@go-to-k/cdkd 0.0.3 → 0.1.0

package/dist/index.js

@@ -649,7 +649,7 @@ Caused by: ${error.cause.message}`;
 init_aws_clients();
 
 // src/synthesis/synthesizer.ts
-import { mkdirSync } from "node:fs";
+import { existsSync as existsSync3, mkdirSync, statSync } from "node:fs";
 import { resolve as resolve3 } from "node:path";
 import { GetCallerIdentityCommand, STSClient as STSClient2 } from "@aws-sdk/client-sts";
 
@@ -1846,6 +1846,14 @@ var Synthesizer = class {
    * 5. Return assembly with stacks
    */
   async synthesize(options) {
+    const appPath = resolve3(options.app);
+    if (existsSync3(appPath) && statSync(appPath).isDirectory()) {
+      this.logger.debug(`Using pre-synthesized cloud assembly at ${appPath}`);
+      const manifest = this.assemblyReader.readManifest(appPath);
+      const stacks = this.assemblyReader.getAllStacks(appPath, manifest);
+      this.logger.debug(`Loaded ${stacks.length} stack(s) from pre-synthesized assembly`);
+      return { manifest, assemblyDir: appPath, stacks };
+    }
     const outputDir = resolve3(options.output || "cdk.out");
     mkdirSync(outputDir, { recursive: true });
     const userCdkJson = loadUserCdkJson();
@@ -1933,7 +1941,7 @@ function setsEqual(a, b) {
 import { readFileSync as readFileSync4 } from "node:fs";
 
 // src/assets/file-asset-publisher.ts
-import { createReadStream, statSync } from "node:fs";
+import { createReadStream, statSync as statSync2 } from "node:fs";
 import { join as join4, basename } from "node:path";
 import { S3Client as S3Client2, HeadObjectCommand, PutObjectCommand } from "@aws-sdk/client-s3";
 var FileAssetPublisher = class {
@@ -2003,7 +2011,7 @@ var FileAssetPublisher = class {
    * Upload a single file to S3
    */
   async uploadFile(client, filePath, bucket, key) {
-    const stat = statSync(filePath);
+    const stat = statSync2(filePath);
     const stream = createReadStream(filePath);
     await client.send(
       new PutObjectCommand({
@@ -2025,7 +2033,7 @@ var FileAssetPublisher = class {
       archive.on("data", (chunk) => chunks.push(chunk));
       archive.on("end", () => resolve4(Buffer.concat(chunks)));
       archive.on("error", reject);
-      const stat = statSync(dirPath);
+      const stat = statSync2(dirPath);
       if (stat.isDirectory()) {
         archive.directory(dirPath, false);
       } else {
@@ -3132,6 +3140,11 @@ var TemplateParser = class {
 // src/analyzer/dag-builder.ts
 import graphlib from "graphlib";
 var { Graph, alg } = graphlib;
+var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
+  "AWS::IAM::Policy",
+  "AWS::IAM::RolePolicy",
+  "AWS::IAM::ManagedPolicy"
+]);
 var DagBuilder = class {
   logger = getLogger().child("DagBuilder");
   parser = new TemplateParser();
@@ -3172,6 +3185,7 @@ var DagBuilder = class {
       }
     }
     this.logger.debug(`Dependency graph built: ${resourceIds.length} nodes, ${edgeCount} edges`);
+    edgeCount += this.addCustomResourcePolicyEdges(graph, template);
     if (!alg.isAcyclic(graph)) {
       const cycles = this.findCycles(graph);
       throw new DependencyError(
@@ -3314,6 +3328,123 @@ var DagBuilder = class {
     const deps = this.getAllDependencies(graph, resourceA);
     return deps.has(resourceB);
   }
+  /**
+   * Add implicit edges from IAM::Policy resources to Custom Resources whose
+   * ServiceToken Lambda's execution role those policies attach to.
+   *
+   * Returns the number of edges added.
+   */
+  addCustomResourcePolicyEdges(graph, template) {
+    const rolePolicies = this.buildRolePoliciesMap(template);
+    if (rolePolicies.size === 0) {
+      return 0;
+    }
+    let added = 0;
+    for (const logicalId of this.parser.getResourceIds(template)) {
+      const resource = this.parser.getResource(template, logicalId);
+      if (!resource || !this.isCustomResourceType(resource.Type)) {
+        continue;
+      }
+      const serviceToken = (resource.Properties ?? {})["ServiceToken"];
+      const lambdaId = this.extractLogicalIdFromReference(serviceToken);
+      if (!lambdaId)
+        continue;
+      const lambdaResource = this.parser.getResource(template, lambdaId);
+      if (!lambdaResource || lambdaResource.Type !== "AWS::Lambda::Function") {
+        continue;
+      }
+      const roleId = this.extractLogicalIdFromReference((lambdaResource.Properties ?? {})["Role"]);
+      if (!roleId)
+        continue;
+      const policies = rolePolicies.get(roleId);
+      if (!policies)
+        continue;
+      for (const policyId of policies) {
+        if (policyId === logicalId)
+          continue;
+        if (!graph.hasNode(policyId))
+          continue;
+        if (graph.hasEdge(policyId, logicalId))
+          continue;
+        graph.setEdge(policyId, logicalId);
+        added++;
+        this.logger.debug(
+          `Added implicit edge (custom resource policy): ${policyId} -> ${logicalId}`
+        );
+      }
+    }
+    if (added > 0) {
+      this.logger.debug(`Added ${added} implicit edges for custom resource policies`);
+    }
+    return added;
+  }
+  isCustomResourceType(type) {
+    return type === "AWS::CloudFormation::CustomResource" || type.startsWith("Custom::");
+  }
+  /**
+   * Build a map of roleLogicalId -> Set<policyLogicalId> by scanning the
+   * template for IAM::Policy / IAM::RolePolicy / IAM::ManagedPolicy resources
+   * that attach to a role by Ref/GetAtt.
+   */
+  buildRolePoliciesMap(template) {
+    const map = /* @__PURE__ */ new Map();
+    for (const [policyId, resource] of Object.entries(template.Resources)) {
+      if (!IAM_ROLE_POLICY_TYPES.has(resource.Type))
+        continue;
+      for (const roleId of this.extractAttachedRoleIds(resource)) {
+        let set = map.get(roleId);
+        if (!set) {
+          set = /* @__PURE__ */ new Set();
+          map.set(roleId, set);
+        }
+        set.add(policyId);
+      }
+    }
+    return map;
+  }
+  /**
+   * Extract the logical IDs of IAM::Role resources that a policy resource
+   * attaches to. Supports both `Roles: [Ref]` (IAM::Policy / IAM::ManagedPolicy)
+   * and `RoleName: Ref` (IAM::RolePolicy) shapes.
+   */
+  extractAttachedRoleIds(resource) {
+    const ids = [];
+    const props = resource.Properties ?? {};
+    const roles = props["Roles"];
+    if (Array.isArray(roles)) {
+      for (const entry of roles) {
+        const id = this.extractLogicalIdFromReference(entry);
+        if (id)
+          ids.push(id);
+      }
+    }
+    const roleName = props["RoleName"];
+    const roleNameId = this.extractLogicalIdFromReference(roleName);
+    if (roleNameId)
+      ids.push(roleNameId);
+    return ids;
+  }
+  /**
+   * Extract a resource logical ID from a direct Ref or Fn::GetAtt expression.
+   * Returns undefined for literals or intrinsics we can't statically resolve
+   * (Fn::Join, Fn::ImportValue, etc.) — callers should skip in that case.
+   */
+  extractLogicalIdFromReference(value) {
+    if (typeof value !== "object" || value === null)
+      return void 0;
+    const obj = value;
+    if ("Ref" in obj && typeof obj["Ref"] === "string") {
+      const ref = obj["Ref"];
+      return ref.startsWith("AWS::") ? void 0 : ref;
+    }
+    if ("Fn::GetAtt" in obj) {
+      const getAtt = obj["Fn::GetAtt"];
+      if (Array.isArray(getAtt) && typeof getAtt[0] === "string") {
+        return getAtt[0];
+      }
+    }
+    return void 0;
+  }
 };
 
 // src/analyzer/replacement-rules.ts