Description
Describe the bug
There are several places throughout aws-cdk where CfnResource is used instead of an L2 construct. For example:
aws-cdk/packages/aws-cdk-lib/aws-logs/lib/log-retention.ts
Lines 175 to 188 in 13b6480
```ts
const resource = new cdk.CfnResource(this, 'Resource', {
  type: 'AWS::Lambda::Function',
  properties: {
    Handler: 'index.handler',
    Runtime: cdk.determineLatestNodeRuntimeName(this),
    Timeout: cdk.Duration.minutes(15).toSeconds(),
    Code: {
      S3Bucket: asset.s3BucketName,
      S3Key: asset.s3ObjectKey,
    },
    Role: role.roleArn,
    Tags: this.tags.renderedTags,
  },
});
```
This prevents the ability to inject properties via Blueprints (a very cool feature, thanks!).
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Library Version
No response
Expected Behavior
Instead, use an L2 construct so Blueprints can be used for property injection.
Current Behavior
CfnResource is used, so properties cannot be injected via Function.PROPERTY_INJECTION_ID. This applies to other resources created in this way.
Reproduction Steps
Example use case: in a high-security environment, all Lambdas must be attached to the VPC. A CDK Aspect can be used, but it is not a very clean solution because it has to find the function's IAM Role and modify the role to allow VPC association via the AWSLambdaVPCAccessExecutionRole managed policy. Sometimes, this aspect fails to find the IAM Role as well. So, if all Functions are L2 constructs, Blueprints solves this easily.
The future mixins proposal might be another way to solve this if it works with CfnResource, but having done this with L1 constructs via CDK Aspect, the Function role can be hard to find and modify successfully (again, maybe mixins fixes this, I'm not sure).
Possible Solution
Convert from CfnResource to L2 constructs.
Additional Information/Context
No response
AWS CDK Library version (aws-cdk-lib)
2.204.0
AWS CDK CLI version
2.1100.1
Node.js Version
22
OS
macOS
Language
TypeScript
Language Version
TypeScript 5.9
Other information
No response
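An added example, not part of the original issue or of aws-cdk: until such functions can be reached by property injection, the VPC requirement described under Reproduction Steps can be checked on the synthesized CloudFormation template, which also covers functions emitted through `CfnResource`. The names `auditLambdaVpc` and `roleLogicalId` and the sample template are constructed for illustration; the role check assumes VPC permissions are granted only through the AWSLambdaVPCAccessExecutionRole managed policy.

```typescript
// Added example: audit a synthesized template (e.g. a file under cdk.out/).
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };
type Finding = { logicalId: string; missingVpcConfig: boolean; roleLacksVpcPolicy: boolean };

const VPC_POLICY = 'AWSLambdaVPCAccessExecutionRole';

// Extract the role's logical ID from a { "Fn::GetAtt": [id, "Arn"] } reference.
function roleLogicalId(role: unknown): string | undefined {
  if (typeof role !== 'object' || role === null) return undefined;
  const getAtt = (role as Record<string, unknown>)['Fn::GetAtt'];
  return Array.isArray(getAtt) && typeof getAtt[0] === 'string' ? getAtt[0] : undefined;
}

function auditLambdaVpc(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::Lambda::Function') continue;
    const props = res.Properties ?? {};
    const missingVpcConfig = props['VpcConfig'] === undefined;
    // A role passed as a literal or imported ARN cannot be resolved here and is flagged.
    const roleId = roleLogicalId(props['Role']);
    const roleRes = roleId ? template.Resources[roleId] : undefined;
    // Managed policy ARNs are often Fn::Join intrinsics, so search the serialized form.
    const arns = JSON.stringify(roleRes?.Properties?.['ManagedPolicyArns'] ?? []);
    const roleLacksVpcPolicy = !arns.includes(VPC_POLICY);
    if (missingVpcConfig || roleLacksVpcPolicy) {
      findings.push({ logicalId, missingVpcConfig, roleLacksVpcPolicy });
    }
  }
  return findings;
}

// Constructed sample: one VPC-attached function, one LogRetention-style function without VPC.
const sampleTemplate: Template = {
  Resources: {
    AppFnRole: { Type: 'AWS::IAM::Role', Properties: { ManagedPolicyArns: [{ 'Fn::Join': ['',
      ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/service-role/' + VPC_POLICY]] }] } },
    AppFn: { Type: 'AWS::Lambda::Function', Properties: {
      Role: { 'Fn::GetAtt': ['AppFnRole', 'Arn'] },
      VpcConfig: { SubnetIds: ['subnet-EXAMPLE'], SecurityGroupIds: ['sg-EXAMPLE'] } } },
    LogRetentionRole: { Type: 'AWS::IAM::Role', Properties: { ManagedPolicyArns: [] } },
    LogRetentionFn: { Type: 'AWS::Lambda::Function', Properties: {
      Handler: 'index.handler', Role: { 'Fn::GetAtt': ['LogRetentionRole', 'Arn'] } } },
  },
};

console.log(auditLambdaVpc(sampleTemplate));
```

Run against each template in the cloud assembly, a non-empty result can fail the pipeline before deployment.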