chore: improve stability of tests by copying SSM Parameter Value

`{Fn::GetAtt}` on an `AWS::SSM::Parameter` is eventually consistent. If
an SSM Parameter was just created in a stack deployment, the
`{Fn::GetAtt}` may sometimes fail with a "Parameter not found" error.

This causes ~2 canary failures per week (about 1% failure rate).

We don't actually need to `{Fn::GetAtt}` the value as we know what it is
(it is static, after all). Copy the same literal value into both places
to reduce the canary failure rate by a little bit, and add a test to
make sure the values don't accidentally drift apart.

Internal reference D259904064.

Author: rix0rrr

…b/test/api/bootstrap/external-id.test.ts …api/bootstrap/bootstrap-template.test.tspackages/@aws-cdk/toolkit-lib/test/api/bootstrap/external-id.test.ts renamed to packages/@aws-cdk/toolkit-lib/test/api/bootstrap/bootstrap-template.test.ts packages/@aws-cdk/toolkit-lib/test/api/bootstrap/external-id.test.ts renamed to packages/@aws-cdk/toolkit-lib/test/api/bootstrap/bootstrap-template.test.ts

@@ -2,25 +2,25 @@ import { Bootstrapper } from '../../../lib/api/bootstrap';
 import type { IIoHost } from '../../../lib/api/io';
 import { asIoHelper } from '../../../lib/api/io/private';
 
-describe('ExternalId Protection Integration Test', () => {
-  let ioHost: IIoHost;
-  let ioHelper: any;
+let ioHost: IIoHost;
+let ioHelper: any;
+let template: any;
 
-  beforeEach(() => {
-    ioHost = {
-      notify: jest.fn(),
-      requestResponse: jest.fn(),
-    };
-    ioHelper = asIoHelper(ioHost, 'bootstrap');
-  });
-
-  test('bootstrap template denies AssumeRole with ExternalId by default', async () => {
-    // GIVEN
-    const bootstrapper = new Bootstrapper({ source: 'default' }, ioHelper);
+beforeEach(async () => {
+  ioHost = {
+    notify: jest.fn(),
+    requestResponse: jest.fn(),
+  };
+  ioHelper = asIoHelper(ioHost, 'bootstrap');
 
-    // WHEN
-    const template = await (bootstrapper as any).loadTemplate();
+  // GIVEN
+  const bootstrapper = new Bootstrapper({ source: 'default' }, ioHelper);
+  // WHEN
+  template = await (bootstrapper as any).loadTemplate();
+});
 
+describe('bootstrap template', () => {
+  test('denies AssumeRole with ExternalId by default', async () => {
     // THEN
     // Verify the parameter exists
     expect(template.Parameters.DenyExternalId).toMatchObject({
@@ -70,4 +70,8 @@ describe('ExternalId Protection Integration Test', () => {
       expect(stmt.Condition).toBeUndefined();
     }
   });
+
+  test('has the same values for BootstrapVersion Parameter and Output', async () => {
+    expect(template.Outputs.BootstrapVersion.Value).toEqual(template.Resources.CdkBootstrapVersion.Properties.Value);
+  });
 });

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

@@ -844,5 +844,8 @@ Outputs:
   BootstrapVersion:
     Description: The version of the bootstrap resources that are currently mastered
       in this stack
-    Value:
-      Fn::GetAtt: [CdkBootstrapVersion, Value]
+    # This value is purposely duplicated here from the AWS::SSM::Parameter value we define above.
+    # {Fn::GetAtt} on an SSM Parameter is eventually consistent, and can fail with "parameter
+    # doesn't exist" even after just having been created. To reduce our deploy failure rate, we
+    # duplicate the value here and use a build-time test to ensure the two values are the same.
+    Value: '29'

packages/aws-cdk/test/commands/bootstrap.test.ts

@@ -1,5 +1,8 @@
+import * as fs from 'fs/promises';
+import * as path from 'path';
 import { Bootstrapper } from '../../lib/api/bootstrap';
 import { exec } from '../../lib/cli/cli';
+import { deserializeStructure } from '@aws-cdk/toolkit-lib/lib/util';
 
 beforeEach(() => {
   jest.clearAllMocks();
@@ -87,4 +90,4 @@ describe('cdk bootstrap --show-template', () => {
     await exec(['bootstrap', '--show-template']);
     expect(stdoutSpy).toHaveBeenCalledWith(expect.stringContaining('ShouldDenyExternalId'));
   });
-});
+});