aws-cdk/aws-cognito-identitypool-alpha: Rule based role mapping Circular Dependency #33725

Open

sarflux opened this issue Mar 10, 2025 · 0 comments
Labels
@aws-cdk/aws-cognito-identitypool bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments


sarflux commented Mar 10, 2025

Describe the bug

We are encountering a circular dependency when configuring rule-based role mapping for an Amazon Cognito Identity Pool using AWS CDK.

The problem arises because:

IAM Role Trust Policy requires the Identity Pool ID (aud condition).
Identity Pool Role Mapping requires the IAM Role ARN during initialization.

This creates a dependency loop where:

The Identity Pool cannot be created without the IAM Role.
The IAM Role cannot be created without the Identity Pool ID.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

CDK should allow defining role mappings without causing a circular dependency when the IAM role trust policy depends on the Identity Pool ID.

Current Behavior

There is no way to reference the identity pool ID in the IAM role before its creation.

Reproduction Steps

from aws_cdk import aws_iam as iam
from aws_cdk import aws_cognito_identitypool_alpha as cognito_idp

# Trust policy for the app role. The aud condition must carry the identity pool ID,
# but the pool does not exist yet at this point, so the value cannot be referenced;
# "<Identity Pool ID>" marks where the pool ID would have to go.
client_role_principal = iam.WebIdentityPrincipal(
    "cognito-identity.amazonaws.com",
    {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": "<Identity Pool ID>"},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
    },
)

# client_name and stage are defined elsewhere in the stack.
self.myapp_role = iam.Role(self, f"{client_name}Role-{stage}", assumed_by=client_role_principal)

# Rule-based role mapping: tokens whose aud claim equals the app client ID map to myapp_role.
# The mapped role must already exist here, so the role has to be created before the pool.
role_mappings = [
    cognito_idp.IdentityPoolRoleMapping(
        mapping_key="myapp",
        provider_url=cognito_idp.IdentityPoolProviderUrl.user_pool(
            self.cognito_user_pool, self.myapp_client  # the same user pool client used below
        ),
        rules=[
            cognito_idp.RoleMappingRule(
                claim="aud",
                claim_value=self.myapp_client.user_pool_client_id,
                mapped_role=self.myapp_role,  # Requires IAM Role ARN
                match_type=cognito_idp.RoleMappingMatchType.EQUALS,
            )
        ]
    )
]

# The pool is created last, yet its ID is what the role's trust policy above needs.
cognito_identity_pool = cognito_idp.IdentityPool(
    self,
    "MyIdentityPool",
    allow_classic_flow=False,
    allow_unauthenticated_identities=False,
    authentication_providers=cognito_idp.IdentityPoolAuthenticationProviders(
        user_pools=[
            cognito_idp.UserPoolAuthenticationProvider(
                user_pool=self.cognito_user_pool,
                user_pool_client=self.myapp_client,
            )
        ],
    ),
    role_mappings=role_mappings,  # Requires IAM Role ARN
)

Possible Solution

CDK could support lazy evaluation for IAM roles in role mappings, allowing:

The Identity Pool to be created first.
The IAM role mapping to be applied afterward without breaking dependencies.

Additional Information/Context

No response

CDK CLI Version

2.1001.0 (build 130445d)

Framework Version

No response

Node.js Version

v20.18.0

OS

Ubuntu 22.04.5 LTS

Language

Python

Language Version

Python 3.12.7

Other information

No response

@sarflux sarflux added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 10, 2025
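The reason the cycle matters from a security standpoint is the `cognito-identity.amazonaws.com:aud` condition itself: it is what pins the role to one identity pool, and the shortcut of dropping it to get the stack to deploy leaves a role that any Cognito identity pool in any AWS account can assume via `sts:AssumeRoleWithWebIdentity`. The following is an added example, not code from the issue author or from the CDK project. It builds the same trust policy as the issue's `WebIdentityPrincipal` as a plain JSON document (the form CloudFormation ends up with once the pool ID is known), shows the unpinned variant beside it, and includes a small checker that flags trust policies missing the `aud` or `amr` conditions or pinned to an unexpected pool. The pool ID is a constructed sample value; the `build_*`/`check_*` function names are this example's own. In CDK terms the example assumes the ordering that avoids the cycle (create the pool first, build the role's principal from `identity_pool.identity_pool_id`, then attach the mapping with `IdentityPool.add_role_mappings()`); that CDK wiring is not shown here, only the resulting policy document and the check.

```python
import json
from typing import Iterable

COGNITO_FEDERATED = "cognito-identity.amazonaws.com"
AUD_KEY = "cognito-identity.amazonaws.com:aud"
AMR_KEY = "cognito-identity.amazonaws.com:amr"
ASSUME_ACTIONS = ("sts:AssumeRoleWithWebIdentity", "sts:*", "*")

# Constructed sample identity pool ID (format <region>:<uuid>); not a real pool.
SAMPLE_POOL_ID = "eu-west-1:11111111-2222-3333-4444-555555555555"


def build_trust_policy(identity_pool_id: str, amr: str = "authenticated") -> dict:
    """Trust policy equivalent to the issue's WebIdentityPrincipal, built once the
    pool ID is known, i.e. after the identity pool has been created."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": COGNITO_FEDERATED},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {AUD_KEY: identity_pool_id},
                    "ForAnyValue:StringLike": {AMR_KEY: amr},
                },
            }
        ],
    }


def build_unpinned_trust_policy() -> dict:
    """The tempting way to break the dependency cycle: omit the aud condition.
    Any identity pool in any AWS account could then obtain this role."""
    policy = build_trust_policy(SAMPLE_POOL_ID)
    del policy["Statement"][0]["Condition"]["StringEquals"]
    return policy


def _as_list(value) -> list:
    # IAM allows scalars or lists in most fields; normalise to a list.
    return value if isinstance(value, list) else [value]


def check_cognito_trust_policy(policy: dict, expected_pool_ids: Iterable[str]) -> list[str]:
    """Return findings for Allow statements that let cognito-identity assume the role
    without pinning the identity pool (aud) and the identity type (amr)."""
    findings = []
    expected = set(expected_pool_ids)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if COGNITO_FEDERATED not in federated:
            continue
        if not any(a in ASSUME_ACTIONS for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {})
        # aud must be an exact-match condition; StringLike with wildcards would not pin it.
        aud_values = set()
        for op in ("StringEquals", "ForAnyValue:StringEquals", "ForAllValues:StringEquals"):
            aud_values.update(_as_list(cond.get(op, {}).get(AUD_KEY, [])))
        if not aud_values:
            findings.append(f"statement {i}: no {AUD_KEY} condition; any identity pool can assume this role")
        elif not aud_values <= expected:
            findings.append(f"statement {i}: aud pinned to unexpected pool(s) {sorted(aud_values - expected)}")
        # amr distinguishes authenticated from unauthenticated (guest) identities.
        amr_values = set()
        for op, keys in cond.items():
            if op.endswith("StringLike") or op.endswith("StringEquals"):
                amr_values.update(_as_list(keys.get(AMR_KEY, [])))
        if not amr_values:
            findings.append(f"statement {i}: no {AMR_KEY} condition; role is not restricted to authenticated identities")
    return findings


if __name__ == "__main__":
    for label, pol in (("pinned", build_trust_policy(SAMPLE_POOL_ID)),
                       ("unpinned", build_unpinned_trust_policy())):
        print(label, json.dumps(pol, indent=2))
        print("findings:", check_cognito_trust_policy(pol, [SAMPLE_POOL_ID]))
```

Running the checker against roles produced by a deployed stack (for example over the `AssumeRolePolicyDocument` returned by `iam:GetRole`) catches the case where a workaround for the cycle quietly removed the pool pinning.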