You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: incorporate best-effort dry-run caveats from main
Update cli-commands.md with main's dry-run best-effort language:
pre-deployment validation, --dry-run option, dry run mode section,
and pre-deployment validation section all now include caveats about
best-effort nature and conditions that may cause deployment failure
despite clean validation.
Copy file name to clipboardExpand all lines: docs/cli-commands.md
+5-3Lines changed: 5 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -255,7 +255,7 @@ Bundle creation complete for target: dev
255
255
256
256
Deploys bundle files to target environments (auto-initializes if needed). The deploy command performs the following operations:
257
257
258
-
0.**Pre-Deployment Validation (automatic)**: Runs a dry-run validation before deployment to catch errors early. If any blocking errors are found, the deployment is aborted before any resources are created or modified. This prevents partial deployments that leave resources in an inconsistent state. Skip with `--skip-validation`.
258
+
0.**Pre-Deployment Validation (automatic)**: Runs a best-effort dry-run validation before deployment to catch errors early. If any blocking errors are found, the deployment is aborted before any resources are created or modified. This prevents partial deployments that leave resources in an inconsistent state. Note that a passing validation does not guarantee deployment success — transient errors or state changes may still occur. Skip with `--skip-validation`.
259
259
1.**Bundle Deployment**: Uploads workflow and storage files to target project connections
260
260
2.**Catalog Asset Access**: Processes catalog assets defined in the bundle manifest:
-**`-m, --manifest`**: Path to bundle manifest file (default: `manifest.yaml`)
276
276
-**`-t, --targets`**: Target name(s) - single target or comma-separated list (uses default target if not specified)
277
277
-**`-b, --bundle-archive-path`**: Path to pre-created bundle file (optional)
278
-
-**`--dry-run`**: Preview the deployment without making any changes. Validates the manifest, bundle, IAM permissions, resource reachability, catalog dependencies, and workflow definitions, then produces a structured report of what would happen and any issues detected. No resources are created, modified, or deleted.
278
+
-**`--dry-run`**: Preview the deployment without making any changes. Validates the manifest, bundle, IAM permissions, resource reachability, catalog dependencies, and workflow definitions, then produces a structured report of what would happen and any issues detected. No resources are created, modified, or deleted. This is a best-effort check — a passing dry run does not guarantee deployment success.
279
279
-**`--output`**: Output format for the dry-run report: `text` (default, human-readable) or `json` (machine-readable). Only applies when `--dry-run` is used.
280
280
-**`--skip-validation`**: Skip the automatic pre-deployment dry-run validation step and proceed directly to deployment. Useful when you have already validated with `--dry-run` or need to bypass validation for speed.
281
281
-**`--emit-events`**: Enable EventBridge event emission for deployment tracking
@@ -315,6 +315,8 @@ aws-smus-cicd-cli deploy --targets test --skip-validation
315
315
316
316
Use `--dry-run` to preview a deployment without creating, modifying, or deleting any resources. The dry run walks through every deployment phase in read-only mode:
317
317
318
+
> **Note:** The dry run is a best-effort validation. A passing dry run significantly reduces the risk of deployment failure but does not guarantee success. Conditions such as transient AWS service errors, IAM policy changes between validation and deployment, concurrent resource modifications, eventual consistency delays, and service quota limits may cause a deployment to fail even after a clean dry-run report.
319
+
318
320
1.**Manifest Validation** — Loads and validates the manifest YAML, resolves the target stage, builds domain configuration, checks environment variable references
319
321
2.**Bundle Exploration** — Opens the bundle archive, enumerates files, validates catalog export data if present
320
322
3.**Permission Verification** — Uses `iam:SimulatePrincipalPolicy` to check that the current IAM identity has all required permissions (S3, DataZone, Glue, IAM, QuickSight, Airflow, etc.). Also checks DataZone policy grants on the project's domain unit when catalog resources are present.
@@ -415,7 +417,7 @@ Exit codes for dry run:
415
417
416
418
#### Pre-Deployment Validation
417
419
418
-
By default, every `deploy` invocation (without `--dry-run`) automatically runs a dry-run validation step before beginning the actual deployment. This catches errors early and prevents partial deployments.
420
+
By default, every `deploy` invocation (without `--dry-run`) automatically runs a dry-run validation step before beginning the actual deployment. This catches errors early and prevents partial deployments. Note that this validation is best-effort — it cannot detect transient failures or state changes that occur after validation completes.
419
421
420
422
- If the validation finds errors, the deployment is aborted and the report is displayed.
421
423
- If the validation finds only warnings or passes cleanly, the deployment proceeds normally.
0 commit comments