feat(cli): Hotswapping Support for S3 Bucket Deployments

packages/aws-cdk/README.md

@@ -364,6 +364,7 @@ Hotswapping is currently supported for the following changes
 - Code asset changes of AWS Lambda functions.
 - Definition changes of AWS Step Functions State Machines.
 - Container asset changes of AWS ECS Services.
+- Website asset changes of AWS S3 Bucket Deployments
 
 **⚠ Note #1**: This command deliberately introduces drift in CloudFormation stacks in order to speed up deployments.
 For this reason, only use it for development purposes.

packages/aws-cdk/lib/api/hotswap-deployments.ts

@@ -7,6 +7,7 @@ import { ChangeHotswapImpact, ChangeHotswapResult, HotswapOperation, ListStackRe
 import { isHotswappableEcsServiceChange } from './hotswap/ecs-services';
 import { EvaluateCloudFormationTemplate } from './hotswap/evaluate-cloudformation-template';
 import { isHotswappableLambdaFunctionChange } from './hotswap/lambda-functions';
+import { isHotswappableS3BucketDeploymentChange } from './hotswap/s3-bucket-deployments';
 import { isHotswappableStateMachineChange } from './hotswap/stepfunctions-state-machines';
 import { CloudFormationStack } from './util/cloudformation';
 
@@ -73,6 +74,7 @@ async function findAllHotswappableChanges(
         isHotswappableLambdaFunctionChange(logicalId, resourceHotswapEvaluation, evaluateCfnTemplate),
         isHotswappableStateMachineChange(logicalId, resourceHotswapEvaluation, evaluateCfnTemplate),
         isHotswappableEcsServiceChange(logicalId, resourceHotswapEvaluation, evaluateCfnTemplate),
+        isHotswappableS3BucketDeploymentChange(logicalId, resourceHotswapEvaluation, evaluateCfnTemplate),
       ]);
     }
   });

packages/aws-cdk/lib/api/hotswap/evaluate-cloudformation-template.ts

@@ -50,6 +50,11 @@ export class EvaluateCloudFormationTemplate {
     return stackResources.find(sr => sr.LogicalResourceId === logicalId)?.PhysicalResourceId;
   }
 
+  public async findLogicallNameFor(physicalId: string): Promise<string | undefined> {
+    const stackResources = await this.stackResources.listStackResources();
+    return stackResources.find(sr => sr.PhysicalResourceId === physicalId)?.LogicalResourceId;
+  }
+
   public findReferencesTo(logicalId: string): Array<ResourceDefinition> {
     const ret = new Array<ResourceDefinition>();
     for (const [resourceLogicalId, resourceDef] of Object.entries(this.template?.Resources ?? {})) {

packages/aws-cdk/lib/api/hotswap/lambda-functions.ts

@@ -3,8 +3,8 @@ import { assetMetadataChanged, ChangeHotswapImpact, ChangeHotswapResult, Hotswap
 import { EvaluateCloudFormationTemplate } from './evaluate-cloudformation-template';
 
 /**
- * Returns `false` if the change cannot be short-circuited,
- * `true` if the change is irrelevant from a short-circuit perspective
+ * Returns `ChangeHotswapImpact.REQUIRES_FULL_DEPLOYMENT` if the change cannot be short-circuited,
+ * `ChangeHotswapImpact.IRRELEVANT` if the change is irrelevant from a short-circuit perspective
  * (like a change to CDKMetadata),
  * or a LambdaFunctionResource if the change can be short-circuited.
  */

packages/aws-cdk/lib/api/hotswap/s3-bucket-deployments.ts

@@ -0,0 +1,107 @@
+import { ISDK } from '../aws-auth';
+import { ChangeHotswapImpact, ChangeHotswapResult, HotswapOperation, HotswappableChangeCandidate, establishResourcePhysicalName } from './common';
+import { EvaluateCloudFormationTemplate } from './evaluate-cloudformation-template';
+
+/**
+ * This means that the value is required to exist by CloudFormation's API (or our S3 Bucket Deployment Lambda)
+ * but the actual value specified is irrelevant
+ */
+export const REQUIRED_BY_CFN = 'required-to-be-present-by-cfn';
+
+export async function isHotswappableS3BucketDeploymentChange(
+  logicalId: string, change: HotswappableChangeCandidate, evaluateCfnTemplate: EvaluateCloudFormationTemplate,
+): Promise<ChangeHotswapResult> {
+  // In old-style synthesis, the policy used by the lambda to copy assets Ref's the assets directly,
+  // meaning that the changes made to the Policy are artifacts that can be safely ignored
+  if (change.newValue.Type === 'AWS::IAM::Policy') {
+    const roles = change.newValue.Properties?.Roles;
+    for (const role of roles) {
+      const roleLogicalName = await evaluateCfnTemplate.findLogicallNameFor(await evaluateCfnTemplate.evaluateCfnExpression(role));
+      if (!roleLogicalName) {
+        return ChangeHotswapImpact.REQUIRES_FULL_DEPLOYMENT;
+      }
+
+      const roleRefs = evaluateCfnTemplate.findReferencesTo(roleLogicalName);
+      for (const roleRef of roleRefs) {
+        if (roleRef.Type === 'AWS::Lambda::Function') {
+          const lambdaRefs = evaluateCfnTemplate.findReferencesTo(roleRef.LogicalId);
+          for (const lambdaRef of lambdaRefs) {
+            // If S3Deployment -> Lambda -> Role and IAM::Policy -> Role, then this IAM::Policy change is an
+            // artifact of old-style synthesis
+            if (lambdaRef.Type === 'Custom::CDKBucketDeployment') {
+              return new EmptyHotswapOperation();
+            }
+          }
+        }
+      }
+    }
+  }
+
+  if (change.newValue.Type !== 'Custom::CDKBucketDeployment') {
+    return ChangeHotswapImpact.REQUIRES_FULL_DEPLOYMENT;
+  }
+
+  // note that this gives the ARN of the lambda, not the name. This is fine though, the invoke() sdk call will take either
+  const functionName = await establishResourcePhysicalName(logicalId, change.newValue.Properties?.ServiceToken, evaluateCfnTemplate);
+  if (!functionName) {
+    return ChangeHotswapImpact.REQUIRES_FULL_DEPLOYMENT;
+  }
+
+  const sourceBucketNames = await evaluateCfnTemplate.evaluateCfnExpression(change.newValue.Properties?.SourceBucketNames);
+  const sourceObjectKeys = await evaluateCfnTemplate.evaluateCfnExpression(change.newValue.Properties?.SourceObjectKeys);
+  const destinationBucketName = await evaluateCfnTemplate.evaluateCfnExpression(change.newValue.Properties?.DestinationBucketName);
+  const destinationBucketKeyPrefix = await evaluateCfnTemplate.evaluateCfnExpression(change.newValue.Properties?.DestinationBucketKeyPrefix);
+
+  return new S3BucketDeploymentHotswapOperation({
+    FunctionName: functionName,
+    SourceBucketNames: sourceBucketNames,
+    SourceObjectKeys: sourceObjectKeys,
+    DestinationBucketName: destinationBucketName,
+    DestinationBucketKeyPrefix: destinationBucketKeyPrefix,
+  });
+}
+
+interface S3BucketDeployment {
+  FunctionName: string,
+  SourceBucketNames: any,
+  SourceObjectKeys: any,
+  DestinationBucketName: any,
+  DestinationBucketKeyPrefix: string,
+}
+
+class S3BucketDeploymentHotswapOperation implements HotswapOperation {
+  constructor(private readonly s3BucketDeployment: S3BucketDeployment) {
+  }
+
+  public async apply(sdk: ISDK): Promise<any> {
+    const deployment = this.s3BucketDeployment;
+
+    return sdk.lambda().invoke({
+      FunctionName: deployment.FunctionName,
+      // Lambda refuses to take a direct JSON object and requires it to be stringify()'d
+      Payload: JSON.stringify({
+        RequestType: 'Update',
+        ResponseURL: REQUIRED_BY_CFN,
+        PhysicalResourceId: REQUIRED_BY_CFN,
+        StackId: REQUIRED_BY_CFN,
+        RequestId: REQUIRED_BY_CFN,
+        LogicalResourceId: REQUIRED_BY_CFN,
+        ResourceProperties: {
+          SourceBucketNames: deployment.SourceBucketNames,
+          SourceObjectKeys: deployment.SourceObjectKeys,
+          DestinationBucketName: deployment.DestinationBucketName,
+          DestinationBucketKeyPrefix: deployment.DestinationBucketKeyPrefix,
+        },
+      }),
+    }).promise();
+  }
+}
+
+class EmptyHotswapOperation implements HotswapOperation {
+  constructor() {
+  }
+
+  public async apply(sdk: ISDK): Promise<any> {
+    return new Promise(() => { sdk; });
+  }
+}

packages/aws-cdk/test/api/hotswap/hotswap-test-setup.ts

@@ -41,7 +41,8 @@ export function pushStackResourceSummaries(...items: CloudFormation.StackResourc
   currentCfnStackResources.push(...items);
 }
 
-export function setCurrentCfnStackTemplate(template: Template) {
+export function setCurrentCfnStackTemplate(_template: Template) {
+  let template = JSON.parse(JSON.stringify(_template)); // deep copy the _template, so our tests can mutate one template instead of creating two
   currentCfnStack.setTemplate(template);
 }
 
@@ -87,6 +88,12 @@ export class CfnMockProvider {
     });
   }
 
+  public setLambdaInvocationMock(mockInvoke: (input: lambda.InvocationRequest) => lambda.InvocationResponse) {
+    this.mockSdkProvider.stubLambda({
+      invoke: mockInvoke,
+    });
+  }
+
   public stubEcs(stubs: SyncHandlerSubsetOf<AWS.ECS>, additionalProperties: { [key: string]: any } = {}): void {
     this.mockSdkProvider.stubEcs(stubs, additionalProperties);
   }