fix: prevent fullDiff mutation corrupting cdk import change set#1602
Open
saeekailas wants to merge 3 commits into
Open
fix: prevent fullDiff mutation corrupting cdk import change set#1602saeekailas wants to merge 3 commits into
saeekailas wants to merge 3 commits into
Conversation
Clone templates before normalization to prevent mutation of originals.
saeekailas
requested a deployment
to
integ-approval
GitHub Actions
Waiting
saeekailas
changed the title
saeekailas
requested a deployment
to
integ-approval
GitHub Actions
Waiting
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
cdk importwas failing with:You have modified resources [...] in your template that are not
being imported. Update, create or delete operations cannot be
executed during import operations.
This error was appearing even when the user had not modified any
resources. It affected any stack containing a resource with a
multi-element DependsOn array whose natural order is not alphabetical.
A CDK L2 lambda.Function reliably triggers this because CDK generates:
DependsOn: [ FnServiceRoleDefaultPolicy, FnServiceRole ]
which is not in alphabetical order. After the bug, the submitted
change set had them reversed, which CloudFormation treated as a
modification and rejected the import.
Root Cause
Two issues working together:
fullDiff() in diff-template.ts called normalize() directly on the
caller's template objects, sorting DependsOn arrays in-place.
This means fullDiff() was secretly mutating whatever object you
passed into it.
ResourceImporter in importer.ts cached the deployed template and
reused the exact same object for both:
So by the time the change set was submitted, DependsOn arrays were
reordered and CloudFormation saw that as a modification.
Fix
packages/@aws-cdk/cloudformation-diff/lib/diff-template.ts
Clone both templates before calling normalize() so fullDiff() is
completely side-effect free and never mutates the caller's objects.
packages/@aws-cdk/toolkit-lib/lib/api/resource-import/importer.ts
Deep clone the deployed template when storing it in _currentTemplate
so no downstream mutation can ever corrupt the cached value.
Also clone inside currentTemplateWithAdditions() before appending
new resources so the cache stays a clean mirror of the deployed state.
Testing
Added unit test that calls fullDiff() with a template containing
a multi-element DependsOn in non-alphabetical order and asserts
the original object is unchanged after the call.
Manually verified cdk import succeeds on a stack containing a
CDK L2 lambda.Function (the original reproduction case).
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
Related
Fixes #1575