add exclusions

anthony-nhs · anthony-nhs · commit c344d898ebd6 · 2026-02-20T13:39:46.000Z
diff --git a/packages/deploymentUtils/src/changesets/checkDestructiveChanges.ts b/packages/deploymentUtils/src/changesets/checkDestructiveChanges.ts
@@ -1,20 +1,32 @@
-import {CloudFormationClient, DescribeChangeSetCommand} from "@aws-sdk/client-cloudformation"
+import {
+  CloudFormationClient,
+  DescribeChangeSetCommand,
+  DescribeChangeSetCommandOutput
+} from "@aws-sdk/client-cloudformation"
 
 export type ChangeRequiringAttention = {
-  logicalId: string;
-  physicalId: string;
-  resourceType: string;
-  reason: string;
+    logicalId: string;
+    physicalId: string;
+    resourceType: string;
+    reason: string;
+}
+
+export type AllowedDestructiveChange = {
+    LogicalResourceId: string;
+    PhysicalResourceId: string;
+    ResourceType: string;
+    ExpiryDate: string | Date;
+    AllowedReason: string;
 }
 
 type RawChange = {
-  ResourceChange?: {
-    LogicalResourceId?: string;
-    PhysicalResourceId?: string;
-    ResourceType?: string;
-    Replacement?: unknown;
-    Action?: string;
-  } | null;
+    ResourceChange?: {
+        LogicalResourceId?: string;
+        PhysicalResourceId?: string;
+        ResourceType?: string;
+        Replacement?: unknown;
+        Action?: string;
+    } | null;
 }
 
 const requiresReplacement = (replacement: unknown): boolean => {
@@ -27,7 +39,16 @@ const requiresReplacement = (replacement: unknown): boolean => {
 }
 
 type ChangeSet = {
-  Changes?: unknown;
+    Changes?: unknown;
+}
+
+const toDate = (value: Date | string | number | undefined | null): Date | undefined => {
+  if (value === undefined || value === null) {
+    return undefined
+  }
+
+  const date = value instanceof Date ? value : new Date(value)
+  return Number.isNaN(date.getTime()) ? undefined : date
 }
 
 export function checkDestructiveChanges(changeSet: ChangeSet | undefined | null): Array<ChangeRequiringAttention> {
@@ -68,7 +89,8 @@ export function checkDestructiveChanges(changeSet: ChangeSet | undefined | null)
 export async function checkDestructiveChangeSet(
   changeSetName: string,
   stackName: string,
-  region: string): Promise<void> {
+  region: string,
+  allowedChanges: Array<AllowedDestructiveChange> = []): Promise<void> {
   if (!changeSetName || !stackName || !region) {
     throw new Error("Change set name, stack name, and region are required")
   }
@@ -79,16 +101,48 @@ export async function checkDestructiveChangeSet(
     StackName: stackName
   })
 
-  const response = await client.send(command)
+  const response: DescribeChangeSetCommandOutput = await client.send(command)
   const destructiveChanges = checkDestructiveChanges(response)
+  const creationTime = toDate(response.CreationTime)
+
+  const remainingChanges = destructiveChanges.filter(change => {
+    const waiver = allowedChanges.find(allowed =>
+      allowed.LogicalResourceId === change.logicalId &&
+            allowed.PhysicalResourceId === change.physicalId &&
+            allowed.ResourceType === change.resourceType
+    )
+
+    if (!waiver || !creationTime) {
+      return true
+    }
+
+    const expiryDate = toDate(waiver.ExpiryDate)
+    if (!expiryDate) {
+      return true
+    }
+
+    if (expiryDate.getTime() > creationTime.getTime()) {
+
+      console.log(
+        // eslint-disable-next-line max-len
+        `Allowing destructive change ${change.logicalId} (${change.resourceType}) until ${expiryDate.toISOString()} - ${waiver.AllowedReason}`
+      )
+      return false
+    }
+
+    console.error(
+      `Waiver for ${change.logicalId} (${change.resourceType}) expired on ${expiryDate.toISOString()}`
+    )
+    return true
+  })
 
-  if (destructiveChanges.length === 0) {
+  if (remainingChanges.length === 0) {
     console.log(`Change set ${changeSetName} for stack ${stackName} has no destructive changes.`)
     return
   }
 
   console.error("Resources that require attention:")
-  destructiveChanges.forEach(({logicalId, physicalId, resourceType, reason}) => {
+  remainingChanges.forEach(({logicalId, physicalId, resourceType, reason}) => {
     console.error(`- LogicalId: ${logicalId}, PhysicalId: ${physicalId}, Type: ${resourceType}, Reason: ${reason}`)
   })
   throw new Error(`Change set ${changeSetName} contains destructive changes`)
diff --git a/packages/deploymentUtils/tests/changesets/checkDestructiveChanges.test.ts b/packages/deploymentUtils/tests/changesets/checkDestructiveChanges.test.ts
@@ -8,7 +8,11 @@ import {
   test,
   vi
 } from "vitest"
-import {checkDestructiveChanges, checkDestructiveChangeSet} from "../../src/changesets/checkDestructiveChanges"
+import {
+  checkDestructiveChanges,
+  checkDestructiveChangeSet,
+  AllowedDestructiveChange
+} from "../../src/changesets/checkDestructiveChanges"
 
 const mockCloudFormationSend = vi.fn()
 
@@ -136,4 +140,89 @@ describe("checkDestructiveChangeSet", () => {
       errorSpy.mockRestore()
     }
   })
+
+  test("allows matching destructive changes when waiver is active", async () => {
+    const changeSet = {
+      CreationTime: "2026-02-20T11:54:17.083Z",
+      Changes: [
+        {
+          ResourceChange: {
+            LogicalResourceId: "ResourceToRemove",
+            PhysicalResourceId: "physical-id",
+            ResourceType: "AWS::S3::Bucket",
+            Action: "Remove"
+          }
+        }
+      ]
+    }
+    mockCloudFormationSend.mockResolvedValueOnce(changeSet)
+
+    const allowedChanges: Array<AllowedDestructiveChange> = [
+      {
+        LogicalResourceId: "ResourceToRemove",
+        PhysicalResourceId: "physical-id",
+        ResourceType: "AWS::S3::Bucket",
+        ExpiryDate: "2026-03-01T00:00:00Z",
+        AllowedReason: "Pending migration"
+      }
+    ]
+
+    const logSpy = vi.spyOn(console, "log").mockImplementation(() => undefined)
+    const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined)
+
+    try {
+      await expect(checkDestructiveChangeSet("cs", "stack", "eu-west-2", allowedChanges))
+        .resolves.toBeUndefined()
+
+      expect(mockCloudFormationSend).toHaveBeenCalledTimes(1)
+      expect(logSpy).toHaveBeenCalledWith(expect.stringContaining("Allowing destructive change ResourceToRemove"))
+      expect(logSpy).toHaveBeenCalledWith("Change set cs for stack stack has no destructive changes.")
+      expect(errorSpy).not.toHaveBeenCalled()
+    } finally {
+      logSpy.mockRestore()
+      errorSpy.mockRestore()
+    }
+  })
+
+  test("throws when waiver expired before change set creation", async () => {
+    const changeSet = {
+      CreationTime: "2026-02-20T11:54:17.083Z",
+      Changes: [
+        {
+          ResourceChange: {
+            LogicalResourceId: "ResourceToRemove",
+            PhysicalResourceId: "physical-id",
+            ResourceType: "AWS::S3::Bucket",
+            Action: "Remove"
+          }
+        }
+      ]
+    }
+    mockCloudFormationSend.mockResolvedValueOnce(changeSet)
+
+    const allowedChanges: Array<AllowedDestructiveChange> = [
+      {
+        LogicalResourceId: "ResourceToRemove",
+        PhysicalResourceId: "physical-id",
+        ResourceType: "AWS::S3::Bucket",
+        ExpiryDate: "2026-02-01T00:00:00Z",
+        AllowedReason: "Expired waiver"
+      }
+    ]
+
+    const logSpy = vi.spyOn(console, "log").mockImplementation(() => undefined)
+    const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined)
+
+    try {
+      await expect(checkDestructiveChangeSet("cs", "stack", "eu-west-2", allowedChanges))
+        .rejects.toThrow("Change set cs contains destructive changes")
+
+      expect(errorSpy).toHaveBeenCalledWith(expect.stringContaining("Waiver for ResourceToRemove"))
+      expect(errorSpy).toHaveBeenCalledWith("Resources that require attention:")
+      expect(logSpy).not.toHaveBeenCalledWith("Change set cs for stack stack has no destructive changes.")
+    } finally {
+      logSpy.mockRestore()
+      errorSpy.mockRestore()
+    }
+  })
 })
