feat: refactor (dry-run mode only) (#342)

Add a `refactor` command. For now, it only works in dry run mode
(`-dry-run` in the command line, or `dryRun: true` to the toolkit). It
computes the mappings based on the difference between the deployed
stacks and the cloud assembly stacks, and shows them in a table.
Example:

```
$ cdk refactor --dry-run --unstable=refactor

The following resources were moved or renamed:
┌───────────────────────┬────────────────────────────────────────┬───────────────────────────────────────┐
│ Resource Type         │ Old Construct Path                     │ New Construct Path                    │
├───────────────────────┼────────────────────────────────────────┼───────────────────────────────────────┤
│ AWS::IAM::Role        │ Consumer/Function/ServiceRole/Resource │ Consumer/NewName/ServiceRole/Resource │
├───────────────────────┼────────────────────────────────────────┼───────────────────────────────────────┤
│ AWS::Lambda::Function │ Consumer/Function/Resource             │ Consumer/NewName/Resource             │
└───────────────────────┴────────────────────────────────────────┴───────────────────────────────────────┘
```

Note that we are launching this feature under unstable mode, which
requires the user to acknowledge that by passing the
`--unstable=refactor` flag.

Closes #132,
#133,
#141,
#134 and
#135.

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

Author: otaviomacedo

Diff for: packages/@aws-cdk/cloudformation-diff/lib/index.ts

@@ -1,4 +1,5 @@
 export * from './diff-template';
 export * from './format';
 export * from './format-table';
+export * from './mappings';
 export { deepEqual, mangleLikeCloudFormation } from './diff/util';

Diff for: packages/@aws-cdk/cloudformation-diff/lib/mappings.ts

@@ -0,0 +1,50 @@
+import * as chalk from 'chalk';
+import { Formatter } from './format';
+import { formatTable } from './format-table';
+
+export interface TypedMapping {
+  readonly type: string;
+  readonly sourcePath: string;
+  readonly destinationPath: string;
+}
+
+export function formatTypedMappings(stream: NodeJS.WritableStream, mappings: TypedMapping[]) {
+  const header = [['Resource Type', 'Old Construct Path', 'New Construct Path']];
+  const rows = mappings.map((m) => [m.type, m.sourcePath, m.destinationPath]);
+
+  const formatter = new Formatter(stream, {});
+  if (mappings.length > 0) {
+    formatter.printSectionHeader('The following resources were moved or renamed:');
+    formatter.print(chalk.green(formatTable(header.concat(rows), undefined)));
+  } else {
+    formatter.print('Nothing to refactor.');
+  }
+}
+
+export function formatAmbiguousMappings(
+  stream: NodeJS.WritableStream,
+  pairs: [string[], string[]][],
+) {
+  const tables = pairs.map(renderTable);
+  const formatter = new Formatter(stream, {});
+
+  formatter.printSectionHeader('Ambiguous Resource Name Changes');
+  formatter.print(tables.join('\n\n'));
+  formatter.printSectionFooter();
+
+  function renderTable([removed, added]: [string[], string[]]) {
+    return formatTable([['', 'Resource'], renderRemoval(removed), renderAddition(added)], undefined);
+  }
+
+  function renderRemoval(locations: string[]) {
+    return [chalk.red('-'), chalk.red(renderLocations(locations))];
+  }
+
+  function renderAddition(locations: string[]) {
+    return [chalk.green('+'), chalk.green(renderLocations(locations))];
+  }
+
+  function renderLocations(locs: string[]) {
+    return locs.join('\n');
+  }
+}

Diff for: packages/@aws-cdk/tmp-toolkit-helpers/src/api/aws-auth/sdk.ts

@@ -87,8 +87,10 @@ import type {
   UpdateStackCommandOutput,
   UpdateTerminationProtectionCommandInput,
   UpdateTerminationProtectionCommandOutput,
+  StackSummary,
 } from '@aws-sdk/client-cloudformation';
 import {
+  paginateListStacks,
   CloudFormationClient,
   ContinueUpdateRollbackCommand,
   CreateChangeSetCommand,
@@ -440,6 +442,7 @@ export interface ICloudFormationClient {
   // Pagination functions
   describeStackEvents(input: DescribeStackEventsCommandInput): Promise<DescribeStackEventsCommandOutput>;
   listStackResources(input: ListStackResourcesCommandInput): Promise<StackResourceSummary[]>;
+  paginatedListStacks(input: ListStacksCommandInput): Promise<StackSummary[]>;
 }
 
 export interface ICloudWatchLogsClient {
@@ -730,6 +733,14 @@ export class SDK {
         }
         return stackResources;
       },
+      paginatedListStacks: async (input: ListStacksCommandInput): Promise<StackSummary[]> => {
+        const stackResources = Array<StackSummary>();
+        const paginator = paginateListStacks({ client }, input);
+        for await (const page of paginator) {
+          stackResources.push(...(page?.StackSummaries || []));
+        }
+        return stackResources;
+      },
     };
   }
 

Diff for: packages/@aws-cdk/tmp-toolkit-helpers/src/api/diff/diff-formatter.ts

@@ -1,43 +1,21 @@
 import { format } from 'node:util';
-import { Writable } from 'stream';
 import * as cxschema from '@aws-cdk/cloud-assembly-schema';
 import {
-  type TemplateDiff,
-  fullDiff,
-  formatSecurityChanges,
   formatDifferences,
+  formatSecurityChanges,
+  fullDiff,
   mangleLikeCloudFormation,
+  type TemplateDiff,
 } from '@aws-cdk/cloudformation-diff';
 import type * as cxapi from '@aws-cdk/cx-api';
 import * as chalk from 'chalk';
 import type { NestedStackTemplates } from '../cloudformation';
 import type { IoHelper } from '../io/private';
 import { IoDefaultMessages } from '../io/private';
 import { RequireApproval } from '../require-approval';
+import { StringWriteStream } from '../streams';
 import { ToolkitError } from '../toolkit-error';
 
-/*
- * Custom writable stream that collects text into a string buffer.
- * Used on classes that take in and directly write to a stream, but
- * we intend to capture the output rather than print.
- */
-class StringWriteStream extends Writable {
-  private buffer: string[] = [];
-
-  constructor() {
-    super();
-  }
-
-  _write(chunk: any, _encoding: string, callback: (error?: Error | null) => void): void {
-    this.buffer.push(chunk.toString());
-    callback();
-  }
-
-  toString(): string {
-    return this.buffer.join('');
-  }
-}
-
 /**
  * Output of formatSecurityDiff
  */

Diff for: packages/@aws-cdk/tmp-toolkit-helpers/src/api/index.ts

@@ -12,6 +12,7 @@ export * from './io';
 export * from './logs-monitor';
 export * from './notices';
 export * from './plugin';
+export * from './refactoring';
 export * from './require-approval';
 export * from './resource-import';
 export * from './rwlock';

Diff for: packages/@aws-cdk/tmp-toolkit-helpers/src/api/io/private/messages.ts

@@ -9,6 +9,7 @@ import type { StackDestroy, StackDestroyProgress } from '../../../payloads/destr
 import type { HotswapDeploymentDetails, HotswapDeploymentAttempt, HotswappableChange, HotswapResult } from '../../../payloads/hotswap';
 import type { StackDetailsPayload } from '../../../payloads/list';
 import type { CloudWatchLogEvent, CloudWatchLogMonitorControlEvent } from '../../../payloads/logs-monitor';
+import type { RefactorResult } from '../../../payloads/refactor';
 import type { StackRollbackProgress } from '../../../payloads/rollback';
 import type { SdkTrace } from '../../../payloads/sdk-trace';
 import type { StackActivity, StackMonitoringControlEvent } from '../../../payloads/stack-activity';
@@ -349,6 +350,18 @@ export const IO = {
     interface: 'ErrorPayload',
   }),
 
+  // 8. Refactor (8xxx)
+  CDK_TOOLKIT_I8900: make.result<RefactorResult>({
+    code: 'CDK_TOOLKIT_I8900',
+    description: 'Refactor result',
+    interface: 'RefactorResult',
+  }),
+
+  CDK_TOOLKIT_W8010: make.warn({
+    code: 'CDK_TOOLKIT_W8010',
+    description: 'Refactor execution not yet supported',
+  }),
+
   // 9: Bootstrap (9xxx)
   CDK_TOOLKIT_I9000: make.info<Duration>({
     code: 'CDK_TOOLKIT_I9000',

Diff for: packages/@aws-cdk/tmp-toolkit-helpers/src/api/io/toolkit-action.ts

@@ -16,4 +16,5 @@ export type ToolkitAction =
 | 'import'
 | 'metadata'
 | 'init'
-| 'migrate';
+| 'migrate'
+| 'refactor';

Diff for: packages/@aws-cdk/tmp-toolkit-helpers/src/api/refactoring/cloudformation.ts

@@ -0,0 +1,17 @@
+import type * as cxapi from '@aws-cdk/cx-api';
+
+export interface CloudFormationTemplate {
+  Resources?: {
+    [logicalId: string]: {
+      Type: string;
+      Properties?: any;
+      Metadata?: Record<string, any>;
+    };
+  };
+}
+
+export interface CloudFormationStack {
+  readonly environment: cxapi.Environment;
+  readonly stackName: string;
+  readonly template: CloudFormationTemplate;
+}

Diff for: packages/@aws-cdk/tmp-toolkit-helpers/src/api/refactoring/digest.ts

@@ -0,0 +1,153 @@
+import * as crypto from 'node:crypto';
+import type { CloudFormationTemplate } from './cloudformation';
+
+/**
+ * Computes the digest for each resource in the template.
+ *
+ * Conceptually, the digest is computed as:
+ *
+ *     digest(resource) = hash(type + properties + dependencies.map(d))
+ *
+ * where `hash` is a cryptographic hash function. In other words, the digest of a
+ * resource is computed from its type, its own properties (that is, excluding
+ * properties that refer to other resources), and the digests of each of its
+ * dependencies.
+ *
+ * The digest of a resource, defined recursively this way, remains stable even if
+ * one or more of its dependencies gets renamed. Since the resources in a
+ * CloudFormation template form a directed acyclic graph, this function is
+ * well-defined.
+ */
+export function computeResourceDigests(template: CloudFormationTemplate): Record<string, string> {
+  const resources = template.Resources || {};
+  const graph: Record<string, Set<string>> = {};
+  const reverseGraph: Record<string, Set<string>> = {};
+
+  // 1. Build adjacency lists
+  for (const id of Object.keys(resources)) {
+    graph[id] = new Set();
+    reverseGraph[id] = new Set();
+  }
+
+  // 2. Detect dependencies by searching for Ref/Fn::GetAtt
+  const findDependencies = (value: any): string[] => {
+    if (!value || typeof value !== 'object') return [];
+    if (Array.isArray(value)) {
+      return value.flatMap(findDependencies);
+    }
+    if ('Ref' in value) {
+      return [value.Ref];
+    }
+    if ('Fn::GetAtt' in value) {
+      const refTarget = Array.isArray(value['Fn::GetAtt']) ? value['Fn::GetAtt'][0] : value['Fn::GetAtt'].split('.')[0];
+      return [refTarget];
+    }
+    if ('DependsOn' in value) {
+      return [value.DependsOn];
+    }
+    return Object.values(value).flatMap(findDependencies);
+  };
+
+  for (const [id, res] of Object.entries(resources)) {
+    const deps = findDependencies(res || {});
+    for (const dep of deps) {
+      if (dep in resources && dep !== id) {
+        graph[id].add(dep);
+        reverseGraph[dep].add(id);
+      }
+    }
+  }
+
+  // 3. Topological sort
+  const outDegree = Object.keys(graph).reduce((acc, k) => {
+    acc[k] = graph[k].size;
+    return acc;
+  }, {} as Record<string, number>);
+
+  const queue = Object.keys(outDegree).filter((k) => outDegree[k] === 0);
+  const order: string[] = [];
+
+  while (queue.length > 0) {
+    const node = queue.shift()!;
+    order.push(node);
+    for (const nxt of reverseGraph[node]) {
+      outDegree[nxt]--;
+      if (outDegree[nxt] === 0) {
+        queue.push(nxt);
+      }
+    }
+  }
+
+  // 4. Compute digests in sorted order
+  const result: Record<string, string> = {};
+  for (const id of order) {
+    const resource = resources[id];
+    const depDigests = Array.from(graph[id]).map((d) => result[d]);
+    const propsWithoutRefs = hashObject(stripReferences(stripConstructPath(resource)));
+    const toHash = resource.Type + propsWithoutRefs + depDigests.join('');
+    result[id] = crypto.createHash('sha256').update(toHash).digest('hex');
+  }
+
+  return result;
+}
+
+export function hashObject(obj: any): string {
+  const hash = crypto.createHash('sha256');
+
+  function addToHash(value: any) {
+    if (value == null) {
+      addToHash('null');
+    } else if (typeof value === 'object') {
+      if (Array.isArray(value)) {
+        value.forEach(addToHash);
+      } else {
+        Object.keys(value)
+          .sort()
+          .forEach((key) => {
+            hash.update(key);
+            addToHash(value[key]);
+          });
+      }
+    } else {
+      hash.update(typeof value + value.toString());
+    }
+  }
+
+  addToHash(obj);
+  return hash.digest('hex');
+}
+
+/**
+ * Removes sub-properties containing Ref or Fn::GetAtt to avoid hashing
+ * references themselves but keeps the property structure.
+ */
+function stripReferences(value: any): any {
+  if (!value || typeof value !== 'object') return value;
+  if (Array.isArray(value)) {
+    return value.map(stripReferences);
+  }
+  if ('Ref' in value) {
+    return { __cloud_ref__: 'Ref' };
+  }
+  if ('Fn::GetAtt' in value) {
+    return { __cloud_ref__: 'Fn::GetAtt' };
+  }
+  if ('DependsOn' in value) {
+    return { __cloud_ref__: 'DependsOn' };
+  }
+  const result: any = {};
+  for (const [k, v] of Object.entries(value)) {
+    result[k] = stripReferences(v);
+  }
+  return result;
+}
+
+function stripConstructPath(resource: any): any {
+  if (resource?.Metadata?.['aws:cdk:path'] == null) {
+    return resource;
+  }
+
+  const copy = JSON.parse(JSON.stringify(resource));
+  delete copy.Metadata['aws:cdk:path'];
+  return copy;
+}