feat(toolkit-lib): validate command #1508
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:
@@ Coverage Diff @@
## main #1508 +/- ##
=======================================
Coverage 88.20% 88.20%
=======================================
Files 76 76
Lines 10834 10834
Branches 1492 1492
=======================================
Hits 9556 9556
Misses 1250 1250
Partials 28 28
| if (status === 'failure') { | ||
| await ioHelper.notify(IO.CDK_TOOLKIT_E9600.msg('Policy validation failed', result)); | ||
| } else { | ||
| await ioHelper.notify(IO.CDK_TOOLKIT_I9600.msg('Policy validation passed', result)); | ||
| } |
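Review bot: In the `status === 'failure'` branch the only effect visible here is an error-level notification. If `validate()` returns normally after this branch, say so in the method's doc comment, so that callers gating a deployment know to check the returned status rather than wait for a thrown error.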
There was a problem hiding this comment.
Can we pick slightly less mechanical language here?
There was a problem hiding this comment.
"policy policy policy"
Let's speak like a human.
"cdk validate found problems" (or something to that effect), "no problems found", let's not pretend to be IBM and we all wear ties in triplicate.
| const selectStacks = stacksOpt(options); | ||
| await using assembly = await synthAndMeasure(ioHelper, cx, selectStacks); | ||
|
|
||
| const reportPath = path.join(assembly.directory, POLICY_VALIDATION_REPORT_FILE); |
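Review bot: `reportPath` is built from `assembly.directory` and a fixed file name, so nothing in these lines ties the file to the synthesis that just ran. If the output directory can be reused between runs, a report left over from an earlier synth would be read as current; consider removing any existing report before synthesis, or checking that the file was written by this run.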
There was a problem hiding this comment.
Should be an artifact in the manifest, no?
Although I can live with this for a bit.
There was a problem hiding this comment.
https://github.com/orgs/aws/projects/178/views/44?pane=issue&itemId=189647151
I tracked it and will do it separately.
| status: 'success', | ||
| pluginReports: [], | ||
| }; | ||
| await ioHelper.notify(IO.CDK_TOOLKIT_I9601.msg('No policy validation report found')); |
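Review bot: The missing-report path returns `status: 'success'` with `pluginReports: []`, which a caller cannot tell apart from a run in which plugins executed and found nothing. For a validation gate that is fail-open: a report that was never written, or was removed, reads as a pass. Consider a distinct status for this case, or a flag on the result, so callers can refuse to treat it as validated.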
There was a problem hiding this comment.
This is very mechanical. What does this mean to me as a user?
There was a problem hiding this comment.
Right now it means no plugins / no construct annotations / default rule set is turned off.
I could be convinced for this to not be possible and we always write a report no matter what
There was a problem hiding this comment.
There's no default rule set right now, so the message won't mention that for now.
|
|
||
| const reportJson = await fs.readJson(reportPath); | ||
|
|
||
| if (!Array.isArray(reportJson.pluginReports)) { |
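Review bot: `fs.readJson(reportPath)` at the top of this hunk will reject with a raw parse or I/O error if the file is truncated or not JSON, and the `Array.isArray(reportJson.pluginReports)` check covers only the top-level field, not the entries inside it. Wrap the read so both cases surface as the same toolkit error, and validate each plugin report entry before it is used as a typed result.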
There was a problem hiding this comment.
Can we do a JSON schema validation so we don't have to bother with this?
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…lidate
Instead of redefining the policy validation report types locally, import them from @aws-cdk/cloud-assembly-schema (added in PR #1515). This removes ~130 lines of duplicate type definitions and simplifies the validate method to a typed cast instead of manual field mapping.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Handle malformed report: throw ToolkitError if pluginReports is missing or not an array
- Test constructStack (ConstructTraceJson): add recursive trace to fixture and assert nested id/construct/location fields
- Assert IO message data payload contains full ValidateResult
- Test missing title field gracefully results in undefined
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Replace 'as const' with explicit PolicyValidationReportStatus type annotation
- Extract 'policy-validation-report.json' to a file-level constant
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- PolicyValidationReportStatus -> PolicyValidationReportConclusion
- PluginReportJson.summary.pluginName -> PluginReportJson.pluginName
- PluginReportJson.summary.status -> PluginReportJson.conclusion
- PluginReportJson.version -> PluginReportJson.pluginVersion
- PolicyViolationJson.fix -> PolicyViolationJson.suggestedFix
- ViolatingConstructJson restructured: resourceLogicalId/templatePath moved to cloudFormationResource, constructStack -> stackTraces
- ValidateResult.status -> ValidateResult.conclusion
- Update test fixtures and assertions to match

- Use friendlier message when no validation report exists: explain that no plugins are configured rather than stating a file is missing
- Remove manual pluginReports array check; trust the report format since it's written by aws-cdk-lib (not user-authored)

- "No validation plugins configured" instead of "No policy validation report found"
- "cdk validate found problems" instead of "Policy validation failed"
- "No problems found" instead of "All policy checks passed"

The policy-validation-report.json fixtures were missing the required `version` field, causing Manifest.loadValidationReport to throw "Invalid semver string: undefined" during schema validation.
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Summary

Adds a `validate()` method to the `Toolkit` class in `@aws-cdk/toolkit-lib`. This command:

- `policy-validation-report.json` from the cloud assembly output directory (written by aws-cdk-lib during synthesis)
- `ValidateResult` with overall pass/fail status and per-plugin reports

This is the toolkit-lib layer only — CLI wiring (`cdk validate`) will follow separately.

Changes

- `lib/actions/validate/index.ts`): `ValidateOptions`, `ValidateResult` — uses schema types from `@aws-cdk/cloud-assembly-schema` (PR feat(cloud-assembly-schema): add policy validation report schema types #1515) rather than redefining them
- `validate()` method on the `Toolkit` class — reads the report JSON and casts to typed schema, no manual field mapping
- `CDK_TOOLKIT_I9600` (passed), `CDK_TOOLKIT_E9600` (failed), `CDK_TOOLKIT_I9601` (no report found)
- `ToolkitAction`: added `validate` to the union type

Dependencies

- `@aws-cdk/cloud-assembly-schema` (must merge first)
- `aws-cdk-lib` to always write `policy-validation-report.json` to the assembly directory (currently gated behind a context flag)

Test plan

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.
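
A caller-side gate over the report that `validate()` reads, as an added example that is not part of this PR or of toolkit-lib: it treats a missing or empty report as unverified rather than passed, and anything malformed as a failure. The field names come from the commit messages above; the `'success'` / `'failure'` values, the `Gate` type and `gateOnReport` are assumptions.

```typescript
// Added example, not toolkit-lib code. Field names (version, pluginReports,
// pluginName, conclusion) are taken from this page; the 'success' value,
// the Gate type and gateOnReport are assumptions.
type Gate = 'pass' | 'fail' | 'unverified';
interface GateResult { gate: Gate; reasons: string[] }

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// `report` is the parsed report JSON, or undefined when no file was written.
function gateOnReport(report: unknown): GateResult {
  if (report === undefined) {
    // A missing report is not evidence that any check ran and passed.
    return { gate: 'unverified', reasons: ['no validation report was produced'] };
  }
  const version = isRecord(report) ? report.version : undefined;
  const plugins = isRecord(report) ? report.pluginReports : undefined;
  if (typeof version !== 'string' || !Array.isArray(plugins)) {
    return { gate: 'fail', reasons: ['report is malformed'] };
  }
  if (plugins.length === 0) {
    return { gate: 'unverified', reasons: ['report lists no plugins'] };
  }
  const reasons: string[] = [];
  for (const p of plugins) {
    const name = isRecord(p) ? p.pluginName : undefined;
    const conclusion = isRecord(p) ? p.conclusion : undefined;
    if (typeof name !== 'string') {
      reasons.push('plugin entry is malformed');
    } else if (conclusion !== 'success') {
      // Only an explicit success counts; unknown values fail closed.
      reasons.push(`${name}: ${String(conclusion)}`);
    }
  }
  return { gate: reasons.length === 0 ? 'pass' : 'fail', reasons };
}

// Constructed sample reports.
const passing = { version: '1.0.0', pluginReports: [{ pluginName: 'example-plugin', conclusion: 'success' }] };
const failing = {
  version: '1.0.0',
  pluginReports: [
    { pluginName: 'example-plugin', conclusion: 'success' },
    { pluginName: 'other-plugin', conclusion: 'failure' },
  ],
};
console.log(gateOnReport(passing), gateOnReport(failing), gateOnReport(undefined));
```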