@go-to-k/cdkd 0.0.3 → 0.0.4

package/dist/cli.js

@@ -3519,6 +3519,11 @@ var TemplateParser = class {
 
 // src/analyzer/dag-builder.ts
 var { Graph, alg } = graphlib;
+var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
+  "AWS::IAM::Policy",
+  "AWS::IAM::RolePolicy",
+  "AWS::IAM::ManagedPolicy"
+]);
 var DagBuilder = class {
   logger = getLogger().child("DagBuilder");
   parser = new TemplateParser();
@@ -3559,6 +3564,7 @@ var DagBuilder = class {
       }
     }
     this.logger.debug(`Dependency graph built: ${resourceIds.length} nodes, ${edgeCount} edges`);
+    edgeCount += this.addCustomResourcePolicyEdges(graph, template);
     if (!alg.isAcyclic(graph)) {
       const cycles = this.findCycles(graph);
       throw new DependencyError(
@@ -3701,6 +3707,123 @@ var DagBuilder = class {
     const deps = this.getAllDependencies(graph, resourceA);
     return deps.has(resourceB);
   }
+  /**
+   * Add implicit edges from IAM::Policy resources to Custom Resources whose
+   * ServiceToken Lambda's execution role those policies attach to.
+   *
+   * Returns the number of edges added.
+   */
+  addCustomResourcePolicyEdges(graph, template) {
+    const rolePolicies = this.buildRolePoliciesMap(template);
+    if (rolePolicies.size === 0) {
+      return 0;
+    }
+    let added = 0;
+    for (const logicalId of this.parser.getResourceIds(template)) {
+      const resource = this.parser.getResource(template, logicalId);
+      if (!resource || !this.isCustomResourceType(resource.Type)) {
+        continue;
+      }
+      const serviceToken = (resource.Properties ?? {})["ServiceToken"];
+      const lambdaId = this.extractLogicalIdFromReference(serviceToken);
+      if (!lambdaId)
+        continue;
+      const lambdaResource = this.parser.getResource(template, lambdaId);
+      if (!lambdaResource || lambdaResource.Type !== "AWS::Lambda::Function") {
+        continue;
+      }
+      const roleId = this.extractLogicalIdFromReference((lambdaResource.Properties ?? {})["Role"]);
+      if (!roleId)
+        continue;
+      const policies = rolePolicies.get(roleId);
+      if (!policies)
+        continue;
+      for (const policyId of policies) {
+        if (policyId === logicalId)
+          continue;
+        if (!graph.hasNode(policyId))
+          continue;
+        if (graph.hasEdge(policyId, logicalId))
+          continue;
+        graph.setEdge(policyId, logicalId);
+        added++;
+        this.logger.debug(
+          `Added implicit edge (custom resource policy): ${policyId} -> ${logicalId}`
+        );
+      }
+    }
+    if (added > 0) {
+      this.logger.debug(`Added ${added} implicit edges for custom resource policies`);
+    }
+    return added;
+  }
+  isCustomResourceType(type) {
+    return type === "AWS::CloudFormation::CustomResource" || type.startsWith("Custom::");
+  }
+  /**
+   * Build a map of roleLogicalId -> Set<policyLogicalId> by scanning the
+   * template for IAM::Policy / IAM::RolePolicy / IAM::ManagedPolicy resources
+   * that attach to a role by Ref/GetAtt.
+   */
+  buildRolePoliciesMap(template) {
+    const map = /* @__PURE__ */ new Map();
+    for (const [policyId, resource] of Object.entries(template.Resources)) {
+      if (!IAM_ROLE_POLICY_TYPES.has(resource.Type))
+        continue;
+      for (const roleId of this.extractAttachedRoleIds(resource)) {
+        let set = map.get(roleId);
+        if (!set) {
+          set = /* @__PURE__ */ new Set();
+          map.set(roleId, set);
+        }
+        set.add(policyId);
+      }
+    }
+    return map;
+  }
+  /**
+   * Extract the logical IDs of IAM::Role resources that a policy resource
+   * attaches to. Supports both `Roles: [Ref]` (IAM::Policy / IAM::ManagedPolicy)
+   * and `RoleName: Ref` (IAM::RolePolicy) shapes.
+   */
+  extractAttachedRoleIds(resource) {
+    const ids = [];
+    const props = resource.Properties ?? {};
+    const roles = props["Roles"];
+    if (Array.isArray(roles)) {
+      for (const entry of roles) {
+        const id = this.extractLogicalIdFromReference(entry);
+        if (id)
+          ids.push(id);
+      }
+    }
+    const roleName = props["RoleName"];
+    const roleNameId = this.extractLogicalIdFromReference(roleName);
+    if (roleNameId)
+      ids.push(roleNameId);
+    return ids;
+  }
+  /**
+   * Extract a resource logical ID from a direct Ref or Fn::GetAtt expression.
+   * Returns undefined for literals or intrinsics we can't statically resolve
+   * (Fn::Join, Fn::ImportValue, etc.) — callers should skip in that case.
+   */
+  extractLogicalIdFromReference(value) {
+    if (typeof value !== "object" || value === null)
+      return void 0;
+    const obj = value;
+    if ("Ref" in obj && typeof obj["Ref"] === "string") {
+      const ref = obj["Ref"];
+      return ref.startsWith("AWS::") ? void 0 : ref;
+    }
+    if ("Fn::GetAtt" in obj) {
+      const getAtt = obj["Fn::GetAtt"];
+      if (Array.isArray(getAtt) && typeof getAtt[0] === "string") {
+        return getAtt[0];
+      }
+    }
+    return void 0;
+  }
 };
 
 // src/analyzer/replacement-rules.ts
@@ -26890,7 +27013,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command8();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.0.3");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.0.4");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createDeployCommand());