optional param to provide CF execution policy

src/commands/infra.py

@@ -22,6 +22,11 @@ def setup(
         "--bootstrap/--no-bootstrap",
         help="Run CDK bootstrap before deploying the application stack",
     ),
+    cloudformation_execution_policy: str | None = typer.Option(
+        None,
+        "--cloudformation-execution-policy",
+        help="IAM policy ARN for the CDK bootstrap CloudFormation execution role",
+    ),
 ) -> None:
     """Create infrastructure with AWS CDK."""
     cfg = load_cfg(config)
@@ -46,6 +51,7 @@ def setup(
                     profile=cfg.aws.profile,
                     account_id=account_id,
                     region=cfg.aws.region,
+                    cloudformation_execution_policy=cloudformation_execution_policy,
                 )
         with CONSOLE.status("Running cdk deploy..."):
             state = provisioning.deploy(

src/infra/provisioning.py

@@ -8,8 +8,17 @@ from src.infra.state import state_path, write_infra_state
 STACK_NAME = "QaiCliStack"
 
 
-def bootstrap(*, profile: str, account_id: str, region: str) -> None:
-    _run(["cdk", "bootstrap", f"aws://{account_id}/{region}", "--profile", profile])
+def bootstrap(
+    *,
+    profile: str,
+    account_id: str,
+    region: str,
+    cloudformation_execution_policy: str | None = None,
+) -> None:
+    cmd = ["cdk", "bootstrap", f"aws://{account_id}/{region}", "--profile", profile]
+    if cloudformation_execution_policy:
+        cmd.extend(["--cloudformation-execution-policies", cloudformation_execution_policy])
+    _run(cmd)
 
 
 def deploy(