feat(toolkit-lib): deploy prompt prints security diff and returns template diff (#437)

closes aws/aws-cdk#33435

Does the following:

- sends the formatted security diff in the request response
- returns the full diff to in the request response

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

---------

Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: github-actions <github-actions@github.com>

Author: kaizencc

packages/@aws-cdk/toolkit-lib/lib/payloads/deploy.ts

@@ -1,3 +1,4 @@
+import type { TemplateDiff } from '@aws-cdk/cloudformation-diff';
 import type { CloudFormationStackArtifact } from '@aws-cdk/cx-api';
 import type { IManifestEntry } from 'cdk-assets';
 import type { PermissionChangeType } from './diff';
@@ -32,6 +33,11 @@ export interface DeployConfirmationRequest extends ConfirmationRequest {
    * The type of change being made to the IAM permissions.
    */
   readonly permissionChangeType: PermissionChangeType;
+
+  /**
+   * The template diffs of the stack
+   */
+  readonly templateDiffs: { [name: string]: TemplateDiff };
 }
 
 export interface BuildAsset {

packages/@aws-cdk/toolkit-lib/lib/toolkit/toolkit.ts

@@ -514,13 +514,17 @@ export class Toolkit extends CloudAssemblySourceBuilder {
       });
 
       const securityDiff = formatter.formatSecurityDiff();
-      const permissionChangeType = securityDiff.permissionChangeType;
+
+      // Send a request response with the formatted security diff as part of the message,
+      // and the template diff as data
+      // (IoHost decides whether to print depending on permissionChangeType)
       const deployMotivation = '"--require-approval" is enabled and stack includes security-sensitive updates.';
-      const deployQuestion = `${deployMotivation}\nDo you wish to deploy these changes`;
+      const deployQuestion = `${securityDiff.formattedDiff}\n\n${deployMotivation}\nDo you wish to deploy these changes`;
       const deployConfirmed = await ioHelper.requestResponse(IO.CDK_TOOLKIT_I5060.req(deployQuestion, {
         motivation: deployMotivation,
         concurrency,
-        permissionChangeType,
+        permissionChangeType: securityDiff.permissionChangeType,
+        templateDiffs: formatter.diffs,
       }));
       if (!deployConfirmed) {
         throw new ToolkitError('Aborted by user');

packages/@aws-cdk/toolkit-lib/test/actions/deploy.test.ts

@@ -55,6 +55,18 @@ describe('deploy', () => {
     await toolkit.deploy(cx);
 
     // THEN
+    const request = ioHost.requestSpy.mock.calls[0][0].message.replace(/\x1B\[[0-?]*[ -/]*[@-~]/g, '');
+
+    // Message includes formatted security diff
+    expect(request).toContain(`Stack Stack1
+IAM Statement Changes
+┌───┬─────────────┬────────┬────────────────┬───────────┬───────────┐
+│   │ Resource    │ Effect │ Action         │ Principal │ Condition │
+├───┼─────────────┼────────┼────────────────┼───────────┼───────────┤
+│ + │ $\{Role.Arn\} │ Allow  │ sts:AssumeRole │ AWS:arn   │           │
+└───┴─────────────┴────────┴────────────────┴───────────┴───────────┘
+`);
+    // Request response returns template diff
     expect(ioHost.requestSpy).toHaveBeenCalledWith(expect.objectContaining({
       action: 'deploy',
       level: 'info',
@@ -63,6 +75,20 @@ describe('deploy', () => {
       data: expect.objectContaining({
         motivation: expect.stringContaining('stack includes security-sensitive updates.'),
         permissionChangeType: 'broadening',
+        templateDiffs: expect.objectContaining({
+          Stack1: expect.objectContaining({
+            resources: expect.objectContaining({
+              diffs: expect.objectContaining({
+                Role1ABCC5F0: expect.objectContaining({
+                  newValue: expect.objectContaining({
+                    Type: 'AWS::IAM::Role',
+                    Properties: expect.anything(),
+                  }),
+                }),
+              }),
+            }),
+          }),
+        }),
       }),
     }));
   });