npm - @go-to-k/cdkd - Versions diffs - 0.0.2 → 0.0.4 - Mend

@go-to-k/cdkd 0.0.2 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +4 -4
package/dist/cli.js +153 -1
package/dist/cli.js.map +3 -3
package/dist/go-to-k-cdkd-0.0.4.tgz +0 -0
package/dist/index.js +146 -0
package/dist/index.js.map +2 -2
package/package.json +1 -1
package/dist/go-to-k-cdkd-0.0.2.tgz +0 -0

package/README.md CHANGED Viewed

@@ -306,16 +306,16 @@ Reproduce with `./tests/benchmark/run-benchmark.sh all`. See [tests/benchmark/RE
 ## Installation
-### From npm (experimental)
+### From npm
 ```bash
-npm i -g @go-to-k/cdkd@experimental   # latest experimental
-npm i -g @go-to-k/cdkd@0.1.0          # pin to a specific version
+npm i -g @go-to-k/cdkd          # latest release
+npm i -g @go-to-k/cdkd@0.0.2    # pin to a specific version
 ```
 The installed binary is `cdkd` — run it the same way in either install path.
-> Published under the `experimental` dist-tag while the project is in early development. There is no `latest` tag yet — always pin to `@experimental` (or a specific version) so `npm i -g @go-to-k/cdkd` does not silently resolve to a future stable release with different behavior.
+> cdkd is an experimental / educational project and is not intended for production use — see the warning at the top of this README. Pin to a specific version if you need reproducible installs.
 ### From source

package/dist/cli.js CHANGED Viewed

@@ -2893,6 +2893,7 @@ import {
   GetObjectCommand,
   PutObjectCommand as PutObjectCommand2,
   DeleteObjectCommand,
+  HeadBucketCommand as HeadBucketCommand2,
   HeadObjectCommand as HeadObjectCommand2,
   ListObjectsV2Command,
   NoSuchKey
@@ -2909,6 +2910,28 @@ var S3StateBackend = class {
   getStateKey(stackName) {
     return `${this.config.prefix}/${stackName}/state.json`;
   }
+  /**
+   * Verify that the configured state bucket exists.
+   *
+   * Called early in deploy/destroy to fail fast before expensive work
+   * (asset publishing, Docker builds) runs against a missing bucket.
+   */
+  async verifyBucketExists() {
+    try {
+      await this.s3Client.send(new HeadBucketCommand2({ Bucket: this.config.bucket }));
+    } catch (error) {
+      const name = error.name;
+      if (name === "NotFound" || name === "NoSuchBucket") {
+        throw new StateError(
+          `State bucket '${this.config.bucket}' does not exist. Run 'cdkd bootstrap' to create it, or specify an existing bucket via --state-bucket, CDKD_STATE_BUCKET, or cdk.json context.cdkd.stateBucket.`
+        );
+      }
+      throw new StateError(
+        `Failed to verify state bucket '${this.config.bucket}': ${error instanceof Error ? error.message : String(error)}`,
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
   /**
    * Check if state exists for a stack
    */
@@ -3496,6 +3519,11 @@ var TemplateParser = class {
 // src/analyzer/dag-builder.ts
 var { Graph, alg } = graphlib;
+var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
+  "AWS::IAM::Policy",
+  "AWS::IAM::RolePolicy",
+  "AWS::IAM::ManagedPolicy"
+]);
 var DagBuilder = class {
   logger = getLogger().child("DagBuilder");
   parser = new TemplateParser();
@@ -3536,6 +3564,7 @@ var DagBuilder = class {
       }
     }
     this.logger.debug(`Dependency graph built: ${resourceIds.length} nodes, ${edgeCount} edges`);
+    edgeCount += this.addCustomResourcePolicyEdges(graph, template);
     if (!alg.isAcyclic(graph)) {
       const cycles = this.findCycles(graph);
       throw new DependencyError(
@@ -3678,6 +3707,123 @@ var DagBuilder = class {
     const deps = this.getAllDependencies(graph, resourceA);
     return deps.has(resourceB);
   }
+  /**
+   * Add implicit edges from IAM::Policy resources to Custom Resources whose
+   * ServiceToken Lambda's execution role those policies attach to.
+   *
+   * Returns the number of edges added.
+   */
+  addCustomResourcePolicyEdges(graph, template) {
+    const rolePolicies = this.buildRolePoliciesMap(template);
+    if (rolePolicies.size === 0) {
+      return 0;
+    }
+    let added = 0;
+    for (const logicalId of this.parser.getResourceIds(template)) {
+      const resource = this.parser.getResource(template, logicalId);
+      if (!resource || !this.isCustomResourceType(resource.Type)) {
+        continue;
+      }
+      const serviceToken = (resource.Properties ?? {})["ServiceToken"];
+      const lambdaId = this.extractLogicalIdFromReference(serviceToken);
+      if (!lambdaId)
+        continue;
+      const lambdaResource = this.parser.getResource(template, lambdaId);
+      if (!lambdaResource || lambdaResource.Type !== "AWS::Lambda::Function") {
+        continue;
+      }
+      const roleId = this.extractLogicalIdFromReference((lambdaResource.Properties ?? {})["Role"]);
+      if (!roleId)
+        continue;
+      const policies = rolePolicies.get(roleId);
+      if (!policies)
+        continue;
+      for (const policyId of policies) {
+        if (policyId === logicalId)
+          continue;
+        if (!graph.hasNode(policyId))
+          continue;
+        if (graph.hasEdge(policyId, logicalId))
+          continue;
+        graph.setEdge(policyId, logicalId);
+        added++;
+        this.logger.debug(
+          `Added implicit edge (custom resource policy): ${policyId} -> ${logicalId}`
+        );
+      }
+    }
+    if (added > 0) {
+      this.logger.debug(`Added ${added} implicit edges for custom resource policies`);
+    }
+    return added;
+  }
+  isCustomResourceType(type) {
+    return type === "AWS::CloudFormation::CustomResource" || type.startsWith("Custom::");
+  }
+  /**
+   * Build a map of roleLogicalId -> Set<policyLogicalId> by scanning the
+   * template for IAM::Policy / IAM::RolePolicy / IAM::ManagedPolicy resources
+   * that attach to a role by Ref/GetAtt.
+   */
+  buildRolePoliciesMap(template) {
+    const map = /* @__PURE__ */ new Map();
+    for (const [policyId, resource] of Object.entries(template.Resources)) {
+      if (!IAM_ROLE_POLICY_TYPES.has(resource.Type))
+        continue;
+      for (const roleId of this.extractAttachedRoleIds(resource)) {
+        let set = map.get(roleId);
+        if (!set) {
+          set = /* @__PURE__ */ new Set();
+          map.set(roleId, set);
+        }
+        set.add(policyId);
+      }
+    }
+    return map;
+  }
+  /**
+   * Extract the logical IDs of IAM::Role resources that a policy resource
+   * attaches to. Supports both `Roles: [Ref]` (IAM::Policy / IAM::ManagedPolicy)
+   * and `RoleName: Ref` (IAM::RolePolicy) shapes.
+   */
+  extractAttachedRoleIds(resource) {
+    const ids = [];
+    const props = resource.Properties ?? {};
+    const roles = props["Roles"];
+    if (Array.isArray(roles)) {
+      for (const entry of roles) {
+        const id = this.extractLogicalIdFromReference(entry);
+        if (id)
+          ids.push(id);
+      }
+    }
+    const roleName = props["RoleName"];
+    const roleNameId = this.extractLogicalIdFromReference(roleName);
+    if (roleNameId)
+      ids.push(roleNameId);
+    return ids;
+  }
+  /**
+   * Extract a resource logical ID from a direct Ref or Fn::GetAtt expression.
+   * Returns undefined for literals or intrinsics we can't statically resolve
+   * (Fn::Join, Fn::ImportValue, etc.) — callers should skip in that case.
+   */
+  extractLogicalIdFromReference(value) {
+    if (typeof value !== "object" || value === null)
+      return void 0;
+    const obj = value;
+    if ("Ref" in obj && typeof obj["Ref"] === "string") {
+      const ref = obj["Ref"];
+      return ref.startsWith("AWS::") ? void 0 : ref;
+    }
+    if ("Fn::GetAtt" in obj) {
+      const getAtt = obj["Fn::GetAtt"];
+      if (Array.isArray(getAtt) && typeof getAtt[0] === "string") {
+        return getAtt[0];
+      }
+    }
+    return void 0;
+  }
 };
 // src/analyzer/replacement-rules.ts
@@ -26028,6 +26174,11 @@ async function deployCommand(stacks, options) {
     ...options.profile && { profile: options.profile }
   });
   setAwsClients(awsClients);
+  const preflightStateBackend = new S3StateBackend(awsClients.s3, {
+    bucket: stateBucket,
+    prefix: options.statePrefix
+  });
+  await preflightStateBackend.verifyBucketExists();
   let deployInterrupted = false;
   const topLevelSigintHandler = () => {
     if (deployInterrupted) {
@@ -26481,6 +26632,7 @@ async function destroyCommand(stackArgs, options) {
       prefix: options.statePrefix
     };
     const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
+    await stateBackend.verifyBucketExists();
     const lockManager = new LockManager(awsClients.s3, stateConfig);
     const dagBuilder = new DagBuilder();
     const providerRegistry = new ProviderRegistry();
@@ -26861,7 +27013,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command8();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.0.2");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.0.4");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createDeployCommand());