npm - @go-to-k/cdkd - Versions diffs - 0.0.3 → 0.0.4 - Mend

@go-to-k/cdkd 0.0.3 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/cli.js +124 -1
package/dist/cli.js.map +2 -2
package/dist/go-to-k-cdkd-0.0.4.tgz +0 -0
package/dist/index.js +123 -0
package/dist/index.js.map +2 -2
package/package.json +1 -1
package/dist/go-to-k-cdkd-0.0.3.tgz +0 -0

package/dist/go-to-k-cdkd-0.0.4.tgz ADDED Viewed

Binary file

package/dist/index.js CHANGED Viewed

@@ -3132,6 +3132,11 @@ var TemplateParser = class {
 // src/analyzer/dag-builder.ts
 import graphlib from "graphlib";
 var { Graph, alg } = graphlib;
+var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
+  "AWS::IAM::Policy",
+  "AWS::IAM::RolePolicy",
+  "AWS::IAM::ManagedPolicy"
+]);
 var DagBuilder = class {
   logger = getLogger().child("DagBuilder");
   parser = new TemplateParser();
@@ -3172,6 +3177,7 @@ var DagBuilder = class {
       }
     }
     this.logger.debug(`Dependency graph built: ${resourceIds.length} nodes, ${edgeCount} edges`);
+    edgeCount += this.addCustomResourcePolicyEdges(graph, template);
     if (!alg.isAcyclic(graph)) {
       const cycles = this.findCycles(graph);
       throw new DependencyError(
@@ -3314,6 +3320,123 @@ var DagBuilder = class {
     const deps = this.getAllDependencies(graph, resourceA);
     return deps.has(resourceB);
   }
+  /**
+   * Add implicit edges from IAM::Policy resources to Custom Resources whose
+   * ServiceToken Lambda's execution role those policies attach to.
+   *
+   * Returns the number of edges added.
+   */
+  addCustomResourcePolicyEdges(graph, template) {
+    const rolePolicies = this.buildRolePoliciesMap(template);
+    if (rolePolicies.size === 0) {
+      return 0;
+    }
+    let added = 0;
+    for (const logicalId of this.parser.getResourceIds(template)) {
+      const resource = this.parser.getResource(template, logicalId);
+      if (!resource || !this.isCustomResourceType(resource.Type)) {
+        continue;
+      }
+      const serviceToken = (resource.Properties ?? {})["ServiceToken"];
+      const lambdaId = this.extractLogicalIdFromReference(serviceToken);
+      if (!lambdaId)
+        continue;
+      const lambdaResource = this.parser.getResource(template, lambdaId);
+      if (!lambdaResource || lambdaResource.Type !== "AWS::Lambda::Function") {
+        continue;
+      }
+      const roleId = this.extractLogicalIdFromReference((lambdaResource.Properties ?? {})["Role"]);
+      if (!roleId)
+        continue;
+      const policies = rolePolicies.get(roleId);
+      if (!policies)
+        continue;
+      for (const policyId of policies) {
+        if (policyId === logicalId)
+          continue;
+        if (!graph.hasNode(policyId))
+          continue;
+        if (graph.hasEdge(policyId, logicalId))
+          continue;
+        graph.setEdge(policyId, logicalId);
+        added++;
+        this.logger.debug(
+          `Added implicit edge (custom resource policy): ${policyId} -> ${logicalId}`
+        );
+      }
+    }
+    if (added > 0) {
+      this.logger.debug(`Added ${added} implicit edges for custom resource policies`);
+    }
+    return added;
+  }
+  isCustomResourceType(type) {
+    return type === "AWS::CloudFormation::CustomResource" || type.startsWith("Custom::");
+  }
+  /**
+   * Build a map of roleLogicalId -> Set<policyLogicalId> by scanning the
+   * template for IAM::Policy / IAM::RolePolicy / IAM::ManagedPolicy resources
+   * that attach to a role by Ref/GetAtt.
+   */
+  buildRolePoliciesMap(template) {
+    const map = /* @__PURE__ */ new Map();
+    for (const [policyId, resource] of Object.entries(template.Resources)) {
+      if (!IAM_ROLE_POLICY_TYPES.has(resource.Type))
+        continue;
+      for (const roleId of this.extractAttachedRoleIds(resource)) {
+        let set = map.get(roleId);
+        if (!set) {
+          set = /* @__PURE__ */ new Set();
+          map.set(roleId, set);
+        }
+        set.add(policyId);
+      }
+    }
+    return map;
+  }
+  /**
+   * Extract the logical IDs of IAM::Role resources that a policy resource
+   * attaches to. Supports both `Roles: [Ref]` (IAM::Policy / IAM::ManagedPolicy)
+   * and `RoleName: Ref` (IAM::RolePolicy) shapes.
+   */
+  extractAttachedRoleIds(resource) {
+    const ids = [];
+    const props = resource.Properties ?? {};
+    const roles = props["Roles"];
+    if (Array.isArray(roles)) {
+      for (const entry of roles) {
+        const id = this.extractLogicalIdFromReference(entry);
+        if (id)
+          ids.push(id);
+      }
+    }
+    const roleName = props["RoleName"];
+    const roleNameId = this.extractLogicalIdFromReference(roleName);
+    if (roleNameId)
+      ids.push(roleNameId);
+    return ids;
+  }
+  /**
+   * Extract a resource logical ID from a direct Ref or Fn::GetAtt expression.
+   * Returns undefined for literals or intrinsics we can't statically resolve
+   * (Fn::Join, Fn::ImportValue, etc.) — callers should skip in that case.
+   */
+  extractLogicalIdFromReference(value) {
+    if (typeof value !== "object" || value === null)
+      return void 0;
+    const obj = value;
+    if ("Ref" in obj && typeof obj["Ref"] === "string") {
+      const ref = obj["Ref"];
+      return ref.startsWith("AWS::") ? void 0 : ref;
+    }
+    if ("Fn::GetAtt" in obj) {
+      const getAtt = obj["Fn::GetAtt"];
+      if (Array.isArray(getAtt) && typeof getAtt[0] === "string") {
+        return getAtt[0];
+      }
+    }
+    return void 0;
+  }
 };
 // src/analyzer/replacement-rules.ts