feat(cli): Add hotswap support for QuickSight resources

[awsmadi]

Summary

This PR adds hotswap deployment support for Amazon QuickSight resources, enabling faster iterative development when working with QuickSight dashboards, analyses, datasets, data sources, and templates.

Motivation

QuickSight resources often require frequent updates during development, particularly when iterating on dashboard definitions, data mappings, and visualizations. Full CloudFormation deployments for these changes can be slow. Hotswap allows developers to bypass CloudFormation and update resources directly
via the AWS API, significantly reducing deployment time during development.

Changes

New QuickSight Hotswap Handler (lib/api/hotswap/quicksight.ts)

Adds hotswap support for five QuickSight resource types:

• AWS::QuickSight::DataSet - Hotswappable properties: PhysicalTableMap, LogicalTableMap, Name
• AWS::QuickSight::DataSource - Hotswappable properties: DataSourceParameters, Name, Credentials
• AWS::QuickSight::Dashboard - Hotswappable properties: Definition, Name, SourceEntity
• AWS::QuickSight::Analysis - Hotswappable properties: Definition, Name, SourceEntity
• AWS::QuickSight::Template - Hotswappable properties: Definition, Name, SourceEntity

The implementation:

• Evaluates CloudFormation expressions for changed properties
• Resolves resource physical IDs from logical IDs
• Calls the appropriate QuickSight Update API for each resource type
• Falls back to CloudFormation for non-hotswappable property changes (e.g., ImportMode)

SDK Integration (lib/api/aws-auth/sdk.ts)

Adds IQuickSightClient interface and quickSight() method to the SDK class with support for:

• updateAnalysis
• updateDashboard
• updateDataSet
• updateDataSource
• updateTemplate

Hotswap Registration (lib/api/hotswap/hotswap-deployments.ts)

Registers the QuickSight detector for all five resource types in the RESOURCE_DETECTORS map.

Test Infrastructure (test/_helpers/mock-sdk.ts)

Adds mockQuickSightClient for testing QuickSight hotswap operations.

Testing

Added comprehensive test suite (test/api/hotswap/quicksight-hotswap-deployments.test.ts) covering:

• New resource additions (no hotswap, falls back to CFN)
• Property changes for all five resource types
• Non-hotswappable property changes (correctly falls back)
• Both FALL_BACK and HOTSWAP_ONLY modes

Usage Example

bash

Deploy with hotswap enabled - QuickSight changes will be applied directly

cdk deploy --hotswap

Or hotswap-only mode (skip non-hotswappable changes)

cdk deploy --hotswap-fallback

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.78%. Comparing base (970da46) to head (82a72c6).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1055      +/-   ##
==========================================
- Coverage   87.79%   87.78%   -0.01%     
==========================================
  Files          73       73              
  Lines       10168    10168              
  Branches     1343     1343              
==========================================
- Hits         8927     8926       -1     
- Misses       1217     1218       +1     
  Partials       24       24              

Flag	Coverage Δ
suite.unit	87.78% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[dgandhi62]

ImportMode here is passed as raw props.ImportMode without evaluation, unlike other properties that use evaluatedProps

What is the reason this is raw CFN and not being evaluated like the other properties?

[awsmadi]

Good catch. ImportMode should be evaluated through evaluateCfnExpression like other properties, otherwise CFN intrinsic functions (e.g. { Ref: 'SomeParam' }) would be passed as raw objects to the QuickSight API instead of being resolved.

Fixed in the latest commit - ImportMode is now evaluated. I also fixed the Name fallback path (evaluatedProps.Name ?? props.Name) which had the same issue: when Name hadn't changed but contained an intrinsic function, the raw CFN object was passed through instead of the resolved value. Added tests for both cases.

[dgandhi62]

Is it safe to allow hotswapping credentials? I'm unsure if there is any extra consideration here but want to clarify

[awsmadi]

Good question - I've removed Credentials from the hotswappable properties list. Several reasons:

1. Write-only property in the CFN schema: The CloudFormation resource schema for AWS::QuickSight::DataSource explicitly lists Credentials under writeOnlyProperties. This is the CloudFormation team's classification that this property contains sensitive data that cannot be read back via DescribeDataSource.

2. Sensitive data: Credentials can contain plaintext usernames/passwords (CredentialPair), private keys (KeyPairCredentials), or Secrets Manager ARNs (SecretArn). Bypassing CloudFormation's change set review for credential changes removes a safety checkpoint that's especially important for secrets.

3. Hotswap is for fast dev iteration: You'd typically iterate rapidly on dashboard definitions, dataset schemas, or data source connection parameters - not on credentials. Credential changes are infrequent and warrant the full CloudFormation deployment path for auditability and review.

No other hotswap handler in the codebase hotswaps dedicated credential/secret properties, so this is consistent with the existing pattern.

Added a test confirming that Credentials changes on DataSource are correctly rejected by the hotswap detector.

[dgandhi62]

I think there could be tests for

1. CFN intrinsic functions existing on the properties
2. Both hotswappable and non-hotswappable properties changing together

[awsmadi]

Added four new tests covering both areas:

CFN intrinsic functions on properties:

1. Fn::Join with Ref in the Dashboard Name property — verifies it resolves correctly (e.g. "dashboard-my-bucket" instead of the raw {"Fn::Join": ...} object)
2. { Ref: 'Param' } in the DataSet ImportMode — verifies the required-but-non-hotswappable property is also properly evaluated (relates to comment chore(deps): upgrade dependencies #1)

Mixed hotswappable + non-hotswappable changes:
3. PhysicalTableMap (hotswappable) + Permissions (non-hotswappable) changing together on a DataSet — verifies FALL_BACK mode returns undefined with no SDK call, and HOTSWAP_ONLY mode hotswaps only the hotswappable properties
4. Credentials-only change on DataSource — verifies it's rejected in both modes (relates to comment #2)

[dgandhi62]

Clarifying questions

[awsmadi]

All review feedback has been addressed:

• ImportMode is now properly evaluated through evaluateCfnExpression ✅
• Credentials removed from hotswappable properties (write-only CFN property, contains secrets) ✅
• Added tests for CFN intrinsic functions on properties and mixed hotswappable/non-hotswappable changes ✅

All CI checks are passing (including all integration test shards). Could I get a re-review when you have a chance? Thanks!