fix(cli): cdk diff fails when deploy role requires tags (#33340)

The call to `createChangeSet` is not passing that stack's tags. If the deploy role has some policy that requires specific tags, it will fail to create a change set and, therefore, to create a diff. Pass the tags along to `createChangeSet`. Fixes #33316. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Feb 7, 2025 · f1d9a7d · f1d9a7d
1 parent 4744ee5
commit f1d9a7d
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 9 deletions.
diff --git a/packages/aws-cdk/lib/api/deployments/cloudformation.ts b/packages/aws-cdk/lib/api/deployments/cloudformation.ts
@@ -459,7 +459,7 @@ export async function uploadStackTemplateAssets(stack: cxapi.CloudFormationStack
   }
 }
 
-async function createChangeSet(options: CreateChangeSetOptions): Promise<DescribeChangeSetCommandOutput> {
+export async function createChangeSet(options: CreateChangeSetOptions): Promise<DescribeChangeSetCommandOutput> {
   await cleanupOldChangeset(options.changeSetName, options.stack.stackName, options.cfn);
 
   debug(`Attempting to create ChangeSet with name ${options.changeSetName} for stack ${options.stack.stackName}`);
@@ -478,6 +478,7 @@ async function createChangeSet(options: CreateChangeSetOptions): Promise<Describ
     Parameters: stackParams.apiParameters,
     ResourcesToImport: options.resourcesToImport,
     RoleARN: options.role,
+    Tags: toCfnTags(options.stack.tags),
     Capabilities: ['CAPABILITY_IAM', 'CAPABILITY_NAMED_IAM', 'CAPABILITY_AUTO_EXPAND'],
   });
 
@@ -491,6 +492,13 @@ async function createChangeSet(options: CreateChangeSetOptions): Promise<Describ
   return createdChangeSet;
 }
 
+function toCfnTags(tags: { [id: string]: string }): Tag[] {
+  return Object.entries(tags).map(([k, v]) => ({
+    Key: k,
+    Value: v,
+  }));
+}
+
 export async function cleanupOldChangeset(changeSetName: string, stackName: string, cfn: ICloudFormationClient) {
   // Delete any existing change sets generated by CDK since change set names must be unique.
   // The delete request is successful as long as the stack exists (even if the change set does not exist).

diff --git a/packages/aws-cdk/test/api/deployments/cloudformation-deployments.test.ts b/packages/aws-cdk/test/api/deployments/cloudformation-deployments.test.ts
@@ -1,17 +1,18 @@
-jest.mock('../../../lib/api/deployments/deploy-stack');
-jest.mock('../../../lib/api/deployments/asset-publishing');
-
+import * as cxapi from '@aws-cdk/cx-api';
 import {
+  ContinueUpdateRollbackCommand,
+  DescribeStackEventsCommand,
   DescribeStacksCommand,
   ListStackResourcesCommand,
-  StackStatus,
-  type StackResourceSummary,
   RollbackStackCommand,
-  ContinueUpdateRollbackCommand,
-  DescribeStackEventsCommand,
+  type StackResourceSummary,
+  StackStatus,
+  DescribeChangeSetCommand,
+  ChangeSetStatus,
+  CreateChangeSetCommand,
 } from '@aws-sdk/client-cloudformation';
 import { GetParameterCommand } from '@aws-sdk/client-ssm';
-import { CloudFormationStack, Deployments } from '../../../lib/api/deployments';
+import { CloudFormationStack, createChangeSet, Deployments } from '../../../lib/api/deployments';
 import { deployStack } from '../../../lib/api/deployments/deploy-stack';
 import { HotswapMode } from '../../../lib/api/hotswap/common';
 import { ToolkitInfo } from '../../../lib/api/toolkit-info';
@@ -27,6 +28,9 @@ import {
 } from '../../util/mock-sdk';
 import { FakeCloudformationStack } from '../fake-cloudformation-stack';
 
+jest.mock('../../../lib/api/deployments/deploy-stack');
+jest.mock('../../../lib/api/deployments/asset-publishing');
+
 let sdkProvider: MockSdkProvider;
 let sdk: MockSdk;
 let deployments: Deployments;
@@ -1132,6 +1136,33 @@ describe('stackExists', () => {
   });
 });
 
+test('tags are passed along to create change set', async () => {
+  mockCloudFormationClient.on(DescribeChangeSetCommand).resolves({
+    Status: ChangeSetStatus.CREATE_COMPLETE,
+  });
+
+  const stack: any = {};
+  stack.tags = { SomeKey: 'SomeValue' };
+  for (const methodName of Object.getOwnPropertyNames(cxapi.CloudFormationStackArtifact.prototype)) {
+    stack[methodName] = jest.fn();
+  }
+
+  await createChangeSet({
+    stack: stack,
+    cfn: new MockSdk().cloudFormation(),
+    changeSetName: 'foo',
+    willExecute: false,
+    exists: true,
+    uuid: '142DF82A-8ED8-4944-8EEB-A5BAE141F13F',
+    bodyParameter: {},
+    parameters: {},
+  });
+
+  expect(mockCloudFormationClient).toHaveReceivedCommandWith(CreateChangeSetCommand, {
+    Tags: [{ Key: 'SomeKey', Value: 'SomeValue' }],
+  });
+});
+
 function pushStackResourceSummaries(stackName: string, ...items: StackResourceSummary[]) {
   if (!currentCfnStackResources[stackName]) {
     currentCfnStackResources[stackName] = [];