npm - @go-to-k/cdkd - Versions diffs - 0.102.7 → 0.103.0 - Mend

@go-to-k/cdkd 0.102.7 → 0.103.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -609,6 +609,7 @@ types:
 | `AWS::Neptune::DBCluster` | `DeletionProtection` |
 | `AWS::Neptune::DBInstance` | `DeletionProtection` |
 | `AWS::DynamoDB::Table` | `DeletionProtectionEnabled` |
+| `AWS::DynamoDB::GlobalTable` | `DeletionProtectionEnabled` (CDK v2 `dynamodb.TableV2`) |
 | `AWS::EC2::Instance` | `DisableApiTermination` |
 | `AWS::ElasticLoadBalancingV2::LoadBalancer` | attribute `deletion_protection.enabled` |
 | `AWS::Cognito::UserPool` | `DeletionProtection` (`ACTIVE` / `INACTIVE`) |

package/dist/cli.js CHANGED Viewed

@@ -9,7 +9,7 @@ import { CreateTopicCommand, DeleteTopicCommand, GetSubscriptionAttributesComman
 import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifyInstanceAttributeCommand, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
-import { CreateTableCommand, DeleteTableCommand, DescribeTableCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateTableCommand } from "@aws-sdk/client-dynamodb";
+import { CreateTableCommand, DeleteTableCommand, DescribeTableCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
 import { CloudFormationClient, CreateChangeSetCommand, DeleteChangeSetCommand, DeleteStackCommand, DescribeChangeSetCommand, DescribeStackEventsCommand, DescribeStackResourcesCommand, DescribeStacksCommand, DescribeTypeCommand, ExecuteChangeSetCommand, GetTemplateCommand, UpdateStackCommand, waitUntilChangeSetCreateComplete, waitUntilStackDeleteComplete, waitUntilStackImportComplete, waitUntilStackUpdateComplete } from "@aws-sdk/client-cloudformation";
 import { APIGatewayClient, CreateAuthorizerCommand, CreateDeploymentCommand, CreateResourceCommand, CreateStageCommand, DeleteAuthorizerCommand, DeleteDeploymentCommand, DeleteMethodCommand, DeleteResourceCommand, DeleteStageCommand, GetAccountCommand, GetAuthorizerCommand, GetDeploymentCommand, GetMethodCommand, GetResourceCommand, GetStageCommand, NotFoundException as NotFoundException$1, PutIntegrationCommand, PutIntegrationResponseCommand, PutMethodCommand, PutMethodResponseCommand, TagResourceCommand as TagResourceCommand$3, UntagResourceCommand as UntagResourceCommand$3, UpdateAccountCommand, UpdateAuthorizerCommand, UpdateMethodCommand, UpdateStageCommand } from "@aws-sdk/client-api-gateway";
 import { CreateEventBusCommand, DeleteEventBusCommand, DeleteRuleCommand, DescribeEventBusCommand, DescribeRuleCommand, EventBridgeClient, ListEventBusesCommand, ListRulesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$1, ListTargetsByRuleCommand, PutRuleCommand, PutTargetsCommand, RemoveTargetsCommand, ResourceNotFoundException as ResourceNotFoundException$2, TagResourceCommand as TagResourceCommand$4, UntagResourceCommand as UntagResourceCommand$4, UpdateEventBusCommand } from "@aws-sdk/client-eventbridge";
@@ -7839,6 +7839,524 @@ var DynamoDBTableProvider = class {
 	}
 };
+//#endregion
+//#region src/provisioning/providers/dynamodb-globaltable-provider.ts
+/**
+* AWS DynamoDB GlobalTable Provider
+*
+* Implements resource provisioning for AWS::DynamoDB::GlobalTable using the
+* standard DynamoDB SDK (2019.11.21 API generation, NOT the legacy
+* 2017.11.29 endpoints). CDK v2's `dynamodb.TableV2` construct synthesizes
+* as this type.
+*
+* WHY a dedicated SDK provider:
+*   - Pre-PR the type fell through to Cloud Control API which did not pass
+*     a `TableName` field, so AWS auto-generated random names like
+*     `yq2phLewTEUtzr4sy2gYFRU4I-1OGJ0UFLOKOOV` instead of the cdkd
+*     `${stackName}-X<hash>` shape (Issue #383).
+*   - Per memory rule `feedback_dedicated_provider_over_special_case.md`,
+*     the consistent fix is a dedicated SDK Provider rather than adding
+*     the type to `FALLBACK_NAME_RULES`.
+*
+* **CRITICAL**: do NOT use the legacy 2017.11.29 endpoints
+* (`CreateGlobalTableCommand` / `UpdateGlobalTableCommand` /
+* `DescribeGlobalTableCommand`). The CFn type `AWS::DynamoDB::GlobalTable`
+* is the 2019.11.21 generation, which uses the regular DynamoDB CRUD API
+* (`CreateTableCommand` + `UpdateTableCommand` with `ReplicaUpdates`).
+*
+* MVP scope:
+*  - `update()` throws `ResourceUpdateNotSupportedError`. In-place GlobalTable
+*    updates (replica add/remove, GSI add/remove, BillingMode flip, throughput
+*    rewrites) are out of scope and a follow-up PR.
+*  - `getDriftUnknownPaths` declares TTL + throughput-settings paths because
+*    cdkd's create/update flows surface them but the read-side reverse
+*    mapping is non-trivial and would fire false drift.
+*  - Per-replica drift (`ContributorInsightsSpecification` /
+*    `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`) is
+*    out of scope for v1.
+*/
+var DynamoDBGlobalTableProvider = class {
+	dynamoDBClient;
+	logger = getLogger().child("DynamoDBGlobalTableProvider");
+	attributeCache = /* @__PURE__ */ new Map();
+	handledProperties = new Map([["AWS::DynamoDB::GlobalTable", new Set([
+		"TableName",
+		"KeySchema",
+		"AttributeDefinitions",
+		"BillingMode",
+		"StreamSpecification",
+		"GlobalSecondaryIndexes",
+		"LocalSecondaryIndexes",
+		"SSESpecification",
+		"Replicas",
+		"TableClass",
+		"TimeToLiveSpecification",
+		"WriteProvisionedThroughputSettings",
+		"WriteOnDemandThroughputSettings",
+		"DeletionProtectionEnabled",
+		"Tags"
+	])]]);
+	constructor() {
+		const awsClients = getAwsClients();
+		this.dynamoDBClient = awsClients.dynamoDB;
+	}
+	/**
+	* Create a DynamoDB Global Table (CDK TableV2).
+	*
+	* GlobalTable is built on the regular DynamoDB Table primitive: cdkd issues
+	* `CreateTableCommand` first (which only creates the table in the local
+	* region), waits for `ACTIVE`, then issues one `UpdateTableCommand` per
+	* additional replica region via `ReplicaUpdates: [{ Create: {...} }]`.
+	*
+	* Streams must be enabled with `NEW_AND_OLD_IMAGES` when the table has any
+	* cross-region replicas — AWS rejects the replica-add otherwise. cdkd
+	* auto-enables them with an info log when the template omits it.
+	*
+	* Partial-create cleanup (PR #374-class): if any post-`CreateTableCommand`
+	* wiring (wait ACTIVE → replica adds → TTL → Tags) throws, cdkd issues a
+	* best-effort `DeleteTableCommand` so AWS is not left holding a billing
+	* orphan with no cdkd state record. Cleanup failures escalate to WARN
+	* with the exact `aws dynamodb delete-table --table-name <id>` recovery
+	* command.
+	*/
+	async create(logicalId, resourceType, properties) {
+		this.logger.debug(`Creating DynamoDB GlobalTable ${logicalId}`);
+		const tableName = properties["TableName"] || generateResourceName(logicalId, { maxLength: 255 });
+		const keySchema = properties["KeySchema"];
+		const attributeDefinitions = properties["AttributeDefinitions"];
+		if (!keySchema) throw new ProvisioningError(`KeySchema is required for DynamoDB GlobalTable ${logicalId}`, resourceType, logicalId);
+		if (!attributeDefinitions) throw new ProvisioningError(`AttributeDefinitions is required for DynamoDB GlobalTable ${logicalId}`, resourceType, logicalId);
+		const billingMode = properties["BillingMode"] ?? "PAY_PER_REQUEST";
+		const currentRegion = await this.dynamoDBClient.config.region() ?? "";
+		const replicas = properties["Replicas"] ?? [];
+		const createParams = {
+			TableName: tableName,
+			KeySchema: keySchema,
+			AttributeDefinitions: attributeDefinitions,
+			BillingMode: billingMode
+		};
+		if (billingMode === "PROVISIONED") {
+			const writeAutoScaling = properties["WriteProvisionedThroughputSettings"]?.["WriteCapacityAutoScalingSettings"];
+			const writeCapacity = Number(writeAutoScaling?.["MinCapacity"] ?? 5);
+			const readAutoScaling = (replicas.find((r) => r["Region"] === currentRegion)?.["ReadProvisionedThroughputSettings"])?.["ReadCapacityAutoScalingSettings"];
+			createParams.ProvisionedThroughput = {
+				ReadCapacityUnits: Number(readAutoScaling?.["MinCapacity"] ?? 5),
+				WriteCapacityUnits: writeCapacity
+			};
+		}
+		const streamSpecInput = properties["StreamSpecification"];
+		const needsStream = replicas.some((r) => r["Region"] !== currentRegion) || replicas.length > 1;
+		if (streamSpecInput) createParams.StreamSpecification = {
+			StreamEnabled: true,
+			StreamViewType: streamSpecInput["StreamViewType"] ?? "NEW_AND_OLD_IMAGES"
+		};
+		else if (needsStream) {
+			this.logger.info(`Auto-enabling streams (NEW_AND_OLD_IMAGES) on ${logicalId} — required for cross-region replication`);
+			createParams.StreamSpecification = {
+				StreamEnabled: true,
+				StreamViewType: "NEW_AND_OLD_IMAGES"
+			};
+		}
+		if (properties["GlobalSecondaryIndexes"]) createParams.GlobalSecondaryIndexes = properties["GlobalSecondaryIndexes"];
+		if (properties["LocalSecondaryIndexes"]) createParams.LocalSecondaryIndexes = properties["LocalSecondaryIndexes"];
+		if (properties["SSESpecification"]) {
+			const sse = properties["SSESpecification"];
+			const sseInput = { Enabled: sse["SSEEnabled"] !== void 0 ? Boolean(sse["SSEEnabled"]) : true };
+			if (sse["SSEType"]) sseInput.SSEType = sse["SSEType"];
+			createParams.SSESpecification = sseInput;
+		}
+		if (properties["DeletionProtectionEnabled"] !== void 0) createParams.DeletionProtectionEnabled = properties["DeletionProtectionEnabled"];
+		if (properties["TableClass"]) createParams.TableClass = properties["TableClass"];
+		const wodts = properties["WriteOnDemandThroughputSettings"];
+		if (wodts?.["MaxWriteRequestUnits"] !== void 0) createParams.OnDemandThroughput = { MaxWriteRequestUnits: Number(wodts["MaxWriteRequestUnits"]) };
+		if (properties["Tags"]) createParams.Tags = properties["Tags"];
+		try {
+			await this.dynamoDBClient.send(new CreateTableCommand(createParams));
+			this.logger.debug(`CreateTable initiated for ${tableName}, waiting for ACTIVE`);
+		} catch (error) {
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to create DynamoDB GlobalTable ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, tableName, cause);
+		}
+		try {
+			const tableInfo = await this.waitForTableActive(tableName);
+			for (const replica of replicas) {
+				const region = replica["Region"];
+				if (!region || region === currentRegion) continue;
+				await this.addReplica(tableName, replica, region);
+			}
+			if (properties["TimeToLiveSpecification"]) {
+				const ttl = properties["TimeToLiveSpecification"];
+				const attributeName = ttl["AttributeName"];
+				const enabled = ttl["Enabled"] !== void 0 ? Boolean(ttl["Enabled"]) : true;
+				if (attributeName) await this.dynamoDBClient.send(new UpdateTimeToLiveCommand({
+					TableName: tableName,
+					TimeToLiveSpecification: {
+						Enabled: enabled,
+						AttributeName: attributeName
+					}
+				}));
+			}
+			this.logger.debug(`Successfully created DynamoDB GlobalTable ${logicalId}: ${tableName}`);
+			return {
+				physicalId: tableName,
+				attributes: {
+					Arn: tableInfo.tableArn,
+					TableId: tableInfo.tableId,
+					StreamArn: tableInfo.streamArn,
+					TableName: tableName
+				}
+			};
+		} catch (wiringError) {
+			this.logger.warn(`Wiring failed after CreateTable for ${tableName}; attempting best-effort cleanup`);
+			try {
+				await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: tableName }));
+			} catch (cleanupErr) {
+				const cleanupMsg = cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr);
+				this.logger.warn(`Partial-create cleanup failed for ${tableName}: ${cleanupMsg}. Run: aws dynamodb delete-table --table-name ${tableName} to remove the orphaned AWS-side table.`);
+			}
+			const cause = wiringError instanceof Error ? wiringError : void 0;
+			throw new ProvisioningError(`Failed to create DynamoDB GlobalTable ${logicalId}: ${wiringError instanceof Error ? wiringError.message : String(wiringError)}`, resourceType, logicalId, tableName, cause);
+		}
+	}
+	/**
+	* Add a single replica region. Issues one `UpdateTableCommand` with
+	* `ReplicaUpdates: [{ Create: { RegionName, ... } }]` and polls
+	* `DescribeTable` until the replica's `ReplicaStatus` flips to ACTIVE.
+	* Capped at 10 minutes per replica (AWS Replica provisioning typically
+	* takes 1–5 min).
+	*/
+	async addReplica(tableName, replica, region) {
+		const create = { RegionName: region };
+		if (replica["KMSMasterKeyId"]) create.KMSMasterKeyId = replica["KMSMasterKeyId"];
+		if (replica["GlobalSecondaryIndexes"]) create.GlobalSecondaryIndexes = replica["GlobalSecondaryIndexes"];
+		if (replica["TableClassOverride"]) create.TableClassOverride = replica["TableClassOverride"];
+		const replicaUpdates = [{ Create: create }];
+		await this.dynamoDBClient.send(new UpdateTableCommand({
+			TableName: tableName,
+			ReplicaUpdates: replicaUpdates
+		}));
+		await this.waitForReplicaActive(tableName, region);
+	}
+	/**
+	* Update a DynamoDB Global Table.
+	*
+	* MVP: in-place updates are out of scope — replica add/remove, GSI
+	* add/remove, BillingMode flip, and throughput rewrites each have
+	* distinct UpdateTable shapes and ordering rules. `cdkd drift --revert`
+	* surfaces this as `ResourceUpdateNotSupportedError` (exit code 2);
+	* the user falls back to `cdkd deploy --replace` or destroy + redeploy.
+	*/
+	async update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+		throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "GlobalTable in-place updates are not yet supported; use 'cdkd deploy --replace' or destroy + redeploy");
+	}
+	/**
+	* Delete a DynamoDB Global Table.
+	*
+	* Order is load-bearing:
+	*  1. Optional `--remove-protection` flip-off (idempotent).
+	*  2. `DescribeTable` → drop every non-local replica via UpdateTable
+	*     `ReplicaUpdates: [{ Delete: { RegionName } }]`, one at a time
+	*     (AWS rejects multiple replica updates per call). Each delete
+	*     polls until the replica disappears from `Replicas[]`.
+	*  3. `DeleteTableCommand` on the local region only.
+	*  4. Wait for `ResourceNotFoundException` on subsequent DescribeTable.
+	*
+	* DELETE idempotency: a `ResourceNotFoundException` is treated as
+	* success ONLY when the client region matches the state region
+	* (`assertRegionMatch`). A mismatched destroy would otherwise silently
+	* strip a still-existing resource from state.
+	*/
+	async delete(logicalId, physicalId, resourceType, _properties, context) {
+		this.logger.debug(`Deleting DynamoDB GlobalTable ${logicalId}: ${physicalId}`);
+		if (context?.removeProtection === true) try {
+			await this.dynamoDBClient.send(new UpdateTableCommand({
+				TableName: physicalId,
+				DeletionProtectionEnabled: false
+			}));
+			this.logger.debug(`Disabled DeletionProtectionEnabled on ${logicalId}, waiting for ACTIVE`);
+			try {
+				await this.waitForTableActiveAfterUpdate(physicalId);
+			} catch (waitErr) {
+				this.logger.debug(`Could not wait for table ${physicalId} ACTIVE after protection flip: ${waitErr instanceof Error ? waitErr.message : String(waitErr)}`);
+			}
+		} catch (flipError) {
+			if (!(flipError instanceof ResourceNotFoundException$1)) this.logger.debug(`Could not disable DeletionProtectionEnabled on ${physicalId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`);
+		}
+		let currentRegion;
+		try {
+			currentRegion = await this.dynamoDBClient.config.region();
+		} catch (regionErr) {
+			const cause = regionErr instanceof Error ? regionErr : void 0;
+			throw new ProvisioningError(`Could not resolve client region for DynamoDB GlobalTable ${logicalId} delete — would risk dropping the local replica`, resourceType, logicalId, physicalId, cause);
+		}
+		try {
+			const replicas = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }))).Table?.Replicas ?? [];
+			for (const replica of replicas) {
+				const region = replica.RegionName;
+				if (!region || region === currentRegion) continue;
+				try {
+					await this.dynamoDBClient.send(new UpdateTableCommand({
+						TableName: physicalId,
+						ReplicaUpdates: [{ Delete: { RegionName: region } }]
+					}));
+					await this.waitForReplicaGone(physicalId, region);
+				} catch (replicaErr) {
+					if (!(replicaErr instanceof ResourceNotFoundException$1)) throw replicaErr;
+				}
+			}
+		} catch (describeErr) {
+			if (!(describeErr instanceof ResourceNotFoundException$1)) {
+				const cause = describeErr instanceof Error ? describeErr : void 0;
+				throw new ProvisioningError(`Failed to describe DynamoDB GlobalTable ${logicalId} before delete: ${describeErr instanceof Error ? describeErr.message : String(describeErr)}`, resourceType, logicalId, physicalId, cause);
+			}
+		}
+		try {
+			await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: physicalId }));
+			await this.waitForTableGone(physicalId);
+			this.logger.debug(`Successfully deleted DynamoDB GlobalTable ${logicalId}`);
+		} catch (error) {
+			if (error instanceof ResourceNotFoundException$1) {
+				assertRegionMatch(await this.dynamoDBClient.config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
+				this.logger.debug(`DynamoDB GlobalTable ${physicalId} does not exist, skipping`);
+				return;
+			}
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to delete DynamoDB GlobalTable ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
+		}
+	}
+	/**
+	* Resolve a single `Fn::GetAtt` attribute for an existing DynamoDB GlobalTable.
+	*
+	* Cached per `(physicalId, attribute)` for the deploy run to avoid
+	* repeated `DescribeTable` calls.
+	*/
+	async getAttribute(physicalId, _resourceType, attributeName) {
+		const cacheKey = `${physicalId}::${attributeName}`;
+		if (this.attributeCache.has(cacheKey)) return this.attributeCache.get(cacheKey);
+		try {
+			const resp = await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }));
+			let value;
+			switch (attributeName) {
+				case "Arn":
+					value = resp.Table?.TableArn;
+					break;
+				case "StreamArn":
+					value = resp.Table?.LatestStreamArn;
+					break;
+				case "TableId":
+					value = resp.Table?.TableId;
+					break;
+				default: value = void 0;
+			}
+			this.attributeCache.set(cacheKey, value);
+			return value;
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$1) return void 0;
+			throw err;
+		}
+	}
+	/**
+	* Read the AWS-current DynamoDB GlobalTable configuration in CFn-property shape.
+	*
+	* Reverse-maps `DescribeTable` + `ListTagsOfResource` into the
+	* `AWS::DynamoDB::GlobalTable` property set.
+	*
+	* Type-discriminator gating (memory rule
+	* `feedback_always_emit_check_type_discriminator.md`):
+	*  - `ProvisionedThroughput`-bearing fields are only surfaced when
+	*    `BillingMode === 'PROVISIONED'`. Emitting placeholders on
+	*    PAY_PER_REQUEST tables (or vice versa) would fire false drift on
+	*    every clean run.
+	*  - StreamSpecification / SSESpecification follow the existing
+	*    DynamoDB::Table provider's Class 1 guard: only surfaced when AWS
+	*    reports the feature actually enabled.
+	*
+	* `getDriftUnknownPaths` declares TTL + write-throughput-settings —
+	* those round-trip in the create path but the reverse-mapping is not
+	* yet implemented and would fire guaranteed false drift.
+	*/
+	async readCurrentState(physicalId, _logicalId, _resourceType) {
+		try {
+			const table = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }))).Table;
+			if (!table) return void 0;
+			const result = {};
+			if (table.TableName !== void 0) result["TableName"] = table.TableName;
+			if (table.KeySchema) result["KeySchema"] = table.KeySchema;
+			if (table.AttributeDefinitions) result["AttributeDefinitions"] = table.AttributeDefinitions;
+			const billingMode = table.BillingModeSummary?.BillingMode;
+			if (billingMode) result["BillingMode"] = billingMode;
+			if (table.GlobalSecondaryIndexes && table.GlobalSecondaryIndexes.length > 0) result["GlobalSecondaryIndexes"] = table.GlobalSecondaryIndexes;
+			if (table.LocalSecondaryIndexes && table.LocalSecondaryIndexes.length > 0) result["LocalSecondaryIndexes"] = table.LocalSecondaryIndexes;
+			if (table.StreamSpecification?.StreamEnabled && table.StreamSpecification.StreamViewType) result["StreamSpecification"] = {
+				StreamEnabled: true,
+				StreamViewType: table.StreamSpecification.StreamViewType
+			};
+			if (table.SSEDescription?.Status === "ENABLED") {
+				const sse = { SSEEnabled: true };
+				if (table.SSEDescription.SSEType !== void 0) sse["SSEType"] = table.SSEDescription.SSEType;
+				result["SSESpecification"] = sse;
+			}
+			result["Replicas"] = (table.Replicas ?? []).map((r) => ({
+				Region: r.RegionName,
+				...r.KMSMasterKeyId !== void 0 && { KMSMasterKeyId: r.KMSMasterKeyId }
+			}));
+			if (table.TableClassSummary?.TableClass) result["TableClass"] = table.TableClassSummary.TableClass;
+			if (table.DeletionProtectionEnabled !== void 0) result["DeletionProtectionEnabled"] = table.DeletionProtectionEnabled;
+			if (table.TableArn) try {
+				result["Tags"] = normalizeAwsTagsToCfn((await this.dynamoDBClient.send(new ListTagsOfResourceCommand({ ResourceArn: table.TableArn }))).Tags);
+			} catch (err) {
+				if (err instanceof ResourceNotFoundException$1) return void 0;
+				result["Tags"] = [];
+			}
+			else result["Tags"] = [];
+			return result;
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$1) return void 0;
+			throw err;
+		}
+	}
+	/**
+	* State property paths cdkd's GlobalTable readCurrentState cannot (yet)
+	* reverse-map. The drift comparator skips these so a templated value
+	* doesn't fire guaranteed false drift on every clean run.
+	*
+	* - `TimeToLiveSpecification`: cdkd's create() applies it via
+	*   UpdateTimeToLive, but the reverse-mapping needs a separate
+	*   DescribeTimeToLive call (not yet implemented).
+	* - `WriteProvisionedThroughputSettings` /
+	*   `WriteOnDemandThroughputSettings`: CFn's shapes wrap
+	*   auto-scaling / on-demand max-RU settings whose reverse-mapping
+	*   from `DescribeTable.ProvisionedThroughput` / `OnDemandThroughput`
+	*   is non-trivial and would fire false drift in v1.
+	*/
+	getDriftUnknownPaths(_resourceType) {
+		return [
+			"TimeToLiveSpecification",
+			"WriteProvisionedThroughputSettings",
+			"WriteOnDemandThroughputSettings"
+		];
+	}
+	/**
+	* Adopt an existing DynamoDB GlobalTable into cdkd state.
+	*
+	* Lookup order:
+	*   1. `--resource` override or `Properties.TableName` → verify via DescribeTable.
+	*   2. `ListTables` + `ListTagsOfResource`, match `aws:cdk:path` tag.
+	*
+	* Same shape as `DynamoDBTableProvider.import()`. The provider returns
+	* the physical id only; cdkd's import flow does the attribute capture
+	* separately.
+	*/
+	async import(input) {
+		const explicit = resolveExplicitPhysicalId(input, "TableName");
+		if (explicit) try {
+			await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: explicit }));
+			return {
+				physicalId: explicit,
+				attributes: {}
+			};
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$1) return null;
+			throw err;
+		}
+		if (!input.cdkPath) return null;
+		let exclusiveStartTableName;
+		do {
+			const list = await this.dynamoDBClient.send(new ListTablesCommand({ ...exclusiveStartTableName && { ExclusiveStartTableName: exclusiveStartTableName } }));
+			for (const name of list.TableNames ?? []) try {
+				const arn = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: name }))).Table?.TableArn;
+				if (!arn) continue;
+				if (matchesCdkPath((await this.dynamoDBClient.send(new ListTagsOfResourceCommand({ ResourceArn: arn }))).Tags, input.cdkPath)) return {
+					physicalId: name,
+					attributes: {}
+				};
+			} catch (err) {
+				if (err instanceof ResourceNotFoundException$1) continue;
+				throw err;
+			}
+			exclusiveStartTableName = list.LastEvaluatedTableName;
+		} while (exclusiveStartTableName);
+		return null;
+	}
+	async waitForTableActive(tableName, maxAttempts = 120) {
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+			const response = await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }));
+			const status = response.Table?.TableStatus;
+			this.logger.debug(`Table ${tableName} status: ${status} (attempt ${attempt}/${maxAttempts})`);
+			if (status === "ACTIVE") return {
+				tableArn: response.Table?.TableArn,
+				tableId: response.Table?.TableId,
+				streamArn: response.Table?.LatestStreamArn
+			};
+			if (status !== "CREATING" && status !== "UPDATING") throw new Error(`Unexpected table status: ${status}`);
+			await new Promise((resolve) => setTimeout(resolve, 1e3));
+		}
+		throw new Error(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s`);
+	}
+	/**
+	* Wait for the table to reach ACTIVE after an UpdateTable call. Unlike
+	* `waitForTableActive`, this tolerates any non-terminal status — the
+	* table may already be ACTIVE on the no-op path (already-disabled
+	* protection) or transition through UPDATING.
+	*/
+	async waitForTableActiveAfterUpdate(tableName, maxAttempts = 120) {
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+			if ((await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.TableStatus === "ACTIVE") return;
+			await new Promise((resolve) => setTimeout(resolve, 1e3));
+		}
+		throw new Error(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s after UpdateTable`);
+	}
+	/**
+	* Wait until a specific replica's `ReplicaStatus` flips to ACTIVE.
+	* Replica provisioning typically takes 1–5 min; cap at 10 min.
+	*/
+	async waitForReplicaActive(tableName, region, maxAttempts = 600) {
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+			const replica = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.Replicas?.find((r) => r.RegionName === region);
+			if (replica?.ReplicaStatus === "ACTIVE") return;
+			this.logger.debug(`Replica ${region} status: ${replica?.ReplicaStatus} (attempt ${attempt}/${maxAttempts})`);
+			await new Promise((resolve) => setTimeout(resolve, 1e3));
+		}
+		throw new Error(`Replica ${region} for table ${tableName} did not reach ACTIVE within ${maxAttempts}s`);
+	}
+	/**
+	* Wait until a specific replica disappears from `Replicas[]` after a
+	* Delete replica update. Replica deletion typically takes 1–5 min;
+	* cap at 10 min.
+	*/
+	async waitForReplicaGone(tableName, region, maxAttempts = 600) {
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) try {
+			if (!(await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.Replicas?.find((r) => r.RegionName === region)) return;
+			await new Promise((resolve) => setTimeout(resolve, 1e3));
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$1) return;
+			throw err;
+		}
+		throw new Error(`Replica ${region} for table ${tableName} did not disappear within ${maxAttempts}s`);
+	}
+	/**
+	* Wait for `DescribeTable` to return `ResourceNotFoundException`,
+	* confirming the table has actually been removed. `DeleteTable` is
+	* async — the call returns immediately with `TableStatus: DELETING`
+	* and AWS only removes the table some seconds later. Without this
+	* wait, downstream observers (siblings deleted in the same destroy
+	* run, integ scripts that re-check via `aws dynamodb describe-table`)
+	* see "destroy succeeded" but the table is still listed by AWS.
+	* Typical small-table delete completes in 5–30s; cap at 10 min for
+	* worst-case large-table / replica-cascade scenarios.
+	*/
+	async waitForTableGone(tableName, maxAttempts = 600) {
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) try {
+			await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }));
+			await new Promise((resolve) => setTimeout(resolve, 1e3));
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$1) return;
+			throw err;
+		}
+		throw new Error(`Table ${tableName} did not disappear within ${maxAttempts}s`);
+	}
+};
 //#endregion
 //#region src/provisioning/providers/logs-loggroup-provider.ts
 /**
@@ -27905,6 +28423,7 @@ function registerAllProviders(registry) {
 	registry.register("AWS::Lambda::EventSourceMapping", new LambdaEventSourceMappingProvider());
 	registry.register("AWS::Lambda::LayerVersion", new LambdaLayerVersionProvider());
 	registry.register("AWS::DynamoDB::Table", new DynamoDBTableProvider());
+	registry.register("AWS::DynamoDB::GlobalTable", new DynamoDBGlobalTableProvider());
 	registry.register("AWS::Logs::LogGroup", new LogsLogGroupProvider());
 	registry.register("AWS::CloudWatch::Alarm", new CloudWatchAlarmProvider());
 	registry.register("AWS::SecretsManager::Secret", new SecretsManagerSecretProvider());
@@ -29427,6 +29946,7 @@ const PROTECTION_PROPERTY_BY_TYPE = {
 	"AWS::Neptune::DBCluster": "DeletionProtection",
 	"AWS::Neptune::DBInstance": "DeletionProtection",
 	"AWS::DynamoDB::Table": "DeletionProtectionEnabled",
+	"AWS::DynamoDB::GlobalTable": "DeletionProtectionEnabled",
 	"AWS::EC2::Instance": "DisableApiTermination",
 	"AWS::Cognito::UserPool": "DeletionProtection",
 	"AWS::AutoScaling::AutoScalingGroup": "DeletionProtection"
@@ -42932,7 +43452,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.102.7");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.103.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());