@aws-cdk/integ-runner 2.197.17 → 2.197.18

package/lib/workers/extract/index.js

@@ -4672,7 +4672,7 @@ var require_semver2 = __commonJS({
 // ../cloud-assembly-schema/cli-version.json
 var require_cli_version = __commonJS({
   "../cloud-assembly-schema/cli-version.json"(exports2, module2) {
-    module2.exports = { version: "2.1118.4" };
+    module2.exports = { version: "2.1119.0" };
   }
 });
 
@@ -293628,6 +293628,26 @@ async function waitForChangeSet(cfn, ioHelper, stackName, changeSetName, { fetch
   }
   return ret;
 }
+async function waitForChangeSetGone(cfn, ioHelper, stackName, changeSetName) {
+  await ioHelper.defaults.debug((0, import_util26.format)("Waiting for changeset %s on stack %s to finish deleting...", changeSetName, stackName));
+  await waitFor(async () => {
+    try {
+      const description = await cfn.describeChangeSet({
+        StackName: stackName,
+        ChangeSetName: changeSetName
+      });
+      if (description.Status === import_client_cloudformation3.ChangeSetStatus.DELETE_COMPLETE || description.Status === import_client_cloudformation3.ChangeSetStatus.DELETE_FAILED) {
+        return true;
+      }
+      return void 0;
+    } catch (e6) {
+      if (e6.name === "ChangeSetNotFoundException") {
+        return true;
+      }
+      throw e6;
+    }
+  });
+}
 async function createDiffChangeSet(ioHelper, options) {
   return uploadBodyParameterAndCreateChangeSet(ioHelper, {
     ...options,
@@ -293824,6 +293844,7 @@ var init_cfn_api = __esm({
     __name(describeChangeSet, "describeChangeSet");
     __name(waitFor, "waitFor");
     __name(waitForChangeSet, "waitForChangeSet");
+    __name(waitForChangeSetGone, "waitForChangeSetGone");
     __name(createDiffChangeSet, "createDiffChangeSet");
     __name(templatesFromAssetManifestArtifact, "templatesFromAssetManifestArtifact");
     __name(uploadBodyParameterAndCreateChangeSet, "uploadBodyParameterAndCreateChangeSet");
@@ -312007,16 +312028,19 @@ var init_early_validation = __esm({
   "../toolkit-lib/lib/api/deployments/early-validation.ts"() {
     "use strict";
     EarlyValidationReporter = class {
-      constructor(sdk, envResources) {
+      constructor(sdk, envResources, ioHelper) {
         this.sdk = sdk;
         this.envResources = envResources;
+        this.ioHelper = ioHelper;
       }
       sdk;
       envResources;
+      ioHelper;
       static {
         __name(this, "EarlyValidationReporter");
       }
       async fetchDetails(changeSetName, stackName) {
+        const summary = `Early validation failed for stack '${stackName}' (ChangeSet '${changeSetName}')`;
         let operationEvents = [];
         try {
           operationEvents = await this.getFailedEvents(stackName, changeSetName);
@@ -312026,12 +312050,12 @@ var init_early_validation = __esm({
             currentVersion = (await this.envResources.lookupToolkit()).version;
           } catch (e6) {
           }
-          return `The template cannot be deployed because of early validation errors, but retrieving more details about those
-errors failed (${error4}). Make sure you have permissions to call the DescribeEvents API, or re-bootstrap
-your environment by running 'cdk bootstrap' to update the Bootstrap CDK Toolkit stack.
-Bootstrap toolkit stack version 30 or later is needed; current version: ${currentVersion ?? "unknown"}.`;
+          await this.ioHelper.defaults.warn(
+            `Could not retrieve additional details about early validation errors (${error4}). Make sure you have permissions to call the DescribeEvents API, or re-bootstrap your environment by running 'cdk bootstrap' to update the Bootstrap CDK Toolkit stack. Bootstrap toolkit stack version 30 or later is needed; current version: ${currentVersion ?? "unknown"}.`
+          );
+          return summary;
         }
-        let message2 = `ChangeSet '${changeSetName}' on stack '${stackName}' failed early validation`;
+        let message2 = summary;
         if (operationEvents.length > 0) {
           const failures = operationEvents.map((event) => `  - ${event.ValidationStatusReason} (at ${event.ValidationPath})`).join("\n");
           message2 += `:
@@ -312452,7 +312476,7 @@ var init_deploy_stack = __esm({
         await this.ioHelper.defaults.debug((0, import_util51.format)("Initiated creation of changeset: %s; waiting for it to finish creating...", changeSet.Id));
         const environmentResourcesRegistry = new EnvironmentResourcesRegistry();
         const envResources = environmentResourcesRegistry.for(this.options.resolvedEnvironment, this.options.sdk, this.ioHelper);
-        const validationReporter = new EarlyValidationReporter(this.options.sdk, envResources);
+        const validationReporter = new EarlyValidationReporter(this.options.sdk, envResources, this.ioHelper);
         try {
           return await waitForChangeSet(this.cfn, this.ioHelper, this.stackName, changeSetName, {
             fetchAll: willExecute,
@@ -312519,6 +312543,7 @@ var init_deploy_stack = __esm({
             StackName: this.stackName,
             ChangeSetName: changeSetName
           });
+          await waitForChangeSetGone(this.cfn, this.ioHelper, this.stackName, changeSetName);
         }
       }
       async updateTerminationProtection() {
@@ -313064,6 +313089,304 @@ var init_deployments2 = __esm({
   }
 });
 
+// ../toolkit-lib/lib/api/streams.ts
+var import_node_stream2, StringWriteStream;
+var init_streams = __esm({
+  "../toolkit-lib/lib/api/streams.ts"() {
+    "use strict";
+    import_node_stream2 = require("node:stream");
+    StringWriteStream = class extends import_node_stream2.Writable {
+      static {
+        __name(this, "StringWriteStream");
+      }
+      buffer = [];
+      /**
+       * Terminal width in columns.
+       * Used by formatTable() to apply width constraints and prevent table overflow.
+       */
+      get columns() {
+        return process.stdout.columns;
+      }
+      constructor() {
+        super();
+      }
+      _write(chunk, _encoding, callback) {
+        this.buffer.push(chunk.toString());
+        callback();
+      }
+      toString() {
+        return this.buffer.join("");
+      }
+    };
+  }
+});
+
+// ../toolkit-lib/lib/api/diff/diff-formatter.ts
+function permissionTypeFromDiff(diff) {
+  if (diff.permissionsBroadened) {
+    return "broadening" /* BROADENING */;
+  } else if (diff.permissionsAnyChanges) {
+    return "non-broadening" /* NON_BROADENING */;
+  }
+  return "none" /* NONE */;
+}
+function buildLogicalToPathMap(stack) {
+  const map2 = {};
+  for (const md of stack.findMetadataByType(cxschema9.ArtifactMetadataEntryType.LOGICAL_ID)) {
+    map2[md.data] = md.path;
+  }
+  return map2;
+}
+function logicalIdMapFromTemplate(template) {
+  const ret = {};
+  for (const [logicalId, resource] of Object.entries(template.Resources ?? {})) {
+    const path38 = resource?.Metadata?.["aws:cdk:path"];
+    if (path38) {
+      ret[logicalId] = path38;
+    }
+  }
+  return ret;
+}
+function obscureDiff(diff) {
+  if (diff.unknown) {
+    diff.unknown = diff.unknown.filter((change) => {
+      if (!change) {
+        return true;
+      }
+      if (change.newValue?.CheckBootstrapVersion) {
+        return false;
+      }
+      if (change.oldValue?.CheckBootstrapVersion) {
+        return false;
+      }
+      return true;
+    });
+  }
+  if (diff.resources) {
+    diff.resources = diff.resources.filter((change) => {
+      if (!change) {
+        return true;
+      }
+      if (change.newResourceType === "AWS::CDK::Metadata") {
+        return false;
+      }
+      if (change.oldResourceType === "AWS::CDK::Metadata") {
+        return false;
+      }
+      return true;
+    });
+  }
+}
+var import_node_util3, cxschema9, import_cloudformation_diff, chalk17, DiffFormatter;
+var init_diff_formatter = __esm({
+  "../toolkit-lib/lib/api/diff/diff-formatter.ts"() {
+    "use strict";
+    import_node_util3 = require("node:util");
+    cxschema9 = __toESM(require_lib2());
+    import_cloudformation_diff = __toESM(require_lib11());
+    chalk17 = __toESM(require_source());
+    init_payloads();
+    init_streams();
+    DiffFormatter = class {
+      static {
+        __name(this, "DiffFormatter");
+      }
+      templateInfo;
+      stackName;
+      isImport;
+      mappings;
+      /**
+       * Cache of computed TemplateDiffs, indexed by stack name.
+       */
+      cache = /* @__PURE__ */ new Map();
+      constructor(props) {
+        this.templateInfo = props.templateInfo;
+        this.stackName = props.templateInfo.newTemplate.displayName ?? props.templateInfo.newTemplate.stackName;
+        this.isImport = props.templateInfo.isImport ?? false;
+        this.mappings = props.templateInfo.mappings ?? {};
+      }
+      get diffs() {
+        return Object.fromEntries(this.cache);
+      }
+      /**
+       * Compute the diff for a single stack. Results are cached by stack name.
+       *
+       * @param stackName - The name to cache the diff under
+       * @param oldTemplate - The deployed template
+       * @param newTemplate - The new/generated template (read from the artifact)
+       * @param changeSet - The CloudFormation changeset for this specific stack, if available
+       * @param mappings - Resource move mappings
+       */
+      computeDiff(stackName, oldTemplate, newTemplate, changeSet, mappings) {
+        if (!this.cache.has(stackName)) {
+          const templateDiff = (0, import_cloudformation_diff.fullDiff)(oldTemplate, newTemplate, changeSet, this.isImport);
+          const setMove = /* @__PURE__ */ __name((change, direction, location) => {
+            if (location != null) {
+              const [sourceStackName, sourceLogicalId] = location.split(".");
+              change.move = {
+                direction,
+                stackName: sourceStackName,
+                resourceLogicalId: sourceLogicalId
+              };
+            }
+          }, "setMove");
+          templateDiff.resources.forEachDifference((id, change) => {
+            const location = `${stackName}.${id}`;
+            if (change.isAddition && Object.values(mappings).includes(location)) {
+              setMove(change, "from", Object.keys(mappings).find((k6) => mappings[k6] === location));
+            } else if (change.isRemoval && Object.keys(mappings).includes(location)) {
+              setMove(change, "to", mappings[location]);
+            }
+          });
+          this.cache.set(stackName, templateDiff);
+        }
+        return this.cache.get(stackName);
+      }
+      /**
+       * Format the stack diff, including all nested stacks.
+       */
+      formatStackDiff(options = {}) {
+        return this.formatStackDiffHelper({
+          oldTemplate: this.templateInfo.oldTemplate,
+          newTemplate: this.templateInfo.newTemplate.template,
+          stackName: this.stackName,
+          nestedStacks: this.templateInfo.nestedStacks,
+          changeSet: this.templateInfo.changeSet,
+          mappings: this.mappings,
+          logicalIdMap: buildLogicalToPathMap(this.templateInfo.newTemplate)
+        }, options);
+      }
+      formatStackDiffHelper(params, options = {}) {
+        const { oldTemplate, newTemplate, stackName, nestedStacks, changeSet, mappings, logicalIdMap } = params;
+        const diff = this.computeDiff(stackName, oldTemplate, newTemplate, changeSet, mappings);
+        const stream = new StringWriteStream();
+        let numStacksWithChanges = 0;
+        let formattedDiff = "";
+        let filteredChangesCount = 0;
+        try {
+          if (stackName && (!options.quiet || !diff.isEmpty)) {
+            stream.write((0, import_node_util3.format)(`Stack ${chalk17.bold(stackName)}
+`));
+          }
+          if (!options.quiet && this.isImport) {
+            stream.write("Parameters and rules created during migration do not affect resource configuration.\n");
+          }
+          let activeDiff = diff;
+          if (diff.differenceCount && !options.strict) {
+            const mangledNewTemplate = JSON.parse((0, import_cloudformation_diff.mangleLikeCloudFormation)(JSON.stringify(newTemplate)));
+            const mangledDiff = (0, import_cloudformation_diff.fullDiff)(oldTemplate, mangledNewTemplate, changeSet);
+            filteredChangesCount = Math.max(0, diff.differenceCount - mangledDiff.differenceCount);
+            if (filteredChangesCount > 0) {
+              activeDiff = mangledDiff;
+            }
+          }
+          if (!options.strict) {
+            obscureDiff(activeDiff);
+          }
+          if (!activeDiff.isEmpty) {
+            numStacksWithChanges++;
+            (0, import_cloudformation_diff.formatDifferences)(stream, activeDiff, {
+              ...logicalIdMapFromTemplate(oldTemplate),
+              ...logicalIdMapFromTemplate(newTemplate),
+              ...logicalIdMap
+            }, options.contextLines);
+          } else if (!options.quiet) {
+            stream.write(chalk17.green("There were no differences\n"));
+          }
+          if (filteredChangesCount > 0) {
+            stream.write(chalk17.yellow(`Omitted ${filteredChangesCount} changes because they are likely mangled non-ASCII characters. Use --strict to print them.
+`));
+          }
+        } finally {
+          formattedDiff = stream.toString();
+          stream.end();
+        }
+        for (const [logicalId, nestedStack] of Object.entries(nestedStacks ?? {})) {
+          const nextDiff = this.formatStackDiffHelper({
+            oldTemplate: nestedStack.deployedTemplate,
+            newTemplate: nestedStack.generatedTemplate,
+            stackName: nestedStack.physicalName ?? logicalId,
+            nestedStacks: nestedStack.nestedStackTemplates,
+            changeSet: nestedStack.changeSet,
+            mappings,
+            logicalIdMap: {}
+          }, options);
+          numStacksWithChanges += nextDiff.numStacksWithChanges;
+          formattedDiff += nextDiff.formattedDiff;
+        }
+        return { numStacksWithChanges, formattedDiff };
+      }
+      /**
+       * Format the security diff, including all nested stacks.
+       */
+      formatSecurityDiff(options = {}) {
+        const { formattedDiff, permissionChangeType, numStacksWithChanges } = this.formatSecurityDiffHelper({
+          oldTemplate: this.templateInfo.oldTemplate,
+          newTemplate: this.templateInfo.newTemplate.template,
+          stackName: this.stackName,
+          nestedStacks: this.templateInfo.nestedStacks,
+          changeSet: this.templateInfo.changeSet,
+          logicalIdMap: buildLogicalToPathMap(this.templateInfo.newTemplate)
+        }, options);
+        return { formattedDiff, permissionChangeType, numStacksWithChanges };
+      }
+      formatSecurityDiffHelper(params, options = {}) {
+        const { oldTemplate, newTemplate, stackName, nestedStacks, changeSet, logicalIdMap } = params;
+        const diff = this.computeDiff(stackName, oldTemplate, newTemplate, changeSet, this.mappings);
+        const permissionChangeType = permissionTypeFromDiff(diff);
+        const stream = new StringWriteStream();
+        if (!options.quiet || permissionChangeType !== "none" /* NONE */) {
+          stream.write((0, import_node_util3.format)(`Stack ${chalk17.bold(stackName)}
+`));
+        }
+        try {
+          (0, import_cloudformation_diff.formatSecurityChanges)(stream, diff, {
+            ...logicalIdMapFromTemplate(newTemplate),
+            ...logicalIdMap
+          });
+        } finally {
+          stream.end();
+        }
+        let formattedDiff = stream.toString();
+        if (!options.quiet && permissionChangeType === "none" /* NONE */) {
+          formattedDiff += chalk17.green("There were no security-related changes (limitations: https://github.com/aws/aws-cdk/issues/1299)\n");
+        }
+        let numStacksWithChanges = permissionChangeType !== "none" /* NONE */ ? 1 : 0;
+        let escalatedPermissionType = permissionChangeType;
+        for (const [logicalId, nestedStack] of Object.entries(nestedStacks ?? {})) {
+          const nestedResult = this.formatSecurityDiffHelper({
+            oldTemplate: nestedStack.deployedTemplate,
+            newTemplate: nestedStack.generatedTemplate,
+            stackName: nestedStack.physicalName ?? logicalId,
+            nestedStacks: nestedStack.nestedStackTemplates,
+            changeSet: nestedStack.changeSet
+          }, options);
+          formattedDiff += nestedResult.formattedDiff ? "\n" + nestedResult.formattedDiff : "";
+          numStacksWithChanges += nestedResult.numStacksWithChanges;
+          if (nestedResult.permissionChangeType === "broadening" /* BROADENING */) {
+            escalatedPermissionType = "broadening" /* BROADENING */;
+          } else if (nestedResult.permissionChangeType === "non-broadening" /* NON_BROADENING */ && escalatedPermissionType === "none" /* NONE */) {
+            escalatedPermissionType = "non-broadening" /* NON_BROADENING */;
+          }
+        }
+        return { formattedDiff, permissionChangeType: escalatedPermissionType, numStacksWithChanges };
+      }
+    };
+    __name(permissionTypeFromDiff, "permissionTypeFromDiff");
+    __name(buildLogicalToPathMap, "buildLogicalToPathMap");
+    __name(logicalIdMapFromTemplate, "logicalIdMapFromTemplate");
+    __name(obscureDiff, "obscureDiff");
+  }
+});
+
+// ../toolkit-lib/lib/api/diff/index.ts
+var init_diff4 = __esm({
+  "../toolkit-lib/lib/api/diff/index.ts"() {
+    "use strict";
+    init_diff_formatter();
+  }
+});
+
 // ../toolkit-lib/lib/api/resource-import/importer.ts
 function fmtdict(xs) {
   return Object.entries(xs).map(([k6, v7]) => `${k6}=${v7}`).join(", ");
@@ -313083,16 +313406,16 @@ function removeNonImportResources(stack) {
   delete template.Outputs;
   return template;
 }
-var import_util54, cfnDiff, chalk17, fs30, ResourceImporter;
+var import_util54, cfnDiff, chalk18, fs30, ResourceImporter;
 var init_importer = __esm({
   "../toolkit-lib/lib/api/resource-import/importer.ts"() {
     "use strict";
     import_util54 = require("util");
     cfnDiff = __toESM(require_lib11());
-    chalk17 = __toESM(require_source());
+    chalk18 = __toESM(require_source());
     fs30 = __toESM(require_lib4());
-    init_toolkit_error();
     init_deployments2();
+    init_diff4();
     init_private();
     ResourceImporter = class {
       static {
@@ -313133,12 +313456,12 @@ var init_importer = __esm({
           const descr = this.describeResource(resource.logicalId);
           const idProps = contents[resource.logicalId];
           if (idProps) {
-            await this.ioHelper.defaults.info((0, import_util54.format)("%s: importing using %s", chalk17.blue(descr), chalk17.blue(fmtdict(idProps))));
+            await this.ioHelper.defaults.info((0, import_util54.format)("%s: importing using %s", chalk18.blue(descr), chalk18.blue(fmtdict(idProps))));
             ret.importResources.push(resource);
             ret.resourceMap[resource.logicalId] = idProps;
             delete contents[resource.logicalId];
           } else {
-            await this.ioHelper.defaults.info((0, import_util54.format)("%s: skipping", chalk17.blue(descr)));
+            await this.ioHelper.defaults.info((0, import_util54.format)("%s: skipping", chalk18.blue(descr)));
           }
         }
         const unknown = Object.keys(contents);
@@ -313182,9 +313505,9 @@ var init_importer = __esm({
           });
           assertIsSuccessfulDeployStackResult(result2);
           const message2 = result2.noOp ? " \u2705  %s (no changes)" : " \u2705  %s";
-          await this.ioHelper.defaults.info("\n" + chalk17.green((0, import_util54.format)(message2, this.stack.displayName)));
+          await this.ioHelper.defaults.info("\n" + chalk18.green((0, import_util54.format)(message2, this.stack.displayName)));
         } catch (e6) {
-          await this.ioHelper.notify(IO.CDK_TOOLKIT_E3900.msg((0, import_util54.format)("\n \u274C  %s failed: %s", chalk17.bold(this.stack.displayName), e6), { error: e6 }));
+          await this.ioHelper.notify(IO.CDK_TOOLKIT_E3900.msg((0, import_util54.format)("\n \u274C  %s failed: %s", chalk18.bold(this.stack.displayName), e6), { error: e6 }));
           throw e6;
         }
       }
@@ -313200,13 +313523,9 @@ var init_importer = __esm({
         const resourceChanges = Object.entries(diff.resources.changes).filter(([logicalId, _2]) => logicalId !== "CDKMetadata");
         const nonAdditions = resourceChanges.filter(([_2, dif]) => !dif.isAddition);
         const additions = resourceChanges.filter(([_2, dif]) => dif.isAddition);
-        if (nonAdditions.length) {
+        if (nonAdditions.length && allowNonAdditions) {
           const offendingResources = nonAdditions.map(([logId, _2]) => this.describeResource(logId));
-          if (allowNonAdditions) {
-            await this.ioHelper.defaults.warn(`Ignoring updated/deleted resources (--force): ${offendingResources.join(", ")}`);
-          } else {
-            throw new ToolkitError("ImportNonAdditionChanges", `No resource updates or deletes are allowed on import operation. Make sure to resolve pending changes to existing resources, before attempting an import. Updated/deleted resources: ${offendingResources.join(", ")} (--force to override)`);
-          }
+          await this.ioHelper.defaults.warn(`Ignoring updated/deleted resources (--force): ${offendingResources.join(", ")}`);
         }
         return {
           additions: additions.map(([logicalId, resourceDiff]) => ({
@@ -313214,7 +313533,14 @@ var init_importer = __esm({
             resourceDiff,
             resourceDefinition: addDefaultDeletionPolicy(this.stack.template?.Resources?.[logicalId] ?? {})
           })),
-          hasNonAdditions: nonAdditions.length > 0
+          hasNonAdditions: nonAdditions.length > 0,
+          nonAdditionNames: nonAdditions.map(([logId, _2]) => this.describeResource(logId)),
+          diffFormatter: new DiffFormatter({
+            templateInfo: {
+              oldTemplate: currentTemplate,
+              newTemplate: this.stack
+            }
+          })
         };
       }
       /**
@@ -313285,7 +313611,7 @@ var init_importer = __esm({
         for (const satisfiedPropSet of satisfiedPropSets) {
           const candidateProps = Object.fromEntries(satisfiedPropSet.map((p6) => [p6, resourceProps[p6]]));
           const displayCandidateProps = fmtdict(candidateProps);
-          const importTheResource = await this.ioHelper.requestResponse(IO.CDK_TOOLKIT_I3100.req(`${chalk17.blue(resourceName)} (${resourceType}): import with ${chalk17.yellow(displayCandidateProps)}`, {
+          const importTheResource = await this.ioHelper.requestResponse(IO.CDK_TOOLKIT_I3100.req(`${chalk18.blue(resourceName)} (${resourceType}): import with ${chalk18.yellow(displayCandidateProps)}`, {
             resource: {
               type: resourceType,
               props: candidateProps,
@@ -313297,13 +313623,13 @@ var init_importer = __esm({
           }
         }
         if (satisfiedPropSets.length > 0) {
-          await this.ioHelper.defaults.info(chalk17.grey(`Skipping import of ${resourceName}`));
+          await this.ioHelper.defaults.info(chalk18.grey(`Skipping import of ${resourceName}`));
           return void 0;
         }
-        const prefix = `${chalk17.blue(resourceName)} (${resourceType})`;
+        const prefix = `${chalk18.blue(resourceName)} (${resourceType})`;
         const promptPattern = `${prefix}: enter %s`;
         if (idPropSets.length > 1) {
-          const preamble = `${prefix}: enter one of ${idPropSets.map((x6) => chalk17.blue(x6.join("+"))).join(", ")} to import (leave all empty to skip)`;
+          const preamble = `${prefix}: enter one of ${idPropSets.map((x6) => chalk18.blue(x6.join("+"))).join(", ")} to import (leave all empty to skip)`;
           await this.ioHelper.defaults.info(preamble);
         }
         for (const idProps of idPropSets) {
@@ -313311,7 +313637,7 @@ var init_importer = __esm({
           for (const idProp of idProps) {
             const defaultValue = resourceProps[idProp] ?? "";
             const response = await this.ioHelper.requestResponse(IO.CDK_TOOLKIT_I3110.req(
-              (0, import_util54.format)(promptPattern, chalk17.blue(idProp)),
+              (0, import_util54.format)(promptPattern, chalk18.blue(idProp)),
               {
                 resource: {
                   name: resourceName,
@@ -313332,7 +313658,7 @@ var init_importer = __esm({
             return input;
           }
         }
-        await this.ioHelper.defaults.info(chalk17.grey(`Skipping import of ${resourceName}`));
+        await this.ioHelper.defaults.info(chalk18.grey(`Skipping import of ${resourceName}`));
         return void 0;
       }
       /**
@@ -313369,11 +313695,11 @@ var init_importer = __esm({
 });
 
 // ../toolkit-lib/lib/api/resource-import/migrator.ts
-var chalk18, fs31, ResourceMigrator;
+var chalk19, fs31, ResourceMigrator;
 var init_migrator = __esm({
   "../toolkit-lib/lib/api/resource-import/migrator.ts"() {
     "use strict";
-    chalk18 = __toESM(require_source());
+    chalk19 = __toESM(require_source());
     fs31 = __toESM(require_lib4());
     init_importer();
     init_util();
@@ -313402,11 +313728,11 @@ var init_migrator = __esm({
         });
         const resourcesToImport = await this.tryGetResources(await migrateDeployment.resolveEnvironment());
         if (resourcesToImport) {
-          await this.ioHelper.defaults.info(`${chalk18.bold(stack.displayName)}: creating stack for resource migration...`);
-          await this.ioHelper.defaults.info(`${chalk18.bold(stack.displayName)}: importing resources into stack...`);
+          await this.ioHelper.defaults.info(`${chalk19.bold(stack.displayName)}: creating stack for resource migration...`);
+          await this.ioHelper.defaults.info(`${chalk19.bold(stack.displayName)}: importing resources into stack...`);
           await this.performResourceMigration(migrateDeployment, resourcesToImport, options);
           fs31.rmSync("migrate.json");
-          await this.ioHelper.defaults.info(`${chalk18.bold(stack.displayName)}: applying CDKMetadata and Outputs to stack (if applicable)...`);
+          await this.ioHelper.defaults.info(`${chalk19.bold(stack.displayName)}: applying CDKMetadata and Outputs to stack (if applicable)...`);
         }
       }
       /**
@@ -313454,38 +313780,6 @@ var init_resource_import = __esm({
   }
 });
 
-// ../toolkit-lib/lib/api/streams.ts
-var import_node_stream2, StringWriteStream;
-var init_streams = __esm({
-  "../toolkit-lib/lib/api/streams.ts"() {
-    "use strict";
-    import_node_stream2 = require("node:stream");
-    StringWriteStream = class extends import_node_stream2.Writable {
-      static {
-        __name(this, "StringWriteStream");
-      }
-      buffer = [];
-      /**
-       * Terminal width in columns.
-       * Used by formatTable() to apply width constraints and prevent table overflow.
-       */
-      get columns() {
-        return process.stdout.columns;
-      }
-      constructor() {
-        super();
-      }
-      _write(chunk, _encoding, callback) {
-        this.buffer.push(chunk.toString());
-        callback();
-      }
-      toString() {
-        return this.buffer.join("");
-      }
-    };
-  }
-});
-
 // ../toolkit-lib/lib/api/refactoring/cloudformation.ts
 var ResourceLocation, ResourceMapping;
 var init_cloudformation3 = __esm({
@@ -314130,13 +314424,13 @@ async function listStacks(sdkProvider, environment) {
 }
 function formatEnvironmentSectionHeader2(environment) {
   const env = `aws://${environment.account}/${environment.region}`;
-  return formatToStream((stream) => (0, import_cloudformation_diff.formatEnvironmentSectionHeader)(stream, env));
+  return formatToStream((stream) => (0, import_cloudformation_diff2.formatEnvironmentSectionHeader)(stream, env));
 }
 function formatTypedMappings2(mappings) {
-  return formatToStream((stream) => (0, import_cloudformation_diff.formatTypedMappings)(stream, mappings));
+  return formatToStream((stream) => (0, import_cloudformation_diff2.formatTypedMappings)(stream, mappings));
 }
 function formatAmbiguousMappings2(paths) {
-  return formatToStream((stream) => (0, import_cloudformation_diff.formatAmbiguousMappings)(stream, paths));
+  return formatToStream((stream) => (0, import_cloudformation_diff2.formatAmbiguousMappings)(stream, paths));
 }
 function formatToStream(cb) {
   const stream = new StringWriteStream();
@@ -314171,11 +314465,11 @@ async function groupStacks(sdkProvider, localStacks, additionalStackNames) {
   }
   return groups;
 }
-var import_cloudformation_diff;
+var import_cloudformation_diff2;
 var init_refactoring = __esm({
   "../toolkit-lib/lib/api/refactoring/index.ts"() {
     "use strict";
-    import_cloudformation_diff = __toESM(require_lib11());
+    import_cloudformation_diff2 = __toESM(require_lib11());
     init_util();
     init_plugin2();
     init_streams();
@@ -315056,272 +315350,6 @@ var init_bootstrap3 = __esm({
   }
 });
 
-// ../toolkit-lib/lib/api/diff/diff-formatter.ts
-function permissionTypeFromDiff(diff) {
-  if (diff.permissionsBroadened) {
-    return "broadening" /* BROADENING */;
-  } else if (diff.permissionsAnyChanges) {
-    return "non-broadening" /* NON_BROADENING */;
-  }
-  return "none" /* NONE */;
-}
-function buildLogicalToPathMap(stack) {
-  const map2 = {};
-  for (const md of stack.findMetadataByType(cxschema9.ArtifactMetadataEntryType.LOGICAL_ID)) {
-    map2[md.data] = md.path;
-  }
-  return map2;
-}
-function logicalIdMapFromTemplate(template) {
-  const ret = {};
-  for (const [logicalId, resource] of Object.entries(template.Resources ?? {})) {
-    const path38 = resource?.Metadata?.["aws:cdk:path"];
-    if (path38) {
-      ret[logicalId] = path38;
-    }
-  }
-  return ret;
-}
-function obscureDiff(diff) {
-  if (diff.unknown) {
-    diff.unknown = diff.unknown.filter((change) => {
-      if (!change) {
-        return true;
-      }
-      if (change.newValue?.CheckBootstrapVersion) {
-        return false;
-      }
-      if (change.oldValue?.CheckBootstrapVersion) {
-        return false;
-      }
-      return true;
-    });
-  }
-  if (diff.resources) {
-    diff.resources = diff.resources.filter((change) => {
-      if (!change) {
-        return true;
-      }
-      if (change.newResourceType === "AWS::CDK::Metadata") {
-        return false;
-      }
-      if (change.oldResourceType === "AWS::CDK::Metadata") {
-        return false;
-      }
-      return true;
-    });
-  }
-}
-var import_node_util3, cxschema9, import_cloudformation_diff2, chalk19, DiffFormatter;
-var init_diff_formatter = __esm({
-  "../toolkit-lib/lib/api/diff/diff-formatter.ts"() {
-    "use strict";
-    import_node_util3 = require("node:util");
-    cxschema9 = __toESM(require_lib2());
-    import_cloudformation_diff2 = __toESM(require_lib11());
-    chalk19 = __toESM(require_source());
-    init_payloads();
-    init_streams();
-    DiffFormatter = class {
-      static {
-        __name(this, "DiffFormatter");
-      }
-      templateInfo;
-      stackName;
-      isImport;
-      mappings;
-      /**
-       * Cache of computed TemplateDiffs, indexed by stack name.
-       */
-      cache = /* @__PURE__ */ new Map();
-      constructor(props) {
-        this.templateInfo = props.templateInfo;
-        this.stackName = props.templateInfo.newTemplate.displayName ?? props.templateInfo.newTemplate.stackName;
-        this.isImport = props.templateInfo.isImport ?? false;
-        this.mappings = props.templateInfo.mappings ?? {};
-      }
-      get diffs() {
-        return Object.fromEntries(this.cache);
-      }
-      /**
-       * Compute the diff for a single stack. Results are cached by stack name.
-       *
-       * @param stackName - The name to cache the diff under
-       * @param oldTemplate - The deployed template
-       * @param newTemplate - The new/generated template (read from the artifact)
-       * @param changeSet - The CloudFormation changeset for this specific stack, if available
-       * @param mappings - Resource move mappings
-       */
-      computeDiff(stackName, oldTemplate, newTemplate, changeSet, mappings) {
-        if (!this.cache.has(stackName)) {
-          const templateDiff = (0, import_cloudformation_diff2.fullDiff)(oldTemplate, newTemplate, changeSet, this.isImport);
-          const setMove = /* @__PURE__ */ __name((change, direction, location) => {
-            if (location != null) {
-              const [sourceStackName, sourceLogicalId] = location.split(".");
-              change.move = {
-                direction,
-                stackName: sourceStackName,
-                resourceLogicalId: sourceLogicalId
-              };
-            }
-          }, "setMove");
-          templateDiff.resources.forEachDifference((id, change) => {
-            const location = `${stackName}.${id}`;
-            if (change.isAddition && Object.values(mappings).includes(location)) {
-              setMove(change, "from", Object.keys(mappings).find((k6) => mappings[k6] === location));
-            } else if (change.isRemoval && Object.keys(mappings).includes(location)) {
-              setMove(change, "to", mappings[location]);
-            }
-          });
-          this.cache.set(stackName, templateDiff);
-        }
-        return this.cache.get(stackName);
-      }
-      /**
-       * Format the stack diff, including all nested stacks.
-       */
-      formatStackDiff(options = {}) {
-        return this.formatStackDiffHelper({
-          oldTemplate: this.templateInfo.oldTemplate,
-          newTemplate: this.templateInfo.newTemplate.template,
-          stackName: this.stackName,
-          nestedStacks: this.templateInfo.nestedStacks,
-          changeSet: this.templateInfo.changeSet,
-          mappings: this.mappings,
-          logicalIdMap: buildLogicalToPathMap(this.templateInfo.newTemplate)
-        }, options);
-      }
-      formatStackDiffHelper(params, options = {}) {
-        const { oldTemplate, newTemplate, stackName, nestedStacks, changeSet, mappings, logicalIdMap } = params;
-        const diff = this.computeDiff(stackName, oldTemplate, newTemplate, changeSet, mappings);
-        const stream = new StringWriteStream();
-        let numStacksWithChanges = 0;
-        let formattedDiff = "";
-        let filteredChangesCount = 0;
-        try {
-          if (stackName && (!options.quiet || !diff.isEmpty)) {
-            stream.write((0, import_node_util3.format)(`Stack ${chalk19.bold(stackName)}
-`));
-          }
-          if (!options.quiet && this.isImport) {
-            stream.write("Parameters and rules created during migration do not affect resource configuration.\n");
-          }
-          let activeDiff = diff;
-          if (diff.differenceCount && !options.strict) {
-            const mangledNewTemplate = JSON.parse((0, import_cloudformation_diff2.mangleLikeCloudFormation)(JSON.stringify(newTemplate)));
-            const mangledDiff = (0, import_cloudformation_diff2.fullDiff)(oldTemplate, mangledNewTemplate, changeSet);
-            filteredChangesCount = Math.max(0, diff.differenceCount - mangledDiff.differenceCount);
-            if (filteredChangesCount > 0) {
-              activeDiff = mangledDiff;
-            }
-          }
-          if (!options.strict) {
-            obscureDiff(activeDiff);
-          }
-          if (!activeDiff.isEmpty) {
-            numStacksWithChanges++;
-            (0, import_cloudformation_diff2.formatDifferences)(stream, activeDiff, {
-              ...logicalIdMapFromTemplate(oldTemplate),
-              ...logicalIdMapFromTemplate(newTemplate),
-              ...logicalIdMap
-            }, options.contextLines);
-          } else if (!options.quiet) {
-            stream.write(chalk19.green("There were no differences\n"));
-          }
-          if (filteredChangesCount > 0) {
-            stream.write(chalk19.yellow(`Omitted ${filteredChangesCount} changes because they are likely mangled non-ASCII characters. Use --strict to print them.
-`));
-          }
-        } finally {
-          formattedDiff = stream.toString();
-          stream.end();
-        }
-        for (const [logicalId, nestedStack] of Object.entries(nestedStacks ?? {})) {
-          const nextDiff = this.formatStackDiffHelper({
-            oldTemplate: nestedStack.deployedTemplate,
-            newTemplate: nestedStack.generatedTemplate,
-            stackName: nestedStack.physicalName ?? logicalId,
-            nestedStacks: nestedStack.nestedStackTemplates,
-            changeSet: nestedStack.changeSet,
-            mappings,
-            logicalIdMap: {}
-          }, options);
-          numStacksWithChanges += nextDiff.numStacksWithChanges;
-          formattedDiff += nextDiff.formattedDiff;
-        }
-        return { numStacksWithChanges, formattedDiff };
-      }
-      /**
-       * Format the security diff, including all nested stacks.
-       */
-      formatSecurityDiff(options = {}) {
-        const { formattedDiff, permissionChangeType, numStacksWithChanges } = this.formatSecurityDiffHelper({
-          oldTemplate: this.templateInfo.oldTemplate,
-          newTemplate: this.templateInfo.newTemplate.template,
-          stackName: this.stackName,
-          nestedStacks: this.templateInfo.nestedStacks,
-          changeSet: this.templateInfo.changeSet,
-          logicalIdMap: buildLogicalToPathMap(this.templateInfo.newTemplate)
-        }, options);
-        return { formattedDiff, permissionChangeType, numStacksWithChanges };
-      }
-      formatSecurityDiffHelper(params, options = {}) {
-        const { oldTemplate, newTemplate, stackName, nestedStacks, changeSet, logicalIdMap } = params;
-        const diff = this.computeDiff(stackName, oldTemplate, newTemplate, changeSet, this.mappings);
-        const permissionChangeType = permissionTypeFromDiff(diff);
-        const stream = new StringWriteStream();
-        if (!options.quiet || permissionChangeType !== "none" /* NONE */) {
-          stream.write((0, import_node_util3.format)(`Stack ${chalk19.bold(stackName)}
-`));
-        }
-        try {
-          (0, import_cloudformation_diff2.formatSecurityChanges)(stream, diff, {
-            ...logicalIdMapFromTemplate(newTemplate),
-            ...logicalIdMap
-          });
-        } finally {
-          stream.end();
-        }
-        let formattedDiff = stream.toString();
-        if (!options.quiet && permissionChangeType === "none" /* NONE */) {
-          formattedDiff += chalk19.green("There were no security-related changes (limitations: https://github.com/aws/aws-cdk/issues/1299)\n");
-        }
-        let numStacksWithChanges = permissionChangeType !== "none" /* NONE */ ? 1 : 0;
-        let escalatedPermissionType = permissionChangeType;
-        for (const [logicalId, nestedStack] of Object.entries(nestedStacks ?? {})) {
-          const nestedResult = this.formatSecurityDiffHelper({
-            oldTemplate: nestedStack.deployedTemplate,
-            newTemplate: nestedStack.generatedTemplate,
-            stackName: nestedStack.physicalName ?? logicalId,
-            nestedStacks: nestedStack.nestedStackTemplates,
-            changeSet: nestedStack.changeSet
-          }, options);
-          formattedDiff += nestedResult.formattedDiff ? "\n" + nestedResult.formattedDiff : "";
-          numStacksWithChanges += nestedResult.numStacksWithChanges;
-          if (nestedResult.permissionChangeType === "broadening" /* BROADENING */) {
-            escalatedPermissionType = "broadening" /* BROADENING */;
-          } else if (nestedResult.permissionChangeType === "non-broadening" /* NON_BROADENING */ && escalatedPermissionType === "none" /* NONE */) {
-            escalatedPermissionType = "non-broadening" /* NON_BROADENING */;
-          }
-        }
-        return { formattedDiff, permissionChangeType: escalatedPermissionType, numStacksWithChanges };
-      }
-    };
-    __name(permissionTypeFromDiff, "permissionTypeFromDiff");
-    __name(buildLogicalToPathMap, "buildLogicalToPathMap");
-    __name(logicalIdMapFromTemplate, "logicalIdMapFromTemplate");
-    __name(obscureDiff, "obscureDiff");
-  }
-});
-
-// ../toolkit-lib/lib/api/diff/index.ts
-var init_diff4 = __esm({
-  "../toolkit-lib/lib/api/diff/index.ts"() {
-    "use strict";
-    init_diff_formatter();
-  }
-});
-
 // ../toolkit-lib/lib/api/drift/drift-formatter.ts
 var import_node_util4, cxschema10, import_cloudformation_diff3, import_client_cloudformation4, chalk20, DriftFormatter, ADDITION3, CONTEXT2, UPDATE3, REMOVAL3;
 var init_drift_formatter = __esm({
@@ -317191,33 +317219,35 @@ var init_toolkit = __esm({
             deploymentMethod: options.deploymentMethod,
             cleanupOnNoOp: isExecutingChangeSetDeployment(options.deploymentMethod)
           }) : void 0;
-          const formatter = new DiffFormatter({
-            templateInfo: {
-              oldTemplate: currentTemplate,
-              newTemplate: stack,
-              changeSet: prepareResult?.changeSet
-            }
-          });
-          const securityDiff = formatter.formatSecurityDiff();
-          const stackDiff = formatter.formatStackDiff();
-          const hasSecurityChanges = securityDiff.permissionChangeType !== "none" /* NONE */;
-          const deployMotivation = hasSecurityChanges ? '"--require-approval" is enabled and stack includes security-sensitive updates.' : '"--require-approval" is enabled and stack includes updates.';
-          const diffOutput2 = hasSecurityChanges ? securityDiff.formattedDiff : stackDiff.formattedDiff;
-          const deployQuestion = `${diffOutput2}
+          if (!prepareResult?.noOp) {
+            const formatter = new DiffFormatter({
+              templateInfo: {
+                oldTemplate: currentTemplate,
+                newTemplate: stack,
+                changeSet: prepareResult?.changeSet
+              }
+            });
+            const securityDiff = formatter.formatSecurityDiff();
+            const stackDiff = formatter.formatStackDiff();
+            const hasSecurityChanges = securityDiff.permissionChangeType !== "none" /* NONE */;
+            const deployMotivation = hasSecurityChanges ? '"--require-approval" is enabled and stack includes security-sensitive updates.' : '"--require-approval" is enabled and stack includes updates.';
+            const diffOutput2 = hasSecurityChanges ? securityDiff.formattedDiff : stackDiff.formattedDiff;
+            const deployQuestion = `${diffOutput2}
 
 ${deployMotivation}
 Do you wish to deploy these changes`;
-          const deployConfirmed = await ioHelper.requestResponse(IO.CDK_TOOLKIT_I5060.req(deployQuestion, {
-            motivation: deployMotivation,
-            concurrency,
-            permissionChangeType: securityDiff.permissionChangeType,
-            templateDiffs: formatter.diffs
-          }));
-          if (!deployConfirmed) {
-            if (prepareResult?.changeSet?.ChangeSetName) {
-              await deployments.cleanupChangeSet(stack, prepareResult.changeSet.ChangeSetName);
+            const deployConfirmed = await ioHelper.requestResponse(IO.CDK_TOOLKIT_I5060.req(deployQuestion, {
+              motivation: deployMotivation,
+              concurrency,
+              permissionChangeType: securityDiff.permissionChangeType,
+              templateDiffs: formatter.diffs
+            }));
+            if (!deployConfirmed) {
+              if (prepareResult?.changeSet?.ChangeSetName) {
+                await deployments.cleanupChangeSet(stack, prepareResult.changeSet.ChangeSetName);
+              }
+              throw new ToolkitError("DeployAborted", "Aborted by user");
             }
-            throw new ToolkitError("DeployAborted", "Aborted by user");
           }
           const stackIndex = stacks.indexOf(stack) + 1;
           const deploySpan = await ioHelper.span(SPAN.DEPLOY_STACK).begin(`${chalk23.bold(stack.displayName)}: deploying... [${stackIndex}/${stackCollection.stackCount}]`, {

package/package.json

@@ -66,11 +66,11 @@
     "@aws-cdk/aws-service-spec": "^0.1.171",
     "@aws-cdk/cdk-assets-lib": "1.4.5",
     "@aws-cdk/cloud-assembly-api": "2.2.2",
-    "@aws-cdk/cloud-assembly-schema": ">=53.17.0",
+    "@aws-cdk/cloud-assembly-schema": ">=53.18.0",
     "@aws-cdk/cloudformation-diff": "2.187.1",
-    "@aws-cdk/toolkit-lib": "1.23.0",
+    "@aws-cdk/toolkit-lib": "1.24.0",
     "@aws-sdk/client-cloudformation": "^3",
-    "aws-cdk": "2.1118.4",
+    "aws-cdk": "2.1119.0",
     "chalk": "^4",
     "chokidar": "^4",
     "fs-extra": "^11",
@@ -80,7 +80,7 @@
   },
   "dependencies": {
     "@aws-cdk/aws-service-spec": "0.1.171",
-    "aws-cdk": "2.1118.4"
+    "aws-cdk": "2.1119.0"
   },
   "keywords": [
     "aws",
@@ -102,7 +102,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "2.197.17",
+  "version": "2.197.18",
   "packageManager": "yarn@4.13.0",
   "types": "lib/index.d.ts",
   "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"yarn projen\"."