- stack._synthesizeTemplate(session, this.lookupRoleArn, this.props.lookupRoleAdditionalOptions);
+ stack._synthesizeTemplate(session, this.lookupRoleArn, this.props.lookupRoleExternalId, this.props.lookupRoleAdditionalOptions);
 }
 /**
@@ -490,7 +490,8 @@ export class DefaultStackSynthesizer extends StackSynthesizer implements IReusab
 this.addBootstrapVersionRule(this._requiredBootstrapVersionForDeployment, this.bootstrapStackVersionSsmParameter!);
 }
- const templateAssetSource = this.synthesizeTemplate(session, this.lookupRoleArn, this.props.lookupRoleAdditionalOptions);
+ const templateAssetSource = this.synthesizeTemplate(session, this.lookupRoleArn,
+ this.props.lookupRoleExternalId, this.props.lookupRoleAdditionalOptions);
 const templateAsset = this.addFileAsset(templateAssetSource);
 const assetManifestId = this.assetManifest.emitManifest(this.boundStack, session, {
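Review bot: The two updated call sites pass the same four arguments in the same order but are laid out differently: the first hunk keeps `stack._synthesizeTemplate(session, this.lookupRoleArn, this.props.lookupRoleExternalId, this.props.lookupRoleAdditionalOptions);` on one line, while the second hunk breaks `this.synthesizeTemplate(...)` after `this.lookupRoleArn,` and continues on the next line. Pick one layout for both so a reader scanning for the lookup-role plumbing sees the same shape at each site. Both enclosing methods continue outside their hunks.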
diff --git a/packages/aws-cdk-lib/core/lib/stack-synthesizers/stack-synthesizer.ts b/packages/aws-cdk-lib/core/lib/stack-synthesizers/stack-synthesizer.ts
index 1877a7eb99fc9..3cde73d8b8933 100644
--- a/packages/aws-cdk-lib/core/lib/stack-synthesizers/stack-synthesizer.ts
+++ b/packages/aws-cdk-lib/core/lib/stack-synthesizers/stack-synthesizer.ts
@@ -107,9 +107,11 @@ export abstract class StackSynthesizer implements IStackSynthesizer {
 * the credentials will be the same identity that is doing the `UpdateStack`
 * call, which may not have the right permissions to write to S3.
 */
- protected synthesizeTemplate(session: ISynthesisSession, lookupRoleArn?: string,
+ protected synthesizeTemplate(session: ISynthesisSession,
+ lookupRoleArn?: string,
+ lookupRoleExternalId?: string,
 lookupRoleAdditionalOptions?: { [key: string]: any }): FileAssetSource {
- this.boundStack._synthesizeTemplate(session, lookupRoleArn, lookupRoleAdditionalOptions);
+ this.boundStack._synthesizeTemplate(session, lookupRoleArn, lookupRoleExternalId, lookupRoleAdditionalOptions);
 return stackTemplateFileAsset(this.boundStack, session);
 }
diff --git a/packages/aws-cdk-lib/core/lib/stack.ts b/packages/aws-cdk-lib/core/lib/stack.ts
index a507b6def0c97..2a5947e38b31d 100644
--- a/packages/aws-cdk-lib/core/lib/stack.ts
+++ b/packages/aws-cdk-lib/core/lib/stack.ts
@@ -1061,7 +1061,10 @@ export class Stack extends Construct implements ITaggable {
 * Synthesizes the cloudformation template into a cloud assembly.
 * @internal
 */
- public _synthesizeTemplate(session: ISynthesisSession, lookupRoleArn?: string, lookupRoleAdditionalOptions?: { [key: string]: any }): void {
+ public _synthesizeTemplate(session: ISynthesisSession,
+ lookupRoleArn?: string,
+ lookupRoleExternalId?: string,
+ lookupRoleAdditionalOptions?: { [key: string]: any }): void {
 // In principle, stack synthesis is delegated to the
 // StackSynthesis object.
 //
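Review bot: The new `lookupRoleExternalId?: string` parameter is inserted between two existing optional parameters of `synthesizeTemplate`, which is `protected` on the abstract `StackSynthesizer` and therefore part of the surface any custom synthesizer subclass calls; an existing three-argument call now binds its options object to the external-ID slot, and whether that is caught at compile time or only at runtime depends on the caller's language and typing, so appending the parameter last or grouping the three lookup-role values in a single options object would be the safer shape. The same mid-list insertion is made on `Stack._synthesizeTemplate` in the stack.ts hunk below. Neither method's TSDoc (which begins above its hunk) mentions the new parameter; a line such as `@param lookupRoleExternalId external ID passed when the lookup role is assumed` on both would close that gap. `{ [key: string]: any }` for `lookupRoleAdditionalOptions` is untouched here but could be tightened to `Record<string, unknown>` in a follow-up.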
@@ -1104,7 +1107,17 @@ export class Stack extends Construct implements ITaggable {
 fs.writeFileSync(outPath, templateData);
 for (const ctx of this._missingContext) {
- builder.addMissing({ ...ctx, props: { ...ctx.props, lookupRoleArn, lookupRoleAdditionalOptions } });
+
+ // 'account' and 'region' are added to the schema at tree instantiation time.
+ // these options however are only known at synthesis, so are added here.
+ // see https://github.com/aws/aws-cdk/blob/v2.158.0/packages/aws-cdk-lib/core/lib/context-provider.ts#L71
+ const queryLookupOptions: Omit = {
+ lookupRoleArn,
+ lookupRoleExternalId,
+ assumeRoleAdditionalOptions: lookupRoleAdditionalOptions,
+ };
+
+ builder.addMissing({ ...ctx, props: { ...ctx.props, ...queryLookupOptions } });
 }
 }
diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
index dd01774fee251..780c4d6db5457 100644
--- a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
@@ -368,7 +368,7 @@ export class SdkProvider {
 externalId: string | undefined,
 additionalOptions: AssumeRoleAdditionalOptions | undefined,
 region: string | undefined) {
- debug(`Assuming role '${roleArn}' with additional options: ${JSON.stringify(additionalOptions ?? {}, null, 2)}.`);
+ debug(`Assuming role '${roleArn}'.`);
 region = region ?? this.defaultRegion;
 const creds = new AWS.ChainableTemporaryCredentials({
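Review bot: The key written into the missing-context props is renamed from `lookupRoleAdditionalOptions` to `assumeRoleAdditionalOptions` in `const queryLookupOptions`, but nothing in this patch touches the CLI-side context providers that read those props; unless they already expect `assumeRoleAdditionalOptions`, the additional options are silently dropped at lookup time, so that consumer should land in the same change or be named in the commit message. As rendered, `const queryLookupOptions: Omit = {` carries no type arguments, which does not compile; this looks like stripped angle brackets in the rendering, but the actual `Omit<...>` should be confirmed. The external ID is now persisted into the cloud assembly's missing-context entries on disk next to the role ARN; that is the same exposure `lookupRoleArn` already has, but the synthesizer property's docs should say so, since users may treat the external ID as confidential. The enclosing method `_synthesizeTemplate` begins outside this hunk.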
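Review bot: Dropping the `JSON.stringify(additionalOptions ...)` dump from the debug line is a good call, since those options can carry values that do not belong in logs, but the replacement `debug(\`Assuming role '${roleArn}'.\`)` gives no hint that an external ID or extra options were applied, which is exactly what you want to see when an AssumeRole call is denied. Logging presence without value keeps both properties: `debug(\`Assuming role '${roleArn}'${externalId ? ' with external ID' : ''}${additionalOptions ? ' with additional options' : ''}.\`);`. The function's signature and body extend beyond this hunk.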