Skip to content

feat: show early validation errors on deploy #970

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat: show early validation errors on deploy #970

wants to merge 6 commits into from
+229 −8

Conversation

@otaviomacedo
Copy link
Contributor

@otaviomacedo otaviomacedo commented Dec 1, 2025

CloudFormation has recently launched early validation. When creating the change set, CloudFormation validates a few things such as whether a resource with that physical ID already exists. More validations to come. But the specific information about the error (other than it's an early validation error) is not returned by the DescribeChangeSet API. The consumer is supposed to call a new API, DescribeEvents to get that information.

Introduce a new class,EarlyValidationReporter that checks whether such an error occurred and call the DescribeChangeSet API. The bootstrap stack was also updated to include permission to this new API. If the user's bootstrap stack is older than that, throw a special error to instruct the user to re-bootstrap.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@otaviomacedo
chore: upgrade dependencies
1b0086d 
Additional changes, done by hand:

- Added `IMAGE_ARCHIVED` to `ScanStatus` to reflect the latest version from the SDK
- `renderYargs` output now has an additional line break. Fix the test
@otaviomacedo
WIP
5c07d8c
@otaviomacedo
Integ test
465d44b
@github-actions github-actions bot added the p2 label Dec 1, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team December 1, 2025 10:55
rix0rrr
rix0rrr requested changes Dec 1, 2025
View reviewed changes
packages/@aws-cdk/toolkit-lib/lib/api/deployments/early-validation.ts Outdated
Comment on lines 33 to 36
const failures = (eventsOutput.OperationEvents ?? [])
.filter((event) => event.ValidationStatus === ValidationStatus.FAILED)
.map((event) => ` - ${event.ValidationStatusReason} (at ${event.ValidationPath})`)
.join('\n');
Copy link
Contributor

@rix0rrr rix0rrr Dec 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might include events from multiple deployments, as long as they fit on one page.

We should only check events from the last deployment (perhaps even locate them based on an identifier, if that's feasible at all)

Copy link
Contributor Author

@otaviomacedo otaviomacedo Dec 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The toolkit deletes the old change set before creating a new one. And when a change set is deleted, all events are also deleted. So when a new one is created, and we are looking at its description here, it will contain only the events for this deployment.

Base automatically changed from otaviom/upgrade-deps-sdk-3.940.0 to main December 4, 2025 14:43
@otaviomacedo
Merge branch 'main' into otaviom/early-validation
4be7d70 
# Conflicts:
#	packages/@aws-cdk/integ-runner/THIRD_PARTY_LICENSES
#	packages/aws-cdk/THIRD_PARTY_LICENSES
#	packages/aws-cdk/test/commands/init.test.ts
#	packages/cdk-assets/THIRD_PARTY_LICENSES
@otaviomacedo
format
50ef569
@otaviomacedo otaviomacedo deployed to integ-approval December 4, 2025 16:17 — with GitHub Actions Active
@codecov-commenter
Copy link

codecov-commenter commented Dec 4, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.39%. Comparing base (2a6f8d3) to head (50ef569).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #970   +/-   ##
=======================================
  Coverage   87.38%   87.39%           
=======================================
  Files          71       71           
  Lines       10010    10010           
  Branches     1311     1310    -1     
=======================================
+ Hits         8747     8748    +1     
+ Misses       1240     1239    -1     
  Partials       23       23
Flag Coverage Δ
suite.unit 87.39% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions
Copy link
Contributor

github-actions bot commented Dec 4, 2025

⚠️ Bootstrap Template Protection

This PR modifies the bootstrap template (packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml), which requires special protections.

✅ All requirements met! This PR can proceed with normal review process.

Requirements

Version Increment
✅ Version incremented from 29 to 30

Security Review
✅ Review completed (PR has pr/security-reviewed label)

Why these protections exist

  • The bootstrap template contains critical infrastructure
  • Changes can affect IAM roles, policies, and resource access across all CDK deployments
  • Version increments ensure users are notified of updates

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rix0rrr rix0rrr rix0rrr requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

p2 pr/security-reviewed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@otaviomacedo @codecov-commenter @rix0rrr