feat(cli): cdk diff works for Nested Stacks

packages/aws-cdk/lib/api/cloudformation-deployments.ts

@@ -1,5 +1,8 @@
+import * as path from 'path';
 import * as cxapi from '@aws-cdk/cx-api';
 import { AssetManifest } from 'cdk-assets';
+import * as fs from 'fs-extra';
+import { LazyListStackResources, ListStackResources } from '../api/evaluate-cloudformation-template';
 import { Tag } from '../cdk-toolkit';
 import { debug, warning } from '../logging';
 import { publishAssets } from '../util/asset-publishing';
@@ -293,25 +296,21 @@ export class CloudFormationDeployments {
     this.sdkProvider = props.sdkProvider;
   }
 
-  public async readCurrentTemplate(stackArtifact: cxapi.CloudFormationStackArtifact): Promise<Template> {
-    debug(`Reading existing template for stack ${stackArtifact.displayName}.`);
-    let stackSdk: ISDK | undefined = undefined;
-    // try to assume the lookup role and fallback to the deploy role
-    try {
-      const result = await prepareSdkWithLookupRoleFor(this.sdkProvider, stackArtifact);
-      if (result.didAssumeRole) {
-        stackSdk = result.sdk;
-      }
-    } catch { }
+  public async readCurrentTemplateWithNestedStacks(rootStackArtifact: cxapi.CloudFormationStackArtifact): Promise<Template> {
+    const sdk = await this.prepareSdkWithLookupOrDeployRole(rootStackArtifact);
+    const deployedTemplate = await this.readCurrentTemplate(rootStackArtifact, sdk);
+    await this.replaceNestedStacksInRootStack(rootStackArtifact, deployedTemplate, sdk);
 
-    if (!stackSdk) {
-      stackSdk = (await this.prepareSdkFor(stackArtifact, undefined, Mode.ForReading)).stackSdk;
-    }
+    return deployedTemplate;
+  }
 
-    const cfn = stackSdk.cloudFormation();
+  public async readCurrentTemplate(stackArtifact: cxapi.CloudFormationStackArtifact, sdk?: ISDK): Promise<Template> {
+    debug(`Reading existing template for stack ${stackArtifact.displayName}.`);
+    if (!sdk) {
+      sdk = await this.prepareSdkWithLookupOrDeployRole(stackArtifact);
+    }
 
-    const stack = await CloudFormationStack.lookup(cfn, stackArtifact.stackName);
-    return stack.template();
+    return this.readCurrentStackTemplate(stackArtifact.stackName, sdk);
   }
 
   public async deployStack(options: DeployStackOptions): Promise<DeployStackResult> {
@@ -372,6 +371,123 @@ export class CloudFormationDeployments {
     return stack.exists;
   }
 
+  private async prepareSdkWithLookupOrDeployRole(stackArtifact: cxapi.CloudFormationStackArtifact): Promise<ISDK> {
+    // try to assume the lookup role
+    try {
+      const result = await prepareSdkWithLookupRoleFor(this.sdkProvider, stackArtifact);
+      if (result.didAssumeRole) {
+        return result.sdk;
+      }
+    } catch { }
+
+    // fall back to the deploy role
+    return (await this.prepareSdkFor(stackArtifact, undefined, Mode.ForReading)).stackSdk;
+  }
+
+  private async readCurrentStackTemplate(stackName: string, stackSdk: ISDK) : Promise<Template> {
+    // if `stackName !== stackArtifact.stackName`, then `stackArtifact` is an ancestor to a nested stack with name `stackName`.
+    const cfn = stackSdk.cloudFormation();
+    const stack = await CloudFormationStack.lookup(cfn, stackName);
+    return stack.template();
+  }
+
+  private async replaceNestedStacksInRootStack(
+    rootStackArtifact: cxapi.CloudFormationStackArtifact, deployedTemplate: any, sdk: ISDK,
+  ): Promise<void> {
+    await this.replaceNestedStacksInParentTemplate(
+      rootStackArtifact, rootStackArtifact.template, deployedTemplate, rootStackArtifact.stackName, sdk,
+    );
+  }
+
+  private async replaceNestedStacksInParentTemplate(
+    rootStackArtifact: cxapi.CloudFormationStackArtifact,
+    generatedParentTemplate: any,
+    deployedParentTemplate: any,
+    parentStackName: string | undefined,
+    sdk: ISDK,
+  ): Promise<void> {
+    const listStackResources = parentStackName ? new LazyListStackResources(sdk, parentStackName) : undefined;
+    const parentStackResources = Object.entries(generatedParentTemplate.Resources ?? {});
+    for (const [nestedStackLogicalId, nestedStackResource] of parentStackResources) {
+      if (!this.isCdkManagedNestedStack(nestedStackResource)) {
+        continue;
+      }
+
+      const assetPath = nestedStackResource.Metadata['aws:asset:path'];
+      const nestedStackTemplates = await this.getNestedStackTemplates(
+        rootStackArtifact, assetPath, nestedStackLogicalId, parentStackName, listStackResources, sdk,
+      );
+
+      if (!generatedParentTemplate.Resources[nestedStackLogicalId].Properties) {
+        generatedParentTemplate.Resources[nestedStackLogicalId].Properties = {};
+      }
+      generatedParentTemplate.Resources[nestedStackLogicalId].Properties.NestedTemplate = nestedStackTemplates.generatedNestedTemplate;
+
+      if (!deployedParentTemplate.Resources) {
+        deployedParentTemplate.Resources = {};
+      }
+      if (!deployedParentTemplate.Resources[nestedStackLogicalId]) {
+        deployedParentTemplate.Resources[nestedStackLogicalId] = {};
+        deployedParentTemplate.Resources[nestedStackLogicalId].Type = 'AWS::CloudFormation::Stack';
+      }
+      if (!deployedParentTemplate.Resources[nestedStackLogicalId].Properties) {
+        deployedParentTemplate.Resources[nestedStackLogicalId].Properties = {};
+      }
+      deployedParentTemplate.Resources[nestedStackLogicalId].Properties.NestedTemplate = nestedStackTemplates.deployedNestedTemplate;
+
+      await this.replaceNestedStacksInParentTemplate(
+        rootStackArtifact,
+        generatedParentTemplate.Resources[nestedStackLogicalId].Properties.NestedTemplate,
+        deployedParentTemplate.Resources[nestedStackLogicalId].Properties.NestedTemplate ?? {},
+        nestedStackTemplates.nestedStackName,
+        sdk,
+      );
+    }
+  }
+
+  private async getNestedStackTemplates(
+    rootStackArtifact: cxapi.CloudFormationStackArtifact, nestedTemplateAssetPath: string, nestedStackLogicalId: string,
+    parentStackName: string | undefined, listStackResources: ListStackResources | undefined, sdk: ISDK,
+  ): Promise<NestedStackTemplates> {
+    const nestedTemplatePath = path.join(rootStackArtifact.assembly.directory, nestedTemplateAssetPath);
+    const nestedStackArn = await this.getNestedStackArn(nestedStackLogicalId, parentStackName, listStackResources);
+
+    // CFN generates the nested stack name in the form `ParentStackName-NestedStackLogicalID-SomeHashWeCan'tCompute,
+    // the arn is of the form: arn:aws:cloudformation:region:123456789012:stack/NestedStackName/AnotherHashWeDon'tNeed
+    // so we get the ARN and manually extract the name.
+    const nestedStackName = nestedStackArn?.slice(nestedStackArn.indexOf('/') + 1, nestedStackArn.lastIndexOf('/'));
+
+    return {
+      generatedNestedTemplate: JSON.parse(fs.readFileSync(nestedTemplatePath, 'utf-8')),
+      deployedNestedTemplate: nestedStackName
+        ? await this.readCurrentStackTemplate(nestedStackName, sdk)
+        : {},
+      nestedStackName,
+    };
+  }
+
+  private async getNestedStackArn(
+    nestedStackLogicalId: string, parentStackName?: string, listStackResources?: ListStackResources,
+  ): Promise<string | undefined> {
+    try {
+      const stackResources = await listStackResources?.listStackResources();
+
+      if (stackResources) {
+        return stackResources.find(sr => sr.LogicalResourceId === nestedStackLogicalId)?.PhysicalResourceId;
+      }
+    } catch (e) {
+      if (e.message !== `Stack with id ${parentStackName} does not exist`) {
+        throw e;
+      }
+    }
+
+    return undefined;
+  }
+
+  private isCdkManagedNestedStack(stackResource: any): stackResource is NestedStackResource {
+    return stackResource.Type === 'AWS::CloudFormation::Stack' && stackResource.Metadata && stackResource.Metadata['aws:asset:path'];
+  }
+
   /**
    * Get the environment necessary for touching the given stack
    *
@@ -453,3 +569,13 @@ export class CloudFormationDeployments {
 function isAssetManifestArtifact(art: cxapi.CloudArtifact): art is cxapi.AssetManifestArtifact {
   return art instanceof cxapi.AssetManifestArtifact;
 }
+
+interface NestedStackTemplates {
+  readonly generatedNestedTemplate: any,
+  readonly deployedNestedTemplate: any,
+  readonly nestedStackName: string | undefined,
+}
+
+interface NestedStackResource {
+  readonly Metadata: { 'aws:asset:path': string };
+}

packages/aws-cdk/lib/api/hotswap-deployments.ts

@@ -234,4 +234,3 @@ async function applyHotswappableChange(sdk: ISDK, hotswapOperation: HotswapOpera
     sdk.removeCustomUserAgent(customUserAgent);
   }
 }
-

packages/aws-cdk/lib/cdk-toolkit.ts

@@ -1,8 +1,8 @@
 import * as path from 'path';
 import { format } from 'util';
 import * as cxapi from '@aws-cdk/cx-api';
-import * as chokidar from 'chokidar';
 import * as chalk from 'chalk';
+import * as chokidar from 'chokidar';
 import * as fs from 'fs-extra';
 import * as promptly from 'promptly';
 import { environmentsFromDescriptors, globEnvironmentsFromStacks, looksLikeGlob } from '../lib/api/cxapp/environments';
@@ -104,7 +104,7 @@ export class CdkToolkit {
       // Compare N stacks against deployed templates
       for (const stack of stacks.stackArtifacts) {
         stream.write(format('Stack %s\n', chalk.bold(stack.displayName)));
-        const currentTemplate = await this.props.cloudFormation.readCurrentTemplate(stack);
+        const currentTemplate = await this.props.cloudFormation.readCurrentTemplateWithNestedStacks(stack);
         diffs += options.securityOnly
           ? numberFromBool(printSecurityDiff(currentTemplate, stack, RequireApproval.Broadening))
           : printStackDiff(currentTemplate, stack, strict, contextLines, stream);