deploy: Surface CloudFormation early validation errors in CLI output

[blimmer]

Describe the feature

When CloudFormation changeset creation fails due to early validation (e.g., AWS::EarlyValidation::ResourceExistenceCheck), the CDK CLI should automatically fetch and display the detailed validation errors from the CloudFormation DescribeEvents API, rather than directing users to manually query the API or use the AWS Console.

Use Case

I'm now getting early validation errors like this (which are great, in theory!):

❌  MyStack failed: ToolkitError: Failed to create ChangeSet cdk-deploy-change-set on MyStack: FAILED, The following hook(s)/validation failed: [AWS::EarlyValidation::ResourceExistenceCheck]. To troubleshoot Early Validation errors, use the DescribeEvents API for detailed failure information.

This error message tells me validation failed but doesn't tell me why. I have to:

1. Log into the AWS Console
2. Navigate to CloudFormation → Stacks → Events
3. Find the actual error message

When I do, I see clear, actionable information:

Resource of type 'AWS::Lambda::Function' with identifier 'my-lambda-function' already exists.

Proposed Solution

When changeset creation fails with an early validation error, the CDK CLI should:

1. Detect early validation failure patterns (e.g., AWS::EarlyValidation::* in the status reason)
2. Call the DescribeEvents API with FailedEvents=true filter
3. Extract and display the detailed validation error messages inline

Desired output:

❌  MyStack failed: Early validation failed

   AWS::Lambda::Function (my-lambda-function)
   Resource of type 'AWS::Lambda::Function' with identifier 'my-lambda-function' already exists.

To see all events: aws cloudformation describe-events --stack-name MyStack --failed-events true

Other Information

• CloudFormation early validation was released November 2025: AWS Announcement
• Related documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/validate-stack-deployments.html
• The DescribeEvents API now supports filtering by operation ID and failed events, making it easy to retrieve only the relevant errors: DescribeEvents API

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.1031.0 (build 3d7b09b)

Environment details (OS name and version, etc.)

MacOS

[mrgrain]

This has been fixed already in the latest version of the CLI. Please update. Let me know if it doesn't work in the latest version for some reason.

https://github.com/aws/aws-cdk-cli/releases/tag/aws-cdk%40v2.1034.0

[blimmer]

Whoops, sorry! Thanks.

[zhartaunik]

According to this:

https://docs.amplify.aws/react/build-a-backend/troubleshooting/cdktoolkit-stack/

~ $ cdk bootstrap aws://$(aws sts get-caller-identity --query Account --output text)/$AWS_REGION
⏳ Bootstrapping environment aws://xxxxxxxxxx/eu-central-1...
Trusted accounts for deployment: (none)
Trusted accounts for lookup: (none)
Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
CDKToolkit: creating CloudFormation changeset...
❌ Environment aws://xxxxxxxxxx/eu-central-1 failed bootstrapping: ToolkitError: Failed to create ChangeSet cdk-deploy-change-set on CDKToolkit: FAILED, The following hook(s)/validation failed: [AWS::EarlyValidation::ResourceExistenceCheck]. To troubleshoot Early Validation errors, use the DescribeEvents API for detailed failure information.

[mrgrain]

@zhartaunik Are you using the latest version of the CLI? We are not able to reproduce this, see #1032