feat: add drift detection to cdk as cdk drift

[Leo10Gama]

Fixes # N/A

Added an additional command, cdk drift, which invokes drift detection. Prints an output of the drift results listing out any resources in the stack that may have drifted.

Tested via yarn build && yarn test and adding in a few integ tests.

Running the command locally shows the following. With one resource drifted:

With no resources drifted: (image outdated)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[rix0rrr]

Thanks! This is a great feature to have!

I understand that we're detecting some kind of "diff" from a user point of view, but I'm very put-off by drift detection being part of cdk diff. That's just not what CDK diff historically did, and it's confusing to me. I wonder if it will be confusing to more people?

┌────────────┐            ╔═════════════╗            ┌────────────┐
│            │    diff    ║             ║    drift   │            │
│  Template  │◀──────────▶║    Stack    ║◀──────────▶│  Reality   │
│            │            ║             ║            │            │
└────────────┘            ╚═════════════╝            └────────────┘
                                                                   
                   ^                                               
               cdk diff                                            
            does this today                                        

Can we make this its own subcommand to begin with? cdk drift ?

Tested via yarn build && yarn test, which both compile.

Surely there's more? 🥹 An integ test would be nice.

[mrgrain]

Also needs integ tests and added to toolkit-lib (see Rico's comments).

If we are adding this as a new action/command, the action code should live in toolkit-lib and CLI just be calling it.

[GavinZZ]

Thanks! This is a great feature to have!

I understand that we're detecting some kind of "diff" from a user point of view, but I'm very put-off by drift detection being part of cdk diff. That's just not what CDK diff historically did, and it's confusing to me. I wonder if it will be confusing to more people?

┌────────────┐            ╔═════════════╗            ┌────────────┐
│            │    diff    ║             ║    drift   │            │
│  Template  │◀──────────▶║    Stack    ║◀──────────▶│  Reality   │
│            │            ║             ║            │            │
└────────────┘            ╚═════════════╝            └────────────┘
                                                                   
                   ^                                               
               cdk diff                                            
            does this today                                        

Can we make this its own subcommand to begin with? cdk drift ?

@rix0rrr Let's discuss this further during Tuesday's meeting. While I'm open to making this a separate command, I'd like to explain my original reasoning for including it in cdk diff:

I envisioned cdk diff as a broader capability for detecting any differences affecting a deployed stack, whether those differences:

• Come from changes in local CDK code
• Result from manual modifications to deployed resources through console or CLI (Drifts)

However, I recognize your point about the historical context of cdk diff and the potential for user confusion. This would be a good topic for us to explore during the meeting, weighing the benefits of command consolidation against clarity and user expectations.

[rix0rrr]

I envisioned cdk diff as a broader capability for detecting any differences affecting a deployed stack, whether those differences:

I see that, and I like the idea of a general cdk whatsup command.

There is some precedent for having certain features both as their own commands as well as options to other commands.

So I would propose to have both:

$ cdk drift
$ cdk diff --drift 

[mrgrain]

So I would propose to have both:

came here to say this. cdk drift should be the main command, cdk diff --drift is a convenience short cut.

[Leo10Gama]

Setting to draft until AppSec signs off

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 82.44275% with 23 lines in your changes missing coverage. Please review.

Project coverage is 79.04%. Comparing base (7e23e64) to head (c10140c).

Files with missing lines	Patch %	Lines
packages/aws-cdk/lib/cli/cdk-toolkit.ts	87.60%	15 Missing ⚠️
packages/aws-cdk/lib/cli/cli.ts	11.11%	8 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #442      +/-   ##
==========================================
- Coverage   79.75%   79.04%   -0.72%     
==========================================
  Files          46       46              
  Lines        6994     7124     +130     
  Branches      788      784       -4     
==========================================
+ Hits         5578     5631      +53     
- Misses       1394     1475      +81     
+ Partials       22       18       -4     

Flag	Coverage Δ
suite.unit	79.04% <82.44%> (-0.72%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[rix0rrr]

I think we'd want this code to live in @aws-cdk/toolkit-lib, and then call it from the CLI.

Right, @mrgrain ?