chore(iam): throw warning if managed policies attached to a group exceeds 10 (#24385)

Throw a warning if more than 10 managed policies are attached to an IAM group.
Added [IAM and AWS STS quotas, name requirements, and character limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entities) to documentation indicating current quotas.

Closes #24085.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: fynnfluegge

packages/@aws-cdk/aws-iam/lib/group.ts

@@ -1,4 +1,4 @@
-import { ArnFormat, Lazy, Resource, Stack } from '@aws-cdk/core';
+import { Annotations, ArnFormat, Lazy, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnGroup } from './iam.generated';
 import { IIdentity } from './identity-base';
@@ -200,14 +200,25 @@ export class Group extends GroupBase {
       // Removes leading slash from path
       resourceName: `${props.path ? props.path.substr(props.path.charAt(0) === '/' ? 1 : 0) : ''}${this.physicalName}`,
     });
+
+    this.managedPoliciesExceededWarning();
   }
 
   /**
-   * Attaches a managed policy to this group.
+   * Attaches a managed policy to this group. See [IAM and AWS STS quotas, name requirements, and character limits]
+   * (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entities)
+   * for quota of managed policies attached to an IAM group.
    * @param policy The managed policy to attach.
    */
   public addManagedPolicy(policy: IManagedPolicy) {
     if (this.managedPolicies.find(mp => mp === policy)) { return; }
     this.managedPolicies.push(policy);
+    this.managedPoliciesExceededWarning();
+  }
+
+  private managedPoliciesExceededWarning() {
+    if (this.managedPolicies.length > 10) {
+      Annotations.of(this).addWarning(`You added ${this.managedPolicies.length} to IAM Group ${this.physicalName}. The maximum number of managed policies attached to an IAM group is 10.`);
+    }
   }
 }

packages/@aws-cdk/aws-iam/test/group.test.ts

@@ -1,4 +1,4 @@
-import { Template } from '@aws-cdk/assertions';
+import { Annotations, Template } from '@aws-cdk/assertions';
 import { App, CfnResource, Stack } from '@aws-cdk/core';
 import { Group, ManagedPolicy, User } from '../lib';
 
@@ -103,3 +103,44 @@ test('cross-env group ARNs include path', () => {
     },
   });
 });
+
+test('throw warning if attached managed policies exceed 10 in constructor', () => {
+  // GIVEN
+  const stack = new Stack();
+
+  // WHEN
+  new Group(stack, 'MyGroup', {
+    groupName: 'MyGroup',
+    managedPolicies: [
+      ManagedPolicy.fromAwsManagedPolicyName('0'),
+      ManagedPolicy.fromAwsManagedPolicyName('1'),
+      ManagedPolicy.fromAwsManagedPolicyName('2'),
+      ManagedPolicy.fromAwsManagedPolicyName('3'),
+      ManagedPolicy.fromAwsManagedPolicyName('4'),
+      ManagedPolicy.fromAwsManagedPolicyName('5'),
+      ManagedPolicy.fromAwsManagedPolicyName('6'),
+      ManagedPolicy.fromAwsManagedPolicyName('7'),
+      ManagedPolicy.fromAwsManagedPolicyName('8'),
+      ManagedPolicy.fromAwsManagedPolicyName('9'),
+      ManagedPolicy.fromAwsManagedPolicyName('10'),
+    ],
+  });
+
+  Annotations.fromStack(stack).hasWarning('*', 'You added 11 to IAM Group MyGroup. The maximum number of managed policies attached to an IAM group is 10.');
+});
+
+test('throw warning if attached managed policies exceed 10 when calling `addManagedPolicy`', () => {
+  // GIVEN
+  const stack = new Stack();
+
+  // WHEN
+  const group = new Group(stack, 'MyGroup', {
+    groupName: 'MyGroup',
+  });
+
+  for (let i = 0; i <= 11; i++) {
+    group.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(i.toString()));
+  }
+
+  Annotations.fromStack(stack).hasWarning('/Default/MyGroup', 'You added 11 to IAM Group MyGroup. The maximum number of managed policies attached to an IAM group is 10.');
+});