feat(cli): cdk validate --online#1539
Open
kaizencc wants to merge 5 commits into
Open
Conversation
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
kaizencc
changed the title
kaizencc
force-pushed
the
conroyka/cli-validate
branch
from
3aa593b to
96eee8f
Compare
…ly validation Refactor waitForChangeSet into waitForChangeSetReport (returns diagnosis without throwing) + waitForChangeSet wrapper (throws, preserving existing behavior for deploy/diff). Add createValidationChangeSet() which creates a non-executing change set, collects early validation errors via the existing diagnoser infrastructure, and always cleans up afterwards. Extend validate() to optionally run online validation after reading the offline report, merging CloudFormation early validation errors into the combined result as a synthetic "CloudFormation" plugin report using proper schema types (PluginReportJson, ViolatingConstructJson).
Tests cover: - Invalid resource type (AWS::Fake::DoesNotExist) is caught by CFN - Valid template passes online validation - --no-online flag skips CloudFormation validation
…it tests Extract prepareChangeSetEnv() to share env setup between diff and validate change set creation. Restore JSDoc on waitForChangeSet. Add unit tests for the online validation path: - Reports CFN errors as a CloudFormation plugin report - Passes when CFN finds no problems - Merges offline + online results - Gracefully handles errors (warns instead of throwing)
kaizencc
force-pushed
the
conroyka/cli-validate-online
branch
from
595fe9a to
747dffe
Compare
kaizencc
force-pushed
the
conroyka/cli-validate-online
branch
from
4b289b5 to
11d577c
Compare
kaizencc
force-pushed
the
conroyka/cli-validate-online
branch
from
11d577c to
0bebffb
Compare
…ations - Add --online option to parse-command-line-arguments.ts so yargs recognizes it instead of warning "Unknown option" - Report CloudFormation errors (like template format errors) as violations instead of swallowing them with a warning
kaizencc
force-pushed
the
conroyka/cli-validate-online
branch
from
0bebffb to
703b125
Compare
Adds a CombinedStack fixture with both an S3 bucket (triggers SecurityPlugin offline) and AWS::Fake::DoesNotExist (rejected by CFN online). Test verifies both violations appear in one report.
rix0rrr
approved these changes
May 22, 2026
Contributor
rix0rrr
left a comment
rix0rrr
left a comment
There was a problem hiding this comment.
Broadly alright with this, modulo an error handling case.
So this is turning diagnosis errors into policy validation errors, right?
| }); | ||
| } | ||
| } | ||
| } catch (e: any) { |
Contributor
There was a problem hiding this comment.
This doesn't feel correct. An SDK failure or whatever is not the same as a policy violation.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
cdk validate --onlinewhich submits synthesized CloudFormation templates for early validation via non-executing change sets. This catches errors that offline policy plugins can't — invalid resource types, property validation failures, name conflicts, etc.onlineoption toValidateOptions(defaults totrue)waitForChangeSetintowaitForChangeSetReport(non-throwing) + wrapper, extracting sharedprepareChangeSetEnvhelper to deduplicate with the diff change set pathcreateValidationChangeSet()— creates a non-executing change set per stack, collects early validation errors via the diagnoser, reports them as a synthetic "CloudFormation" plugin, always cleans upvalidate()to merge offline (policy report) + online (CFN) results--online/--no-onlineflag through CLI (cli-config.ts,cli.ts)createValidationChangeSet)AWS::Fake::DoesNotExistto trigger CFN rejectionDepends on
cdk validatecommand (behind--unstableflag) #1527 (cdk validateCLI command behind--unstableflag)Test plan
cdk validate --onlinecatches invalid resource type, passes valid template,--no-onlineskips CFN validationcd packages/@aws-cdk-testing/cli-integ/resources/cdk-apps/validate-online-app && STACK_NAME_PREFIX=test node ../../../../../aws-cdk/bin/cdk --app "node app.js" --unstable=validate validate --onlineBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license