feat(iam): support Role.fromLookup() method (#33603)

### Issue # (if applicable)

Closes #33602.

### Reason for this change



There will be many cases where IAM roles will be created outside the CFn stack and used.
Importing actual existing roles from AWS accounts is very convenience. It is also useful to be able to make an error if a role does not exist.

On the other hand, a generic Context Provider for CloudControl API has been added in aws-cdk-cli.

aws/aws-cdk-cli#138

This allows us to implement new context methods.

### Description of changes



Add `Role.fromLookup` method using the new context provider.

### Describe any new or updated permissions being added




### Description of how you validated changes



Both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: go-to-k

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role-from-lookup.js.snapshot/LookupRoleStack.assets.json

@@ -0,0 +1,62 @@
+{
+ "Resources": {
+  "HelloPolicyD59007DF": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "ec2:*",
+       "Effect": "Allow",
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "Default",
+    "Roles": [
+     "MyLookupTestRole"
+    ]
+   }
+  }
+ },
+ "Outputs": {
+  "LookupRoleName": {
+   "Value": "MyLookupTestRole"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role-from-lookup.js.snapshot/LookupRoleStack.template.json

@@ -0,0 +1,35 @@
+import { App, CfnOutput, Stack } from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { Policy, PolicyStatement, Role } from 'aws-cdk-lib/aws-iam';
+
+const roleName = 'MyLookupTestRole';
+
+const app = new App();
+
+const stack = new Stack(app, 'LookupRoleStack', {
+  env: {
+    account: process.env.CDK_INTEG_ACCOUNT ?? process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_INTEG_REGION ?? process.env.CDK_DEFAULT_REGION,
+  },
+});
+
+const lookupRole = Role.fromLookup(stack, 'LookupRole', {
+  roleName,
+});
+
+const policy = new Policy(stack, 'HelloPolicy', { policyName: 'Default' });
+policy.addStatements(new PolicyStatement({ actions: ['ec2:*'], resources: ['*'] }));
+policy.attachToRole(lookupRole);
+
+new CfnOutput(stack, 'LookupRoleName', { value: lookupRole.roleName });
+
+new IntegTest(app, 'integ-iam-role-from-lookup', {
+  enableLookups: true,
+  stackUpdateWorkflow: false,
+  testCases: [stack],
+  // create the role before the test and delete it after
+  hooks: {
+    preDeploy: [`aws iam create-role --role-name ${roleName} --assume-role-policy-document file://policy-document.json`],
+    postDestroy: [`aws iam delete-role --role-name ${roleName}`],
+  },
+});

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role-from-lookup.js.snapshot/cdk.out

@@ -0,0 +1,12 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "sqs.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}