Warning in case the events cannot be fetched

Author: otaviomacedo

packages/@aws-cdk/toolkit-lib/lib/api/aws-auth/sdk.ts

@@ -100,9 +100,14 @@ import type {
   DescribeStackResourceDriftsCommandInput,
   ExecuteStackRefactorCommandInput,
   DescribeStackRefactorCommandInput,
-  CreateStackRefactorCommandOutput, ExecuteStackRefactorCommandOutput, DescribeEventsCommandOutput, DescribeEventsCommandInput,
+  CreateStackRefactorCommandOutput,
+  ExecuteStackRefactorCommandOutput,
+  DescribeEventsCommandOutput,
+  DescribeEventsCommandInput,
 } from '@aws-sdk/client-cloudformation';
 import {
+  paginateDescribeEvents,
+
   paginateListStacks,
   CloudFormationClient,
   ContinueUpdateRollbackCommand,
@@ -142,6 +147,7 @@ import {
   waitUntilStackRefactorCreateComplete,
   waitUntilStackRefactorExecuteComplete,
 } from '@aws-sdk/client-cloudformation';
+import type { OperationEvent } from '@aws-sdk/client-cloudformation/dist-types/models/models_0';
 import type {
   FilterLogEventsCommandInput,
   FilterLogEventsCommandOutput,
@@ -470,6 +476,7 @@ export interface ICloudFormationClient {
   describeStackEvents(input: DescribeStackEventsCommandInput): Promise<DescribeStackEventsCommandOutput>;
   listStackResources(input: ListStackResourcesCommandInput): Promise<StackResourceSummary[]>;
   paginatedListStacks(input: ListStacksCommandInput): Promise<StackSummary[]>;
+  paginatedDescribeEvents(input: DescribeEventsCommandInput): Promise<OperationEvent[]>;
   createStackRefactor(input: CreateStackRefactorCommandInput): Promise<CreateStackRefactorCommandOutput>;
   executeStackRefactor(input: ExecuteStackRefactorCommandInput): Promise<ExecuteStackRefactorCommandOutput>;
   waitUntilStackRefactorCreateComplete(input: DescribeStackRefactorCommandInput): Promise<WaiterResult>;
@@ -779,6 +786,14 @@ export class SDK {
         }
         return stackResources;
       },
+      paginatedDescribeEvents: async (input: DescribeEventsCommandInput): Promise<OperationEvent[]> => {
+        const stackResources = Array<OperationEvent>();
+        const paginator = paginateDescribeEvents({ client }, input);
+        for await (const page of paginator) {
+          stackResources.push(...(page.OperationEvents || []));
+        }
+        return stackResources;
+      },
       createStackRefactor: (input: CreateStackRefactorCommandInput): Promise<CreateStackRefactorCommandOutput> => {
         return client.send(new CreateStackRefactorCommand(input));
       },

packages/@aws-cdk/toolkit-lib/lib/api/deployments/cfn-api.ts

@@ -22,7 +22,7 @@ import type { IoHelper } from '../io/private';
 import type { ResourcesToImport } from '../resource-import';
 
 export interface ValidationReporter {
-  check(description: DescribeChangeSetCommandOutput, changeSetName: string, stackName: string): Promise<void>;
+  report(changeSetName: string, stackName: string): Promise<void>;
 }
 
 /**
@@ -125,12 +125,17 @@ export async function waitForChangeSet(
       return description;
     }
 
-    await validationReporter?.check(description, changeSetName, stackName);
-
-    // eslint-disable-next-line @stylistic/max-len
-    throw new ToolkitError(
-      `Failed to create ChangeSet ${changeSetName} on ${stackName}: ${description.Status || 'NO_STATUS'}, ${description.StatusReason || 'no reason provided'}`,
-    );
+    if (description.Status === ChangeSetStatus.FAILED && description.StatusReason?.includes('AWS::EarlyValidation')) {
+      await validationReporter?.report(changeSetName, stackName);
+      return description;
+    } else {
+      // eslint-disable-next-line @stylistic/max-len
+      throw new ToolkitError(
+        `Failed to create ChangeSet ${changeSetName} on ${stackName}: ${description.Status || 'NO_STATUS'}, ${
+          description.StatusReason || 'no reason provided'
+        }`,
+      );
+    }
   });
 
   if (!ret) {

packages/@aws-cdk/toolkit-lib/lib/api/deployments/deploy-stack.ts

@@ -32,7 +32,7 @@ import { formatErrorMessage } from '../../util';
 import type { SDK, SdkProvider, ICloudFormationClient } from '../aws-auth/private';
 import type { TemplateBodyParameter } from '../cloudformation';
 import { makeBodyParameter, CfnEvaluationException, CloudFormationStack } from '../cloudformation';
-import { EnvironmentResources, EnvironmentResourcesRegistry, StringWithoutPlaceholders } from '../environment';
+import type { EnvironmentResources, StringWithoutPlaceholders } from '../environment';
 import { HotswapPropertyOverrides, HotswapMode, ICON, createHotswapPropertyOverrides } from '../hotswap/common';
 import { tryHotswapDeployment } from '../hotswap/hotswap-deployments';
 import type { IoHelper } from '../io/private';
@@ -512,9 +512,7 @@ class FullCloudFormationDeployment {
 
     await this.ioHelper.defaults.debug(format('Initiated creation of changeset: %s; waiting for it to finish creating...', changeSet.Id));
     // Fetching all pages if we'll execute, so we can have the correct change count when monitoring.
-    const environmentResources = new EnvironmentResourcesRegistry()
-      .for(this.options.resolvedEnvironment, this.options.sdk, this.ioHelper);
-    const validationReporter = new EarlyValidationReporter(this.options.sdk, environmentResources);
+    const validationReporter = new EarlyValidationReporter(this.options.sdk, this.ioHelper);
     return waitForChangeSet(this.cfn, this.ioHelper, this.stackName, changeSetName, {
       fetchAll: willExecute,
       validationReporter,

packages/@aws-cdk/toolkit-lib/lib/api/deployments/early-validation.ts

@@ -1,37 +1,34 @@
-import type { DescribeChangeSetCommandOutput } from '@aws-sdk/client-cloudformation';
-import { ChangeSetStatus, ValidationStatus } from '@aws-sdk/client-cloudformation';
+import type { OperationEvent } from '@aws-sdk/client-cloudformation';
 import type { ValidationReporter } from './cfn-api';
 import { ToolkitError } from '../../toolkit/toolkit-error';
 import type { SDK } from '../aws-auth/sdk';
-import type { EnvironmentResources } from '../environment/index';
+import type { IoHelper } from '../io/private';
 
 /**
- * Reports early validation failures from CloudFormation ChangeSets. To determine what the actual error is
- * it needs to call the `DescribeEvents` API, and therefore the deployment role in the bootstrap bucket
- * must have permissions to call that API. This permission was introduced in version 30 of the bootstrap template.
- * If the bootstrap stack is older than that, a special error message is thrown to instruct the user to
- * re-bootstrap.
+ * A ValidationReporter that checks for early validation errors right after
+ * creating the change set. If any are found, it throws an error listing all validation failures.
+ * If the DescribeEvents API call fails (for example, due to insufficient permissions),
+ * it logs a warning instead.
  */
 export class EarlyValidationReporter implements ValidationReporter {
-  constructor(private readonly sdk: SDK, private readonly environmentResources: EnvironmentResources) {
+  constructor(private readonly sdk: SDK, private readonly ioHelper: IoHelper) {
   }
 
-  /**
-   * Checks whether the ChangeSet failed early validation, and if so, throw an error. Otherwise, do nothing.
-   * @param description - the ChangeSet description, resulting from the call to CloudFormation's DescribeChangeSet API
-   * @param changeSetName - the name of the ChangeSet
-   * @param stackName - the name of the stack
-   */
-  public async check(description: DescribeChangeSetCommandOutput, changeSetName: string, stackName: string) {
-    if (description.Status === ChangeSetStatus.FAILED && description.StatusReason?.includes('AWS::EarlyValidation')) {
-      await this.checkBootstrapVersion();
-      const eventsOutput = await this.sdk.cloudFormation().describeEvents({
-        ChangeSetName: changeSetName,
-        StackName: stackName,
-      });
+  public async report(changeSetName: string, stackName: string) {
+    let operationEvents: OperationEvent[] = [];
+    try {
+      operationEvents = await this.getFailedEvents(stackName, changeSetName);
+    } catch (error) {
+      const message =
+        'While creating the change set, CloudFormation detected errors in the generated templates,' +
+        ' but the deployment role does not have permissions to call the DescribeEvents API to retrieve details about these errors.\n' +
+        'To see more details, re-bootstrap your environment, or otherwise ensure that the deployment role has permissions to call the DescribeEvents API.';
+
+      await this.ioHelper.defaults.warn(message);
+    }
 
-      const failures = (eventsOutput.OperationEvents ?? [])
-        .filter((event) => event.ValidationStatus === ValidationStatus.FAILED)
+    if (operationEvents.length > 0) {
+      const failures = operationEvents
         .map((event) => `  - ${event.ValidationStatusReason} (at ${event.ValidationPath})`)
         .join('\n');
 
@@ -40,21 +37,13 @@ export class EarlyValidationReporter implements ValidationReporter {
     }
   }
 
-  private async checkBootstrapVersion() {
-    const environment = this.environmentResources.environment;
-    let bootstrapVersion: number | undefined = undefined;
-    try {
-      // Try to get the bootstrap version
-      bootstrapVersion = (await this.environmentResources.lookupToolkit()).version;
-    } catch (e) {
-      // But if we can't, keep going. Maybe we can still succeed.
-    }
-    if (bootstrapVersion != null && bootstrapVersion < 30) {
-      const env = `aws://${environment.account}/${environment.region}`;
-      throw new ToolkitError(
-        'While creating the change set, CloudFormation detected errors in the generated templates.\n' +
-          `To see details about these errors, re-bootstrap your environment with 'cdk bootstrap ${env}', and run 'cdk deploy' again.`,
-      );
-    }
+  private async getFailedEvents(stackName: string, changeSetName: string) {
+    return this.sdk.cloudFormation().paginatedDescribeEvents({
+      StackName: stackName,
+      ChangeSetName: changeSetName,
+      Filters: {
+        FailedEvents: true,
+      },
+    });
   }
 }

packages/@aws-cdk/toolkit-lib/test/api/deployments/deploy-stack.test.ts

@@ -35,6 +35,7 @@ import { TestIoHost } from '../../_helpers/test-io-host';
 
 let ioHost = new TestIoHost();
 let ioHelper = ioHost.asHelper('deploy');
+let ioHelperWarn: jest.SpyInstance<Promise<void>, [input: string, ...args: unknown[]], any>;
 
 function testDeployStack(options: DeployStackApiOptions) {
   return deployStack(options, ioHelper);
@@ -112,6 +113,7 @@ beforeEach(() => {
   mockCloudFormationClient.on(UpdateTerminationProtectionCommand).resolves({
     StackId: 'stack-id',
   });
+  ioHelperWarn = jest.spyOn(ioHelper.defaults, 'warn');
 });
 
 function standardDeployStackArguments(): DeployStackApiOptions {
@@ -784,8 +786,27 @@ test('deployStack throws error in case of early validation failures', async () =
     testDeployStack({
       ...standardDeployStackArguments(),
     }),
-  ).rejects.toThrow(`While creating the change set, CloudFormation detected errors in the generated templates.
-To see details about these errors, re-bootstrap your environment with 'cdk bootstrap aws://123456789/bermuda-triangle-1337', and run 'cdk deploy' again.`);
+  ).rejects.toThrow(`ChangeSet 'cdk-deploy-change-set' on stack 'withouterrors' failed early validation:
+  - Resource already exists (at Resources/MyResource)`);
+});
+
+test('deployStack warns when it cannot get the events in case of early validation errors', async () => {
+  mockCloudFormationClient.on(DescribeChangeSetCommand).resolvesOnce({
+    Status: ChangeSetStatus.FAILED,
+    StatusReason: '(AWS::EarlyValidation::SomeError). Blah blah blah.',
+  });
+
+  mockCloudFormationClient.on(DescribeEventsCommand).rejectsOnce({
+    message: 'AccessDenied',
+  });
+
+  await testDeployStack({
+    ...standardDeployStackArguments(),
+  });
+
+  expect(ioHelperWarn).toHaveBeenCalledWith(
+    expect.stringContaining('does not have permissions to call the DescribeEvents API'),
+  );
 });
 
 test('deploy not skipped if template did not change but one tag removed', async () => {

packages/@aws-cdk/toolkit-lib/test/api/deployments/early-validation.test.ts

@@ -1,87 +1,46 @@
-import { ChangeSetStatus } from '@aws-sdk/client-cloudformation';
 import { EarlyValidationReporter } from '../../../lib/api/deployments/early-validation';
 
-describe('EarlyValidationReporter', () => {
-  let mockSdk: any;
-  let mockEnvironmentResources: any;
-  let reporter: EarlyValidationReporter;
-
-  beforeEach(() => {
-    mockSdk = {
-      cloudFormation: jest.fn().mockReturnValue({
-        describeEvents: jest.fn(),
-      }),
-    };
-    mockEnvironmentResources = {
-      environment: { account: '123456789012', region: 'us-east-1' },
-      lookupToolkit: jest.fn(),
-    };
-    reporter = new EarlyValidationReporter(mockSdk, mockEnvironmentResources);
-  });
-
-  it('does not throw when ChangeSet status is FAILED but reason is not AWS::EarlyValidation', async () => {
-    const description = {
-      $metadata: {},
-      Status: ChangeSetStatus.FAILED,
-      StatusReason: 'Some other reason',
-    };
-    const changeSetName = 'test-change-set';
-    const stackName = 'test-stack';
-
-    await expect(reporter.check(description, changeSetName, stackName)).resolves.not.toThrow();
-  });
-
-  it('does not throw when ChangeSet status is undefined', async () => {
-    const description = {
-      $metadata: {},
-      Status: undefined,
-      StatusReason: undefined,
-    };
-    const changeSetName = 'test-change-set';
-    const stackName = 'test-stack';
-
-    await expect(reporter.check(description, changeSetName, stackName)).resolves.not.toThrow();
-  });
-
-  it('throws when ChangeSet status is FAILED due to AWS::EarlyValidation', async () => {
-    const description = {
-      $metadata: {},
-      Status: ChangeSetStatus.FAILED,
-      StatusReason: 'The following resource(s) failed to create: [MyResource] (AWS::EarlyValidation).',
-    };
-    const changeSetName = 'test-change-set';
-    const stackName = 'test-stack';
-
-    mockSdk.cloudFormation().describeEvents.mockResolvedValue({
-      OperationEvents: [
-        {
-          ValidationStatus: 'FAILED',
-          ValidationStatusReason: 'Resource already exists',
-          ValidationPath: 'Resources/MyResource',
-        },
-      ],
-    });
+it('throws an error when there are failed validation events', async () => {
+  const sdkMock = {
+    cloudFormation: jest.fn().mockReturnValue({
+      paginatedDescribeEvents: jest.fn().mockResolvedValue([
+        { ValidationStatusReason: 'Resource already exists', ValidationPath: 'Resources/MyResource' },
+      ]),
+    }),
+  };
+  const ioHelperMock = { defaults: { warn: jest.fn() } };
+  const reporter = new EarlyValidationReporter(sdkMock as any, ioHelperMock as any);
+
+  await expect(reporter.report('test-change-set', 'test-stack')).rejects.toThrow(
+    "ChangeSet 'test-change-set' on stack 'test-stack' failed early validation:\n  - Resource already exists (at Resources/MyResource)"
+  );
+});
 
-    await expect(reporter.check(description, changeSetName, stackName)).rejects.toThrow(
-      `ChangeSet 'test-change-set' on stack 'test-stack' failed early validation:
-  - Resource already exists (at Resources/MyResource)`,
-    );
-  });
+it('does not throw when there are no failed validation events', async () => {
+  const sdkMock = {
+    cloudFormation: jest.fn().mockReturnValue({
+      paginatedDescribeEvents: jest.fn().mockResolvedValue([]),
+    }),
+  };
+  const ioHelperMock = { defaults: { warn: jest.fn() } };
+  const reporter = new EarlyValidationReporter(sdkMock as any, ioHelperMock as any);
+
+  await expect(reporter.report('test-change-set', 'test-stack')).resolves.not.toThrow();
+  expect(ioHelperMock.defaults.warn).not.toHaveBeenCalled();
+});
 
-  it('throws with bootstrap version less than 30', async () => {
-    const description = {
-      $metadata: {},
-      Status: ChangeSetStatus.FAILED,
-      StatusReason: 'The following resource(s) failed to create: [MyResource] (AWS::EarlyValidation).',
-    };
-    const changeSetName = 'test-change-set';
-    const stackName = 'test-stack';
+it('logs a warning when DescribeEvents API call fails', async () => {
+  const sdkMock = {
+    cloudFormation: jest.fn().mockReturnValue({
+      paginatedDescribeEvents: jest.fn().mockRejectedValue(new Error('AccessDenied')),
+    }),
+  };
+  const ioHelperMock = { defaults: { warn: jest.fn() } };
+  const reporter = new EarlyValidationReporter(sdkMock as any, ioHelperMock as any);
 
-    mockEnvironmentResources.lookupToolkit.mockResolvedValue({ version: 29 });
+  await reporter.report('test-change-set', 'test-stack');
 
-    await expect(reporter.check(description, changeSetName, stackName)).rejects.toThrow(
-      `While creating the change set, CloudFormation detected errors in the generated templates.
-To see details about these errors, re-bootstrap your environment with 'cdk bootstrap aws://123456789012/us-east-1', and run 'cdk deploy' again.`,
-    );
-  });
+  expect(ioHelperMock.defaults.warn).toHaveBeenCalledWith(
+    expect.stringContaining('While creating the change set, CloudFormation detected errors in the generated templates')
+  );
 });