From 2618b30d40e4607ec053b6a9c9d75e867afe042b Mon Sep 17 00:00:00 2001
From: slalom
Date: Fri, 15 May 2026 10:39:24 -0400
Subject: [PATCH] optional param to provide CF execution policy
---
 README.md | 1 +
 src/commands/infra.py | 6 ++++++
 src/infra/provisioning.py | 13 +++++++++++--
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 1c69abf..dd73326 100644
--- a/README.md
+++ b/README.md
@@ -84,6 +84,7 @@ qai-cli init --force Overwrite an existing config file
 ```
 qai-cli infra setup Deploy the CDK stack
 qai-cli infra setup --no-bootstrap Deploy without running CDK bootstrap
+qai-cli infra setup --cloudformation-execution-policy Set CDK bootstrap execution policy ARN
 qai-cli infra status Show CDK stack/resource status
 qai-cli infra destroy Destroy stack, retaining S3 data
 qai-cli infra destroy --yes Destroy stack without confirmation
diff --git a/src/commands/infra.py b/src/commands/infra.py
index 14307f1..76a81d8 100644
--- a/src/commands/infra.py
+++ b/src/commands/infra.py
@@ -22,6 +22,11 @@ def setup(
 "--bootstrap/--no-bootstrap",
 help="Run CDK bootstrap before deploying the application stack",
 ),
+ cloudformation_execution_policy: str | None = typer.Option(
+ None,
+ "--cloudformation-execution-policy",
+ help="IAM policy ARN for the CDK bootstrap CloudFormation execution role",
+ ),
 ) -> None:
 """Create infrastructure with AWS CDK."""
 cfg = load_cfg(config)
@@ -46,6 +51,7 @@ def setup(
 profile=cfg.aws.profile,
 account_id=account_id,
 region=cfg.aws.region,
+ cloudformation_execution_policy=cloudformation_execution_policy,
 )
 with CONSOLE.status("Running cdk deploy..."):
 state = provisioning.deploy(
diff --git a/src/infra/provisioning.py b/src/infra/provisioning.py
index 45c5372..eb54b6e 100644
--- a/src/infra/provisioning.py
+++ b/src/infra/provisioning.py
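Review bot: The new `--cloudformation-execution-policy` value in the first `src/commands/infra.py` hunk is accepted as a free-form string, and nothing visible checks that it is an IAM policy ARN before it becomes an argument to `cdk bootstrap`. A typo, or a value that begins with `-`, is then left for the CDK CLI to reject or to read as another option. A typer `callback=` on the option that rejects anything not shaped like an IAM policy ARN (for instance a pattern along the lines of `^arn:aws[a-z-]*:iam::(\d{12}|aws):policy/.+`) would fail early with a clear message. The help text should also say what omitting the option means, e.g. `help="IAM managed policy ARN for the CDK bootstrap CloudFormation execution role; when omitted, the CDK default policy is used"`. The signature and body of `setup` continue outside the hunk.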
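Review bot: In the second `src/commands/infra.py` hunk the policy reaches only the bootstrap call, so if that call is guarded by the `--bootstrap/--no-bootstrap` switch (the enclosing statement is outside the hunk), passing `--no-bootstrap` together with `--cloudformation-execution-policy` silently drops the policy. An operator could then believe the execution role was narrowed when the existing bootstrap was left untouched. Rejecting the combination before any work starts would make this explicit, e.g. `if cloudformation_execution_policy and not bootstrap: raise typer.BadParameter("--cloudformation-execution-policy requires --bootstrap")`, where `bootstrap` is assumed to be the name of the flag parameter.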
@@ -8,8 +8,17 @@ from src.infra.state import state_path, write_infra_state
 STACK_NAME = "QaiCliStack"
-def bootstrap(*, profile: str, account_id: str, region: str) -> None:
- _run(["cdk", "bootstrap", f"aws://{account_id}/{region}", "--profile", profile])
+def bootstrap(
+ *,
+ profile: str,
+ account_id: str,
+ region: str,
+ cloudformation_execution_policy: str | None = None,
+) -> None:
+ cmd = ["cdk", "bootstrap", f"aws://{account_id}/{region}", "--profile", profile]
+ if cloudformation_execution_policy:
+ cmd.extend(["--cloudformation-execution-policies", cloudformation_execution_policy])
+ _run(cmd)
 def deploy(
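Review bot: The truthiness test `if cloudformation_execution_policy:` in `bootstrap` treats an empty string as "not provided", so a call such as `--cloudformation-execution-policy "$POLICY_ARN"` with the variable unset bootstraps with CDK's default execution policy instead of failing. For a plain single-account bootstrap that default is, per the CDK documentation, AdministratorAccess, so the failure mode is the broadest permission set rather than the restricted one the caller asked for. Separate the two cases with `if cloudformation_execution_policy is not None:` and, inside it, `if not cloudformation_execution_policy.strip(): raise ValueError("cloudformation_execution_policy must not be empty")` before extending `cmd`. A one-line docstring would also help, noting that the singular parameter is passed to CDK's plural `--cloudformation-execution-policies` flag and that `None` leaves the CDK default in place.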