aws · kaizencc · May 6, 2025 · Apr 30, 2025 · May 1, 2025 · May 1, 2025
diff --git a/packages/@aws-cdk/toolkit-lib/lib/payloads/deploy.ts b/packages/@aws-cdk/toolkit-lib/lib/payloads/deploy.ts
@@ -1,3 +1,4 @@
+import type { TemplateDiff } from '@aws-cdk/cloudformation-diff';
 import type { CloudFormationStackArtifact } from '@aws-cdk/cx-api';
 import type { IManifestEntry } from 'cdk-assets';
 import type { PermissionChangeType } from './diff';
@@ -32,6 +33,11 @@ export interface DeployConfirmationRequest extends ConfirmationRequest {
    * The type of change being made to the IAM permissions.
    */
   readonly permissionChangeType: PermissionChangeType;
+
+  /**
+   * The template diffs of the stack
+   */
+  readonly templateDiffs: { [name: string]: TemplateDiff };
 }
 
 export interface BuildAsset {

diff --git a/packages/@aws-cdk/toolkit-lib/lib/toolkit/toolkit.ts b/packages/@aws-cdk/toolkit-lib/lib/toolkit/toolkit.ts
@@ -514,13 +514,17 @@ export class Toolkit extends CloudAssemblySourceBuilder {
       });
 
       const securityDiff = formatter.formatSecurityDiff();
-      const permissionChangeType = securityDiff.permissionChangeType;
+
+      // Send a request response with the formatted security diff as part of the message,
+      // and the template diff as data
+      // (IoHost decides whether to print depending on permissionChangeType)
       const deployMotivation = '"--require-approval" is enabled and stack includes security-sensitive updates.';
-      const deployQuestion = `${deployMotivation}\nDo you wish to deploy these changes`;
+      const deployQuestion = `${securityDiff.formattedDiff}\n\n${deployMotivation}\nDo you wish to deploy these changes`;
       const deployConfirmed = await ioHelper.requestResponse(IO.CDK_TOOLKIT_I5060.req(deployQuestion, {
         motivation: deployMotivation,
         concurrency,
-        permissionChangeType,
+        permissionChangeType: securityDiff.permissionChangeType,
+        templateDiffs: formatter.diffs,
       }));
       if (!deployConfirmed) {
         throw new ToolkitError('Aborted by user');

diff --git a/packages/@aws-cdk/toolkit-lib/test/actions/deploy.test.ts b/packages/@aws-cdk/toolkit-lib/test/actions/deploy.test.ts
@@ -63,6 +63,20 @@ describe('deploy', () => {
       data: expect.objectContaining({
         motivation: expect.stringContaining('stack includes security-sensitive updates.'),
         permissionChangeType: 'broadening',
+        templateDiffs: expect.objectContaining({
+          Stack1: expect.objectContaining({
+            resources: expect.objectContaining({
+              diffs: expect.objectContaining({
+                Role1ABCC5F0: expect.objectContaining({
+                  newValue: expect.objectContaining({
+                    Type: 'AWS::IAM::Role',
+                    Properties: expect.anything(),
+                  }),
+                }),
+              }),
+            }),
+          }),
+        }),
       }),
     }));
   });