feat(sync): add CloudFormation Language Extensions support for sam sync

Extend sam sync to fully support templates with AWS::LanguageExtensions
and Fn::ForEach. Previously, sync only had guard-level support that
skipped ForEach keys to avoid crashes.

Changes:
- Sanitize artifact properties inside Fn::ForEach body resources during
  template comparison so code-only changes don't trigger unnecessary
  infra syncs. Handles all code-syncable resource types: functions (zip
  + image), layers, APIs, HTTP APIs, state machines, and nested stacks.
- Detect code changes in ForEach-generated resources by expanding both
  the current and deployed templates, then comparing expanded resources.
  Changed resources are queued for code sync instead of triggering a
  full CloudFormation deployment.
- Code sync (sam sync --code) and watch mode (sam sync --watch) already
  work via SamLocalStackProvider.get_stacks() LE expansion. All sync
  flows (ADL, Image, API, Layer, StateMachine) work with expanded
  ForEach resource identifiers via CFN physical ID mapping.

Author: bnusunny

docs/cfn-language-extensions.md

@@ -4,7 +4,7 @@ SAM CLI now supports templates that use the `AWS::LanguageExtensions` transform,
 
 ## How it works
 
-When SAM CLI detects `AWS::LanguageExtensions` in a template's `Transform` section, it expands language extension constructs locally before running SAM transforms. This enables `sam build`, `sam package`, `sam deploy`, `sam validate`, `sam local invoke`, and `sam local start-api` to work with templates that use these constructs.
+When SAM CLI detects `AWS::LanguageExtensions` in a template's `Transform` section, it expands language extension constructs locally before running SAM transforms. This enables `sam build`, `sam package`, `sam deploy`, `sam sync`, `sam validate`, `sam local invoke`, and `sam local start-api` to work with templates that use these constructs.
 
 The expansion happens in two phases:
 

samcli/lib/sync/infra_sync_executor.py

@@ -7,7 +7,7 @@
 import re
 from datetime import datetime, timezone
 from pathlib import Path
-from typing import TYPE_CHECKING, Dict, List, Optional, Set, cast
+from typing import TYPE_CHECKING, Any, Dict, List, Optional, Set, cast
 from uuid import uuid4
 
 from boto3 import Session
@@ -348,6 +348,11 @@ def _auto_skip_infra_sync(
                 ):
                     return False
 
+        # Detect code changes in ForEach-generated resources by comparing expanded templates
+        self._detect_foreach_code_changes(
+            current_template, last_deployed_template_dict, nested_prefix
+        )
+
         LOG.debug("There are no changes from the previously deployed template for %s", packaged_template_path)
         return True
 
@@ -399,6 +404,8 @@ def _sanitize_template(
 
         for resource_logical_id in resources:
             if is_foreach_key(resource_logical_id):
+                foreach_value = resources.get(resource_logical_id)
+                self._sanitize_foreach_body(foreach_value, linked_resources, built_template_dict)
                 continue
 
             resource_dict = resources.get(resource_logical_id, {})
@@ -497,6 +504,130 @@ def _remove_resource_field(
 
         return processed_logical_id
 
+    def _sanitize_foreach_body(
+        self,
+        foreach_value: Any,
+        linked_resources: Optional[Set[str]] = None,
+        built_template_dict: Optional[Dict] = None,
+    ) -> None:
+        """
+        Sanitize code-syncable properties inside a Fn::ForEach body.
+
+        Recurses into the body dict (element [2] of the ForEach list) and removes
+        artifact properties (CodeUri, ImageUri, DefinitionUri, ContentUri, etc.)
+        from each resource definition, using the same removal maps as regular resources.
+        Also handles nested Fn::ForEach blocks by recursing further.
+
+        Parameters
+        ----------
+        foreach_value : Any
+            The Fn::ForEach value (should be a list with 3 elements: [loop_var, collection, body])
+        linked_resources : Optional[Set[str]]
+            The corresponding resources in the other template that got processed
+        built_template_dict : Optional[Dict]
+            The built template dict (not used for ForEach body since paths are dynamic)
+        """
+        if not isinstance(foreach_value, list) or len(foreach_value) < 3:
+            return
+
+        body = foreach_value[2]
+        if not isinstance(body, dict):
+            return
+
+        for key, resource_def in body.items():
+            if is_foreach_key(key):
+                self._sanitize_foreach_body(resource_def, linked_resources, built_template_dict)
+                continue
+
+            if not isinstance(resource_def, dict):
+                continue
+
+            resource_type = resource_def.get("Type")
+            if not resource_type:
+                continue
+
+            if resource_type in CODE_SYNCABLE_RESOURCES or resource_type in SYNCABLE_STACK_RESOURCES:
+                # For ForEach body resources, we always sanitize because the artifact paths
+                # are dynamic (contain loop variables or Fn::FindInMap after packaging) and
+                # will always differ between packaged and deployed templates.
+                # Pass the key as a linked resource so _remove_resource_field unconditionally removes fields.
+                self._remove_resource_field(key, resource_type, resource_def, {key}, None)
+
+            # Remove SamResourceId metadata
+            resource_def.get("Metadata", {}).pop("SamResourceId", None)
+            if not resource_def.get("Metadata"):
+                resource_def.pop("Metadata", None)
+
+    def _detect_foreach_code_changes(
+        self,
+        current_template: Dict,
+        last_deployed_template: Dict,
+        nested_prefix: Optional[str] = None,
+    ) -> None:
+        """
+        Detect code changes in ForEach-generated resources by expanding both the current
+        and last deployed templates, then comparing the expanded resources.
+
+        Only processes resources that were generated from Fn::ForEach blocks (i.e., resources
+        present in the expanded template but not in the original template as regular resources).
+
+        Parameters
+        ----------
+        current_template : Dict
+            The current packaged template (with Fn::ForEach intact)
+        last_deployed_template : Dict
+            The last deployed template (with Fn::ForEach intact)
+        nested_prefix : Optional[str]
+            The nested stack prefix for resource identifiers
+        """
+        from samcli.lib.cfn_language_extensions.sam_integration import check_using_language_extension
+
+        if not check_using_language_extension(current_template):
+            return
+
+        from samcli.lib.cfn_language_extensions.sam_integration import expand_language_extensions
+
+        try:
+            current_expanded = expand_language_extensions(current_template).expanded_template
+            deployed_expanded = expand_language_extensions(last_deployed_template).expanded_template
+        except Exception:
+            LOG.debug("Failed to expand language extensions for code change detection, skipping")
+            return
+
+        current_resources = current_expanded.get("Resources", {})
+        deployed_resources = deployed_expanded.get("Resources", {})
+
+        # Only check resources that exist in the expanded template — these include
+        # both regular resources and ForEach-generated ones. The regular resources
+        # were already checked in the main loop, so we skip them by checking if
+        # the resource key exists as a non-ForEach key in the original template.
+        original_regular_keys = {
+            k for k in current_template.get("Resources", {}) if not is_foreach_key(k)
+        }
+
+        for resource_id, resource_dict in current_resources.items():
+            if resource_id in original_regular_keys:
+                continue  # Already handled in the main loop
+
+            resource_type = resource_dict.get("Type")
+            if resource_type not in CODE_SYNCABLE_RESOURCES:
+                continue
+
+            last_resource_dict = deployed_resources.get(resource_id, {})
+            resolved_id = nested_prefix + resource_id if nested_prefix else resource_id
+
+            if resource_type == AWS_LAMBDA_FUNCTION:
+                if resource_dict.get("Properties", {}).get("Code") != last_resource_dict.get(
+                    "Properties", {}
+                ).get("Code"):
+                    self._code_sync_resources.add(ResourceIdentifier(resolved_id))
+            else:
+                for field in GENERAL_REMOVAL_MAP.get(resource_type, []):
+                    if resource_dict.get("Properties", {}).get(field) != last_resource_dict.get(
+                        "Properties", {}
+                    ).get(field):
+                        self._code_sync_resources.add(ResourceIdentifier(resolved_id))
+
     def get_template(self, template_path: str) -> Optional[Dict]:
         """
         Returns the template dict based on local or remote read logic