feat(bootstrap): resource-action-map for synth-time validation #124

@scottschreckengaust

Description

Parent

Sub-issue 4 of #120 (RFC: Least-privilege CDK bootstrap policies as code)

Branch strategy

feat/bootstrap-action-map → targets feat/bootstrap-template

Estimated review time: ~25 min

Summary

Create a mapping from CloudFormation resource types to the IAM actions required to manage them (CRUD lifecycle), scoped to the ~30 resource types used by this app. This map powers the synth-time Aspect (Sub-issue 5) and informs the preflight validator (Sub-issue 6).

Deliverables

  • Create cdk/src/bootstrap/preflight/resource-action-map.ts:
    • Export a typed map: Record<string, { create: string[], read: string[], update: string[], delete: string[] }>
    • Cover all CF resource types present in cdk.out/ after synth (e.g., AWS::DynamoDB::Table, AWS::Lambda::Function, AWS::ApiGateway::RestApi, AWS::EC2::VPC, AWS::Cognito::UserPool, AWS::WAFv2::WebACL, AWS::Bedrock::Guardrail, etc.)
    • Each entry's action list is the minimum CloudFormation needs to manage the resource lifecycle
  • Create cdk/src/bootstrap/preflight/index.ts — barrel export
  • Create cdk/test/bootstrap/resource-action-map.test.ts:
    • All resource types in the synthesized template have a mapping entry (synth → extract types → assert coverage)
    • Each action list is non-empty
    • All actions use valid IAM action format (service:ActionName)
    • Combined action set is a subset of the three policy documents' action sets (the map doesn't require more than what policies allow)

Key design decisions

  • Scoped to this app's resources — not all 800+ AWS CF resource types. Keeps maintenance tractable.
  • Actions derived from CloudFormation resource type documentation and validated against CloudTrail from prior deployments.
  • Unknown resource types (not in map) produce a warning, not an error — allows new constructs to be added without immediately updating the map.
  • Map is a plain TypeScript object (not loaded from JSON) — benefits from IDE autocomplete and type checking.

Acceptance criteria

  • mise //cdk:synth followed by resource-type extraction shows 100% map coverage of current template
  • All tests pass
  • No circular imports between preflight/ and policies/
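As an added illustration, not the project's own file, here is the map shape from the Deliverables list together with the coverage, format and policy-subset checks the test file is meant to perform, written in TypeScript. The action lists, the synthesized-template object and the policy allow-list are constructed samples, not values taken from this app.

```typescript
// Added example, not the project's code: reduced resource-action map plus the checks the issue's tests describe.
type Lifecycle = { create: string[]; read: string[]; update: string[]; delete: string[] };
type ActionMap = Record<string, Lifecycle>;
const PHASES: (keyof Lifecycle)[] = ["create", "read", "update", "delete"];
// Illustrative action lists only; the real map derives these from CF documentation and CloudTrail.
export const RESOURCE_ACTION_MAP: ActionMap = {
  "AWS::DynamoDB::Table": {
    create: ["dynamodb:CreateTable", "dynamodb:TagResource"], read: ["dynamodb:DescribeTable"],
    update: ["dynamodb:UpdateTable"], delete: ["dynamodb:DeleteTable"],
  },
  "AWS::Lambda::Function": {
    create: ["lambda:CreateFunction", "iam:PassRole"], read: ["lambda:GetFunction"],
    update: ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"], delete: ["lambda:DeleteFunction"],
  },
};
// Minimal shape of a cdk.out/*.template.json file; only Resources[*].Type is used here.
interface Template { Resources: Record<string, { Type: string }> }
// Constructed stand-in for a synthesized template; the Cognito type is left unmapped on purpose.
export const SAMPLE_TEMPLATE: Template = { Resources: {
  Table: { Type: "AWS::DynamoDB::Table" },
  Handler: { Type: "AWS::Lambda::Function" },
  Pool: { Type: "AWS::Cognito::UserPool" },
} };
// Constructed Allow actions from a hypothetical bootstrap policy; iam:PassRole is deliberately absent.
export const SAMPLE_POLICY_ACTIONS = ["dynamodb:*", "lambda:CreateFunction", "lambda:GetFunction",
  "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "lambda:DeleteFunction"];
export function extractResourceTypes(tpl: Template): string[] {
  const types = Object.keys(tpl.Resources).map(id => tpl.Resources[id].Type);
  return Array.from(new Set(types)).sort();
}
export function allActions(map: ActionMap): string[] {
  const out = new Set<string>();
  Object.keys(map).forEach(t => PHASES.forEach(p => map[t][p].forEach(a => out.add(a))));
  return Array.from(out);
}
// Coverage check: resource types with no map entry. Surfaced as warnings, never thrown.
export function unmappedTypes(tpl: Template, map: ActionMap): string[] {
  return extractResourceTypes(tpl).filter(t => !(t in map));
}
// Format check: lowercase service namespace, colon, alphanumeric action name (no wildcards in the map).
export function invalidActions(map: ActionMap): string[] {
  return allActions(map).filter(a => !/^[a-z0-9-]+:[A-Za-z0-9]+$/.test(a));
}
// Subset check: each mapped action must be granted exactly or via a service wildcard such as "dynamodb:*".
export function actionsNotAllowed(map: ActionMap, policy: string[]): string[] {
  const granted = (a: string) => policy.some(p => p === a || (p.endsWith(":*") && a.startsWith(p.slice(0, -1))));
  return allActions(map).filter(a => !granted(a));
}
```

Running the checks against the constructed inputs reports AWS::Cognito::UserPool as unmapped (a warning) and iam:PassRole as an action the sample policy does not grant, which is exactly the kind of gap the subset test is there to catch.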

Labels

enhancement