fix(diff): properties from ChangeSet diff were ignored

packages/@aws-cdk/cloudformation-diff/lib/diff-template.ts

@@ -2,6 +2,7 @@
 // The SDK should not make network calls here
 import type { DescribeChangeSetOutput as DescribeChangeSet } from '@aws-sdk/client-cloudformation';
 import * as impl from './diff';
+import { TemplateAndChangeSetDiffMerger } from './diff/template-and-changeset-diff-merger';
 import * as types from './diff/types';
 import { deepEqual, diffKeyedEntities, unionOf } from './diff/util';
 
@@ -55,8 +56,14 @@ export function fullDiff(
   normalize(newTemplate);
   const theDiff = diffTemplate(currentTemplate, newTemplate);
   if (changeSet) {
-    filterFalsePositives(theDiff, changeSet);
-    addImportInformation(theDiff, changeSet);
+    const changeSetDiff = new TemplateAndChangeSetDiffMerger({
+      changeSet: changeSet,
+      currentTemplateResources: currentTemplate.Resources,
+    });
+    changeSetDiff.addChangeSetResourcesToDiff(theDiff.resources);
+    changeSetDiff.addImportInformation(theDiff.resources);
+    // TODO: now that you've added change set resources to diff, you shuold recreate the iamChanges so that the
+    // security diff is more accurate
   } else if (isImport) {
     makeAllResourceChangesImports(theDiff);
   }
@@ -143,13 +150,6 @@ function calculateTemplateDiff(currentTemplate: { [key: string]: any }, newTempl
   return new types.TemplateDiff(differences);
 }
 
-/**
- * Compare two CloudFormation resources and return semantic differences between them
- */
-export function diffResource(oldValue: types.Resource, newValue: types.Resource): types.ResourceDifference {
-  return impl.diffResource(oldValue, newValue);
-}
-
 /**
  * Replace all references to the given logicalID on the given template, in-place
  *
@@ -214,100 +214,12 @@ function deepCopy(x: any): any {
   return x;
 }
 
-function addImportInformation(diff: types.TemplateDiff, changeSet: DescribeChangeSetOutput) {
-  const imports = findResourceImports(changeSet);
-  diff.resources.forEachDifference((logicalId: string, change: types.ResourceDifference) => {
-    if (imports.includes(logicalId)) {
-      change.isImport = true;
-    }
-  });
-}
-
 function makeAllResourceChangesImports(diff: types.TemplateDiff) {
   diff.resources.forEachDifference((_logicalId: string, change: types.ResourceDifference) => {
     change.isImport = true;
   });
 }
 
-function filterFalsePositives(diff: types.TemplateDiff, changeSet: DescribeChangeSetOutput) {
-  const replacements = findResourceReplacements(changeSet);
-  diff.resources.forEachDifference((logicalId: string, change: types.ResourceDifference) => {
-    if (change.resourceType.includes('AWS::Serverless')) {
-      // CFN applies the SAM transform before creating the changeset, so the changeset contains no information about SAM resources
-      return;
-    }
-    change.forEachDifference((type: 'Property' | 'Other', name: string, value: types.Difference<any> | types.PropertyDifference<any>) => {
-      if (type === 'Property') {
-        if (!replacements[logicalId]) {
-          (value as types.PropertyDifference<any>).changeImpact = types.ResourceImpact.NO_CHANGE;
-          (value as types.PropertyDifference<any>).isDifferent = false;
-          return;
-        }
-        switch (replacements[logicalId].propertiesReplaced[name]) {
-          case 'Always':
-            (value as types.PropertyDifference<any>).changeImpact = types.ResourceImpact.WILL_REPLACE;
-            break;
-          case 'Never':
-            (value as types.PropertyDifference<any>).changeImpact = types.ResourceImpact.WILL_UPDATE;
-            break;
-          case 'Conditionally':
-            (value as types.PropertyDifference<any>).changeImpact = types.ResourceImpact.MAY_REPLACE;
-            break;
-          case undefined:
-            (value as types.PropertyDifference<any>).changeImpact = types.ResourceImpact.NO_CHANGE;
-            (value as types.PropertyDifference<any>).isDifferent = false;
-            break;
-          // otherwise, defer to the changeImpact from `diffTemplate`
-        }
-      } else if (type === 'Other') {
-        switch (name) {
-          case 'Metadata':
-            change.setOtherChange('Metadata', new types.Difference<string>(value.newValue, value.newValue));
-            break;
-        }
-      }
-    });
-  });
-}
-
-function findResourceImports(changeSet: DescribeChangeSetOutput): string[] {
-  const importedResourceLogicalIds = [];
-  for (const resourceChange of changeSet.Changes ?? []) {
-    if (resourceChange.ResourceChange?.Action === 'Import') {
-      importedResourceLogicalIds.push(resourceChange.ResourceChange.LogicalResourceId!);
-    }
-  }
-
-  return importedResourceLogicalIds;
-}
-
-function findResourceReplacements(changeSet: DescribeChangeSetOutput): types.ResourceReplacements {
-  const replacements: types.ResourceReplacements = {};
-  for (const resourceChange of changeSet.Changes ?? []) {
-    const propertiesReplaced: { [propName: string]: types.ChangeSetReplacement } = {};
-    for (const propertyChange of resourceChange.ResourceChange?.Details ?? []) {
-      if (propertyChange.Target?.Attribute === 'Properties') {
-        const requiresReplacement = propertyChange.Target.RequiresRecreation === 'Always';
-        if (requiresReplacement && propertyChange.Evaluation === 'Static') {
-          propertiesReplaced[propertyChange.Target.Name!] = 'Always';
-        } else if (requiresReplacement && propertyChange.Evaluation === 'Dynamic') {
-          // If Evaluation is 'Dynamic', then this may cause replacement, or it may not.
-          // see 'Replacement': https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_ResourceChange.html
-          propertiesReplaced[propertyChange.Target.Name!] = 'Conditionally';
-        } else {
-          propertiesReplaced[propertyChange.Target.Name!] = propertyChange.Target.RequiresRecreation as types.ChangeSetReplacement;
-        }
-      }
-    }
-    replacements[resourceChange.ResourceChange?.LogicalResourceId!] = {
-      resourceReplaced: resourceChange.ResourceChange?.Replacement === 'True',
-      propertiesReplaced,
-    };
-  }
-
-  return replacements;
-}
-
 function normalize(template: any) {
   if (typeof template === 'object') {
     for (const key of (Object.keys(template ?? {}))) {

packages/@aws-cdk/cloudformation-diff/lib/diff/template-and-changeset-diff-merger.ts

@@ -0,0 +1,191 @@
+// The SDK is only used to reference `DescribeChangeSetOutput`, so the SDK is added as a devDependency.
+// The SDK should not make network calls here
+import type { DescribeChangeSetOutput as DescribeChangeSet, ResourceChangeDetail } from '@aws-sdk/client-cloudformation';
+import { diffResource } from '.';
+import * as types from '../diff/types';
+
+export type DescribeChangeSetOutput = DescribeChangeSet;
+
+/**
+ * The purpose of this class is to include differences from the ChangeSet to differences in the TemplateDiff.
+ */
+export class TemplateAndChangeSetDiffMerger {
+  // If we somehow cannot find the resourceType, then we'll mark it as UNKNOWN, so that can be seen in the diff.
+  private UNKNOWN_RESOURCE_TYPE = 'UNKNOWN';
+
+  changeSet: DescribeChangeSetOutput;
+  currentTemplateResources: {[logicalId: string]: any};
+  changeSetResources: types.ChangeSetResources;
+
+  constructor(
+    args: {
+      changeSet: DescribeChangeSetOutput;
+      currentTemplateResources: {[logicalId: string]: any};
+    },
+  ) {
+    this.changeSet = args.changeSet;
+    this.currentTemplateResources = args.currentTemplateResources;
+    this.changeSetResources = this.inspectChangeSet(this.changeSet);
+  }
+
+  inspectChangeSet(changeSet: DescribeChangeSetOutput): types.ChangeSetResources {
+    const replacements: types.ChangeSetResources = {};
+    for (const resourceChange of changeSet.Changes ?? []) {
+      if (resourceChange.ResourceChange?.LogicalResourceId === undefined) {
+        continue;
+      }
+
+      const propertiesReplaced: types.ChangeSetProperties = {};
+      for (const propertyChange of resourceChange.ResourceChange.Details ?? []) {
+        if (propertyChange.Target?.Attribute === 'Properties' && propertyChange.Target.Name) {
+          propertiesReplaced[propertyChange.Target.Name] = {
+            changeSetReplacementMode: this.determineChangeSetReplacementMode(propertyChange),
+            beforeValue: propertyChange.Target.BeforeValue,
+            afterValue: propertyChange.Target.AfterValue,
+          };
+        }
+      }
+
+      replacements[resourceChange.ResourceChange.LogicalResourceId] = {
+        resourceWasReplaced: resourceChange.ResourceChange.Replacement === 'True',
+        resourceType: resourceChange.ResourceChange.ResourceType ?? this.UNKNOWN_RESOURCE_TYPE, // DescribeChanegSet doesn't promise to have the ResourceType...
+        properties: propertiesReplaced,
+      };
+    }
+
+    return replacements;
+  }
+
+  determineChangeSetReplacementMode(propertyChange: ResourceChangeDetail): types.ChangeSetReplacementMode {
+    if (propertyChange.Target!.RequiresRecreation === 'Always') {
+      switch (propertyChange.Evaluation) {
+        case 'Static':
+          return 'Always';
+        case 'Dynamic':
+          // If Evaluation is 'Dynamic', then this may cause replacement, or it may not.
+          // see 'Replacement': https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_ResourceChange.html
+          return 'Conditionally';
+      }
+    }
+
+    return propertyChange.Target!.RequiresRecreation as types.ChangeSetReplacementMode;
+  }
+
+  /**
+  * Finds resource differences that are only visible in the changeset diff from CloudFormation (that is, we can't find this difference in the diff between 2 templates)
+  * and adds those missing differences to the templateDiff.
+  *
+  * - One case when this can happen is when a resource is added to the stack through the changeset.
+  * - Another case is when a resource is changed because the resource is defined by an SSM parameter, and the value of that SSM parameter changes.
+  */
+  addChangeSetResourcesToDiff(resourceDiffs: types.DifferenceCollection<types.Resource, types.ResourceDifference>) {
+    for (const [logicalId, changeSetResource] of Object.entries(this.changeSetResources)) {
+      const resourceNotFoundInTemplateDiff = !(resourceDiffs.logicalIds.includes(logicalId));
+      if (resourceNotFoundInTemplateDiff) {
+        const resourceDiffFromChangeset = diffResource(
+          this.convertResourceFromChangesetToResourceForDiff(changeSetResource, 'OLD_VALUES'),
+          this.convertResourceFromChangesetToResourceForDiff(changeSetResource, 'NEW_VALUES'),
+        );
+        resourceDiffs.set(logicalId, resourceDiffFromChangeset);
+      }
+
+      const propertyChangesFromTemplate = resourceDiffs.get(logicalId).propertyUpdates;
+      for (const propertyName of Object.keys(this.changeSetResources[logicalId]?.properties ?? {})) {
+        if (propertyName in propertyChangesFromTemplate) {
+          // If the property is already marked to be updated, then we don't need to do anything.
+          continue;
+        }
+
+        // This property diff will be hydrated when enhanceChangeImpacts is called.
+        const emptyPropertyDiff = new types.PropertyDifference({}, {}, {});
+        emptyPropertyDiff.isDifferent = true;
+        resourceDiffs.get(logicalId).setPropertyChange(propertyName, emptyPropertyDiff);
+      }
+    }
+
+    this.enhanceChangeImpacts(resourceDiffs);
+  }
+
+  convertResourceFromChangesetToResourceForDiff(
+    resourceInfoFromChangeset: types.ChangeSetResource,
+    parseOldOrNewValues: 'OLD_VALUES' | 'NEW_VALUES',
+  ): types.Resource {
+    const props: { [logicalId: string]: string | undefined } = {};
+    if (parseOldOrNewValues === 'NEW_VALUES') {
+      for (const [propertyName, value] of Object.entries(resourceInfoFromChangeset.properties ?? {})) {
+        props[propertyName] = value.afterValue;
+      }
+    } else {
+      for (const [propertyName, value] of Object.entries(resourceInfoFromChangeset.properties ?? {})) {
+        props[propertyName] = value.beforeValue;
+      }
+    }
+
+    return {
+      Type: resourceInfoFromChangeset.resourceType ?? this.UNKNOWN_RESOURCE_TYPE,
+      Properties: props,
+    };
+  }
+
+  enhanceChangeImpacts(resourceDiffs: types.DifferenceCollection<types.Resource, types.ResourceDifference>) {
+    resourceDiffs.forEachDifference((logicalId: string, change: types.ResourceDifference) => {
+      if ((!change.resourceTypeChanged) && change.resourceType?.includes('AWS::Serverless')) {
+        // CFN applies the SAM transform before creating the changeset, so the changeset contains no information about SAM resources
+        return;
+      }
+      change.forEachDifference((type: 'Property' | 'Other', name: string, value: types.Difference<any> | types.PropertyDifference<any>) => {
+        if (type === 'Property') {
+          if (!this.changeSetResources[logicalId]) {
+            (value as types.PropertyDifference<any>).changeImpact = types.ResourceImpact.NO_CHANGE;
+            (value as types.PropertyDifference<any>).isDifferent = false;
+            return;
+          }
+
+          const changeSetReplacementMode = (this.changeSetResources[logicalId]?.properties ?? {})[name]?.changeSetReplacementMode;
+          switch (changeSetReplacementMode) {
+            case 'Always':
+              (value as types.PropertyDifference<any>).changeImpact = types.ResourceImpact.WILL_REPLACE;
+              break;
+            case 'Never':
+              (value as types.PropertyDifference<any>).changeImpact = types.ResourceImpact.WILL_UPDATE;
+              break;
+            case 'Conditionally':
+              (value as types.PropertyDifference<any>).changeImpact = types.ResourceImpact.MAY_REPLACE;
+              break;
+            case undefined:
+              (value as types.PropertyDifference<any>).changeImpact = types.ResourceImpact.NO_CHANGE;
+              (value as types.PropertyDifference<any>).isDifferent = false;
+              break;
+          // otherwise, defer to the changeImpact from `diffTemplate`
+          }
+        } else if (type === 'Other') {
+          switch (name) {
+            case 'Metadata':
+              change.setOtherChange('Metadata', new types.Difference<string>(value.newValue, value.newValue));
+              break;
+          }
+        }
+      });
+    });
+  }
+
+  addImportInformation(resourceDiffs: types.DifferenceCollection<types.Resource, types.ResourceDifference>) {
+    const imports = this.findResourceImports();
+    resourceDiffs.forEachDifference((logicalId: string, change: types.ResourceDifference) => {
+      if (imports.includes(logicalId)) {
+        change.isImport = true;
+      }
+    });
+  }
+
+  findResourceImports(): string[] {
+    const importedResourceLogicalIds = [];
+    for (const resourceChange of this.changeSet.Changes ?? []) {
+      if (resourceChange.ResourceChange?.Action === 'Import') {
+        importedResourceLogicalIds.push(resourceChange.ResourceChange.LogicalResourceId!);
+      }
+    }
+
+    return importedResourceLogicalIds;
+  }
+}

packages/@aws-cdk/cloudformation-diff/lib/diff/types.ts

@@ -6,14 +6,23 @@ import { SecurityGroupChanges } from '../network/security-group-changes';
 
 export type PropertyMap = {[key: string]: any };
 
-export type ResourceReplacements = { [logicalId: string]: ResourceReplacement };
+export type ChangeSetResources = { [logicalId: string]: ChangeSetResource };
 
-export interface ResourceReplacement {
-  resourceReplaced: boolean;
-  propertiesReplaced: { [propertyName: string]: ChangeSetReplacement };
+export interface ChangeSetResource {
+  resourceWasReplaced: boolean;
+  resourceType: string | undefined;
+  properties: ChangeSetProperties | undefined;
 }
 
-export type ChangeSetReplacement = 'Always' | 'Never' | 'Conditionally';
+export type ChangeSetProperties = {
+  [propertyName: string]: {
+    changeSetReplacementMode: ChangeSetReplacementMode | undefined;
+    beforeValue: string | undefined;
+    afterValue: string | undefined;
+  };
+}
+
+export type ChangeSetReplacementMode = 'Always' | 'Never' | 'Conditionally';
 
 /** Semantic differences between two CloudFormation templates. */
 export class TemplateDiff implements ITemplateDiff {
@@ -198,6 +207,10 @@ export class TemplateDiff implements ITemplateDiff {
           }
         }
       } else {
+        if (!resourceChange.resourceType) {
+          continue;
+        }
+
         const resourceModel = loadResourceModel(resourceChange.resourceType);
         if (resourceModel && this.resourceIsScrutinizable(resourceModel, scrutinyTypes)) {
           ret.push({
@@ -367,6 +380,10 @@ export class DifferenceCollection<V, T extends IDifference<V>> {
     delete this.diffs[logicalId];
   }
 
+  public set(logicalId: string, diff: T): void {
+    this.diffs[logicalId] = diff;
+  }
+
   public get logicalIds(): string[] {
     return Object.keys(this.changes);
   }
@@ -626,11 +643,11 @@ export class ResourceDifference implements IDifference<Resource> {
    *
    * If the resource type was changed, it's an error to call this.
    */
-  public get resourceType(): string {
+  public get resourceType(): string | undefined {
     if (this.resourceTypeChanged) {
       throw new Error('Cannot get .resourceType, because the type was changed');
     }
-    return this.resourceTypes.oldType || this.resourceTypes.newType!;
+    return this.resourceTypes.oldType || this.resourceTypes.newType;
   }
 
   /**