add stack

Author: anthony-nhs

packages/deploymentUtils/src/changesets/checkDestructiveChanges.ts

@@ -17,6 +17,7 @@ export type AllowedDestructiveChange = {
   PhysicalResourceId: string;
   ResourceType: string;
   ExpiryDate: string | Date;
+  StackName: string;
   AllowedReason: string;
 }
 
@@ -38,6 +39,12 @@ const toDate = (value: Date | string | number | undefined | null): Date | undefi
   return Number.isNaN(date.getTime()) ? undefined : date
 }
 
+/**
+ * Extracts the subset of CloudFormation changes that either require replacement or remove resources.
+ *
+ * @param changeSet - Raw change-set details returned from `DescribeChangeSet`.
+ * @returns Array of changes that need operator attention.
+ */
 export function checkDestructiveChanges(
   changeSet: DescribeChangeSetCommandOutput | undefined | null
 ): Array<ChangeRequiringAttention> {
@@ -75,6 +82,14 @@ export function checkDestructiveChanges(
     .filter((change): change is ChangeRequiringAttention => Boolean(change))
 }
 
+/**
+ * Describes a CloudFormation change set, applies waiver logic, and throws if destructive changes remain.
+ *
+ * @param changeSetName - Name or ARN of the change set.
+ * @param stackName - Name or ARN of the stack that owns the change set.
+ * @param region - AWS region where the stack resides.
+ * @param allowedChanges - Optional waivers that temporarily allow specific destructive changes.
+ */
 export async function checkDestructiveChangeSet(
   changeSetName: string,
   stackName: string,
@@ -93,6 +108,7 @@ export async function checkDestructiveChangeSet(
   const response: DescribeChangeSetCommandOutput = await client.send(command)
   const destructiveChanges = checkDestructiveChanges(response)
   const creationTime = toDate(response.CreationTime)
+  const changeSetStackName = response.StackName
 
   const remainingChanges = destructiveChanges.filter(change => {
     const waiver = allowedChanges.find(allowed =>
@@ -101,7 +117,7 @@ export async function checkDestructiveChangeSet(
       allowed.ResourceType === change.resourceType
     )
 
-    if (!waiver || !creationTime) {
+    if (!waiver || !creationTime || !changeSetStackName || waiver.StackName !== changeSetStackName) {
       return true
     }
 

packages/deploymentUtils/tests/changesets/checkDestructiveChanges.test.ts

@@ -144,6 +144,7 @@ describe("checkDestructiveChangeSet", () => {
   test("allows matching destructive changes when waiver is active", async () => {
     const changeSet = {
       CreationTime: "2026-02-20T11:54:17.083Z",
+      StackName: "stack",
       Changes: [
         {
           ResourceChange: {
@@ -163,6 +164,7 @@ describe("checkDestructiveChangeSet", () => {
         PhysicalResourceId: "physical-id",
         ResourceType: "AWS::S3::Bucket",
         ExpiryDate: "2026-03-01T00:00:00Z",
+        StackName: "stack",
         AllowedReason: "Pending migration"
       }
     ]
@@ -187,6 +189,7 @@ describe("checkDestructiveChangeSet", () => {
   test("throws when waiver expired before change set creation", async () => {
     const changeSet = {
       CreationTime: "2026-02-20T11:54:17.083Z",
+      StackName: "stack",
       Changes: [
         {
           ResourceChange: {
@@ -206,6 +209,7 @@ describe("checkDestructiveChangeSet", () => {
         PhysicalResourceId: "physical-id",
         ResourceType: "AWS::S3::Bucket",
         ExpiryDate: "2026-02-01T00:00:00Z",
+        StackName: "stack",
         AllowedReason: "Expired waiver"
       }
     ]