fix(cli): No deploy-path or CDK change needed (field + wiring alrea... (#870)

src/cli/commands/add/types.ts

@@ -34,6 +34,7 @@ export interface AddAgentOptions extends VpcOptions {
   customClaims?: string;
   clientId?: string;
   clientSecret?: string;
+  executionRoleArn?: string;
   requestHeaderAllowlist?: string;
   idleTimeout?: number | string;
   maxLifetime?: number | string;

src/cli/commands/add/validate.ts

@@ -24,7 +24,7 @@
   matchEnumValue,
   validateApiFormat,
 } from '../../../schema';
-import { ARN_VALIDATION_MESSAGE, isValidArn } from '../shared/arn-utils';
+import { ARN_VALIDATION_MESSAGE, IAM_ROLE_ARN_REGEX, isValidArn } from '../shared/arn-utils';
 import { validateHeaderAllowlist } from '../shared/header-utils';
 import { MAX_INDEXED_KEYS, parseIndexedKeyArg } from '../shared/indexed-key-parser';
 import { parseAndValidateLifecycleOptions } from '../shared/lifecycle-utils';
@@ -115,6 +115,14 @@
     return { valid: false, error: nameResult.error.issues[0]?.message ?? 'Invalid agent name' };
   }
 
+  if (options.executionRoleArn && !IAM_ROLE_ARN_REGEX.test(options.executionRoleArn)) {
+    return {
+      valid: false,
+      error:
+        '--execution-role-arn must be a valid IAM role ARN (e.g. arn:aws:iam::123456789012:role/MyRole)',
+    };
+  }
+
   // Validate build type if provided
   if (options.build) {
     const buildResult = BuildTypeSchema.safeParse(options.build);
@@ -729,7 +737,7 @@
     if (!passthroughEndpoint) {
       return { valid: false, error: '--passthrough-endpoint is required for passthrough type' };
     }
     if (!/^https:\/\/[a-zA-Z0-9\-.]+(:[0-9]{1,5})?(\/.*)?$/.test(passthroughEndpoint)) {
       return { valid: false, error: '--passthrough-endpoint must be a valid HTTPS URL' };
     }
     if (options.language && options.language !== 'Other') {

src/cli/commands/shared/arn-utils.ts

@@ -1,6 +1,9 @@
 const ARN_PART_COUNT = 6;
 const ARN_FORMAT = 'arn:partition:service:region:account:resource';
 
+/** Matches an IAM role ARN across any partition (commercial, GovCloud, China). */
+export const IAM_ROLE_ARN_REGEX = /^arn:[^:]+:iam::\d{12}:role\/.+/;
+
 /**
  * Check whether a string looks like a valid ARN (starts with `arn:` and has at least 6 colon-separated parts).
  */

src/cli/operations/agent/generate/__tests__/schema-mapper.test.ts

@@ -1,3 +1,4 @@
+import { AgentEnvSpecSchema } from '../../../../../schema/index.js';
 import { computeManagedOAuthCredentialName } from '../../../../primitives/credential-utils.js';
 import { mapByoConfigToAgent } from '../../../../tui/screens/agent/useAddAgent.js';
 import type { GenerateConfig } from '../../../../tui/screens/generate/types.js';
@@ -342,6 +343,21 @@ describe('mapGenerateConfigToAgent - requestHeaderAllowlist', () => {
   });
 });
 
+describe('mapGenerateConfigToAgent - executionRoleArn', () => {
+  const ROLE_ARN = 'arn:aws:iam::123456789012:role/MyRole';
+
+  it('includes executionRoleArn when provided and round-trips through AgentEnvSpecSchema', () => {
+    const result = mapGenerateConfigToAgent({ ...baseConfig, executionRoleArn: ROLE_ARN });
+    expect(result.executionRoleArn).toBe(ROLE_ARN);
+    expect(AgentEnvSpecSchema.parse(result).executionRoleArn).toBe(ROLE_ARN);
+  });
+
+  it('omits executionRoleArn when undefined', () => {
+    const result = mapGenerateConfigToAgent(baseConfig);
+    expect(result.executionRoleArn).toBeUndefined();
+  });
+});
+
 describe('mapByoConfigToAgent - VPC support', () => {
   const baseByoConfig = {
     name: 'MyByo',

src/cli/operations/agent/generate/schema-mapper.ts

@@ -140,6 +140,7 @@ export function mapGenerateConfigToAgent(config: GenerateConfig): AgentEnvSpec {
     ...(config.requestHeaderAllowlist?.length && {
       requestHeaderAllowlist: config.requestHeaderAllowlist,
     }),
+    ...(config.executionRoleArn && { executionRoleArn: config.executionRoleArn }),
     ...(config.authorizerType && { authorizerType: config.authorizerType }),
     ...(config.authorizerType === 'CUSTOM_JWT' &&
       config.jwtConfig && {

src/cli/primitives/AgentPrimitive.tsx

@@ -109,6 +109,7 @@ export interface AddAgentOptions extends VpcOptions {
   customClaims?: CustomClaimValidation[];
   clientId?: string;
   clientSecret?: string;
+  executionRoleArn?: string;
   idleTimeout?: number;
   maxLifetime?: number;
   sessionStorageMountPath?: string;
@@ -274,6 +275,10 @@ export class AgentPrimitive extends BasePrimitive<AddAgentOptions, RemovableReso
       .option('--network-mode <mode>', 'Network mode (PUBLIC, VPC) [non-interactive]')
       .option('--subnets <ids>', 'Comma-separated subnet IDs (required for VPC mode) [non-interactive]')
       .option('--security-groups <ids>', 'Comma-separated security group IDs (required for VPC mode) [non-interactive]')
+      .option(
+        '--execution-role-arn <arn>',
+        'ARN of an existing IAM execution role to use instead of creating a CDK-managed one [non-interactive]'
+      )
       .option('--authorizer-type <type>', 'Inbound auth: AWS_IAM or CUSTOM_JWT [non-interactive]')
       .option('--discovery-url <url>', 'OIDC discovery URL (for CUSTOM_JWT) [non-interactive]')
       .option('--allowed-audience <audience>', 'Comma-separated allowed audiences (for CUSTOM_JWT) [non-interactive]')
@@ -435,6 +440,7 @@ export class AgentPrimitive extends BasePrimitive<AddAgentOptions, RemovableReso
               customClaims,
               clientId: cliOptions.clientId,
               clientSecret: cliOptions.clientSecret,
+              executionRoleArn: cliOptions.executionRoleArn,
               idleTimeout: cliOptions.idleTimeout ? Number(cliOptions.idleTimeout) : undefined,
               maxLifetime: cliOptions.maxLifetime ? Number(cliOptions.maxLifetime) : undefined,
               sessionStorageMountPath: cliOptions.sessionStorageMountPath,
@@ -558,6 +564,7 @@ export class AgentPrimitive extends BasePrimitive<AddAgentOptions, RemovableReso
           },
         }),
       requestHeaderAllowlist: options.requestHeaderAllowlist,
+      executionRoleArn: options.executionRoleArn,
       idleRuntimeSessionTimeout: options.idleTimeout,
       maxLifetime: options.maxLifetime,
       sessionStorageMountPath: options.sessionStorageMountPath,
@@ -726,6 +733,7 @@ export class AgentPrimitive extends BasePrimitive<AddAgentOptions, RemovableReso
       ...(options.requestHeaderAllowlist?.length && {
         requestHeaderAllowlist: options.requestHeaderAllowlist,
       }),
+      ...(options.executionRoleArn && { executionRoleArn: options.executionRoleArn }),
       ...(authorizerType && { authorizerType }),
       ...(authorizerConfiguration && { authorizerConfiguration }),
       ...(lifecycleConfiguration && { lifecycleConfiguration }),

src/cli/tui/screens/generate/types.ts

@@ -67,6 +67,8 @@ export interface GenerateConfig {
   securityGroups?: string[];
   /** Allowed request headers for the runtime */
   requestHeaderAllowlist?: string[];
+  /** ARN of an existing IAM execution role to use instead of creating a CDK-managed one */
+  executionRoleArn?: string;
   /** Authorizer type for inbound requests */
   authorizerType?: RuntimeAuthorizerType;
   /** JWT config for CUSTOM_JWT authorizer */