corymhall / cdk-diff-action

GitHub action to post CDK diff to PR comments
Apache License 2.0

CDK Diff Action

GitHub action to comment on PRs with the stack diff.

✨ Features

Example Configurations

The cdk-diff-action performs the diff and comments on the PR. To do so it requires AWS credentials and the synthesized CDK cloud assembly (cdk.out). Below is a minimal example.

name: diff
on:
  pull_request:
    branches:
      - main
jobs:
  Synth:
    name: Synthesize
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: 20
      - name: Install dependencies
        run: yarn install --frozen-lockfile
      - name: Synth
        run: npx cdk synth
      - name: Authenticate Via OIDC Role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-2
          role-duration-seconds: 1800
          role-skip-session-tagging: true
          role-to-assume: arn:aws:iam::1234567891012:role/cdk_github_actions
          role-session-name: github
      - name: Diff
        uses: corymhall/cdk-diff-action@v1
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}

This action supports semver versioning.

For example, to get the latest v1.x.x version:

uses: corymhall/cdk-diff-action@v1

Or to get the latest v1.1.x version:

uses: corymhall/cdk-diff-action@v1.1

Allow Destroy Types

You can optionally allow certain resource types to be destroyed without failing the build.

jobs:
  Synth:
    steps:
      - name: Diff
        uses: corymhall/cdk-diff-action@v1
        with:
          allowedDestroyTypes: "AWS::ECS::TaskDefinition,AWS::CloudWatch::Dashboard"
          githubToken: ${{ secrets.GITHUB_TOKEN }}

Disable showing diff for stages

You can disable displaying the diff for certain stages by using noDiffForStages.

jobs:
  Synth:
    steps:
      - name: Diff
        uses: corymhall/cdk-diff-action@v1
        with:
          noDiffForStages: "Stage1,Stage2"
          githubToken: ${{ secrets.GITHUB_TOKEN }}

Don't fail for destructive changes in certain stages

If you still want to show the diff for certain stages, but do not want destructive changes to fail the build, you can use noFailOnDestructiveChanges.

jobs:
  Synth:
    steps:
      - name: Diff
        uses: corymhall/cdk-diff-action@v1
        with:
          noFailOnDestructiveChanges: "Stage1,Stage2"
          githubToken: ${{ secrets.GITHUB_TOKEN }}

Don't fail workflow

If you want to show the diffs but never want to fail the workflow (even if there are destructive changes), you can disable the workflow failure feature.

jobs:
  Synth:
    steps:
      - name: Diff
        uses: corymhall/cdk-diff-action@v1
        with:
          failOnDestructiveChanges: false
          githubToken: ${{ secrets.GITHUB_TOKEN }}
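As an added example (not from the action's own README), here is a complete workflow that combines the inputs above for an app with two CDK stages, assumed to be named Dev and Prod: the Dev stage's diff is shown but may contain destructive changes without failing the job, dashboard and task definition replacements are tolerated in every stage, and any other destructive change in Prod still fails the job. The account id in the role ARN is a placeholder.

```yaml
name: diff
on:
  pull_request:
    branches:
      - main
jobs:
  Synth:
    name: Synthesize
    permissions:
      contents: read        # checkout only
      pull-requests: write  # needed to post the diff comment
      id-token: write       # needed to assume the AWS role via OIDC
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Install dependencies
        run: yarn install --frozen-lockfile
      - name: Synth
        run: npx cdk synth
      - name: Authenticate Via OIDC Role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-2
          role-duration-seconds: 1800
          role-skip-session-tagging: true
          # <ACCOUNT_ID> is a placeholder for the account the diff runs against
          role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/cdk_github_actions
          role-session-name: github
      - name: Diff
        uses: corymhall/cdk-diff-action@v1
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          # these types are replaced on most edits; allow them to be destroyed in any stage
          allowedDestroyTypes: "AWS::CloudWatch::Dashboard,AWS::ECS::TaskDefinition"
          # Dev (assumed stage name) is disposable: show its diff but never block the PR on it
          noFailOnDestructiveChanges: "Dev"
          # failOnDestructiveChanges is left unset, so destructive changes to any
          # other resource type in Prod (assumed stage name) still fail the job
```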