(cli): shell out to changeset approver tool

[rix0rrr]

Description

Shell out to external tools for change approval during cdk deploy.

Use Case

Allow people to integrate their own tools into cdk deploy, so they can customize the approval logic (and/or UI) without having to go through us).

Proposed Solution

Add a --changeset-approval-tool=xyz flag. This flag will supersede the built-in change approval modes and work as follows:

• After creating the changeset (assuming it's non-empty), shell out to the given command, with AWS credentials in the environment and the changeset ID as an argument. Run the equivalent of:

AWS_ACCESS_KEY_ID=*** AWS_SECRET_KEY=*** AWS_SESSION_TOKEN=*** xyz arn:aws:....:stack/MyStack/11111-22222-ccccc/my-change-set

If the tool exits with exit code 0, continue.

Otherwise, abort.

Other information

No response

Acknowledge

• [ ] I may be able to implement this feature request
• [ ] This feature might incur a breaking change

[stevehodgkiss]

It would be great if CDK had a builtin way of viewing the changeset before approval. We don't have any special requirements for how a changeset is visualised/approved, just that the actions (add, remove, modify, replace) can be seen before approval. I think it's something that should be a core part of aws-cdk.

https://github.com/aws/aws-cdk/issues/3780 https://github.com/aws/aws-cdk/pull/15494

Would you be open to a new PR to show the change set before approval, similar to https://github.com/aws/aws-cdk/pull/15494 but with the same output columns as SAM CLI? For reference, SAM CLI presents the change set like this: