GitHub Action

cdk-diff-action

v1.1.2

The CDK Diff GitHub Action allows you to run CDK diff as part of your CI/CD workflow.

Installation

Copy and paste the following snippet into your .yml file.

- name: cdk-diff-action
  uses: corymhall/cdk-diff-action@v1.1.2

Learn more about this action in corymhall/cdk-diff-action


CDK Diff Action

GitHub action to comment on PRs with the stack diff.

✨ Features

  • 💬 Create a single comment per CDK stage
  • ♻️ Updates the same comment on each commit, reducing clutter
  • ‼️ Calls out any destructive changes to resources
  • ❌ Fail workflow if there are destructive changes
  • 🧵 Summary of stack changes with expandable details
  • 🙈 Allow destructive changes for certain resource types

Example Configurations

The cdk-diff-action performs the diff and comments on the PR. To do so it requires AWS credentials and the synthesized CDK cloud assembly (cdk.out). Below is a minimal example.

name: diff
on:
  pull_request:
    branches:
      - main
jobs:
  Synth:
    name: Synthesize
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: 20
      - name: Install dependencies
        run: yarn install --frozen-lockfile
      - name: Synth
        run: npx cdk synth
      - name: Authenticate Via OIDC Role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-2
          role-duration-seconds: 1800
          role-skip-session-tagging: true
          role-to-assume: arn:aws:iam::1234567891012:role/cdk_github_actions
          role-session-name: github
      - name: Diff
        uses: corymhall/cdk-diff-action@v1.1.2
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}

You can also use the v1-beta branch to keep up to date.

jobs:
  Synth:
    steps:
      - name: Diff
        uses: corymhall/cdk-diff-action@v1-beta
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}

Allow Destroy Types

You can optionally allow certain resource types to be destroyed without failing the build.

jobs:
  Synth:
    steps:
      - name: Diff
        uses: corymhall/cdk-diff-action@v1-beta
        with:
          allowedDestroyTypes: "AWS::ECS::TaskDefinition,AWS::CloudWatch::Dashboard"
          githubToken: ${{ secrets.GITHUB_TOKEN }}

Disable showing diff for stages

You can disable displaying the diff for certain stages by using noDiffForStages.

jobs:
  Synth:
    steps:
      - name: Diff
        uses: corymhall/cdk-diff-action@v1-beta
        with:
          noDiffForStages: "Stage1,Stage2"
          githubToken: ${{ secrets.GITHUB_TOKEN }}

Don't fail for destructive changes in certain stages

If you still want to show the diff for certain stages, but do not want destructive changes to fail the build, you can use noFailOnDestructiveChanges.

jobs:
  Synth:
    steps:
      - name: Diff
        uses: corymhall/cdk-diff-action@v1-beta
        with:
          noFailOnDestructiveChanges: "Stage1,Stage2"
          githubToken: ${{ secrets.GITHUB_TOKEN }}

Don't fail workflow

If you want to show the diffs, but never want to fail the workflow (even if there are destructive changes) you can disable the workflow failure feature.

jobs:
  Synth:
    steps:
      - name: Diff
        uses: corymhall/cdk-diff-action@v1-beta
        with:
          failOnDestructiveChanges: false
          githubToken: ${{ secrets.GITHUB_TOKEN }}
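The four inputs above (allowedDestroyTypes, noDiffForStages, noFailOnDestructiveChanges, failOnDestructiveChanges) interact when the action decides whether a PR's diff should fail the workflow. The following is an added example, not the action's own code: a small Python model of that gating logic run over a constructed sample diff, so you can check what a given combination of inputs would block. The ResourceChange/Settings types, the sample diff, and the assumption that hiding a stage's diff does not skip its destructive-change check are mine, not the project's.

```python
from dataclasses import dataclass, field

@dataclass
class ResourceChange:
    logical_id: str
    resource_type: str  # e.g. "AWS::RDS::DBInstance"
    destructive: bool   # True when cdk diff reports the resource as destroyed or replaced

@dataclass
class Settings:  # one field per workflow input shown above
    allowed_destroy_types: set[str] = field(default_factory=set)   # allowedDestroyTypes
    no_diff_for_stages: set[str] = field(default_factory=set)      # noDiffForStages
    no_fail_on_destructive: set[str] = field(default_factory=set)  # noFailOnDestructiveChanges
    fail_on_destructive: bool = True                               # failOnDestructiveChanges

def parse_list(value: str) -> set[str]:
    """Split a comma-separated input such as "Stage1,Stage2" into a set of names."""
    return {v.strip() for v in value.split(",") if v.strip()}

def blocking_changes(stage: str, changes: list[ResourceChange], s: Settings) -> list[ResourceChange]:
    """Destructive changes in `stage` that none of the settings exempt."""
    if not s.fail_on_destructive or stage in s.no_fail_on_destructive:
        return []
    return [c for c in changes if c.destructive and c.resource_type not in s.allowed_destroy_types]

def evaluate(diff: dict[str, list[ResourceChange]], s: Settings) -> tuple[bool, list[str]]:
    """Return (fail_workflow, per-stage comment lines) for a synthesized cloud assembly."""
    fail, lines = False, []
    for stage, changes in diff.items():
        blocked = blocking_changes(stage, changes, s)
        fail = fail or bool(blocked)  # one blocking change anywhere fails the workflow
        if stage in s.no_diff_for_stages:
            # Assumption: hiding a stage's diff does not skip its destructive-change check.
            lines.append(f"{stage}: diff hidden, {len(blocked)} blocking destructive change(s)")
            continue
        lines.append(f"{stage}: {len(changes)} change(s), {len(blocked)} blocking")
        lines += [f"  ‼️ {c.logical_id} ({c.resource_type}) would be destroyed" for c in blocked]
    return fail, lines

# Constructed sample diff and settings, not output from a real cdk run.
SAMPLE_DIFF = {
    "Stage1": [ResourceChange("TaskDef", "AWS::ECS::TaskDefinition", True),
               ResourceChange("Database", "AWS::RDS::DBInstance", True)],
    "Stage2": [ResourceChange("Logs", "AWS::S3::Bucket", True)],
}
SAMPLE_SETTINGS = Settings(
    allowed_destroy_types=parse_list("AWS::ECS::TaskDefinition,AWS::CloudWatch::Dashboard"),
    no_fail_on_destructive=parse_list("Stage2"),
)
```

With the sample settings, the replaced task definition in Stage1 is allowed and Stage2 is exempt, so only the RDS instance in Stage1 blocks the workflow; setting fail_on_destructive to False clears the failure entirely while still listing the changes.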