
CONCEPT Cited by 1 source

CloudFormation ChangeSet

Definition

A CloudFormation ChangeSet is AWS CloudFormation's dry-run API for a stack update. Given an updated template (or parameters), the CreateChangeSet endpoint computes and returns a JSON description of the per-resource actions that would be applied — Add, Modify, Remove, Import — along with resource-property deltas and replacement flags. The ChangeSet is a first-class CloudFormation object that can be inspected, shared, executed via ExecuteChangeSet, or deleted without side effects.

Why it matters for change safety

CloudFormation template diffs are syntactic — a YAML text diff shows which lines changed. A ChangeSet is semantic — it shows which resources will change, which will be replaced (causing deletion of the old resource), which dependent resources will cascade, and which properties will take new values. The two diffs differ in operationally important ways:

  • Replacement detection. A small property change can cause resource replacement (e.g., renaming a DynamoDB table, changing an RDS engine version). The template diff looks tiny; the ChangeSet shows the destructive cascade.
  • Cross-stack cascade. An export used by other stacks shows up in the ChangeSet as dependent changes.
  • Parameter-only changes. A change driven by new parameter values (same template) has no template diff at all, but a real ChangeSet.

Zalando's use

From the 2024-01 metadpata postmortem:

"We have implemented automated previews in the Pull Request comments. This feature leverages the [AWS CloudFormation "ChangeSet" feature]. When an updated CF stack template is provided to the CloudFormation "CreateChangeSet" endpoint, CloudFormation generates a json preview of the changes, which then can be executed or rejected. We read this ChangeSet from each account in our AWS Organization and merge them to create a human readable preview of changes in a PR comment. After the preview is created, the ChangeSet is dropped."

Source: sources/2024-01-22-zalando-tale-of-metadpata-the-revenge-of-the-supertools

Load-bearing mechanics:

  1. Per-account iteration. The bot walks every AWS account in the organisation and calls CreateChangeSet for the stack update in each.
  2. Merge into one human-readable preview. Per-account JSON ChangeSets are aggregated into a single PR comment (the post does not disclose the merge format).
  3. Drop the ChangeSet after preview. ChangeSets are not meant to be left lying around indefinitely; Zalando's bot calls DeleteChangeSet once the PR comment is posted and re-creates the ChangeSet on subsequent pushes.
  4. Execute / reject lives in the PR. Merging the PR is the approval signal; the actual ExecuteChangeSet happens on merge.
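The merge step above is the one the post leaves undescribed. As an added example (not Zalando's bot code), the block below takes the `Changes` list that DescribeChangeSet returns for each account, flags replacements and removals using the `Replacement` and `RequiresRecreation` fields, and renders one aggregated preview; the account IDs and resources are constructed sample data, and in production the lists would come from boto3's `describe_change_set`.

```python
from collections import Counter

# Constructed DescribeChangeSet "Changes" payloads, keyed by hypothetical account ID.
# Shape follows the real API: each item wraps a ResourceChange with Action,
# Replacement ("True"/"False"/"Conditional") and per-property Details.
CHANGES_BY_ACCOUNT = {
    "111111111111": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "OrdersTable",
            "ResourceType": "AWS::DynamoDB::Table", "Replacement": "True",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "TableName",
                                    "RequiresRecreation": "Always"}}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "ReaderRole",
            "ResourceType": "AWS::IAM::Role", "Replacement": "False", "Details": []}},
    ],
    "222222222222": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Remove", "LogicalResourceId": "LegacyQueue",
            "ResourceType": "AWS::SQS::Queue", "Replacement": "False", "Details": []}},
    ],
}


def classify(change):
    """Map one change to (action, logical_id, type, destructive, recreation_reasons)."""
    rc = change["ResourceChange"]
    replaced = rc.get("Replacement") in ("True", "Conditional")
    destructive = rc["Action"] == "Remove" or replaced
    reasons = [d["Target"]["Name"] for d in rc.get("Details", [])
               if d["Target"].get("RequiresRecreation") in ("Always", "Conditionally")]
    return rc["Action"], rc["LogicalResourceId"], rc["ResourceType"], destructive, reasons


def merge_previews(changes_by_account):
    """Aggregate per-account ChangeSets into one Markdown preview plus a destructive count."""
    lines, counts, destructive_total = ["## CloudFormation preview"], Counter(), 0
    for account, changes in sorted(changes_by_account.items()):
        lines.append(f"### account {account}")
        for action, lid, rtype, destructive, reasons in map(classify, changes):
            counts[action] += 1
            destructive_total += destructive
            flag = " **DESTRUCTIVE**" if destructive else ""
            why = f" (replacement caused by: {', '.join(reasons)})" if reasons else ""
            lines.append(f"- {action} `{lid}` ({rtype}){flag}{why}")
    lines.append(f"Totals: {dict(sorted(counts.items()))}; destructive: {destructive_total}")
    return "\n".join(lines), destructive_total


if __name__ == "__main__":
    print(merge_previews(CHANGES_BY_ACCOUNT)[0])
```

A non-zero destructive count is the signal a reviewer wants surfaced at the top of the PR comment, since a one-line TableName change in the template diff becomes a table replacement in the ChangeSet.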

Caveats from the post

  • The post doesn't disclose latency, retry behaviour, or how the bot handles ChangeSet errors across hundreds of accounts.
  • Not every resource type supports ChangeSet previews equally — some custom resources and macros are shown as opaque.
  • A ChangeSet is only a preview; concurrent external drift can change what actually happens at execute time. SET_PARAMETERS vs CHANGE_SET_NAME subtleties apply.

Distinguishing from adjacent mechanisms

  • terraform plan is the Terraform equivalent. Both produce a "what would happen" artifact; Terraform's plan is serialised to a binary file and can be applied later; CloudFormation's ChangeSet is an API-side object.
  • AWS CDK cdk diff walks from the CDK app down to ChangeSet but presents a developer-friendly summary.
  • CloudFormation drift detection is a separate API that checks whether a deployed stack diverges from its template; ChangeSet is for pre-apply preview, drift is for post-apply comparison.
