wip: working toward change set review on deploy

Author: orien

packages/@aws-cdk/cli-lib-alpha/lib/commands/common.ts

@@ -16,6 +16,11 @@ export enum RequireApproval {
    * Only prompt for approval if there are security related changes
    */
   BROADENING = 'broadening',
+
+  /**
+   * Create and display a CloudFormation change set for review before deployment
+   */
+  CHANGESET = 'change-set',
 }
 
 /**

packages/@aws-cdk/cloud-assembly-schema/lib/integ-tests/commands/common.ts

@@ -16,6 +16,11 @@ export enum RequireApproval {
    * Only prompt for approval if there are security related changes
    */
   BROADENING = 'broadening',
+
+  /**
+   * Create and display a CloudFormation change set for review before deployment
+   */
+  CHANGESET = 'change-set',
 }
 
 /**

packages/@aws-cdk/cloud-assembly-schema/schema/integ.schema.json

@@ -171,6 +171,7 @@
                     "enum": [
                         "any-change",
                         "broadening",
+                        "change-set",
                         "never"
                     ],
                     "type": "string"

packages/@aws-cdk/cloud-assembly-schema/schema/version.json

@@ -1,5 +1,5 @@
 {
-  "schemaHash": "4755f1d1fcb2dc25dd6bff0494afa7d86c517274ffebdf2ac2dcb90ad4b899c4",
+  "schemaHash": "be3b4af15467897d18b5d4f52fafad5901ae65f99ba3fe9c5ebb661a3972dbe4",
   "$comment": "Do not hold back the version on additions: jsonschema validation of the manifest by the consumer will trigger errors on unexpected fields.",
-  "revision": 48
+  "revision": 49
 }

packages/@aws-cdk/cloud-assembly-schema/test/integ-tests.test.ts

@@ -94,6 +94,28 @@ describe('Integration test', () => {
     });
   });
 
+  test('valid input with change-set requireApproval', () => {
+    expect(() => {
+      validate({
+        version: Manifest.version(),
+        testCases: {
+          testCase1: {
+            stacks: ['stack1'],
+            cdkCommandOptions: {
+              deploy: {
+                enabled: true,
+                args: {
+                  requireApproval: 'change-set',
+                  app: 'node bin/my-app.js',
+                },
+              },
+            },
+          },
+        },
+      });
+    }).not.toThrow();
+  });
+
   test('invalid input', () => {
     expect(() => {
       validate({

packages/@aws-cdk/toolkit-lib/lib/actions/deploy/index.ts

@@ -35,6 +35,41 @@ export interface ChangeSetDeployment {
    * @default false
    */
   readonly importExistingResources?: boolean;
+
+  /**
+   * Whether to execute an existing change set instead of creating a new one.
+   * When true, the specified changeSetName must exist and will be executed directly.
+   * When false or undefined, a new change set will be created.
+   *
+   * This is useful for secure change set review workflows where:
+   * 1. A change set is created with `execute: false`
+   * 2. The change set is reviewed by authorized personnel
+   * 3. The same change set is executed using this option to ensure
+   *    the exact changes that were reviewed are deployed
+   *
+   * @example
+   * // Step 1: Create change set for review
+   * deployStack(\{
+   *   deploymentMethod: \{
+   *     method: 'change-set',
+   *     changeSetName: 'my-review-changeset',
+   *     execute: false
+   *   \}
+   * \});
+   *
+   * // Step 2: Execute the reviewed change set
+   * deployStack(\{
+   *   deploymentMethod: \{
+   *     method: 'change-set',
+   *     changeSetName: 'my-review-changeset',
+   *     executeExistingChangeSet: true,
+   *     execute: true
+   *   \}
+   * \});
+   *
+   * @default false
+   */
+  readonly executeExistingChangeSet?: boolean;
 }
 
 /**

packages/@aws-cdk/toolkit-lib/lib/api/deployments/deploy-stack.ts

@@ -430,10 +430,34 @@ class FullCloudFormationDeployment {
     const changeSetName = deploymentMethod.changeSetName ?? 'cdk-deploy-change-set';
     const execute = deploymentMethod.execute ?? true;
     const importExistingResources = deploymentMethod.importExistingResources ?? false;
-    const changeSetDescription = await this.createChangeSet(changeSetName, execute, importExistingResources);
+    const executeExistingChangeSet = deploymentMethod.executeExistingChangeSet ?? false;
+
+    let changeSetDescription: DescribeChangeSetCommandOutput;
+
+    if (executeExistingChangeSet) {
+      // Execute an existing change set instead of creating a new one
+      await this.ioHelper.defaults.info(format('Executing existing change set %s on stack %s', changeSetName, this.stackName));
+      changeSetDescription = await this.cfn.describeChangeSet({
+        StackName: this.stackName,
+        ChangeSetName: changeSetName,
+      });
+
+      // Verify the change set exists and is in a valid state
+      if (!changeSetDescription.ChangeSetId) {
+        throw new ToolkitError(format('Change set %s not found on stack %s', changeSetName, this.stackName));
+      }
+      if (changeSetDescription.Status !== 'CREATE_COMPLETE') {
+        throw new ToolkitError(format('Change set %s is in status %s and cannot be executed', changeSetName, changeSetDescription.Status));
+      }
+    } else {
+      // Create a new change set (existing behavior)
+      changeSetDescription = await this.createChangeSet(changeSetName, execute, importExistingResources);
+    }
+
     await this.updateTerminationProtection();
 
-    if (changeSetHasNoChanges(changeSetDescription)) {
+    // Only check for empty changes when creating a new change set, not when executing an existing one
+    if (!executeExistingChangeSet && changeSetHasNoChanges(changeSetDescription)) {
       await this.ioHelper.defaults.debug(format('No changes are to be performed on %s.', this.stackName));
       if (execute) {
         await this.ioHelper.defaults.debug(format('Deleting empty change set %s', changeSetDescription.ChangeSetId));
@@ -768,6 +792,13 @@ async function canSkipDeploy(
     return false;
   }
 
+  // Executing existing change set, never skip
+  if (deployStackOptions.deploymentMethod?.method === 'change-set' &&
+      deployStackOptions.deploymentMethod.executeExistingChangeSet === true) {
+    await ioHelper.defaults.debug(`${deployName}: executing existing change set, never skip`);
+    return false;
+  }
+
   // No existing stack
   if (!cloudFormationStack.exists) {
     await ioHelper.defaults.debug(`${deployName}: no existing stack`);

packages/@aws-cdk/toolkit-lib/lib/api/deployments/deployments.ts

@@ -1,6 +1,7 @@
 import { randomUUID } from 'crypto';
 import * as cdk_assets from '@aws-cdk/cdk-assets-lib';
 import type * as cxapi from '@aws-cdk/cx-api';
+import type { DescribeChangeSetCommandOutput } from '@aws-sdk/client-cloudformation';
 import * as chalk from 'chalk';
 import { AssetManifestBuilder } from './asset-manifest-builder';
 import {
@@ -674,6 +675,34 @@ export class Deployments {
     return publisher.isEntryPublished(asset);
   }
 
+  /**
+   * Read change set details for a stack
+   */
+  public async readChangeSet(
+    stackArtifact: cxapi.CloudFormationStackArtifact,
+    changeSetName: string,
+  ): Promise<DescribeChangeSetCommandOutput> {
+    const env = await this.envs.accessStackForReadOnlyStackOperations(stackArtifact);
+    return env.sdk.cloudFormation().describeChangeSet({
+      StackName: stackArtifact.stackName,
+      ChangeSetName: changeSetName,
+    });
+  }
+
+  /**
+   * Delete a change set for a stack
+   */
+  public async deleteChangeSet(
+    stackArtifact: cxapi.CloudFormationStackArtifact,
+    changeSetName: string,
+  ): Promise<void> {
+    const env = await this.envs.accessStackForMutableStackOperations(stackArtifact);
+    await env.sdk.cloudFormation().deleteChangeSet({
+      StackName: stackArtifact.stackName,
+      ChangeSetName: changeSetName,
+    });
+  }
+
   /**
    * Validate that the bootstrap stack has the right version for this stack
    *

packages/@aws-cdk/toolkit-lib/test/api/deployments/cloudformation-deployments.test.ts

@@ -1,6 +1,7 @@
 import * as cxapi from '@aws-cdk/cx-api';
 import {
   ContinueUpdateRollbackCommand,
+  DeleteChangeSetCommand,
   DescribeStackEventsCommand,
   DescribeStacksCommand,
   ListStackResourcesCommand,
@@ -1215,3 +1216,120 @@ function givenStacks(stacks: Record<string, { template: any; stackStatus?: strin
     }
   });
 }
+
+describe('change set operations', () => {
+  test('readChangeSet calls CloudFormation describeChangeSet with correct parameters', async () => {
+    // GIVEN
+    const changeSetName = 'test-changeset';
+    const stackName = 'test-stack';
+    const mockChangeSetResponse = {
+      ChangeSetId: 'arn:aws:cloudformation:us-east-1:123456789012:changeSet/test-changeset/12345',
+      ChangeSetName: changeSetName,
+      StackId: 'arn:aws:cloudformation:us-east-1:123456789012:stack/test-stack/12345',
+      Status: 'CREATE_COMPLETE',
+      Changes: [{
+        Type: 'Resource',
+        ResourceChange: {
+          Action: 'Modify',
+          LogicalResourceId: 'TestResource',
+          ResourceType: 'AWS::S3::Bucket',
+        },
+      }],
+    };
+
+    mockCloudFormationClient.on(DescribeChangeSetCommand).resolves(mockChangeSetResponse);
+
+    const stack = testStack({
+      stackName,
+    });
+
+    // WHEN
+    const result = await deployments.readChangeSet(stack, changeSetName);
+
+    // THEN
+    expect(result).toEqual(mockChangeSetResponse);
+    expect(mockCloudFormationClient).toHaveReceivedCommandWith(DescribeChangeSetCommand, {
+      StackName: stackName,
+      ChangeSetName: changeSetName,
+    });
+  });
+
+  test('deleteChangeSet calls CloudFormation deleteChangeSet with correct parameters', async () => {
+    // GIVEN
+    const changeSetName = 'test-changeset';
+    const stackName = 'test-stack';
+
+    mockCloudFormationClient.on(DeleteChangeSetCommand).resolves({});
+
+    const stack = testStack({
+      stackName,
+    });
+
+    // WHEN
+    await deployments.deleteChangeSet(stack, changeSetName);
+
+    // THEN
+    expect(mockCloudFormationClient).toHaveReceivedCommandWith(DeleteChangeSetCommand, {
+      StackName: stackName,
+      ChangeSetName: changeSetName,
+    });
+  });
+
+  test('readChangeSet handles CloudFormation errors gracefully', async () => {
+    // GIVEN
+    const changeSetName = 'non-existent-changeset';
+    const stackName = 'test-stack';
+    const error = new Error('Change set not found');
+
+    mockCloudFormationClient.on(DescribeChangeSetCommand).rejects(error);
+
+    const stack = testStack({
+      stackName,
+    });
+
+    // WHEN/THEN
+    await expect(deployments.readChangeSet(stack, changeSetName)).rejects.toThrow('Change set not found');
+  });
+
+  test('deleteChangeSet handles CloudFormation errors gracefully', async () => {
+    // GIVEN
+    const changeSetName = 'non-existent-changeset';
+    const stackName = 'test-stack';
+    const error = new Error('Change set not found');
+
+    mockCloudFormationClient.on(DeleteChangeSetCommand).rejects(error);
+
+    const stack = testStack({
+      stackName,
+    });
+
+    // WHEN/THEN
+    await expect(deployments.deleteChangeSet(stack, changeSetName)).rejects.toThrow('Change set not found');
+  });
+
+  test('readChangeSet returns change set with empty changes array', async () => {
+    // GIVEN
+    const changeSetName = 'empty-changeset';
+    const stackName = 'test-stack';
+    const mockChangeSetResponse = {
+      ChangeSetId: 'arn:aws:cloudformation:us-east-1:123456789012:changeSet/empty-changeset/12345',
+      ChangeSetName: changeSetName,
+      StackId: 'arn:aws:cloudformation:us-east-1:123456789012:stack/test-stack/12345',
+      Status: 'CREATE_COMPLETE',
+      Changes: [],
+    };
+
+    mockCloudFormationClient.on(DescribeChangeSetCommand).resolves(mockChangeSetResponse);
+
+    const stack = testStack({
+      stackName,
+    });
+
+    // WHEN
+    const result = await deployments.readChangeSet(stack, changeSetName);
+
+    // THEN
+    expect(result).toEqual(mockChangeSetResponse);
+    expect(result.Changes).toHaveLength(0);
+  });
+});