feat(cdk): introduce the new cfn-changeset-review-role for the diff command

packages/@aws-cdk-testing/cli-integ/lib/with-cdk-app.ts

@@ -659,7 +659,9 @@ export async function installNpmPackages(fixture: TestFixture, packages: Record<
   }, undefined, 2), { encoding: 'utf-8' });
 
   // Now install that `package.json` using NPM7
-  await fixture.shell(['node', require.resolve('npm'), 'install']);
+  const isRepoMode = !!process.env.REPO_ROOT;
+  const npmPath = isRepoMode ? path.join(__dirname, 'package-sources/repo-tools/npm') : require.resolve('npm');
+  await fixture.shell(['node', npmPath, 'install']);
 }
 
 const ALREADY_BOOTSTRAPPED_IN_THIS_RUN = new Set();

packages/@aws-cdk-testing/cli-integ/resources/cdk-apps/app/app.js

@@ -721,6 +721,18 @@ class BuiltinLambdaStack extends cdk.Stack {
   }
 }
 
+class IamRolesStack extends cdk.Stack {
+  constructor(parent, id, props) {
+    super(parent, id, props);
+
+    for(let i = 1; i <= Number(process.env.NUMBER_OF_ROLES) ; i++) {
+      new iam.Role(this, `Role${i}`, {
+        assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+      });
+    }
+  }
+}
+
 class NotificationArnPropStack extends cdk.Stack {
   constructor(parent, id, props) {
     super(parent, id, props);
@@ -807,6 +819,8 @@ switch (stackSet) {
     new DockerStack(app, `${stackPrefix}-docker`);
     new DockerStackWithCustomFile(app, `${stackPrefix}-docker-with-custom-file`);
 
+    new IamRolesStack(app, `${stackPrefix}-iam-roles`);
+
     new NotificationArnPropStack(app, `${stackPrefix}-notification-arn-prop`, {
       notificationArns: [`arn:aws:sns:${defaultEnv.region}:${defaultEnv.account}:${stackPrefix}-test-topic-prop`],
     });

packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts

@@ -957,6 +957,26 @@ integTest(
   }),
 );
 
+integTest('cdk diff with a large template', withDefaultFixture(async (fixture) => {
+  // In this test, we confirm that the changeset role can upload assets to the bucket and create a changeset
+  await fixture.cdkDeploy('iam-roles', {
+    modEnv: {
+      NUMBER_OF_ROLES: '1',
+    },
+  });
+  const diff = await fixture.cdk(['diff', fixture.fullStackName('iam-roles')], {
+    modEnv: {
+      NUMBER_OF_ROLES: '200',
+    },
+  });
+  expect(diff).not.toContain('changeset role does not exist, hence was not assumed');
+  expect(diff).not.toContain('Could not create a change set');
+  expect(diff).not.toContain('deploy-role');
+  expect(diff).toContain('cfn-changeset-review-role');
+  expect(diff).toContain('success: Published');
+  expect(diff).toContain('Number of stacks with differences');
+}));
+
 integTest(
   'enableDiffNoFail',
   withDefaultFixture(async (fixture) => {

packages/@aws-cdk/app-staging-synthesizer-alpha/README.md

@@ -159,6 +159,7 @@ const app = new App({
       cloudFormationExecutionRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/Execute'),
       deploymentRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/Deploy'),
       lookupRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/Lookup'),
+      changesetRole: BootstrapRole.fromRoleArn('arn:aws:iam::123456789012:role/Changeset'),
     }),
   }),
 });
@@ -167,8 +168,8 @@ const app = new App({
 Or, you can ask to use the CLI credentials that exist at deploy-time.
 These credentials must have the ability to perform CloudFormation calls,
 lookup resources in your account, and perform CloudFormation deployment.
-For a full list of what is necessary, see `LookupRole`, `DeploymentActionRole`,
-and `CloudFormationExecutionRole` in the
+For a full list of what is necessary, see `LookupRole`, `DeploymentActionRole`, `CloudFormationExecutionRole`,
+and `CloudFormationChangeSetReviewRole` in the
 [bootstrap template](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml).
 
 ```ts

packages/@aws-cdk/app-staging-synthesizer-alpha/lib/app-staging-synthesizer.ts

@@ -118,6 +118,11 @@ export class AppStagingSynthesizer extends StackSynthesizer implements IReusable
    */
   public static readonly DEFAULT_LOOKUP_ROLE_ARN = 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-${Qualifier}-lookup-role-${AWS::AccountId}-${AWS::Region}';
 
+  /**
+   * Default changeset role ARN for missing values.
+   */
+  public static readonly DEFAULT_CHANGESET_ROLE_ARN = 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-${Qualifier}-cfn-changeset-review-role-${AWS::AccountId}-${AWS::Region}';
+
   /**
    * Use the Default Staging Resources, creating a single stack per environment this app is deployed in
    */
@@ -177,7 +182,8 @@ export class AppStagingSynthesizer extends StackSynthesizer implements IReusable
     this.roles = {
       deploymentRole: identities.deploymentRole ?? defaultIdentities.deploymentRole!,
       cloudFormationExecutionRole: identities.cloudFormationExecutionRole ?? defaultIdentities.cloudFormationExecutionRole!,
-      lookupRole: identities.lookupRole ?? identities.lookupRole!,
+      lookupRole: identities.lookupRole ?? defaultIdentities.lookupRole!,
+      changesetRole: identities.changesetRole ?? defaultIdentities.changesetRole!,
     };
   }
 
@@ -207,6 +213,7 @@ export class AppStagingSynthesizer extends StackSynthesizer implements IReusable
       deployRole,
       cloudFormationExecutionRole: this.roles.cloudFormationExecutionRole._specialize(spec),
       lookupRole: this.roles.lookupRole._specialize(spec),
+      changesetRole: this.roles.changesetRole._specialize(spec),
       qualifier,
     });
   }
@@ -292,6 +299,11 @@ interface BoundAppStagingSynthesizerProps {
    * Lookup Role
    */
   readonly lookupRole: BootstrapRole;
+
+  /**
+   * Changeset Role
+   */
+  readonly changesetRole: BootstrapRole;
 }
 
 class BoundAppStagingSynthesizer extends StackSynthesizer implements IBoundAppStagingSynthesizer {
@@ -323,12 +335,14 @@ class BoundAppStagingSynthesizer extends StackSynthesizer implements IBoundAppSt
     const assetManifestId = this.assetManifest.emitManifest(this.boundStack, session, {}, dependencies);
 
     const lookupRoleArn = this.props.lookupRole?._arnForCloudAssembly();
+    const changesetRoleArn = this.props.changesetRole?._arnForCloudAssembly();
 
     this.emitArtifact(session, {
       assumeRoleArn: this.props.deployRole?._arnForCloudAssembly(),
       additionalDependencies: [assetManifestId],
       stackTemplateAssetObjectUrl: templateAsset.s3ObjectUrlWithPlaceholders,
       cloudFormationExecutionRoleArn: this.props.cloudFormationExecutionRole?._arnForCloudAssembly(),
+      changesetRole: changesetRoleArn ? { arn: changesetRoleArn } : undefined,
       lookupRole: lookupRoleArn ? { arn: lookupRoleArn } : undefined,
     });
   }

packages/@aws-cdk/app-staging-synthesizer-alpha/lib/bootstrap-roles.ts

@@ -67,6 +67,7 @@ export class DeploymentIdentities {
       cloudFormationExecutionRole: BootstrapRole.cliCredentials(),
       deploymentRole: BootstrapRole.cliCredentials(),
       lookupRole: BootstrapRole.cliCredentials(),
+      changesetRole: BootstrapRole.cliCredentials(),
     });
   }
 
@@ -93,6 +94,7 @@ export class DeploymentIdentities {
       deploymentRole: BootstrapRole.fromRoleArn(replacePlaceholders(AppStagingSynthesizer.DEFAULT_DEPLOY_ROLE_ARN)),
       cloudFormationExecutionRole: BootstrapRole.fromRoleArn(replacePlaceholders(AppStagingSynthesizer.DEFAULT_CLOUDFORMATION_ROLE_ARN)),
       lookupRole: BootstrapRole.fromRoleArn(replacePlaceholders(AppStagingSynthesizer.DEFAULT_LOOKUP_ROLE_ARN)),
+      changesetRole: BootstrapRole.fromRoleArn(replacePlaceholders(AppStagingSynthesizer.DEFAULT_CHANGESET_ROLE_ARN)),
     });
   }
 
@@ -112,13 +114,20 @@ export class DeploymentIdentities {
    */
   public readonly lookupRole?: BootstrapRole;
 
+  /**
+   * Changeset Role
+    @default - use bootstrapped role
+   */
+  public readonly changesetRole?: BootstrapRole;
+
   private constructor(
     /** roles that are bootstrapped to your account. */
     roles: BootstrapRoles,
   ) {
     this.cloudFormationExecutionRole = roles.cloudFormationExecutionRole;
     this.deploymentRole = roles.deploymentRole;
     this.lookupRole = roles.lookupRole;
+    this.changesetRole = roles.changesetRole;
   }
 }
 
@@ -160,6 +169,13 @@ export interface BootstrapRoles {
    * @default - use bootstrapped role
    */
   readonly lookupRole?: BootstrapRole;
+
+  /**
+   * Changeset Role
+   *
+   * @default - use bootstrapped role
+   */
+  readonly changesetRole?: BootstrapRole;
 }
 
 /**

packages/@aws-cdk/app-staging-synthesizer-alpha/test/bootstrap-roles.test.ts

@@ -8,6 +8,7 @@ import { AppStagingSynthesizer, BootstrapRole, DeploymentIdentities } from '../l
 const CLOUDFORMATION_EXECUTION_ROLE = 'cloudformation-execution-role';
 const DEPLOY_ACTION_ROLE = 'deploy-action-role';
 const LOOKUP_ROLE = 'lookup-role';
+const CHANG_SET_ROLE = 'changeset-role';
 
 describe('Boostrap Roles', () => {
   test('default bootstrap role name is always under 64 characters', () => {
@@ -48,6 +49,7 @@ describe('Boostrap Roles', () => {
           cloudFormationExecutionRole: BootstrapRole.fromRoleArn(CLOUDFORMATION_EXECUTION_ROLE),
           lookupRole: BootstrapRole.fromRoleArn(LOOKUP_ROLE),
           deploymentRole: BootstrapRole.fromRoleArn(DEPLOY_ACTION_ROLE),
+          changesetRole: BootstrapRole.fromRoleArn(CHANG_SET_ROLE),
         }),
         stagingBucketEncryption: BucketEncryption.S3_MANAGED,
       }),
@@ -72,6 +74,7 @@ describe('Boostrap Roles', () => {
     expect(stackArtifact.cloudFormationExecutionRoleArn).toEqual(CLOUDFORMATION_EXECUTION_ROLE);
     expect(stackArtifact.lookupRole).toEqual({ arn: LOOKUP_ROLE });
     expect(stackArtifact.assumeRoleArn).toEqual(DEPLOY_ACTION_ROLE);
+    expect(stackArtifact.changesetRole).toEqual({ arn: CHANG_SET_ROLE });
   });
 
   test('can request other bootstrap region', () => {
@@ -93,6 +96,7 @@ describe('Boostrap Roles', () => {
     expect(stackArtifact.cloudFormationExecutionRoleArn).toEqual('arn:${AWS::Partition}:iam::000000000000:role/cdk-hnb659fds-cfn-exec-role-000000000000-us-west-2');
     expect(stackArtifact.lookupRole).toEqual({ arn: 'arn:${AWS::Partition}:iam::000000000000:role/cdk-hnb659fds-lookup-role-000000000000-us-west-2' });
     expect(stackArtifact.assumeRoleArn).toEqual('arn:${AWS::Partition}:iam::000000000000:role/cdk-hnb659fds-deploy-role-000000000000-us-west-2');
+    expect(stackArtifact.changesetRole).toEqual({ arn: 'arn:${AWS::Partition}:iam::000000000000:role/cdk-hnb659fds-cfn-changeset-review-role-000000000000-us-west-2' });
   });
 
   test('can request other qualifier', () => {
@@ -115,6 +119,7 @@ describe('Boostrap Roles', () => {
     expect(stackArtifact.cloudFormationExecutionRoleArn).toEqual('arn:${AWS::Partition}:iam::000000000000:role/cdk-Q-cfn-exec-role-000000000000-us-west-2');
     expect(stackArtifact.lookupRole).toEqual({ arn: 'arn:${AWS::Partition}:iam::000000000000:role/cdk-Q-lookup-role-000000000000-us-west-2' });
     expect(stackArtifact.assumeRoleArn).toEqual('arn:${AWS::Partition}:iam::000000000000:role/cdk-Q-deploy-role-000000000000-us-west-2');
+    expect(stackArtifact.changesetRole).toEqual({ arn: 'arn:${AWS::Partition}:iam::000000000000:role/cdk-Q-cfn-changeset-review-role-000000000000-us-west-2' });
   });
 
   test('can supply existing arn for bucket staging role', () => {
@@ -210,6 +215,7 @@ describe('Boostrap Roles', () => {
     expect(stackArtifact.cloudFormationExecutionRoleArn).toBeUndefined();
     expect(stackArtifact.lookupRole).toBeUndefined();
     expect(stackArtifact.assumeRoleArn).toBeUndefined();
+    expect(stackArtifact.changesetRole).toBeUndefined();
   });
 
   test('qualifier is resolved in the synthesizer', () => {

packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-resources.js.snapshot/synthesize-custom-roles.template.json

@@ -0,0 +1 @@
+{}