feat: new synthesizer separates assets out per CDK application

packages/@aws-cdk/app-staging-synthesizer/lib/bootstrap-roles.ts

@@ -16,36 +16,43 @@ export class BootstrapRole {
    * Specify an existing IAM Role to assume
    */
   public static fromRoleArn(arn: string) {
+    StringSpecializer.validateNoTokens(arn, 'BootstrapRole ARN');
     return new BootstrapRole(arn);
   }
 
   private static CLI_CREDS = 'cli-credentials';
 
   private constructor(private readonly roleArn: string) {}
 
+  /**
+   * Whether or not this is object was created using BootstrapRole.cliCredentials()
+   */
   public isCliCredentials() {
     return this.roleArn === BootstrapRole.CLI_CREDS;
   }
 
-  public renderRoleArn(options: {
-    spec?: StringSpecializer,
-    tokenType?: 'asset' | 'cfn',
-  } = {}) {
-    if (this.isCliCredentials()) { return undefined; }
-    if (!options.spec) { return this.roleArn; }
+  /**
+   * @internal
+   */
+  public _arnForCloudFormation() {
+    return this.isCliCredentials() ? undefined : translateAssetTokenToCfnToken(this.roleArn);
+  }
+
+  /**
+   * @internal
+   */
+  public _arnForCloudAssembly() {
+    return this.isCliCredentials() ? undefined : translateCfnTokenToAssetToken(this.roleArn);
+  }
 
-    const arn = options.spec.specialize(this.roleArn);
-    if (options.tokenType === 'asset') {
-      return translateCfnTokenToAssetToken(arn);
-    } else if (options.tokenType === 'cfn') {
-      return translateAssetTokenToCfnToken(arn);
-    } else {
-      return arn;
-    }
+  /**
+   * @internal
+   */
+  public _specialize(spec: StringSpecializer) {
+    return new BootstrapRole(spec.specialize(this.roleArn));
   }
 }
 
-
 /**
  * Roles that are bootstrapped to your account.
  */
@@ -62,7 +69,7 @@ export interface BootstrapRoles {
    *
    * @default - use boostrapped role
    */
-  readonly deploymentActionRole?: BootstrapRole;
+  readonly deploymentRole?: BootstrapRole;
 
   /**
    * Lookup Role

packages/@aws-cdk/app-staging-synthesizer/lib/index.ts

@@ -1,3 +1,4 @@
 export * from './default-staging-stack';
 export * from './app-staging-synthesizer';
-export * from './bootstrap-roles';
+export * from './bootstrap-roles';
+export * from './staging-stack';

packages/@aws-cdk/app-staging-synthesizer/lib/per-env-staging-factory.ts

@@ -0,0 +1,32 @@
+import { Stack } from 'aws-cdk-lib';
+import { AppScopedGlobal } from './private/app-global';
+import { IStagingStack, IStagingStackFactory, ObtainStagingResourcesContext } from './staging-stack';
+
+/**
+ * Per-environment cache
+ *
+ * This is a global because we might have multiple instances of this class
+ * in the app, but we want to cache across all of them.
+ */
+const ENVIRONMENT_CACHE = new AppScopedGlobal(() => new Map<string, IStagingStack>);
+
+/**
+ * Wraps another IStagingStack factory, and caches the result on a per-environment basis
+ */
+export class PerEnvironmenStagingFactory implements IStagingStackFactory {
+  constructor(private readonly wrapped: IStagingStackFactory) { }
+
+  public obtainStagingResources(stack: Stack, context: ObtainStagingResourcesContext): IStagingStack {
+    const cacheKey = context.environmentString;
+
+    const cache = ENVIRONMENT_CACHE.for(stack);
+    const existing = cache.get(cacheKey);
+    if (existing) {
+      return existing;
+    }
+
+    const result = this.wrapped.obtainStagingResources(stack, context);
+    cache.set(cacheKey, result);
+    return result;
+  }
+}

packages/@aws-cdk/app-staging-synthesizer/lib/private/app-global.ts

@@ -0,0 +1,33 @@
+import { App } from 'aws-cdk-lib';
+import { IConstruct } from 'constructs';
+
+/**
+ * Hold an App-wide global variable
+ *
+ * This is a replacement for a `static` variable, but does the right thing in case people
+ * instantiate multiple Apps in the same process space (for example, in unit tests or
+ * people using `cli-lib` in advanced configurations).
+ *
+ * This class assumes that the global you're going to be storing is a mutable object.
+ */
+export class AppScopedGlobal<A> {
+  private readonly map = new WeakMap<App, A>();
+
+  constructor(private readonly factory: () => A) {
+  }
+
+  public for(ctr: IConstruct): A {
+    const app = App.of(ctr);
+    if (!App.isApp(app)) {
+      throw new Error(`Construct ${ctr.node.path} must be part of an App`);
+    }
+
+    const existing = this.map.get(app);
+    if (existing) {
+      return existing;
+    }
+    const instance = this.factory();
+    this.map.set(app, instance);
+    return instance;
+  }
+}

packages/@aws-cdk/app-staging-synthesizer/lib/private/no-tokens.ts

@@ -0,0 +1,9 @@
+import { StringSpecializer } from 'aws-cdk-lib/core/lib/helpers-internal';
+
+export function validateNoTokens<A extends object>(props: A, context: string) {
+  for (const [key, value] of Object.entries(props)) {
+    if (typeof value === 'string') {
+      StringSpecializer.validateNoTokens(value, `${context} property '${key}'`);
+    }
+  }
+}

packages/@aws-cdk/app-staging-synthesizer/lib/staging-stack.ts

@@ -0,0 +1,120 @@
+import { DockerImageAssetSource, FileAssetSource, Stack } from 'aws-cdk-lib';
+import { IConstruct } from 'constructs';
+
+/**
+ * Information returned by the Staging Stack for each file asset.
+ */
+export interface FileStagingLocation {
+  /**
+   * The name of the staging bucket
+   */
+  readonly bucketName: string;
+
+  /**
+   * A prefix to add to the keys
+   *
+   * @default ''
+   */
+  readonly prefix?: string;
+
+  /**
+   * The ARN to assume to write files to this bucket
+   *
+   * @default - Don't assume a role
+   */
+  readonly assumeRoleArn?: string;
+
+  /**
+   * The stack that creates this bucket (leads to dependencies on it)
+   *
+   * @default - Don't add dependencies
+   */
+  readonly dependencyStack?: Stack;
+}
+
+/**
+ * Information returned by the Staging Stack for each image asset
+ */
+export interface ImageStagingLocation {
+  /**
+   * The name of the staging repository
+   */
+  readonly repoName: string;
+
+  /**
+   * The arn to assume to write files to this repository
+   *
+   * @default - Don't assume a role
+   */
+  readonly assumeRoleArn?: string;
+
+  /**
+   * The stack that creates this repository (leads to dependencies on it)
+   *
+   * @default - Don't add dependencies
+   */
+  readonly dependencyStack?: Stack;
+}
+
+/**
+ * Information on how a Staging Stack should look.
+ */
+export interface IStagingStack extends IConstruct {
+  /**
+   * Return staging resource information for a file asset.
+   */
+  addFile(asset: FileAssetSource): FileStagingLocation;
+
+  /**
+   * Return staging resource information for a docker asset.
+   */
+  addDockerImage(asset: DockerImageAssetSource): ImageStagingLocation;
+}
+
+/**
+ * Staging Stack Factory interface.
+ *
+ * The function included in this class will be called by the synthesizer
+ * to create or reference an IStagingStack that has the necessary
+ * staging resources for the Stack.
+ */
+export interface IStagingStackFactory {
+  /**
+   * Return an object that will manage staging resources for the given stack
+   *
+   * This is called whenever the the `AppStagingSynthesizer` binds to a specific
+   * stack, and allows selecting where the staging resources go.
+   *
+   * This method can choose to either create a new construct (perhaps a stack)
+   * and return it, or reference an existing construct.
+   *
+   * @param stack - stack to return an appropriate IStagingStack for
+   */
+  obtainStagingResources(stack: Stack, context: ObtainStagingResourcesContext): IStagingStack;
+}
+
+/**
+ * Context parameters for the 'obtainStagingResources' function
+ */
+export interface ObtainStagingResourcesContext {
+  /**
+   * A unique string describing the environment that is guaranteed not to have tokens in it
+   */
+  readonly environmentString: string;
+
+  /**
+   * The ARN of the deploy action role, if given
+   *
+   * This role will need permissions to read from to the staging resources.
+   *
+   * @default - Deploy role ARN is unknown
+   */
+  readonly deployRoleArn?: string;
+
+  /**
+   * The qualifier passed to the synthesizer
+   *
+   * The staging stack shouldn't need this, but it might.
+   */
+  readonly qualifier: string;
+}

packages/@aws-cdk/app-staging-synthesizer/test/app-staging-synthesizer.test.ts

@@ -1,7 +1,7 @@
 /* eslint-disable jest/no-commented-out-tests */
 import * as fs from 'fs';
 import { App, Stack, CfnResource, FileAssetPackaging, Token, Lazy, Duration } from 'aws-cdk-lib';
-import { Template, Match } from 'aws-cdk-lib/assertions';
+import { Match, Template } from 'aws-cdk-lib/assertions';
 import * as cxschema from 'aws-cdk-lib/cloud-assembly-schema';
 import { evaluateCFN } from 'aws-cdk-lib/core/test/evaluate-cfn';
 import { APP_ID, CFN_CONTEXT, TestAppScopedStagingSynthesizer, isAssetManifest, last } from './util';
@@ -38,7 +38,7 @@ describe(AppStagingSynthesizer, () => {
     const stackArtifact = asm.getStackArtifact('Stack');
 
     const templateObjectKey = last(stackArtifact.stackTemplateAssetObjectUrl?.split('/'));
-    expect(stackArtifact.stackTemplateAssetObjectUrl).toEqual(`s3://cdk-000000000000-us-east-1-${APP_ID.toLocaleLowerCase()}/${templateObjectKey}`);
+    expect(stackArtifact.stackTemplateAssetObjectUrl).toEqual(`s3://cdk-${APP_ID}-staging-000000000000-us-east-1/${templateObjectKey}`);
 
     // THEN - the template is in the asset manifest
     const manifestArtifact = asm.artifacts.filter(isAssetManifest)[0];
@@ -51,10 +51,10 @@ describe(AppStagingSynthesizer, () => {
       source: { path: 'Stack.template.json', packaging: 'file' },
       destinations: {
         '000000000000-us-east-1': {
-          bucketName: `cdk-000000000000-us-east-1-${APP_ID.toLocaleLowerCase()}`,
+          bucketName: `cdk-${APP_ID}-staging-000000000000-us-east-1`,
           objectKey: templateObjectKey,
           region: 'us-east-1',
-          assumeRoleArn: `arn:\${AWS::Partition}:iam::000000000000:role/cdk-file-publishing-role-us-east-1-${APP_ID}`,
+          assumeRoleArn: `arn:\${AWS::Partition}:iam::000000000000:role/cdk-${APP_ID}-file-publishing-role-us-east-1`,
         },
       },
     });
@@ -85,7 +85,7 @@ describe(AppStagingSynthesizer, () => {
     const stackArtifact = asm.getStackArtifact('Stack2');
 
     const templateObjectKey = last(stackArtifact.stackTemplateAssetObjectUrl?.split('/'));
-    expect(stackArtifact.stackTemplateAssetObjectUrl).toEqual(`s3://cdk-${accountToken}-${regionToken}-${APP_ID.toLocaleLowerCase()}/${templateObjectKey}`);
+    expect(stackArtifact.stackTemplateAssetObjectUrl).toEqual(`s3://cdk-${APP_ID}-staging-${accountToken}-${regionToken}/${templateObjectKey}`);
 
     // THEN - the template is in the asset manifest
     const manifestArtifact = asm.artifacts.filter(isAssetManifest)[0];
@@ -98,10 +98,10 @@ describe(AppStagingSynthesizer, () => {
       source: { path: 'Stack2.template.json', packaging: 'file' },
       destinations: {
         '111111111111-us-east-2': {
-          bucketName: `cdk-111111111111-us-east-2-${APP_ID.toLocaleLowerCase()}`,
+          bucketName: `cdk-${APP_ID}-staging-111111111111-us-east-2`,
           objectKey: templateObjectKey,
           region: 'us-east-2',
-          assumeRoleArn: `arn:\${AWS::Partition}:iam::111111111111:role/cdk-file-publishing-role-us-east-2-${APP_ID}`,
+          assumeRoleArn: `arn:\${AWS::Partition}:iam::111111111111:role/cdk-${APP_ID}-file-publishing-role-us-east-2`,
         },
       },
     });
@@ -118,7 +118,7 @@ describe(AppStagingSynthesizer, () => {
     // THEN - we have a stack dependency on the staging stack
     expect(stack.dependencies.length).toEqual(1);
     const depStack = stack.dependencies[0];
-    expect(depStack.stackName).toEqual(`StagingStack${APP_ID}`);
+    expect(depStack.stackName).toEqual(`StagingStack-${APP_ID}`);
   });
 
   test('add file asset', () => {
@@ -130,8 +130,8 @@ describe(AppStagingSynthesizer, () => {
     });
 
     // THEN - we have a fixed asset location
-    expect(evalCFN(location.bucketName)).toEqual(`cdk-000000000000-us-east-1-${APP_ID.toLocaleLowerCase()}`);
-    expect(evalCFN(location.httpUrl)).toEqual(`https://s3.us-east-1.domain.aws/cdk-000000000000-us-east-1-${APP_ID.toLocaleLowerCase()}/abcdef.js`);
+    expect(evalCFN(location.bucketName)).toEqual(`cdk-${APP_ID}-staging-000000000000-us-east-1`);
+    expect(evalCFN(location.httpUrl)).toEqual(`https://s3.us-east-1.domain.aws/cdk-${APP_ID}-staging-000000000000-us-east-1/abcdef.js`);
 
     // THEN - object key contains source hash somewhere
     expect(location.objectKey.indexOf('abcdef')).toBeGreaterThan(-1);
@@ -154,33 +154,8 @@ describe(AppStagingSynthesizer, () => {
     expect(evalCFN(location1.bucketName)).toEqual(evalCFN(location2.bucketName));
   });
 
-  test('can configure bucket prefix', () => {
-    // GIVEN
-    app = new App({
-      defaultStackSynthesizer: TestAppScopedStagingSynthesizer.stackPerEnv({
-        bucketPrefix: 'prefix',
-      }),
-    });
-    stack = new Stack(app, 'Stack', {
-      env: {
-        account: '000000000000',
-        region: 'us-west-2',
-      },
-    });
-
-    // WHEN
-    const location = stack.synthesizer.addFileAsset({
-      fileName: __filename,
-      packaging: FileAssetPackaging.FILE,
-      sourceHash: 'abcdef',
-    });
-
-    // THEN - assets have the same location
-    expect(evalCFN(location.objectKey)).toEqual('prefixabcdef.js');
-  });
-
   describe('ephemeral assets', () => {
-    test('ephemeral assets have the \'eph-\' prefix', () => {
+    test('ephemeral assets have the \'handoff/\' prefix', () => {
       // WHEN
       const location = stack.synthesizer.addFileAsset({
         fileName: __filename,
@@ -190,15 +165,13 @@ describe(AppStagingSynthesizer, () => {
       });
 
       // THEN - asset has bucket prefix
-      expect(evalCFN(location.objectKey)).toEqual('eph-abcdef.js');
+      expect(evalCFN(location.objectKey)).toEqual('handoff/abcdef.js');
     });
 
     test('ephemeral assets do not get specified bucketPrefix', () => {
       // GIVEN
       app = new App({
-        defaultStackSynthesizer: TestAppScopedStagingSynthesizer.stackPerEnv({
-          bucketPrefix: 'prefix',
-        }),
+        defaultStackSynthesizer: TestAppScopedStagingSynthesizer.stackPerEnv({}),
       });
       stack = new Stack(app, 'Stack', {
         env: {
@@ -216,7 +189,7 @@ describe(AppStagingSynthesizer, () => {
       });
 
       // THEN - asset has bucket prefix
-      expect(evalCFN(location.objectKey)).toEqual('eph-abcdef.js');
+      expect(evalCFN(location.objectKey)).toEqual('handoff/abcdef.js');
     });
 
     test('s3 bucket has lifecycle rule on ephemeral assets by default', () => {
@@ -229,15 +202,15 @@ describe(AppStagingSynthesizer, () => {
       const asm = app.synth();
 
       // THEN
-      const stagingStackArtifact = asm.getStackArtifact('StagingStack000000000000us-east-1');
+      const stagingStackArtifact = asm.getStackArtifact(`StagingStack-${APP_ID}-000000000000-us-east-1`);
 
       Template.fromJSON(stagingStackArtifact.template).hasResourceProperties('AWS::S3::Bucket', {
         LifecycleConfiguration: {
-          Rules: [{
-            ExpirationInDays: 10,
-            Prefix: 'eph-',
+          Rules: Match.arrayWith([{
+            ExpirationInDays: 30,
+            Prefix: 'handoff/',
             Status: 'Enabled',
-          }],
+          }]),
         },
       });
     });
@@ -246,11 +219,7 @@ describe(AppStagingSynthesizer, () => {
       // GIVEN
       app = new App({
         defaultStackSynthesizer: TestAppScopedStagingSynthesizer.stackPerEnv({
-          ephemeralFileAssetLifecycleRule: {
-            prefix: 'eph-',
-            objectSizeGreaterThan: 10000,
-            expiration: Duration.days(1),
-          },
+          handoffFileAssetLifetime: Duration.days(1),
         }),
       });
       stack = new Stack(app, 'Stack', {
@@ -267,66 +236,17 @@ describe(AppStagingSynthesizer, () => {
       const asm = app.synth();
 
       // THEN
-      const stagingStackArtifact = asm.getStackArtifact('StagingStack000000000000us-west-2');
+      const stagingStackArtifact = asm.getStackArtifact(`StagingStack-${APP_ID}-000000000000-us-west-2`);
 
       Template.fromJSON(stagingStackArtifact.template).hasResourceProperties('AWS::S3::Bucket', {
         LifecycleConfiguration: {
-          Rules: [{
+          Rules: Match.arrayWith([{
             ExpirationInDays: 1,
-            Prefix: 'eph-',
+            Prefix: 'handoff/',
             Status: 'Enabled',
-            ObjectSizeGreaterThan: 10000,
-          }],
-        },
-      });
-    });
-
-    test('customized lifecycle rule must have correct prefix', () => {
-      // GIVEN
-      app = new App({
-        defaultStackSynthesizer: TestAppScopedStagingSynthesizer.stackPerEnv({
-          ephemeralFileAssetLifecycleRule: {
-            objectSizeGreaterThan: 10000,
-            expiration: Duration.days(1),
-          },
-        }),
-      });
-      expect(() => {
-        new Stack(app, 'Stack', {
-          env: {
-            account: '000000000000',
-            region: 'us-west-2',
-          },
-        });
-      }).toThrowError('ephemeralAssetLifecycleRule must contain "prefix: \'eph-\'" but got "prefix: undefined". This prefix is the only way to identify ephemeral assets.');
-    });
-
-    test('lifecycle rule on ephemeral assets can be turned off', () => {
-      // GIVEN
-      app = new App({
-        defaultStackSynthesizer: TestAppScopedStagingSynthesizer.stackPerEnv({
-          retainEphemeralFileAssets: true,
-        }),
-      });
-      stack = new Stack(app, 'Stack', {
-        env: {
-          account: '000000000000',
-          region: 'us-west-2',
+          }]),
         },
       });
-      new CfnResource(stack, 'Resource', {
-        type: 'Some::Resource',
-      });
-
-      // WHEN
-      const asm = app.synth();
-
-      // THEN
-      const stagingStackArtifact = asm.getStackArtifact('StagingStack000000000000us-west-2');
-
-      Template.fromJSON(stagingStackArtifact.template).hasResourceProperties('AWS::S3::Bucket', {
-        LifecycleConfiguration: Match.absent(),
-      });
     });
   });
 
@@ -394,20 +314,7 @@ describe(AppStagingSynthesizer, () => {
       // GIVEN - App with Stack with specific environment
 
       // THEN - Expect environment agnostic stack to fail
-      expect(() => new Stack(app, 'NoEnvStack')).toThrowError('AppStagingSynthesizer cannot synthesize CDK Apps with BOTH environment-agnostic stacks and set environment stacks.\nPlease either specify environments for all stacks or no stacks in the CDK App.');
-    });
-
-    test('metadata for cdk-env is only added once on the app', () => {
-      // GIVEN - Additional App with specific environment
-      new Stack(app, 'EnvStack', {
-        env: {
-          account: '000000000000',
-          region: 'us-west-2',
-        },
-      });
-
-      // THEN - We only add the env metadata once
-      expect(app.node.metadata.filter((m) => m.type === 'cdk-env').length).toEqual(1);
+      expect(() => new Stack(app, 'NoEnvStack')).toThrowError(/It is not safe to use AppStagingSynthesizer/);
     });
   });
 
@@ -416,7 +323,7 @@ describe(AppStagingSynthesizer, () => {
       defaultStackSynthesizer: TestAppScopedStagingSynthesizer.stackPerEnv({
         appId: Lazy.string({ produce: () => 'appId' }),
       }),
-    })).toThrowError(/AppStagingSynthesizer property 'appId' cannot contain tokens;/);
+    })).toThrowError(/AppStagingSynthesizer property 'appId' may not contain tokens;/);
   });
 
   /**

packages/@aws-cdk/app-staging-synthesizer/test/bootstrap-roles.test.ts

@@ -1,20 +1,20 @@
+import * as fs from 'fs';
 import { App, Stack, CfnResource } from 'aws-cdk-lib';
+import * as cxschema from 'aws-cdk-lib/cloud-assembly-schema';
 import { isAssetManifest } from 'aws-cdk-lib/pipelines/lib/private/cloud-assembly-internals';
-import { AppStagingSynthesizer, BootstrapRole } from '../lib';
 import { APP_ID, CLOUDFORMATION_EXECUTION_ROLE, DEPLOY_ACTION_ROLE, LOOKUP_ROLE } from './util';
-import * as cxschema from 'aws-cdk-lib/cloud-assembly-schema';
-import * as fs from 'fs';
+import { AppStagingSynthesizer, BootstrapRole } from '../lib';
 
 describe('Boostrap Roles', () => {
   test('Can supply existing arns for bootstrapped roles', () => {
     // GIVEN
     const app = new App({
-      defaultStackSynthesizer: AppStagingSynthesizer.stackPerEnv({
+      defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
         appId: APP_ID,
-        bootstrapRoles: {
+        deploymentRoles: {
           cloudFormationExecutionRole: BootstrapRole.fromRoleArn(CLOUDFORMATION_EXECUTION_ROLE),
           lookupRole: BootstrapRole.fromRoleArn(LOOKUP_ROLE),
-          deploymentActionRole: BootstrapRole.fromRoleArn(DEPLOY_ACTION_ROLE),
+          deploymentRole: BootstrapRole.fromRoleArn(DEPLOY_ACTION_ROLE),
         },
       }),
     });
@@ -43,11 +43,9 @@ describe('Boostrap Roles', () => {
   test('can supply existing arns for staging roles', () => {
     // GIVEN
     const app = new App({
-      defaultStackSynthesizer: AppStagingSynthesizer.stackPerEnv({
+      defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
         appId: APP_ID,
-        stagingRoles: {
-          fileAssetPublishingRole: BootstrapRole.fromRoleArn('arn'),
-        },
+        fileAssetPublishingRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/S3Access'),
       }),
     });
     const stack = new Stack(app, 'Stack', {
@@ -69,18 +67,18 @@ describe('Boostrap Roles', () => {
     expect(manifestArtifact).toBeDefined();
     const manifest: cxschema.AssetManifest = JSON.parse(fs.readFileSync(manifestArtifact.file, { encoding: 'utf-8' }));
     const firstFile: any = (manifest.files ? manifest.files[Object.keys(manifest.files)[0]] : undefined) ?? {};
-    expect(firstFile.destinations['000000000000-us-east-1'].assumeRoleArn).toEqual('arn');
+    expect(firstFile.destinations['000000000000-us-east-1'].assumeRoleArn).toEqual('arn:aws:iam::123456789012:role/S3Access');
   });
 
   test('bootstrap roles can be specified as current cli credentials instead', () => {
     // GIVEN
     const app = new App({
-      defaultStackSynthesizer: AppStagingSynthesizer.stackPerEnv({
+      defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
         appId: APP_ID,
-        bootstrapRoles: {
+        deploymentRoles: {
           cloudFormationExecutionRole: BootstrapRole.cliCredentials(),
           lookupRole: BootstrapRole.cliCredentials(),
-          deploymentActionRole: BootstrapRole.cliCredentials(),
+          deploymentRole: BootstrapRole.cliCredentials(),
         },
       }),
     });
@@ -106,23 +104,10 @@ describe('Boostrap Roles', () => {
     expect(stackArtifact.assumeRoleArn).toBeUndefined();
   });
 
-  test('staging roles cannot be specified as cli credentials', () => {
-    const app = new App({
-      defaultStackSynthesizer: AppStagingSynthesizer.stackPerEnv({
-        appId: APP_ID,
-        stagingRoles: {
-          fileAssetPublishingRole: BootstrapRole.cliCredentials(),
-        },
-      }),
-    });
-
-    expect(() => new Stack(app, 'Stack')).toThrowError('fileAssetPublishingRole and dockerAssetPublishingRole cannot be specified as cliCredentials(). Please supply an arn to reference an existing IAM role.');
-  });
-
   test('qualifier is resolved in the synthesizer', () => {
     const app = new App({
-      defaultStackSynthesizer: AppStagingSynthesizer.stackPerEnv({
-        qualifier: 'abcdef',
+      defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
+        bootstrapQualifier: 'abcdef',
         appId: APP_ID,
       }),
     });

packages/@aws-cdk/app-staging-synthesizer/test/integ.env-agnostic-synth.ts

@@ -7,7 +7,7 @@ import { AppStagingSynthesizer } from '../lib';
 const app = new App();
 
 const stack = new Stack(app, 'app-scoped-staging-test', {
-  synthesizer: AppStagingSynthesizer.stackPerEnv({
+  synthesizer: AppStagingSynthesizer.defaultResources({
     appId: 'envAgnostic',
   }),
 });

packages/@aws-cdk/app-staging-synthesizer/test/integ.synthesizer.ts

@@ -7,7 +7,7 @@ import { AppStagingSynthesizer } from '../lib';
 const app = new App();
 
 const stack = new Stack(app, 'app-scoped-staging-test', {
-  synthesizer: AppStagingSynthesizer.stackPerEnv({
+  synthesizer: AppStagingSynthesizer.defaultResources({
     appId: 'newId3',
   }),
   env: {

packages/@aws-cdk/app-staging-synthesizer/test/util.ts

@@ -1,12 +1,12 @@
-import { StackPerEnvProps, AppStagingSynthesizer, BootstrapRole } from '../lib';
 import * as cxapi from 'aws-cdk-lib/cx-api';
+import { DefaultResourcesOptions, AppStagingSynthesizer, BootstrapRole } from '../lib';
 
 export const CFN_CONTEXT = {
   'AWS::Region': 'the_region',
   'AWS::AccountId': 'the_account',
   'AWS::URLSuffix': 'domain.aws',
 };
-export const APP_ID = 'appId';
+export const APP_ID = 'appid';
 export const CLOUDFORMATION_EXECUTION_ROLE = 'role';
 export const DEPLOY_ACTION_ROLE = 'role';
 export const LOOKUP_ROLE = 'role';
@@ -20,12 +20,12 @@ export function last<A>(xs?: A[]): A | undefined {
 }
 
 export class TestAppScopedStagingSynthesizer {
-  public static stackPerEnv(props: Partial<StackPerEnvProps> = {}): AppStagingSynthesizer {
-    return AppStagingSynthesizer.stackPerEnv({
+  public static stackPerEnv(props: Partial<DefaultResourcesOptions> = {}): AppStagingSynthesizer {
+    return AppStagingSynthesizer.defaultResources({
       appId: props.appId ?? APP_ID,
-      bootstrapRoles: {
+      deploymentRoles: {
         cloudFormationExecutionRole: BootstrapRole.fromRoleArn(CLOUDFORMATION_EXECUTION_ROLE),
-        deploymentActionRole: BootstrapRole.fromRoleArn(DEPLOY_ACTION_ROLE),
+        deploymentRole: BootstrapRole.fromRoleArn(DEPLOY_ACTION_ROLE),
         lookupRole: BootstrapRole.fromRoleArn(LOOKUP_ROLE),
       },
       ...props,

packages/aws-cdk-lib/core/lib/helpers-internal/string-specializer.ts

@@ -11,9 +11,22 @@ function replaceAll(s: string, search: string, replace: string) {
 }
 
 export class StringSpecializer {
-  constructor(private readonly stack: Stack, private readonly qualifier: string) {
+  /**
+   * Validate that the given string does not contain tokens
+   */
+  public static validateNoTokens(s: string, what: string) {
+    if (Token.isUnresolved(s)) {
+      throw new Error(`${what} may not contain tokens; only the following literal placeholder strings are allowed: ` + [
+        '${Qualifier}',
+        cxapi.EnvironmentPlaceholders.CURRENT_REGION,
+        cxapi.EnvironmentPlaceholders.CURRENT_ACCOUNT,
+        cxapi.EnvironmentPlaceholders.CURRENT_PARTITION,
+      ].join(', ') + `. Got: ${s}`);
+    }
   }
 
+  constructor(private readonly stack: Stack, private readonly qualifier: string) { }
+
   /**
    * Function to replace placeholders in the input string as much as possible
    *
@@ -31,6 +44,14 @@ export class StringSpecializer {
     });
   }
 
+  /**
+   * Specialize the given string, make sure it doesn't contain tokens
+   */
+  public specializeNoTokens(s: string, what: string): string {
+    StringSpecializer.validateNoTokens(s, what);
+    return this.specialize(s);
+  }
+
   /**
    * Specialize only the qualifier
    */

packages/aws-cdk-lib/core/lib/stack-synthesizers/stack-synthesizer.ts

@@ -1,14 +1,14 @@
 import * as fs from 'fs';
 import * as path from 'path';
-import * as cxschema from '../../../cloud-assembly-schema';
-import * as cxapi from '../../../cx-api';
-import { resolvedOr } from '../helpers-internal/string-specializer';
 import { addStackArtifactToAssembly, contentHash } from './_shared';
 import { IStackSynthesizer, ISynthesisSession } from './types';
+import * as cxschema from '../../../cloud-assembly-schema';
+import * as cxapi from '../../../cx-api';
 import { DockerImageAssetLocation, DockerImageAssetSource, FileAssetLocation, FileAssetSource, FileAssetPackaging } from '../assets';
 import { Fn } from '../cfn-fn';
 import { CfnParameter } from '../cfn-parameter';
 import { CfnRule } from '../cfn-rule';
+import { resolvedOr } from '../helpers-internal/string-specializer';
 import { Stack } from '../stack';
 
 /**