@aws-cdk/integ-runner 2.197.9 → 2.197.11

package/lib/workers/extract/index.js

@@ -4670,7 +4670,7 @@ var require_semver2 = __commonJS({
 // ../cloud-assembly-schema/cli-version.json
 var require_cli_version = __commonJS({
   "../cloud-assembly-schema/cli-version.json"(exports2, module2) {
-    module2.exports = { version: "2.1115.0" };
+    module2.exports = { version: "2.1116.0" };
   }
 });
 
@@ -79283,7 +79283,7 @@ var init_messages = __esm({
         code: "CDK_TOOLKIT_W8010",
         description: "Refactor execution not yet supported"
       }),
-      // 9: Bootstrap  & gc (9xxx)
+      // 9: Bootstrap, gc, flags & publish (9xxx)
       CDK_TOOLKIT_I9000: info({
         code: "CDK_TOOLKIT_I9000",
         description: "Provides bootstrap times",
@@ -79310,12 +79310,27 @@ var init_messages = __esm({
         description: "Bootstrap failed",
         interface: "ErrorPayload"
       }),
-      // flags (93xxx)
+      // flags (93xx)
       CDK_TOOLKIT_I9300: info({
         code: "CDK_TOOLKIT_I9300",
         description: "Confirm the feature flag configuration changes",
         interface: "FeatureFlagChangeRequest"
       }),
+      // publish (94xx)
+      CDK_TOOLKIT_I9400: info({
+        code: "CDK_TOOLKIT_I9400",
+        description: "All assets are already published"
+      }),
+      CDK_TOOLKIT_I9401: info({
+        code: "CDK_TOOLKIT_I9401",
+        description: "Publishing assets",
+        interface: "AssetsPayload"
+      }),
+      CDK_TOOLKIT_I9402: result({
+        code: "CDK_TOOLKIT_I9402",
+        description: "Publish assets results on success",
+        interface: "AssetsPayload"
+      }),
       // Notices
       CDK_TOOLKIT_I0100: info({
         code: "CDK_TOOLKIT_I0100",
@@ -122603,7 +122618,7 @@ var require_dist_cjs57 = __commonJS({
         __name(this, "GetGeneratedTemplateCommand");
       }
     };
-    var GetHookResultCommand = class extends smithyClient.Command.classBuilder().ep(commonParams6).m(function(Command, cs, config, o6) {
+    var GetHookResultCommand2 = class extends smithyClient.Command.classBuilder().ep(commonParams6).m(function(Command, cs, config, o6) {
       return [middlewareEndpoint.getEndpointPlugin(config, Command.getEndpointParameterInstructions())];
     }).s("CloudFormation", "GetHookResult", {}).n("CloudFormationClient", "GetHookResultCommand").sc(schemas_0.GetHookResult$).build() {
       static {
@@ -123847,7 +123862,7 @@ var require_dist_cjs57 = __commonJS({
       ExecuteChangeSetCommand: ExecuteChangeSetCommand2,
       ExecuteStackRefactorCommand: ExecuteStackRefactorCommand2,
       GetGeneratedTemplateCommand: GetGeneratedTemplateCommand2,
-      GetHookResultCommand,
+      GetHookResultCommand: GetHookResultCommand2,
       GetStackPolicyCommand,
       GetTemplateCommand: GetTemplateCommand2,
       GetTemplateSummaryCommand: GetTemplateSummaryCommand2,
@@ -124538,7 +124553,7 @@ var require_dist_cjs57 = __commonJS({
     exports2.GeneratedTemplateStatus = GeneratedTemplateStatus;
     exports2.GeneratedTemplateUpdateReplacePolicy = GeneratedTemplateUpdateReplacePolicy;
     exports2.GetGeneratedTemplateCommand = GetGeneratedTemplateCommand2;
-    exports2.GetHookResultCommand = GetHookResultCommand;
+    exports2.GetHookResultCommand = GetHookResultCommand2;
     exports2.GetStackPolicyCommand = GetStackPolicyCommand;
     exports2.GetTemplateCommand = GetTemplateCommand2;
     exports2.GetTemplateSummaryCommand = GetTemplateSummaryCommand2;
@@ -287536,7 +287551,8 @@ var init_sdk = __esm({
               },
               input
             );
-          }, "waitUntilStackRefactorExecuteComplete")
+          }, "waitUntilStackRefactorExecuteComplete"),
+          getHookResult: /* @__PURE__ */ __name((input) => client.send(new import_client_cloudformation.GetHookResultCommand(input)), "getHookResult")
         };
       }
       cloudWatchLogs() {
@@ -294917,6 +294933,8 @@ var init_stack_activity_monitor = __esm({
       ioHelper;
       stackName;
       stack;
+      cfn;
+      envResources;
       constructor({
         cfn,
         ioHelper,
@@ -294924,11 +294942,14 @@ var init_stack_activity_monitor = __esm({
         stackName,
         resourcesTotal,
         changeSetCreationTime,
-        pollingInterval = 2e3
+        pollingInterval = 2e3,
+        envResources
       }) {
         this.ioHelper = ioHelper;
         this.stack = stack;
         this.stackName = stackName;
+        this.cfn = cfn;
+        this.envResources = envResources;
         this.progressMonitor = new StackProgressMonitor(resourcesTotal);
         this.pollingInterval = pollingInterval;
         this.poller = new StackEventPoller(cfn, {
@@ -295016,6 +295037,65 @@ var init_stack_activity_monitor = __esm({
         }
         return resourceMetadata(this.stack, logicalId);
       }
+      /**
+       * Trims leading/trailing whitespace, collapses all internal whitespace
+       * (including newlines) to a single space, and truncates to `maxChars`
+       * characters, appending `[...truncated]` when the original was longer.
+       */
+      normalizeMessage(message2, maxChars = 400) {
+        const normalized = message2.trim().replace(/\s+/g, " ");
+        return normalized.length > maxChars ? normalized.substring(0, maxChars) + "[...truncated]" : normalized;
+      }
+      /**
+       * Fetches Guard Hook annotation details via GetHookResult API and formats them
+       * into a human-readable string. Returns undefined if the fetch fails or there
+       * are no failed annotations.
+       */
+      async fetchGuardHookAnnotations(hookInvocationId) {
+        try {
+          const result2 = await this.cfn.getHookResult({ HookResultId: hookInvocationId });
+          const annotations = result2.Annotations ?? [];
+          const failedAnnotations = annotations.filter((a6) => a6.Status === "FAILED");
+          if (failedAnnotations.length === 0) {
+            return void 0;
+          }
+          const lines = ["NonCompliant Rules:", ""];
+          for (const annotation of failedAnnotations) {
+            if (annotation.AnnotationName) {
+              lines.push(`[${annotation.AnnotationName}]`);
+            }
+            if (annotation.StatusMessage) {
+              lines.push(`\u2022 ${this.normalizeMessage(annotation.StatusMessage)}`);
+            }
+            if (annotation.RemediationMessage) {
+              lines.push(`Remediation: ${this.normalizeMessage(annotation.RemediationMessage)}`);
+            }
+            lines.push("");
+          }
+          return lines.join("\n").trimEnd();
+        } catch (e6) {
+          const errorMessage = e6 instanceof Error ? e6.message : String(e6);
+          const isPermissionsError = e6.name === "AccessDeniedException" || typeof errorMessage === "string" && errorMessage.toLowerCase().includes("not authorized to perform: cloudformation:gethookresult");
+          if (isPermissionsError && this.envResources) {
+            let currentVersion = void 0;
+            try {
+              currentVersion = (await this.envResources.lookupToolkit()).version;
+            } catch {
+            }
+            await this.ioHelper.defaults.warn(
+              util6.format(
+                `Failed to fetch result details for Hook invocation ${hookInvocationId}: ${errorMessage}. Make sure you have permissions to call the GetHookResult API, or re-bootstrap your environment by running 'cdk bootstrap' to update the Bootstrap CDK Toolkit stack.
+            'Bootstrap toolkit stack version 31 or later is needed; current version: ${currentVersion ?? "unknown"}.`
+              )
+            );
+          } else {
+            await this.ioHelper.defaults.warn(
+              util6.format("Failed to fetch Guard Hook details for invocation %s: %s", hookInvocationId, errorMessage)
+            );
+          }
+          return void 0;
+        }
+      }
       /**
        * Reads all new events from the stack history
        *
@@ -295025,6 +295105,12 @@ var init_stack_activity_monitor = __esm({
         const pollEvents = await this.poller.poll();
         for (const resourceEvent of pollEvents) {
           this.progressMonitor.process(resourceEvent.event);
+          if (resourceEvent.event.HookInvocationId) {
+            const annotations = await this.fetchGuardHookAnnotations(resourceEvent.event.HookInvocationId);
+            if (annotations) {
+              resourceEvent.event.HookStatusReason = annotations;
+            }
+          }
           const activity = {
             deployment: monitorId,
             event: resourceEvent.event,
@@ -295421,6 +295507,11 @@ async function getNestedStackArn(nestedStackLogicalId, listStackResources) {
 function isCdkManagedNestedStack(stackResource) {
   return stackResource.Type === "AWS::CloudFormation::Stack" && stackResource.Metadata && stackResource.Metadata["aws:asset:path"];
 }
+function templateContainsNestedStacks(template) {
+  return Object.values(template?.Resources ?? {}).some(
+    (resource) => resource.Type === "AWS::CloudFormation::Stack"
+  );
+}
 var path23, fs26;
 var init_nested_stack_helpers = __esm({
   "../toolkit-lib/lib/api/cloudformation/nested-stack-helpers.ts"() {
@@ -295437,6 +295528,7 @@ var init_nested_stack_helpers = __esm({
     __name(getNestedStackTemplates, "getNestedStackTemplates");
     __name(getNestedStackArn, "getNestedStackArn");
     __name(isCdkManagedNestedStack, "isCdkManagedNestedStack");
+    __name(templateContainsNestedStacks, "templateContainsNestedStacks");
   }
 });
 
@@ -295512,16 +295604,10 @@ async function waitForChangeSet(cfn, ioHelper, stackName, changeSetName, { fetch
   return ret;
 }
 async function createDiffChangeSet(ioHelper, options) {
-  for (const resource of Object.values(options.stack.template.Resources ?? {})) {
-    if (resource.Type === "AWS::CloudFormation::Stack") {
-      if (options.failOnError) {
-        throw new ToolkitError("NestedStacksNotSupported", "Changeset diff is not supported for stacks with nested stacks. Please use '--method=auto' to allow falling back to a template diff.");
-      }
-      await ioHelper.defaults.debug("This stack contains one or more nested stacks, falling back to template diff...");
-      return void 0;
-    }
-  }
-  return uploadBodyParameterAndCreateChangeSet(ioHelper, options);
+  return uploadBodyParameterAndCreateChangeSet(ioHelper, {
+    ...options,
+    includeNestedStacks: templateContainsNestedStacks(options.stack.template)
+  });
 }
 function templatesFromAssetManifestArtifact(artifact) {
   const assets = [];
@@ -295549,7 +295635,8 @@ async function uploadBodyParameterAndCreateChangeSet(ioHelper, options) {
       env.resources
     );
     const cfn = env.sdk.cloudFormation();
-    const exists = (await CloudFormationStack.lookup(cfn, options.stack.stackName, false)).exists;
+    const stack = await CloudFormationStack.lookup(cfn, options.stack.stackName, false);
+    const exists = stack.exists && stack.stackStatus.name !== "REVIEW_IN_PROGRESS";
     const executionRoleArn = await env.replacePlaceholders(options.stack.cloudFormationExecutionRoleArn);
     await ioHelper.defaults.info(
       "Hold on while we create a read-only change set to get a diff with accurate replacement information (use --method=template to use a less accurate but faster template-only diff)\n"
@@ -295565,6 +295652,7 @@ async function uploadBodyParameterAndCreateChangeSet(ioHelper, options) {
       parameters: options.parameters,
       resourcesToImport: options.resourcesToImport,
       importExistingResources: options.importExistingResources,
+      includeNestedStacks: options.includeNestedStacks,
       role: executionRoleArn
     });
   } catch (e6) {
@@ -295612,6 +295700,7 @@ async function createChangeSet(ioHelper, options) {
     Parameters: stackParams.apiParameters,
     ResourcesToImport: options.resourcesToImport,
     ImportExistingResources: options.importExistingResources,
+    IncludeNestedStacks: options.includeNestedStacks || void 0,
     RoleARN: options.role,
     Tags: toCfnTags(options.stack.tags),
     Capabilities: ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]
@@ -296734,9 +296823,10 @@ var require_split2 = __commonJS({
 
 // ../toolkit-lib/lib/api/cloud-assembly/private/exec.ts
 async function execInChildProcess(commandAndArgs, options = {}) {
+  const captureOutput = options.captureOutput ?? true;
   return new Promise((ok, fail) => {
     const proc = child_process2.spawn(commandAndArgs, {
-      stdio: ["ignore", "pipe", "pipe"],
+      stdio: captureOutput ? ["ignore", "pipe", "pipe"] : ["ignore", "inherit", "inherit"],
       detached: false,
       cwd: options.cwd,
       env: {
@@ -296766,11 +296856,13 @@ async function execInChildProcess(commandAndArgs, options = {}) {
       }
     });
     const stderr2 = new Array();
-    proc.stdout.pipe(split()).on("data", (line) => eventPublisher("data_stdout", line));
-    proc.stderr.pipe(split()).on("data", (line) => {
-      stderr2.push(line);
-      return eventPublisher("data_stderr", line);
-    });
+    if (captureOutput) {
+      proc.stdout.pipe(split()).on("data", (line) => eventPublisher("data_stdout", line));
+      proc.stderr.pipe(split()).on("data", (line) => {
+        stderr2.push(line);
+        return eventPublisher("data_stderr", line);
+      });
+    }
     proc.on("error", (e6) => {
       fail(AssemblyError.withCause(`Failed to execute CDK app: ${commandAndArgs}`, e6));
     });
@@ -296788,7 +296880,7 @@ async function execInChildProcess(commandAndArgs, options = {}) {
         if (options.errorCodeFile) {
           const contents = tryReadFile(options.errorCodeFile);
           if (contents) {
-            const errorInStdErr = contents.split("\n").find((c6) => stdErrString.includes(`${SYNTH_ERROR_CODE_MARKERS[0]}${c6}${SYNTH_ERROR_CODE_MARKERS[1]}`));
+            const errorInStdErr = contents.split("\n")[0];
             if (errorInStdErr) {
               error4.attachSynthesisErrorCode(errorInStdErr);
             }
@@ -296809,7 +296901,7 @@ function tryReadFile(name) {
     throw e6;
   }
 }
-var child_process2, import_fs7, split, SYNTH_ERROR_CODE_MARKERS;
+var child_process2, import_fs7, split;
 var init_exec = __esm({
   "../toolkit-lib/lib/api/cloud-assembly/private/exec.ts"() {
     "use strict";
@@ -296818,7 +296910,6 @@ var init_exec = __esm({
     init_toolkit_error();
     split = require_split2();
     __name(execInChildProcess, "execInChildProcess");
-    SYNTH_ERROR_CODE_MARKERS = ["\xAB", "\xBB"];
     __name(tryReadFile, "tryReadFile");
   }
 });
@@ -309178,6 +309269,13 @@ var init_progress2 = __esm({
   }
 });
 
+// ../toolkit-lib/lib/payloads/publish-assets.ts
+var init_publish_assets = __esm({
+  "../toolkit-lib/lib/payloads/publish-assets.ts"() {
+    "use strict";
+  }
+});
+
 // ../toolkit-lib/lib/payloads/refactor.ts
 var init_refactor = __esm({
   "../toolkit-lib/lib/payloads/refactor.ts"() {
@@ -309255,6 +309353,7 @@ var init_payloads = __esm({
     init_synth();
     init_types6();
     init_progress2();
+    init_publish_assets();
     init_refactor();
     init_watch();
     init_stack_details();
@@ -311211,6 +311310,7 @@ var init_deploy_stack = __esm({
           Description: `CDK Changeset for execution ${this.uuid}`,
           ClientToken: `create${this.uuid}`,
           ImportExistingResources: importExistingResources,
+          IncludeNestedStacks: templateContainsNestedStacks(this.stackArtifact.template),
           DeploymentMode: revertDrift ? "REVERT_DRIFT" : void 0,
           ...this.commonPrepareOptions()
         });
@@ -311312,7 +311412,8 @@ var init_deploy_stack = __esm({
           stackName: this.stackName,
           resourcesTotal: expectedChanges,
           ioHelper: this.ioHelper,
-          changeSetCreationTime: startTime
+          changeSetCreationTime: startTime,
+          envResources: this.options.envResources
         });
         await monitor.start();
         let finalState = this.cloudFormationStack;
@@ -312948,6 +313049,9 @@ async function cfnDiff2(ioHelper, stacks, deployments, options, sdkProvider, inc
       methodOptions.fallbackToTemplate,
       methodOptions.importExistingResources
     ) : void 0;
+    if (changeSet) {
+      await attachNestedChangeSetData(deployments, stack, changeSet, nestedStacks);
+    }
     const mappings = allMappings.find(
       (m6) => m6.environment.region === stack.environment.region && m6.environment.account === stack.environment.account
     )?.mappings ?? {};
@@ -312975,6 +313079,31 @@ async function changeSetDiff(ioHelper, deployments, stack, sdkProvider, resource
     importExistingResources
   });
 }
+async function attachNestedChangeSetData(deployments, stack, rootChangeSet, nestedStacks) {
+  const env = await deployments.envs.accessStackForReadOnlyStackOperations(stack);
+  const cfn = env.sdk.cloudFormation();
+  for (const change of rootChangeSet.Changes ?? []) {
+    const rc = change.ResourceChange;
+    if (rc?.ResourceType !== "AWS::CloudFormation::Stack" || !rc.ChangeSetId || !rc.LogicalResourceId) {
+      continue;
+    }
+    const nested = nestedStacks[rc.LogicalResourceId];
+    if (!nested) {
+      continue;
+    }
+    const nestedChangeSet = await cfn.describeChangeSet({
+      ChangeSetName: rc.ChangeSetId,
+      StackName: rc.PhysicalResourceId ?? rc.LogicalResourceId
+    });
+    nestedStacks[rc.LogicalResourceId] = {
+      ...nested,
+      changeSet: nestedChangeSet
+    };
+    if (nestedChangeSet && Object.keys(nested.nestedStackTemplates).length > 0) {
+      await attachNestedChangeSetData(deployments, stack, nestedChangeSet, nested.nestedStackTemplates);
+    }
+  }
+}
 function appendObject(obj1, obj2) {
   for (const key in obj2) {
     obj1[key] = obj2[key];
@@ -312997,6 +313126,7 @@ var init_helpers4 = __esm({
     __name(localFileDiff, "localFileDiff");
     __name(cfnDiff2, "cfnDiff");
     __name(changeSetDiff, "changeSetDiff");
+    __name(attachNestedChangeSetData, "attachNestedChangeSetData");
     __name(appendObject, "appendObject");
   }
 });
@@ -313693,6 +313823,14 @@ var init_bootstrap3 = __esm({
 });
 
 // ../toolkit-lib/lib/api/diff/diff-formatter.ts
+function permissionTypeFromDiff(diff) {
+  if (diff.permissionsBroadened) {
+    return "broadening" /* BROADENING */;
+  } else if (diff.permissionsAnyChanges) {
+    return "non-broadening" /* NON_BROADENING */;
+  }
+  return "none" /* NONE */;
+}
 function buildLogicalToPathMap(stack) {
   const map2 = {};
   for (const md of stack.findMetadataByType(cxschema9.ArtifactMetadataEntryType.LOGICAL_ID)) {
@@ -313754,44 +313892,35 @@ var init_diff_formatter = __esm({
       static {
         __name(this, "DiffFormatter");
       }
-      oldTemplate;
-      newTemplate;
+      templateInfo;
       stackName;
-      changeSet;
-      nestedStacks;
       isImport;
       mappings;
       /**
-       * Stores the TemplateDiffs that get calculated in this DiffFormatter,
-       * indexed by the stack name.
+       * Cache of computed TemplateDiffs, indexed by stack name.
        */
-      _diffs = {};
+      cache = /* @__PURE__ */ new Map();
       constructor(props) {
-        this.oldTemplate = props.templateInfo.oldTemplate;
-        this.newTemplate = props.templateInfo.newTemplate;
+        this.templateInfo = props.templateInfo;
         this.stackName = props.templateInfo.newTemplate.displayName ?? props.templateInfo.newTemplate.stackName;
-        this.changeSet = props.templateInfo.changeSet;
-        this.nestedStacks = props.templateInfo.nestedStacks;
         this.isImport = props.templateInfo.isImport ?? false;
         this.mappings = props.templateInfo.mappings ?? {};
       }
       get diffs() {
-        return this._diffs;
+        return Object.fromEntries(this.cache);
       }
       /**
-       * Get or creates the diff of a stack.
-       * If it creates the diff, it stores the result in a map for
-       * easier retrieval later.
+       * Compute the diff for a single stack. Results are cached by stack name.
+       *
+       * @param stackName - The name to cache the diff under
+       * @param oldTemplate - The deployed template
+       * @param newTemplate - The new/generated template (read from the artifact)
+       * @param changeSet - The CloudFormation changeset for this specific stack, if available
+       * @param mappings - Resource move mappings
        */
-      diff(stackName, oldTemplate, mappings = {}) {
-        const realStackName = stackName ?? this.stackName;
-        if (!this._diffs[realStackName]) {
-          const templateDiff = (0, import_cloudformation_diff2.fullDiff)(
-            oldTemplate ?? this.oldTemplate,
-            this.newTemplate.template,
-            this.changeSet,
-            this.isImport
-          );
+      computeDiff(stackName, oldTemplate, newTemplate, changeSet, mappings) {
+        if (!this.cache.has(stackName)) {
+          const templateDiff = (0, import_cloudformation_diff2.fullDiff)(oldTemplate, newTemplate, changeSet, this.isImport);
           const setMove = /* @__PURE__ */ __name((change, direction, location) => {
             if (location != null) {
               const [sourceStackName, sourceLogicalId] = location.split(".");
@@ -313803,46 +313932,34 @@ var init_diff_formatter = __esm({
             }
           }, "setMove");
           templateDiff.resources.forEachDifference((id, change) => {
-            const location = `${realStackName}.${id}`;
+            const location = `${stackName}.${id}`;
             if (change.isAddition && Object.values(mappings).includes(location)) {
               setMove(change, "from", Object.keys(mappings).find((k6) => mappings[k6] === location));
             } else if (change.isRemoval && Object.keys(mappings).includes(location)) {
               setMove(change, "to", mappings[location]);
             }
           });
-          this._diffs[realStackName] = templateDiff;
-        }
-        return this._diffs[realStackName];
-      }
-      /**
-       * Return whether the diff has security-impacting changes that need confirmation.
-       *
-       * If no stackName is given, then the root stack name is used.
-       */
-      permissionType() {
-        const diff = this.diff();
-        if (diff.permissionsBroadened) {
-          return "broadening" /* BROADENING */;
-        } else if (diff.permissionsAnyChanges) {
-          return "non-broadening" /* NON_BROADENING */;
-        } else {
-          return "none" /* NONE */;
+          this.cache.set(stackName, templateDiff);
         }
+        return this.cache.get(stackName);
       }
       /**
-       * Format the stack diff
+       * Format the stack diff, including all nested stacks.
        */
       formatStackDiff(options = {}) {
-        return this.formatStackDiffHelper(
-          this.oldTemplate,
-          this.stackName,
-          this.nestedStacks,
-          options,
-          this.mappings
-        );
-      }
-      formatStackDiffHelper(oldTemplate, stackName, nestedStackTemplates, options, mappings = {}) {
-        let diff = this.diff(stackName, oldTemplate, mappings);
+        return this.formatStackDiffHelper({
+          oldTemplate: this.templateInfo.oldTemplate,
+          newTemplate: this.templateInfo.newTemplate.template,
+          stackName: this.stackName,
+          nestedStacks: this.templateInfo.nestedStacks,
+          changeSet: this.templateInfo.changeSet,
+          mappings: this.mappings,
+          logicalIdMap: buildLogicalToPathMap(this.templateInfo.newTemplate)
+        }, options);
+      }
+      formatStackDiffHelper(params, options = {}) {
+        const { oldTemplate, newTemplate, stackName, nestedStacks, changeSet, mappings, logicalIdMap } = params;
+        const diff = this.computeDiff(stackName, oldTemplate, newTemplate, changeSet, mappings);
         const stream = new StringWriteStream();
         let numStacksWithChanges = 0;
         let formattedDiff = "";
@@ -313855,22 +313972,24 @@ var init_diff_formatter = __esm({
           if (!options.quiet && this.isImport) {
             stream.write("Parameters and rules created during migration do not affect resource configuration.\n");
           }
+          let activeDiff = diff;
           if (diff.differenceCount && !options.strict) {
-            const mangledNewTemplate = JSON.parse((0, import_cloudformation_diff2.mangleLikeCloudFormation)(JSON.stringify(this.newTemplate.template)));
-            const mangledDiff = (0, import_cloudformation_diff2.fullDiff)(oldTemplate, mangledNewTemplate, this.changeSet);
+            const mangledNewTemplate = JSON.parse((0, import_cloudformation_diff2.mangleLikeCloudFormation)(JSON.stringify(newTemplate)));
+            const mangledDiff = (0, import_cloudformation_diff2.fullDiff)(oldTemplate, mangledNewTemplate, changeSet);
             filteredChangesCount = Math.max(0, diff.differenceCount - mangledDiff.differenceCount);
             if (filteredChangesCount > 0) {
-              diff = mangledDiff;
+              activeDiff = mangledDiff;
             }
           }
           if (!options.strict) {
-            obscureDiff(diff);
+            obscureDiff(activeDiff);
           }
-          if (!diff.isEmpty) {
+          if (!activeDiff.isEmpty) {
             numStacksWithChanges++;
-            (0, import_cloudformation_diff2.formatDifferences)(stream, diff, {
-              ...logicalIdMapFromTemplate(this.oldTemplate),
-              ...buildLogicalToPathMap(this.newTemplate)
+            (0, import_cloudformation_diff2.formatDifferences)(stream, activeDiff, {
+              ...logicalIdMapFromTemplate(oldTemplate),
+              ...logicalIdMapFromTemplate(newTemplate),
+              ...logicalIdMap
             }, options.contextLines);
           } else if (!options.quiet) {
             stream.write(chalk19.green("There were no differences\n"));
@@ -313883,44 +314002,78 @@ var init_diff_formatter = __esm({
           formattedDiff = stream.toString();
           stream.end();
         }
-        for (const nestedStackLogicalId of Object.keys(nestedStackTemplates ?? {})) {
-          if (!nestedStackTemplates) {
-            break;
-          }
-          const nestedStack = nestedStackTemplates[nestedStackLogicalId];
-          this.newTemplate._template = nestedStack.generatedTemplate;
-          const nextDiff = this.formatStackDiffHelper(
-            nestedStack.deployedTemplate,
-            nestedStack.physicalName ?? nestedStackLogicalId,
-            nestedStack.nestedStackTemplates,
-            options,
-            this.mappings
-          );
+        for (const [logicalId, nestedStack] of Object.entries(nestedStacks ?? {})) {
+          const nextDiff = this.formatStackDiffHelper({
+            oldTemplate: nestedStack.deployedTemplate,
+            newTemplate: nestedStack.generatedTemplate,
+            stackName: nestedStack.physicalName ?? logicalId,
+            nestedStacks: nestedStack.nestedStackTemplates,
+            changeSet: nestedStack.changeSet,
+            mappings,
+            logicalIdMap: {}
+          }, options);
           numStacksWithChanges += nextDiff.numStacksWithChanges;
           formattedDiff += nextDiff.formattedDiff;
         }
-        return {
-          numStacksWithChanges,
-          formattedDiff
-        };
+        return { numStacksWithChanges, formattedDiff };
       }
       /**
-       * Format the security diff
+       * Format the security diff, including all nested stacks.
        */
-      formatSecurityDiff() {
-        const diff = this.diff();
+      formatSecurityDiff(options = {}) {
+        const { formattedDiff, permissionChangeType, numStacksWithChanges } = this.formatSecurityDiffHelper({
+          oldTemplate: this.templateInfo.oldTemplate,
+          newTemplate: this.templateInfo.newTemplate.template,
+          stackName: this.stackName,
+          nestedStacks: this.templateInfo.nestedStacks,
+          changeSet: this.templateInfo.changeSet,
+          logicalIdMap: buildLogicalToPathMap(this.templateInfo.newTemplate)
+        }, options);
+        return { formattedDiff, permissionChangeType, numStacksWithChanges };
+      }
+      formatSecurityDiffHelper(params, options = {}) {
+        const { oldTemplate, newTemplate, stackName, nestedStacks, changeSet, logicalIdMap } = params;
+        const diff = this.computeDiff(stackName, oldTemplate, newTemplate, changeSet, this.mappings);
+        const permissionChangeType = permissionTypeFromDiff(diff);
         const stream = new StringWriteStream();
-        stream.write((0, import_node_util3.format)(`Stack ${chalk19.bold(this.stackName)}
+        if (!options.quiet || permissionChangeType !== "none" /* NONE */) {
+          stream.write((0, import_node_util3.format)(`Stack ${chalk19.bold(stackName)}
 `));
+        }
         try {
-          (0, import_cloudformation_diff2.formatSecurityChanges)(stream, diff, buildLogicalToPathMap(this.newTemplate));
+          (0, import_cloudformation_diff2.formatSecurityChanges)(stream, diff, {
+            ...logicalIdMapFromTemplate(newTemplate),
+            ...logicalIdMap
+          });
         } finally {
           stream.end();
         }
-        const formattedDiff = stream.toString();
-        return { formattedDiff, permissionChangeType: this.permissionType() };
+        let formattedDiff = stream.toString();
+        if (!options.quiet && permissionChangeType === "none" /* NONE */) {
+          formattedDiff += chalk19.green("There were no security-related changes (limitations: https://github.com/aws/aws-cdk/issues/1299)\n");
+        }
+        let numStacksWithChanges = permissionChangeType !== "none" /* NONE */ ? 1 : 0;
+        let escalatedPermissionType = permissionChangeType;
+        for (const [logicalId, nestedStack] of Object.entries(nestedStacks ?? {})) {
+          const nestedResult = this.formatSecurityDiffHelper({
+            oldTemplate: nestedStack.deployedTemplate,
+            newTemplate: nestedStack.generatedTemplate,
+            stackName: nestedStack.physicalName ?? logicalId,
+            nestedStacks: nestedStack.nestedStackTemplates,
+            changeSet: nestedStack.changeSet
+          }, options);
+          formattedDiff += nestedResult.formattedDiff ? "\n" + nestedResult.formattedDiff : "";
+          numStacksWithChanges += nestedResult.numStacksWithChanges;
+          if (nestedResult.permissionChangeType === "broadening" /* BROADENING */) {
+            escalatedPermissionType = "broadening" /* BROADENING */;
+          } else if (nestedResult.permissionChangeType === "non-broadening" /* NON_BROADENING */ && escalatedPermissionType === "none" /* NONE */) {
+            escalatedPermissionType = "non-broadening" /* NON_BROADENING */;
+          }
+        }
+        return { formattedDiff, permissionChangeType: escalatedPermissionType, numStacksWithChanges };
       }
     };
+    __name(permissionTypeFromDiff, "permissionTypeFromDiff");
     __name(buildLogicalToPathMap, "buildLogicalToPathMap");
     __name(logicalIdMapFromTemplate, "logicalIdMapFromTemplate");
     __name(obscureDiff, "obscureDiff");
@@ -315220,6 +315373,36 @@ var init_promises = __esm({
   }
 });
 
+// ../toolkit-lib/lib/toolkit/private/count-assembly-results.ts
+function countAssemblyResults(span, assembly) {
+  const stacksRecursively = assembly.stacksRecursively;
+  span.incCounter("stacks", stacksRecursively.length);
+  span.incCounter("assemblies", asmCount(assembly));
+  span.incCounter("errorAnns", sum3(stacksRecursively.map((s6) => s6.messages.filter((m6) => m6.level === import_cloud_assembly_api14.SynthesisMessageLevel.ERROR).length)));
+  span.incCounter("warnings", sum3(stacksRecursively.map((s6) => s6.messages.filter((m6) => m6.level === import_cloud_assembly_api14.SynthesisMessageLevel.WARNING).length)));
+  const annotationErrorCodes = stacksRecursively.flatMap((s6) => Object.values(s6.metadata).flatMap((ms) => ms.filter((m6) => m6.type === ANNOTATION_ERROR_CODE_TYPE)));
+  for (const annotationErrorCode of annotationErrorCodes) {
+    span.incCounter(`errorAnn:${annotationErrorCode.data}`);
+  }
+  function asmCount(x6) {
+    return 1 + x6.nestedAssemblies.reduce((acc, asm) => acc + asmCount(asm.nestedAssembly), 0);
+  }
+  __name(asmCount, "asmCount");
+}
+function sum3(xs) {
+  return xs.reduce((a6, b6) => a6 + b6, 0);
+}
+var import_cloud_assembly_api14, ANNOTATION_ERROR_CODE_TYPE;
+var init_count_assembly_results = __esm({
+  "../toolkit-lib/lib/toolkit/private/count-assembly-results.ts"() {
+    "use strict";
+    import_cloud_assembly_api14 = __toESM(require_lib3());
+    __name(countAssemblyResults, "countAssemblyResults");
+    __name(sum3, "sum");
+    ANNOTATION_ERROR_CODE_TYPE = "aws:cdk:error-code";
+  }
+});
+
 // ../toolkit-lib/lib/toolkit/toolkit.ts
 function isFileEvent(event) {
   return FILE_EVENTS.includes(event);
@@ -315242,28 +315425,13 @@ async function synthAndMeasure(ioHelper, cx, selectStacks) {
 function zeroTime() {
   return { asMs: 0, asSec: 0 };
 }
-function countAssemblyResults(span, assembly) {
-  const stacksRecursively = assembly.stacksRecursively;
-  span.incCounter("stacks", stacksRecursively.length);
-  span.incCounter("assemblies", asmCount(assembly));
-  span.incCounter("errorAnns", sum3(stacksRecursively.map((s6) => s6.messages.filter((m6) => m6.level === import_cloud_assembly_api14.SynthesisMessageLevel.ERROR).length)));
-  span.incCounter("warnings", sum3(stacksRecursively.map((s6) => s6.messages.filter((m6) => m6.level === import_cloud_assembly_api14.SynthesisMessageLevel.WARNING).length)));
-  function asmCount(x6) {
-    return 1 + x6.nestedAssemblies.reduce((acc, asm) => acc + asmCount(asm.nestedAssembly), 0);
-  }
-  __name(asmCount, "asmCount");
-}
-function sum3(xs) {
-  return xs.reduce((a6, b6) => a6 + b6, 0);
-}
-var import_dispose_polyfill5, path31, cxapi8, import_cloud_assembly_api14, import_cloud_assembly_schema7, chalk23, fs35, FILE_EVENTS, Toolkit;
+var import_dispose_polyfill5, path31, cxapi8, import_cloud_assembly_schema7, chalk23, fs35, FILE_EVENTS, Toolkit;
 var init_toolkit = __esm({
   "../toolkit-lib/lib/toolkit/toolkit.ts"() {
     "use strict";
     import_dispose_polyfill5 = __toESM(require_dispose_polyfill());
     path31 = __toESM(require("node:path"));
     cxapi8 = __toESM(require_lib3());
-    import_cloud_assembly_api14 = __toESM(require_lib3());
     import_cloud_assembly_schema7 = __toESM(require_lib2());
     chalk23 = __toESM(require_source());
     init_esm2();
@@ -315305,6 +315473,7 @@ var init_toolkit = __esm({
     init_concurrency();
     init_glob_matcher();
     init_promises();
+    init_count_assembly_results();
     FILE_EVENTS = [EVENTS.ADD, EVENTS.ADD_DIR, EVENTS.CHANGE, EVENTS.UNLINK, EVENTS.UNLINK_DIR];
     __name(isFileEvent, "isFileEvent");
     Toolkit = class extends CloudAssemblySourceBuilder {
@@ -315488,6 +315657,7 @@ var init_toolkit = __esm({
           const strict = !!options.strict;
           const contextLines = options.contextLines || 3;
           let diffs = 0;
+          let securityDiffs = 0;
           const templateInfos = await prepareDiff(diffSpan.asHelper, stacks, deployments, await this.sdkProvider("diff"), options);
           const templateDiffs = {};
           for (const templateInfo of templateInfos) {
@@ -315501,11 +315671,13 @@ var init_toolkit = __esm({
               await diffSpan.defaults.info(securityDiff.formattedDiff);
             }
             diffs += stackDiff.numStacksWithChanges;
+            securityDiffs += securityDiff.numStacksWithChanges;
             appendObject(templateDiffs, formatter.diffs);
             await diffSpan.notify(IO.CDK_TOOLKIT_I4002.msg(stackDiff.formattedDiff, {
               stack: templateInfo.newTemplate,
               diffs: formatter.diffs,
               numStacksWithChanges: stackDiff.numStacksWithChanges,
+              numStacksWithSecurityChanges: securityDiff.numStacksWithChanges,
               permissionChanges: securityDiff.permissionChangeType,
               formattedDiff: {
                 diff: stackDiff.formattedDiff,
@@ -315515,6 +315687,7 @@ var init_toolkit = __esm({
           }
           await diffSpan.end(`\u2728 Number of stacks with differences: ${diffs}`, {
             numStacksWithChanges: diffs,
+            numStacksWithSecurityChanges: securityDiffs,
             diffs: templateDiffs
           });
           return templateDiffs;
@@ -315595,6 +315768,72 @@ var init_toolkit = __esm({
           _promise && await _promise;
         }
       }
+      /**
+       * Publish Assets Action
+       *
+       * Publishes assets for the selected stacks without deploying
+       */
+      async publishAssets(cx, options = {}) {
+        var _stack = [];
+        try {
+          this.requireUnstableFeature("publish-assets");
+          const ioHelper = asIoHelper(this.ioHost, "publish-assets");
+          const selectStacks = stacksOpt(options);
+          const assembly = __using(_stack, await synthAndMeasure(ioHelper, cx, selectStacks), true);
+          const stackCollection = await assembly.selectStacksV2(selectStacks);
+          await this.validateStacksMetadata(stackCollection, ioHelper);
+          if (stackCollection.stackCount === 0) {
+            await ioHelper.notify(IO.CDK_TOOLKIT_E5001.msg("No stacks selected"));
+            return {
+              publishedAssets: []
+            };
+          }
+          const deployments = await this.deploymentsForAction("publish-assets");
+          const stacks = stackCollection.stackArtifacts;
+          const stacksAndTheirAssetManifests = stacks.flatMap((stack) => [
+            stack,
+            ...stack.dependencies.filter((x6) => cxapi8.AssetManifestArtifact.isAssetManifestArtifact(x6))
+          ]);
+          const workGraph = new WorkGraphBuilder(
+            ioHelper,
+            true
+            // prebuild all assets
+          ).build(stacksAndTheirAssetManifests);
+          if (!options.force) {
+            await removePublishedAssetsFromWorkGraph(workGraph, deployments, options);
+          }
+          const assetNodes = Object.values(workGraph.nodes).filter((n6) => n6.type === "asset-publish");
+          if (assetNodes.length === 0) {
+            await ioHelper.notify(IO.CDK_TOOLKIT_I9400.msg(chalk23.green("\n\u2728  All assets are already published\n")));
+            return {
+              publishedAssets: []
+            };
+          }
+          const assets = assetNodes.map((n6) => n6.asset);
+          await ioHelper.notify(IO.CDK_TOOLKIT_I9401.msg("Publishing assets", { assets }));
+          const concurrency = options.concurrency ?? 4;
+          const graphConcurrency = {
+            "stack": 1,
+            "asset-build": concurrency,
+            "asset-publish": concurrency
+          };
+          await workGraph.doParallel(graphConcurrency, {
+            deployStack: /* @__PURE__ */ __name(async () => {
+            }, "deployStack"),
+            buildAsset: this.createBuildAssetFunction(ioHelper, deployments, void 0),
+            publishAsset: this.createPublishAssetFunction(ioHelper, deployments, void 0, options.force)
+          });
+          await ioHelper.notify(IO.CDK_TOOLKIT_I9402.msg(chalk23.green("\n\u2728  Assets published successfully\n"), { assets }));
+          return {
+            publishedAssets: assets
+          };
+        } catch (_2) {
+          var _error = _2, _hasError = true;
+        } finally {
+          var _promise = __callDispose(_stack, _error, _hasError);
+          _promise && await _promise;
+        }
+      }
       /**
        * List Action
        *
@@ -315664,34 +315903,6 @@ var init_toolkit = __esm({
         const stacks = stackCollection.stackArtifacts;
         const stackOutputs = {};
         const outputsFile = options.outputsFile;
-        const buildAsset = /* @__PURE__ */ __name(async (assetNode) => {
-          const buildAssetSpan = await ioHelper.span(SPAN.BUILD_ASSET).begin({
-            asset: assetNode.asset
-          });
-          await deployments.buildSingleAsset(
-            assetNode.assetManifestArtifact,
-            assetNode.assetManifest,
-            assetNode.asset,
-            {
-              stack: assetNode.parentStack,
-              roleArn: options.roleArn,
-              stackName: assetNode.parentStack.stackName
-            }
-          );
-          await buildAssetSpan.end();
-        }, "buildAsset");
-        const publishAsset = /* @__PURE__ */ __name(async (assetNode) => {
-          const publishAssetSpan = await ioHelper.span(SPAN.PUBLISH_ASSET).begin({
-            asset: assetNode.asset
-          });
-          await deployments.publishSingleAsset(assetNode.assetManifest, assetNode.asset, {
-            stack: assetNode.parentStack,
-            roleArn: options.roleArn,
-            stackName: assetNode.parentStack.stackName,
-            forcePublish: options.forceAssetPublishing
-          });
-          await publishAssetSpan.end();
-        }, "publishAsset");
         const deployStack2 = /* @__PURE__ */ __name(async (stackNode) => {
           const stack = stackNode.stack;
           if (stackCollection.stackCount !== 1) {
@@ -315897,8 +316108,8 @@ ${deployResult.stackArn}`));
         };
         await workGraph.doParallel(graphConcurrency, {
           deployStack: deployStack2,
-          buildAsset,
-          publishAsset
+          buildAsset: this.createBuildAssetFunction(ioHelper, deployments, options.roleArn),
+          publishAsset: this.createPublishAssetFunction(ioHelper, deployments, options.roleArn, options.forceAssetPublishing)
         });
         return ret;
       }
@@ -316379,12 +316590,48 @@ ${deployResult.stackArn}`));
           throw new ToolkitError("UnstableFeatureNotEnabled", `Unstable feature '${requestedFeature}' is not enabled. Please enable it under 'unstableFeatures'`);
         }
       }
+      /**
+       * Create a buildAsset function for use in WorkGraph
+       */
+      createBuildAssetFunction(ioHelper, deployments, roleArn) {
+        return async (assetNode) => {
+          const buildAssetSpan = await ioHelper.span(SPAN.BUILD_ASSET).begin({
+            asset: assetNode.asset
+          });
+          await deployments.buildSingleAsset(
+            assetNode.assetManifestArtifact,
+            assetNode.assetManifest,
+            assetNode.asset,
+            {
+              stack: assetNode.parentStack,
+              roleArn,
+              stackName: assetNode.parentStack.stackName
+            }
+          );
+          await buildAssetSpan.end();
+        };
+      }
+      /**
+       * Create a publishAsset function for use in WorkGraph
+       */
+      createPublishAssetFunction(ioHelper, deployments, roleArn, forcePublish) {
+        return async (assetNode) => {
+          const publishAssetSpan = await ioHelper.span(SPAN.PUBLISH_ASSET).begin({
+            asset: assetNode.asset
+          });
+          await deployments.publishSingleAsset(assetNode.assetManifest, assetNode.asset, {
+            stack: assetNode.parentStack,
+            roleArn,
+            stackName: assetNode.parentStack.stackName,
+            forcePublish
+          });
+          await publishAssetSpan.end();
+        };
+      }
     };
     __name(stacksOpt, "stacksOpt");
     __name(synthAndMeasure, "synthAndMeasure");
     __name(zeroTime, "zeroTime");
-    __name(countAssemblyResults, "countAssemblyResults");
-    __name(sum3, "sum");
   }
 });
 
@@ -316431,6 +316678,13 @@ var init_list2 = __esm({
   }
 });
 
+// ../toolkit-lib/lib/actions/publish-assets/index.ts
+var init_publish_assets2 = __esm({
+  "../toolkit-lib/lib/actions/publish-assets/index.ts"() {
+    "use strict";
+  }
+});
+
 // ../toolkit-lib/lib/actions/refactor/index.ts
 var init_refactor2 = __esm({
   "../toolkit-lib/lib/actions/refactor/index.ts"() {
@@ -316479,6 +316733,7 @@ var init_actions = __esm({
     init_diff();
     init_drift4();
     init_list2();
+    init_publish_assets2();
     init_refactor2();
     init_rollback2();
     init_synth2();

package/package.json

@@ -66,12 +66,12 @@
     "@aws-cdk/aws-service-spec": "^0.1.167",
     "@aws-cdk/cdk-assets-lib": "1.4.2",
     "@aws-cdk/cloud-assembly-api": "2.2.1",
-    "@aws-cdk/cloud-assembly-schema": ">=53.10.0",
-    "@aws-cdk/cloudformation-diff": "2.186.0",
+    "@aws-cdk/cloud-assembly-schema": ">=53.12.0",
+    "@aws-cdk/cloudformation-diff": "2.187.0",
     "@aws-cdk/cx-api": "^2",
-    "@aws-cdk/toolkit-lib": "1.20.0",
+    "@aws-cdk/toolkit-lib": "1.21.0",
     "@aws-sdk/client-cloudformation": "^3",
-    "aws-cdk": "2.1115.0",
+    "aws-cdk": "2.1116.0",
     "chalk": "^4",
     "chokidar": "^4",
     "fs-extra": "^9",
@@ -80,7 +80,7 @@
   },
   "dependencies": {
     "@aws-cdk/aws-service-spec": "0.1.167",
-    "aws-cdk": "2.1115.0"
+    "aws-cdk": "2.1116.0"
   },
   "keywords": [
     "aws",
@@ -95,7 +95,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "2.197.9",
+  "version": "2.197.11",
   "types": "lib/index.d.ts",
   "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"npx projen\"."
 }