fix(cognito-identitypool-alpha): prevent stacks from not deploying co…

…rrectly (#33609)

### Issue # (if applicable)

Closes #33510 

### Reason for this change

A previous change ([PR33305](#33305)) removed the `IdentityPoolRoleAttachment` L2 construct, which also changed the creation logic of the default role attachment in the `IdentityPool` L2. This not only triggered redeployments, but did not allow for redeployment at all, as the new role attachment (with a different resource hash) was trying to be created before the old one was removed. This led to failed deployments, as only one role attachment can exist per identity pool.

### Description of changes

Brought back the `IdentityPoolRoleAttachment` L2 logic to prevent redeployment for customers using CDK `<v2.179.0`. However, the construct is now no longer being exported, which preserves the original intention of preventing confusion about using this resource.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

`yarn test && yarn integ test/integ.identitypool.js --update-on-failed`

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

**BREAKING CHANGE**: Any `IdentityPool` resources deployed in versions `>=2.179.0` will now fail to deploy. You will need to delete the `IdentityPoolRoleAttachment` from your stack via the console before redeploying.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts

@@ -440,7 +440,7 @@ export class IdentityPool extends Resource implements IIdentityPool {
   /**
    * Role Provider for the default Role for authenticated users
    */
-  private readonly roleAttachment: CfnIdentityPoolRoleAttachment;
+  private readonly roleAttachment: IdentityPoolRoleAttachment;
 
   /**
    * List of Identity Providers added in constructor for use with property overrides
@@ -495,18 +495,11 @@ export class IdentityPool extends Resource implements IIdentityPool {
     this.unauthenticatedRole = props.unauthenticatedRole ? props.unauthenticatedRole : this.configureDefaultRole('Unauthenticated');
 
     // Set up Role Attachment
-    const mappings = props.roleMappings || [];
-    let roleMappings: any = undefined;
-    if (mappings) {
-      roleMappings = this.configureRoleMappings(...mappings);
-    }
-    this.roleAttachment = new CfnIdentityPoolRoleAttachment(this, 'DefaultRoleAttachment', {
-      identityPoolId: this.identityPoolId,
-      roles: {
-        authenticated: this.authenticatedRole.roleArn,
-        unauthenticated: this.unauthenticatedRole.roleArn,
-      },
-      roleMappings,
+    this.roleAttachment = new IdentityPoolRoleAttachment(this, 'DefaultRoleAttachment', {
+      identityPool: this,
+      authenticatedRole: this.authenticatedRole,
+      unauthenticatedRole: this.unauthenticatedRole,
+      roleMappings: props.roleMappings,
     });
 
     Array.isArray(this.roleAttachment);
@@ -544,6 +537,79 @@ export class IdentityPool extends Resource implements IIdentityPool {
       },
     }, 'sts:AssumeRoleWithWebIdentity');
   }
+}
+
+/**
+ * Represents an Identity Pool Role Attachment
+ */
+interface IIdentityPoolRoleAttachment extends IResource {
+  /**
+   * ID of the Attachment's underlying Identity Pool
+   */
+  readonly identityPoolId: string;
+}
+
+/**
+ * Props for an Identity Pool Role Attachment
+ */
+interface IdentityPoolRoleAttachmentProps {
+
+  /**
+   * ID of the Attachment's underlying Identity Pool
+   */
+  readonly identityPool: IIdentityPool;
+
+  /**
+   * Default authenticated (User) Role
+   * @default - No default authenticated Role will be added
+   */
+  readonly authenticatedRole?: IRole;
+
+  /**
+   * Default unauthenticated (Guest) Role
+   * @default - No default unauthenticated Role will be added
+   */
+  readonly unauthenticatedRole?: IRole;
+
+  /**
+   * Rules for mapping roles to users
+   * @default - No role mappings
+   */
+  readonly roleMappings?: IdentityPoolRoleMapping[];
+}
+
+/**
+ * Defines an Identity Pool Role Attachment
+ *
+ * @resource AWS::Cognito::IdentityPoolRoleAttachment
+ */
+class IdentityPoolRoleAttachment extends Resource implements IIdentityPoolRoleAttachment {
+  /**
+   * ID of the underlying Identity Pool
+   */
+  public readonly identityPoolId: string;
+
+  constructor(scope: Construct, id: string, props: IdentityPoolRoleAttachmentProps) {
+    super(scope, id);
+    // Enhanced CDK Analytics Telemetry
+    addConstructMetadata(this, props);
+    this.identityPoolId = props.identityPool.identityPoolId;
+    const mappings = props.roleMappings || [];
+    let roles: any = undefined, roleMappings: any = undefined;
+    if (props.authenticatedRole || props.unauthenticatedRole) {
+      roles = {};
+      if (props.authenticatedRole) roles.authenticated = props.authenticatedRole.roleArn;
+      if (props.unauthenticatedRole) roles.unauthenticated = props.unauthenticatedRole.roleArn;
+    }
+    if (mappings) {
+      roleMappings = this.configureRoleMappings(...mappings);
+    }
+    new CfnIdentityPoolRoleAttachment(this, 'Resource', {
+      identityPoolId: this.identityPoolId,
+      roles,
+      roleMappings,
+    });
+  }
 
   /**
    * Configures role mappings for the Identity Pool Role Attachment

packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-idp.template.json

@@ -485,7 +485,7 @@
     "PooltestClientFE8D4935"
    ]
   },
-  "identitypoolDefaultRoleAttachment9339A8E5": {
+  "identitypoolDefaultRoleAttachment6BCAB114": {
    "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
    "Properties": {
     "IdentityPoolId": {