feat(cli): `cdk rollback`

[rix0rrr]

Add a CLI feature to roll a stuck change back.

This is mostly useful for deployments performed using --no-rollback: if a failure occurs, the stack gets stuck in an UPDATE_FAILED state from which there are 2 options:

• Try again using a new template
• Roll back to the last stable state

There used to be no way to perform the second operation using the CDK CLI, but there now is.

cdk rollback works in 2 situations:

• A paused fail state; it will initiating a fresh rollback (on CREATE_FAILED, UPDATE_FAILED).
• A paused rollback state; it will retry the rollback, optionally skipping some resources (on UPDATE_ROLLBACK_FAILED -- it seems there is no way to continue a rollback in ROLLBACK_FAILED state).

cdk rollback --orphan <logicalid> can be used to skip resource rollbacks that are causing problems.

cdk rollback --force will look up all failed resources and continue skipping them until the rollback has finished.

This change requires new bootstrap permissions, so the bootstrap stack is updated to add the following IAM permissions to the deploy-action role:

                  - cloudformation:RollbackStack
                  - cloudformation:ContinueUpdateRollback

These are necessary to call the 2 CloudFormation APIs that start and continue a rollback.

Relates to (but does not close yet) #30546.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: c6d9b19737a62d2f9d36e9454a87b5b4a555fb06
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository