feat(cli): hotswap support for resources in nested stacks (#18950)

Resources in nested stacks can now be hotswapped.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: comcalvi

packages/aws-cdk/README.md

@@ -348,7 +348,8 @@ $ cdk deploy --hotswap [StackNames]
 This will attempt to perform a faster, short-circuit deployment if possible
 (for example, if you only changed the code of a Lambda function in your CDK app,
 but nothing else in your CDK code),
-skipping CloudFormation, and updating the affected resources directly.
+skipping CloudFormation, and updating the affected resources directly;
+this includes changes to resources in nested stacks.
 If the tool detects that the change does not support hotswapping,
 it will fall back and perform a full CloudFormation deployment,
 exactly like `cdk deploy` does without the `--hotswap` flag.

packages/aws-cdk/lib/api/cloudformation-deployments.ts

@@ -1,15 +1,13 @@
-import * as path from 'path';
 import * as cxapi from '@aws-cdk/cx-api';
 import { AssetManifest } from 'cdk-assets';
-import * as fs from 'fs-extra';
 import { Tag } from '../cdk-toolkit';
 import { debug, warning } from '../logging';
 import { publishAssets } from '../util/asset-publishing';
 import { Mode } from './aws-auth/credentials';
 import { ISDK } from './aws-auth/sdk';
 import { SdkProvider } from './aws-auth/sdk-provider';
 import { deployStack, DeployStackResult, destroyStack } from './deploy-stack';
-import { LazyListStackResources, ListStackResources } from './evaluate-cloudformation-template';
+import { loadCurrentTemplateWithNestedStacks, loadCurrentTemplate } from './nested-stack-helpers';
 import { ToolkitInfo } from './toolkit-info';
 import { CloudFormationStack, Template } from './util/cloudformation';
 import { StackActivityProgress } from './util/cloudformation/stack-activity-monitor';
@@ -283,21 +281,13 @@ export class CloudFormationDeployments {
 
   public async readCurrentTemplateWithNestedStacks(rootStackArtifact: cxapi.CloudFormationStackArtifact): Promise<Template> {
     const sdk = await this.prepareSdkWithLookupOrDeployRole(rootStackArtifact);
-    const deployedTemplate = await this.readCurrentTemplate(rootStackArtifact, sdk);
-    await this.addNestedTemplatesToGeneratedAndDeployedStacks(rootStackArtifact, sdk, {
-      generatedTemplate: rootStackArtifact.template,
-      deployedTemplate: deployedTemplate,
-      deployedStackName: rootStackArtifact.stackName,
-    });
-    return deployedTemplate;
+    return (await loadCurrentTemplateWithNestedStacks(rootStackArtifact, sdk)).deployedTemplate;
   }
 
-  public async readCurrentTemplate(stackArtifact: cxapi.CloudFormationStackArtifact, sdk?: ISDK): Promise<Template> {
+  public async readCurrentTemplate(stackArtifact: cxapi.CloudFormationStackArtifact): Promise<Template> {
     debug(`Reading existing template for stack ${stackArtifact.displayName}.`);
-    if (!sdk) {
-      sdk = await this.prepareSdkWithLookupOrDeployRole(stackArtifact);
-    }
-    return this.readCurrentStackTemplate(stackArtifact.stackName, sdk);
+    const sdk = await this.prepareSdkWithLookupOrDeployRole(stackArtifact);
+    return loadCurrentTemplate(stackArtifact, sdk);
   }
 
   public async deployStack(options: DeployStackOptions): Promise<DeployStackResult> {
@@ -370,83 +360,6 @@ export class CloudFormationDeployments {
     return (await this.prepareSdkFor(stackArtifact, undefined, Mode.ForReading)).stackSdk;
   }
 
-  private async readCurrentStackTemplate(stackName: string, stackSdk: ISDK) : Promise<Template> {
-    const cfn = stackSdk.cloudFormation();
-    const stack = await CloudFormationStack.lookup(cfn, stackName);
-    return stack.template();
-  }
-
-  private async addNestedTemplatesToGeneratedAndDeployedStacks(
-    rootStackArtifact: cxapi.CloudFormationStackArtifact,
-    sdk: ISDK,
-    parentTemplates: StackTemplates,
-  ): Promise<void> {
-    const listStackResources = parentTemplates.deployedStackName ? new LazyListStackResources(sdk, parentTemplates.deployedStackName) : undefined;
-    for (const [nestedStackLogicalId, generatedNestedStackResource] of Object.entries(parentTemplates.generatedTemplate.Resources ?? {})) {
-      if (!this.isCdkManagedNestedStack(generatedNestedStackResource)) {
-        continue;
-      }
-
-      const assetPath = generatedNestedStackResource.Metadata['aws:asset:path'];
-      const nestedStackTemplates = await this.getNestedStackTemplates(rootStackArtifact, assetPath, nestedStackLogicalId, listStackResources, sdk);
-
-      generatedNestedStackResource.Properties.NestedTemplate = nestedStackTemplates.generatedTemplate;
-
-      const deployedParentTemplate = parentTemplates.deployedTemplate;
-      deployedParentTemplate.Resources = deployedParentTemplate.Resources ?? {};
-      const deployedNestedStackResource = deployedParentTemplate.Resources[nestedStackLogicalId] ?? {};
-      deployedParentTemplate.Resources[nestedStackLogicalId] = deployedNestedStackResource;
-      deployedNestedStackResource.Type = deployedNestedStackResource.Type ?? 'AWS::CloudFormation::Stack';
-      deployedNestedStackResource.Properties = deployedNestedStackResource.Properties ?? {};
-      deployedNestedStackResource.Properties.NestedTemplate = nestedStackTemplates.deployedTemplate;
-
-      await this.addNestedTemplatesToGeneratedAndDeployedStacks(
-        rootStackArtifact,
-        sdk,
-        nestedStackTemplates,
-      );
-    }
-  }
-
-  private async getNestedStackTemplates(
-    rootStackArtifact: cxapi.CloudFormationStackArtifact, nestedTemplateAssetPath: string, nestedStackLogicalId: string,
-    listStackResources: ListStackResources | undefined, sdk: ISDK,
-  ): Promise<StackTemplates> {
-    const nestedTemplatePath = path.join(rootStackArtifact.assembly.directory, nestedTemplateAssetPath);
-
-    // CFN generates the nested stack name in the form `ParentStackName-NestedStackLogicalID-SomeHashWeCan'tCompute,
-    // the arn is of the form: arn:aws:cloudformation:region:123456789012:stack/NestedStackName/AnotherHashWeDon'tNeed
-    // so we get the ARN and manually extract the name.
-    const nestedStackArn = await this.getNestedStackArn(nestedStackLogicalId, listStackResources);
-    const deployedStackName = nestedStackArn?.slice(nestedStackArn.indexOf('/') + 1, nestedStackArn.lastIndexOf('/'));
-
-    return {
-      generatedTemplate: JSON.parse(fs.readFileSync(nestedTemplatePath, 'utf-8')),
-      deployedTemplate: deployedStackName
-        ? await this.readCurrentStackTemplate(deployedStackName, sdk)
-        : {},
-      deployedStackName,
-    };
-  }
-
-  private async getNestedStackArn(
-    nestedStackLogicalId: string, listStackResources?: ListStackResources,
-  ): Promise<string | undefined> {
-    try {
-      const stackResources = await listStackResources?.listStackResources();
-      return stackResources?.find(sr => sr.LogicalResourceId === nestedStackLogicalId)?.PhysicalResourceId;
-    } catch (e) {
-      if (e.message.startsWith('Stack with id ') && e.message.endsWith(' does not exist')) {
-        return;
-      }
-      throw e;
-    }
-  }
-
-  private isCdkManagedNestedStack(stackResource: any): stackResource is NestedStackResource {
-    return stackResource.Type === 'AWS::CloudFormation::Stack' && stackResource.Metadata && stackResource.Metadata['aws:asset:path'];
-  }
-
   /**
    * Get the environment necessary for touching the given stack
    *
@@ -528,14 +441,3 @@ export class CloudFormationDeployments {
 function isAssetManifestArtifact(art: cxapi.CloudArtifact): art is cxapi.AssetManifestArtifact {
   return art instanceof cxapi.AssetManifestArtifact;
 }
-
-interface StackTemplates {
-  readonly generatedTemplate: any;
-  readonly deployedTemplate: any;
-  readonly deployedStackName: string | undefined;
-}
-
-interface NestedStackResource {
-  readonly Metadata: { 'aws:asset:path': string };
-  readonly Properties: any;
-}

packages/aws-cdk/lib/api/evaluate-cloudformation-template.ts

@@ -1,4 +1,3 @@
-import * as cxapi from '@aws-cdk/cx-api';
 import * as AWS from 'aws-sdk';
 import { ISDK } from './aws-auth';
 
@@ -43,7 +42,7 @@ export interface ResourceDefinition {
 }
 
 export interface EvaluateCloudFormationTemplateProps {
-  readonly stackArtifact: cxapi.CloudFormationStackArtifact;
+  readonly template: Template;
   readonly parameters: { [parameterName: string]: string };
   readonly account: string;
   readonly region: string;
@@ -54,8 +53,8 @@ export interface EvaluateCloudFormationTemplateProps {
 
 export class EvaluateCloudFormationTemplate {
   private readonly stackResources: ListStackResources;
-  private readonly template: { [section: string]: { [headings: string]: any } };
-  private readonly context: { [k: string]: string };
+  private readonly template: Template;
+  private readonly context: { [k: string]: any };
   private readonly account: string;
   private readonly region: string;
   private readonly partition: string;
@@ -64,7 +63,7 @@ export class EvaluateCloudFormationTemplate {
 
   constructor(props: EvaluateCloudFormationTemplateProps) {
     this.stackResources = props.listStackResources;
-    this.template = props.stackArtifact.template;
+    this.template = props.template;
     this.context = {
       'AWS::AccountId': props.account,
       'AWS::Region': props.region,
@@ -77,6 +76,23 @@ export class EvaluateCloudFormationTemplate {
     this.urlSuffix = props.urlSuffix;
   }
 
+  // clones current EvaluateCloudFormationTemplate object, but updates the stack name
+  public createNestedEvaluateCloudFormationTemplate(
+    listNestedStackResources: ListStackResources,
+    nestedTemplate: Template,
+    nestedStackParameters: { [parameterName: string]: any },
+  ) {
+    return new EvaluateCloudFormationTemplate({
+      template: nestedTemplate,
+      parameters: nestedStackParameters,
+      account: this.account,
+      region: this.region,
+      partition: this.partition,
+      urlSuffix: this.urlSuffix,
+      listStackResources: listNestedStackResources,
+    });
+  }
+
   public async establishResourcePhysicalName(logicalId: string, physicalNameInCfnTemplate: any): Promise<string | undefined> {
     if (physicalNameInCfnTemplate != null) {
       try {
@@ -309,6 +325,8 @@ export class EvaluateCloudFormationTemplate {
   }
 }
 
+export type Template = { [section: string]: { [headings: string]: any } };
+
 interface ArnParts {
   readonly partition: string;
   readonly service: string;

packages/aws-cdk/lib/api/hotswap-deployments.ts

@@ -12,6 +12,7 @@ import { isHotswappableEcsServiceChange } from './hotswap/ecs-services';
 import { isHotswappableLambdaFunctionChange } from './hotswap/lambda-functions';
 import { isHotswappableS3BucketDeploymentChange } from './hotswap/s3-bucket-deployments';
 import { isHotswappableStateMachineChange } from './hotswap/stepfunctions-state-machines';
+import { loadCurrentTemplateWithNestedStacks, NestedStackNames } from './nested-stack-helpers';
 import { CloudFormationStack } from './util/cloudformation';
 
 /**
@@ -35,7 +36,7 @@ export async function tryHotswapDeployment(
   // We fetch it lazily, to save a service call, in case all hotswapped resources have their physical names set.
   const listStackResources = new LazyListStackResources(sdk, stackArtifact.stackName);
   const evaluateCfnTemplate = new EvaluateCloudFormationTemplate({
-    stackArtifact,
+    template: stackArtifact.template,
     parameters: assetParams,
     account: resolvedEnv.account,
     region: resolvedEnv.region,
@@ -44,9 +45,12 @@ export async function tryHotswapDeployment(
     listStackResources,
   });
 
-  const currentTemplate = await cloudFormationStack.template();
-  const stackChanges = cfn_diff.diffTemplate(currentTemplate, stackArtifact.template);
-  const hotswappableChanges = await findAllHotswappableChanges(stackChanges, evaluateCfnTemplate);
+  const currentTemplate = await loadCurrentTemplateWithNestedStacks(stackArtifact, sdk);
+  const stackChanges = cfn_diff.diffTemplate(currentTemplate.deployedTemplate, stackArtifact.template);
+  const hotswappableChanges = await findAllHotswappableChanges(
+    stackChanges, evaluateCfnTemplate, sdk, currentTemplate.nestedStackNames,
+  );
+
   if (!hotswappableChanges) {
     // this means there were changes to the template that cannot be short-circuited
     return undefined;
@@ -59,14 +63,28 @@ export async function tryHotswapDeployment(
 }
 
 async function findAllHotswappableChanges(
-  stackChanges: cfn_diff.TemplateDiff, evaluateCfnTemplate: EvaluateCloudFormationTemplate,
+  stackChanges: cfn_diff.TemplateDiff,
+  evaluateCfnTemplate: EvaluateCloudFormationTemplate,
+  sdk: ISDK,
+  nestedStackNames: { [nestedStackName: string]: NestedStackNames },
 ): Promise<HotswapOperation[] | undefined> {
   const resourceDifferences = getStackResourceDifferences(stackChanges);
 
   let foundNonHotswappableChange = false;
   const promises: Array<Array<Promise<ChangeHotswapResult>>> = [];
+  const hotswappableResources = new Array<HotswapOperation>();
+
   // gather the results of the detector functions
   for (const [logicalId, change] of Object.entries(resourceDifferences)) {
+    if (change.newValue?.Type === 'AWS::CloudFormation::Stack' && change.oldValue?.Type === 'AWS::CloudFormation::Stack') {
+      const nestedHotswappableResources = await findNestedHotswappableChanges(logicalId, change, nestedStackNames, evaluateCfnTemplate, sdk);
+      if (!nestedHotswappableResources) {
+        return undefined;
+      }
+      hotswappableResources.push(...nestedHotswappableResources);
+      continue;
+    }
+
     const resourceHotswapEvaluation = isCandidateForHotswapping(change);
 
     if (resourceHotswapEvaluation === ChangeHotswapImpact.REQUIRES_FULL_DEPLOYMENT) {
@@ -92,7 +110,6 @@ async function findAllHotswappableChanges(
     changesDetectionResults.push(hotswapDetectionResults);
   }
 
-  const hotswappableResources = new Array<HotswapOperation>();
   for (const hotswapDetectionResults of changesDetectionResults) {
     const perChangeHotswappableResources = new Array<HotswapOperation>();
 
@@ -165,6 +182,32 @@ function filterDict<T>(dict: { [key: string]: T }, func: (t: T) => boolean): { [
   }, {} as { [key: string]: T });
 }
 
+/** Finds any hotswappable changes in all nested stacks. */
+async function findNestedHotswappableChanges(
+  logicalId: string,
+  change: cfn_diff.ResourceDifference,
+  nestedStackNames: { [nestedStackName: string]: NestedStackNames },
+  evaluateCfnTemplate: EvaluateCloudFormationTemplate,
+  sdk: ISDK,
+): Promise<HotswapOperation[] | undefined> {
+  const nestedStackName = nestedStackNames[logicalId].nestedStackPhysicalName;
+  // the stack name could not be found in CFN, so this is a newly created nested stack
+  if (!nestedStackName) {
+    return undefined;
+  }
+
+  const nestedStackParameters = await evaluateCfnTemplate.evaluateCfnExpression(change.newValue?.Properties?.Parameters);
+  const evaluateNestedCfnTemplate = evaluateCfnTemplate.createNestedEvaluateCloudFormationTemplate(
+    new LazyListStackResources(sdk, nestedStackName), change.newValue?.Properties?.NestedTemplate, nestedStackParameters,
+  );
+
+  const nestedDiff = cfn_diff.diffTemplate(
+    change.oldValue?.Properties?.NestedTemplate, change.newValue?.Properties?.NestedTemplate,
+  );
+
+  return findAllHotswappableChanges(nestedDiff, evaluateNestedCfnTemplate, sdk, nestedStackNames[logicalId].nestedChildStackNames);
+}
+
 /** Returns 'true' if a pair of changes is for the same resource. */
 function changesAreForSameResource(oldChange: cfn_diff.ResourceDifference, newChange: cfn_diff.ResourceDifference): boolean {
   return oldChange.oldResourceType === newChange.newResourceType &&
@@ -201,6 +244,11 @@ function isCandidateForHotswapping(change: cfn_diff.ResourceDifference): Hotswap
     return ChangeHotswapImpact.REQUIRES_FULL_DEPLOYMENT;
   }
 
+  // a resource has had its type changed
+  if (change.newValue.Type !== change.oldValue.Type) {
+    return ChangeHotswapImpact.REQUIRES_FULL_DEPLOYMENT;
+  }
+
   // Ignore Metadata changes
   if (change.newValue.Type === 'AWS::CDK::Metadata') {
     return ChangeHotswapImpact.IRRELEVANT;

packages/aws-cdk/lib/api/logs/find-cloudwatch-logs.ts

@@ -56,7 +56,7 @@ export async function findCloudWatchLogGroups(
 
   const listStackResources = new LazyListStackResources(sdk, stackArtifact.stackName);
   const evaluateCfnTemplate = new EvaluateCloudFormationTemplate({
-    stackArtifact,
+    template: stackArtifact.template,
     parameters: {},
     account: resolvedEnv.account,
     region: resolvedEnv.region,