
Support people in locked-down environments by providing no-op IAM classes #3753

@rix0rrr


🚀 Feature Request

General Information

  • 👋 I may be able to implement this feature request

Description

We should provide wrapper classes for common types (such as Role and Bucket) with stubbed-out implementations of methods like addTo[Resource]Policy().

Many users will be operating in environments where they won't be able to make IAM changes, instead having to go to operators who will prepare IAM roles/permissions for them.

Right now, the CDK will do a whole bunch of IAM "heavy lifting" for users, but deployment of those stacks will fail because the deploying user won't have permissions to make the changes the CDK is proposing.

Proposed Solution

Wrapper classes which no-op the modifications away (potentially registering/emitting them somewhere as metadata which can be queried).

Sample:

import * as iam from '@aws-cdk/aws-iam';
import { IBucket } from '@aws-cdk/aws-s3';

// Wraps an existing bucket: read-only accessors are forwarded to the inner
// bucket, while policy mutations are swallowed.
class BucketWrapper implements IBucket {
  constructor(private readonly inner: IBucket) {
  }

  public get bucketArn(): string {
    return this.inner.bucketArn;
  }

  public urlForObject(key?: string): string {
    return this.inner.urlForObject(key);
  }

  // ... (remaining IBucket members are delegated to `inner` the same way)

  public addToResourcePolicy(statement: iam.PolicyStatement): void {
    // Intentionally do nothing: the deploying principal cannot change IAM,
    // so the statement is dropped instead of being rendered into the template.
  }
}

The name obviously needs to be better. Suggestions welcome.
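To make the "register/emit the modifications as metadata which can be queried" part of the proposal concrete, here is an added example (not code from the issue or from the CDK itself). It is self-contained: the `IBucket` and `PolicyStatement` shapes are minimal stand-ins constructed for the example rather than the real `@aws-cdk/aws-s3` and `@aws-cdk/aws-iam` types, and the `PolicyChangeRegistry`, `ReadOnlyPolicyBucket` and `FakeBucket` names are hypothetical. The wrapper forwards reads to the inner bucket, turns `addToResourcePolicy` into a recorded no-op, and the registry lets the operator who actually holds IAM rights list exactly which statements the stack wanted.

```typescript
// Added example, not part of the aws-cdk issue or code base. The interfaces
// below are constructed stand-ins for the real CDK types.

interface PolicyStatement {
  actions: string[];
  principals: string[];
  resources: string[];
}

interface IBucket {
  readonly bucketArn: string;
  urlForObject(key?: string): string;
  addToResourcePolicy(statement: PolicyStatement): void;
}

// A policy change that was requested by a construct but deliberately not applied.
interface SuppressedPolicyChange {
  resourceArn: string;
  statement: PolicyStatement;
}

// Registry the platform/IAM team can query to see what permissions a stack asked for.
class PolicyChangeRegistry {
  private readonly changes: SuppressedPolicyChange[] = [];

  record(resourceArn: string, statement: PolicyStatement): void {
    this.changes.push({ resourceArn, statement });
  }

  // All recorded changes, or only those for one resource.
  list(resourceArn?: string): SuppressedPolicyChange[] {
    return resourceArn === undefined
      ? [...this.changes]
      : this.changes.filter(c => c.resourceArn === resourceArn);
  }

  // One line per change: "principals -> actions on resource", ready to hand to an operator.
  summary(): string[] {
    return this.changes.map(
      c => `${c.statement.principals.join(',')} -> ${c.statement.actions.join(',')} on ${c.resourceArn}`,
    );
  }
}

// Wrapper that delegates reads to the inner bucket and records (instead of applying)
// every policy mutation.
class ReadOnlyPolicyBucket implements IBucket {
  constructor(
    private readonly inner: IBucket,
    private readonly registry: PolicyChangeRegistry,
  ) {}

  get bucketArn(): string {
    return this.inner.bucketArn;
  }

  urlForObject(key?: string): string {
    return this.inner.urlForObject(key);
  }

  addToResourcePolicy(statement: PolicyStatement): void {
    // Intentionally not applied: the deploying principal cannot change IAM.
    this.registry.record(this.inner.bucketArn, statement);
  }
}

// Constructed stand-in for a real bucket construct, with a visible policy list so the
// example can prove the wrapper never mutates it.
class FakeBucket implements IBucket {
  readonly policy: PolicyStatement[] = [];
  constructor(readonly bucketArn: string) {}

  urlForObject(key?: string): string {
    return `https://example.invalid/${this.bucketArn}/${key ?? ''}`;
  }

  addToResourcePolicy(statement: PolicyStatement): void {
    this.policy.push(statement);
  }
}

// A library-style helper that, like CDK grant methods, tries to edit the resource policy.
function grantRead(bucket: IBucket, principalArn: string): void {
  bucket.addToResourcePolicy({
    actions: ['s3:GetObject'],
    principals: [principalArn],
    resources: [`${bucket.bucketArn}/*`],
  });
}

// Runs the scenario: the grant goes through the wrapper, so nothing reaches the real
// bucket and one entry lands in the registry.
function demo(): { applied: number; suppressed: number; summary: string[] } {
  const registry = new PolicyChangeRegistry();
  const real = new FakeBucket('arn:aws:s3:::example-bucket');
  const wrapped = new ReadOnlyPolicyBucket(real, registry);
  grantRead(wrapped, 'arn:aws:iam::123456789012:role/app-role');
  return {
    applied: real.policy.length,
    suppressed: registry.list().length,
    summary: registry.summary(),
  };
}
```

The registry is the part that makes the no-op safe to use in practice: silently dropping a grant would leave the application failing at runtime with an access-denied error nobody can explain, whereas a queryable list of suppressed statements gives the operators a precise, least-privilege request to fulfil before the stack is deployed.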

Labels

@aws-cdk/aws-iam: Related to AWS Identity and Access Management
feature-request: A feature should be added or improved.
