
(cli): --require-approval any-change silently skips approval for non-broadening changes #1236

@thu-san


Describe the bug

cdk deploy --require-approval any-change no longer prompts for approval on non-broadening changes. It behaves the same as --require-approval broadening, only prompting for broadening permission changes.

Per the docs, any-change should require "manual approval for any change to the stack."

Two issues in CliIoHost:

  1. requireDeployApproval is not wired from CLI args to CliIoHost — In packages/aws-cdk/lib/cli/cli.ts, CliIoHost.instance() is created without requireDeployApproval, so it defaults to RequireApproval.BROADENING. The --require-approval value is only passed to CdkToolkit.deploy() (line 411), but never to CliIoHost.

  2. Missing return in skipApprovalStep — In packages/aws-cdk/lib/cli/io-host/cli-io-host.ts line 380, the early-return guard is missing return:

if (!(msg.code && approvalToolkitCodes.includes(msg.code))) {
    false;  // BUG: should be `return false;`
}

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.1019.2

Expected Behavior

When running cdk deploy --require-approval any-change, the CLI should prompt for confirmation before deploying ANY stack changes (security or not), as documented.

Current Behavior

The CLI only prompts for broadening security changes, silently deploying all other changes without approval. The any-change option behaves identically to broadening.

Reproduction Steps

# Make any non-IAM change to a CDK stack (e.g., change a tag, add a resource)
cdk deploy --require-approval any-change <stack-name>
# Expected: prompt "Do you wish to deploy these changes (y/n)?"
# Actual: deploys without prompting

Possible Solution

  1. In cli.ts, set ioHost.requireDeployApproval after configuration is parsed:

     const requireApproval = configuration.settings.get(['requireApproval']);
     if (requireApproval) {
         ioHost.requireDeployApproval = requireApproval;
     }

  2. In cli-io-host.ts, add the missing return:

     if (!(msg.code && approvalToolkitCodes.includes(msg.code))) {
         return false;
     }

Additional Information/Context

The regression was introduced during the CliIoHost refactor that replaced direct promptly.confirm() calls with the ioHost.requestResponse() abstraction. In the previous version (2.1019.2), askUserConfirmation directly checked process.stdin.isTTY and used promptly.confirm(), which worked correctly.

CDK CLI Version

2.1100.3 (build 0aa3e98)

Framework Version

aws-cdk-lib 2.201.0

Node.js Version

v24.11.0

OS

macOS (Darwin 25.3.0)

Language

TypeScript

Language Version

No response

Other information

No response
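As an added illustration (not aws-cdk code and not part of the report), the following TypeScript models the approval decision the issue describes and pins the expected behaviour of --require-approval any-change in a regression check. Only the names RequireApproval, requireDeployApproval, approvalToolkitCodes and skipApprovalStep come from the report; the message shape, the approval code and the wiring helper are constructed assumptions.

```typescript
// Added example, not aws-cdk code: a minimal model of the approval decision
// described in the issue, plus a regression check for `any-change`.
export enum RequireApproval { NEVER = "never", ANY_CHANGE = "any-change", BROADENING = "broadening" }

// Constructed message shape: a toolkit code plus whether the diff broadens permissions.
export interface ApprovalMessage { code?: string; broadeningChanges: boolean }

// Constructed placeholder for the toolkit codes that mark an approval request.
export const approvalToolkitCodes = ["APPROVAL_REQUEST_PLACEHOLDER"];

export class CliIoHostModel {
  // Unwired default, as the report describes: BROADENING unless the CLI sets it.
  constructor(public requireDeployApproval: RequireApproval = RequireApproval.BROADENING) {}

  // Returns true when the approval prompt may be skipped for this message.
  // Corrected guard: non-approval messages are never skipped (`return false;`).
  skipApprovalStep(msg: ApprovalMessage): boolean {
    if (!(msg.code && approvalToolkitCodes.includes(msg.code))) {
      return false;
    }
    if (this.requireDeployApproval === RequireApproval.NEVER) return true;        // never prompt
    if (this.requireDeployApproval === RequireApproval.ANY_CHANGE) return false;  // always prompt
    return !msg.broadeningChanges;  // BROADENING: prompt only for broadening permission changes
  }
}

// Constructed stand-in for the wiring step the report asks for in cli.ts:
// copy the parsed --require-approval setting onto the io host.
export function wireRequireApproval(host: CliIoHostModel, setting: string | undefined): CliIoHostModel {
  if (setting) {
    host.requireDeployApproval = setting as RequireApproval;
  }
  return host;
}

// Regression check: with any-change wired, a non-broadening change must still prompt,
// while the unwired host (defaulting to BROADENING) silently skips it.
export function anyChangePromptsOnNonBroadening(): boolean {
  const msg: ApprovalMessage = { code: approvalToolkitCodes[0], broadeningChanges: false };
  const unwired = new CliIoHostModel();
  const wired = wireRequireApproval(new CliIoHostModel(), "any-change");
  return unwired.skipApprovalStep(msg) === true && wired.skipApprovalStep(msg) === false;
}
```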
