feat(toolkit-lib): deploy prompt prints security diff and returns template diff

packages/@aws-cdk/toolkit-lib/lib/payloads/deploy.ts

@@ -2,6 +2,7 @@ import type { CloudFormationStackArtifact } from '@aws-cdk/cx-api';
 import type { IManifestEntry } from 'cdk-assets';
 import type { PermissionChangeType } from './diff';
 import type { ConfirmationRequest } from './types';
+import { TemplateDiff } from '@aws-cdk/cloudformation-diff';
 
 // re-export so they are part of the public API
 export { DeployStackResult, SuccessfulDeployStackResult, NeedRollbackFirstDeployStackResult, ReplacementRequiresRollbackStackResult } from '../api/deployments/deployment-result';
@@ -32,6 +33,11 @@ export interface DeployConfirmationRequest extends ConfirmationRequest {
    * The type of change being made to the IAM permissions.
    */
   readonly permissionChangeType: PermissionChangeType;
+
+  /**
+   * The template diffs of the stack
+   */
+  readonly templateDiffs: { [name: string]: TemplateDiff };
 }
 
 export interface BuildAsset {

packages/@aws-cdk/toolkit-lib/lib/toolkit/toolkit.ts

@@ -512,13 +512,19 @@ export class Toolkit extends CloudAssemblySourceBuilder {
       });
 
       const securityDiff = formatter.formatSecurityDiff();
-      const permissionChangeType = securityDiff.permissionChangeType;
+
+      console.log('diffs', JSON.stringify(formatter.diffs));
+
+      // Send a request response with the formatted security diff as part of the message,
+      // and the template diff as data
+      // (IoHost decides whether to print depending on permissionChangeType)
       const deployMotivation = '"--require-approval" is enabled and stack includes security-sensitive updates.';
-      const deployQuestion = `${deployMotivation}\nDo you wish to deploy these changes`;
+      const deployQuestion = `${securityDiff.formattedDiff}\n\n${deployMotivation}\nDo you wish to deploy these changes`;
       const deployConfirmed = await ioHelper.requestResponse(IO.CDK_TOOLKIT_I5060.req(deployQuestion, {
         motivation: deployMotivation,
         concurrency,
-        permissionChangeType,
+        permissionChangeType: securityDiff.permissionChangeType,
+        templateDiffs: formatter.diffs,
       }));
       if (!deployConfirmed) {
         throw new ToolkitError('Aborted by user');

packages/@aws-cdk/toolkit-lib/test/actions/deploy.test.ts

@@ -61,6 +61,20 @@ describe('deploy', () => {
       data: expect.objectContaining({
         motivation: expect.stringContaining('stack includes security-sensitive updates.'),
         permissionChangeType: 'broadening',
+        templateDiffs: expect.objectContaining({
+          Stack1: expect.objectContaining({
+            resources: expect.objectContaining({
+              diffs: expect.objectContaining({
+                Role1ABCC5F0: expect.objectContaining({
+                  newValue: expect.objectContaining({
+                    Type: 'AWS::IAM::Role',
+                    Properties: expect.anything(),
+                  }),
+                }),
+              }),
+            }),
+          }),
+        }),
       }),
     }));
   });