fix(cli): diff with changeset fails if deploy role cannot be assumed

[scanlonp]

Closes #29650

Description of changes

This addresses the issue in two ways:

1. If the describeStacks call errors out, we now catch it and default to classic diff behavior.
2. The describeStacks call now tries to use the lookup role rather than the deploy role.

Description of how you validated changes

Manual testing with a user that could only assume lookup roles.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[scanlonp]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[aws-cdk-automation]

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

[TheRealAmazonKendra]

We've already messed this up a few times so I'd like to see significantly more tests here.

[scanlonp]

@TheRealAmazonKendra, these tests should cover the cases for the stack exists call. I did not find a good way to test which permissions we grab for the stack exists call, but I did not find too much prior art around which role is assumed. Additionally, the new functionality in stackExists() is exclusive to the call made in our diff logic.

[scanlonp]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[comcalvi]

prepareSdkWithLookupOrDeployRole defaults to ForReading. If we can't assume the lookup role, it will fall back to the deploy role.

Don't use prepareSdkFor directly, use the wrappers like prepareSdkWithLookupRole or whichever one you want to use; those methods have names that make it clear which role is being assumed.

[comcalvi]

We should still try to fallback to the deploy role, in case somebody doesn't have permissions to the lookup role. Why don't we catch any errors we get when trying to assume the deploy role? If we can't assume it then we stop changeset creation.

Inside of prepareSdkFor, cachedSdkForEnvironment returns an object with didAssumeRole on it. didAssumeRole is not returned to the caller, but you could add it as a property to the returned object. Then you have a way of checking if the fallback was successful.

[comcalvi]

discussed off(on?)line, we can investigate this in a follow up next week

[comcalvi]

This option is confusing...if it's on, then try to assume the lookup role or the deploy role, but if it's off, we assume the lookup role only?

[comcalvi]

we can follow this one up in another PR

[comcalvi]

LGTM; let's test out removing the option and only using lookupOrDeployRole in a follow up PR

Addressed review comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 3559d44
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.