iam: No error when more than 11 ManagedPolicy are set for UserGroup.

[watany-dev]

Describe the bug

When I set up the group with the code as written in the reproduction procedure, neither CDK nor CreateStack failed, but Createstack was tried, and I had to wait for more than 20 minutes!

Expected Behavior

It takes a long time to get an error in CloudFormation, so it would be kind to get an error in the CDK constucts.

Current Behavior

After attempting to cdk deploy, CreateStack continued for over 20 minutes without error.

Reproduction Steps

const group = new iam.Group(this, 'sample-group', {});
const policylist: string[] = [
  'AWSSome01PowerUser',
  ……

  'AWSSome20PowerUser',    
]
for (var policy of policylist)
      group.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName(policy))

Possible Solution

I want to modify the cdk side to raise an Exception Error.

Additional Information/Context

No response

CDK CLI Version

2.62.2

Framework Version

No response

Node.js Version

any

OS

AmazonLinux2

Language

Typescript

Language Version

No response

Other information

No response

[peterwoodworth]

It would be nice to throw an error before deployment I agree, however I have some concern with hardcoding a limit of 10 that maybe some others could alleviate - The quota is described here in IAM documentation. There currently isn't a way to request a limit increase for this, however what if they introduce that option? Or change the default limit in the future? This check we would implement would then become a blocker for people.

We should at least mention the limits in our own documentation, and if we decide to not throw an error for this maybe we could throw a warning instead

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.