npm - @go-to-k/cdkd - Versions diffs - 0.103.1 → 0.104.0 - Mend

@go-to-k/cdkd 0.103.1 → 0.104.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -9,7 +9,7 @@ import { CreateTopicCommand, DeleteTopicCommand, GetSubscriptionAttributesComman
 import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifyInstanceAttributeCommand, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
-import { CreateTableCommand, DeleteTableCommand, DescribeTableCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
+import { CreateTableCommand, DeleteTableCommand, DescribeContinuousBackupsCommand, DescribeContributorInsightsCommand, DescribeKinesisStreamingDestinationCommand, DescribeTableCommand, DescribeTimeToLiveCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
 import { CloudFormationClient, CreateChangeSetCommand, DeleteChangeSetCommand, DeleteStackCommand, DescribeChangeSetCommand, DescribeStackEventsCommand, DescribeStackResourcesCommand, DescribeStacksCommand, DescribeTypeCommand, ExecuteChangeSetCommand, GetTemplateCommand, UpdateStackCommand, waitUntilChangeSetCreateComplete, waitUntilStackDeleteComplete, waitUntilStackImportComplete, waitUntilStackUpdateComplete } from "@aws-sdk/client-cloudformation";
 import { APIGatewayClient, CreateAuthorizerCommand, CreateDeploymentCommand, CreateResourceCommand, CreateStageCommand, DeleteAuthorizerCommand, DeleteDeploymentCommand, DeleteMethodCommand, DeleteResourceCommand, DeleteStageCommand, GetAccountCommand, GetAuthorizerCommand, GetDeploymentCommand, GetMethodCommand, GetResourceCommand, GetStageCommand, NotFoundException as NotFoundException$1, PutIntegrationCommand, PutIntegrationResponseCommand, PutMethodCommand, PutMethodResponseCommand, TagResourceCommand as TagResourceCommand$3, UntagResourceCommand as UntagResourceCommand$3, UpdateAccountCommand, UpdateAuthorizerCommand, UpdateMethodCommand, UpdateStageCommand } from "@aws-sdk/client-api-gateway";
 import { CreateEventBusCommand, DeleteEventBusCommand, DeleteRuleCommand, DescribeEventBusCommand, DescribeRuleCommand, EventBridgeClient, ListEventBusesCommand, ListRulesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$1, ListTargetsByRuleCommand, PutRuleCommand, PutTargetsCommand, RemoveTargetsCommand, ResourceNotFoundException as ResourceNotFoundException$2, TagResourceCommand as TagResourceCommand$4, UntagResourceCommand as UntagResourceCommand$4, UpdateEventBusCommand } from "@aws-sdk/client-eventbridge";
@@ -30,7 +30,7 @@ import { CreateAliasCommand, CreateKeyCommand, DeleteAliasCommand, DescribeKeyCo
 import { promisify } from "node:util";
 import { CreateRepositoryCommand, DeleteLifecyclePolicyCommand, DeleteRepositoryCommand, DeleteRepositoryPolicyCommand, DescribeRepositoriesCommand, ECRClient, GetAuthorizationTokenCommand, GetLifecyclePolicyCommand, LifecyclePolicyNotFoundException, ListTagsForResourceCommand as ListTagsForResourceCommand$7, PutImageScanningConfigurationCommand, PutImageTagMutabilityCommand, PutLifecyclePolicyCommand, RepositoryNotFoundException, SetRepositoryPolicyCommand, TagResourceCommand as TagResourceCommand$9 } from "@aws-sdk/client-ecr";
 import graphlib from "graphlib";
-import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBSubnetGroupCommand, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBSubnetGroupCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBSubnetGroupCommand, RDSClient, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
+import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBSubnetGroupCommand, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
 import { Command, Option } from "commander";
 import { writeFileSync as writeFileSync$1 } from "fs";
 import { join as join$1 } from "path";
@@ -7864,20 +7864,36 @@ var DynamoDBTableProvider = class {
 * is the 2019.11.21 generation, which uses the regular DynamoDB CRUD API
 * (`CreateTableCommand` + `UpdateTableCommand` with `ReplicaUpdates`).
 *
-* MVP scope:
-*  - `update()` throws `ResourceUpdateNotSupportedError`. In-place GlobalTable
-*    updates (replica add/remove, GSI add/remove, BillingMode flip, throughput
-*    rewrites) are out of scope and a follow-up PR.
-*  - `getDriftUnknownPaths` declares TTL + throughput-settings paths because
-*    cdkd's create/update flows surface them but the read-side reverse
-*    mapping is non-trivial and would fire false drift.
+* In-place update support (post-PR #384 follow-up):
+*  - `update()` covers every mutable surface — Tags, DeletionProtection,
+*    TableClass, SSE, StreamSpec, OnDemand throughput, BillingMode flip,
+*    Replica add / remove / modify, GSI add / remove / modify, TTL toggle.
+*  - The serialization is load-bearing: AWS's `UpdateTable` accepts only
+*    ONE of `{BillingMode, ReplicaUpdates, GlobalSecondaryIndexUpdates}`
+*    per call, so each category is its own SDK round-trip with a wait-for
+*    -ACTIVE in between. Immutable property changes (TableName, KeySchema,
+*    AttributeDefinitions removal, LocalSecondaryIndexes) throw
+*    `ProvisioningError` naming the offending field — the deploy engine's
+*    diff classification should catch these as REPLACEMENT before ever
+*    calling `update()`, but the guard is defense-in-depth.
 *  - Per-replica drift (`ContributorInsightsSpecification` /
-*    `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`) is
-*    out of scope for v1.
+*    `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`)
+*    is surfaced for the LOCAL replica only; cross-region replicas
+*    require per-region SDK clients which are out of scope for v1.
 */
 var DynamoDBGlobalTableProvider = class {
 	dynamoDBClient;
 	logger = getLogger().child("DynamoDBGlobalTableProvider");
+	/**
+	* Caches `getAttribute(physicalId, attribute)` results for the lifetime
+	* of this provider instance (one deploy run). Safe under the current
+	* `update()` contract because `update()` cannot mid-deploy mutate
+	* StreamArn / Arn / TableId — those are AWS-managed identifiers that
+	* only change on REPLACEMENT (which destroys the provider instance).
+	* If a future PR adds a stream toggle path that flips StreamArn on the
+	* same physicalId, the cache must be invalidated on the matching
+	* UpdateTable success.
+	*/
 	attributeCache = /* @__PURE__ */ new Map();
 	handledProperties = new Map([["AWS::DynamoDB::GlobalTable", new Set([
 		"TableName",
@@ -7893,8 +7909,7 @@ var DynamoDBGlobalTableProvider = class {
 		"TimeToLiveSpecification",
 		"WriteProvisionedThroughputSettings",
 		"WriteOnDemandThroughputSettings",
-		"DeletionProtectionEnabled",
-		"Tags"
+		"DeletionProtectionEnabled"
 	])]]);
 	constructor() {
 		const awsClients = getAwsClients();
@@ -7935,15 +7950,7 @@ var DynamoDBGlobalTableProvider = class {
 			AttributeDefinitions: attributeDefinitions,
 			BillingMode: billingMode
 		};
-		if (billingMode === "PROVISIONED") {
-			const writeAutoScaling = properties["WriteProvisionedThroughputSettings"]?.["WriteCapacityAutoScalingSettings"];
-			const writeCapacity = Number(writeAutoScaling?.["MinCapacity"] ?? 5);
-			const readAutoScaling = (replicas.find((r) => r["Region"] === currentRegion)?.["ReadProvisionedThroughputSettings"])?.["ReadCapacityAutoScalingSettings"];
-			createParams.ProvisionedThroughput = {
-				ReadCapacityUnits: Number(readAutoScaling?.["MinCapacity"] ?? 5),
-				WriteCapacityUnits: writeCapacity
-			};
-		}
+		if (billingMode === "PROVISIONED") createParams.ProvisionedThroughput = derivePerCallProvisionedThroughput(properties, currentRegion);
 		const streamSpecInput = properties["StreamSpecification"];
 		const needsStream = replicas.some((r) => r["Region"] !== currentRegion) || replicas.length > 1;
 		if (streamSpecInput) createParams.StreamSpecification = {
@@ -7969,7 +7976,8 @@ var DynamoDBGlobalTableProvider = class {
 		if (properties["TableClass"]) createParams.TableClass = properties["TableClass"];
 		const wodts = properties["WriteOnDemandThroughputSettings"];
 		if (wodts?.["MaxWriteRequestUnits"] !== void 0) createParams.OnDemandThroughput = { MaxWriteRequestUnits: Number(wodts["MaxWriteRequestUnits"]) };
-		if (properties["Tags"]) createParams.Tags = properties["Tags"];
+		const localReplicaTags = replicas.find((r) => r["Region"] === currentRegion)?.["Tags"];
+		if (localReplicaTags && localReplicaTags.length > 0) createParams.Tags = localReplicaTags;
 		try {
 			await this.dynamoDBClient.send(new CreateTableCommand(createParams));
 			this.logger.debug(`CreateTable initiated for ${tableName}, waiting for ACTIVE`);
@@ -7978,11 +7986,11 @@ var DynamoDBGlobalTableProvider = class {
 			throw new ProvisioningError(`Failed to create DynamoDB GlobalTable ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, tableName, cause);
 		}
 		try {
-			const tableInfo = await this.waitForTableActive(tableName);
+			const tableInfo = await this.waitForTableActive(tableName, logicalId);
 			for (const replica of replicas) {
 				const region = replica["Region"];
 				if (!region || region === currentRegion) continue;
-				await this.addReplica(tableName, replica, region);
+				await this.addReplica(tableName, replica, region, logicalId);
 			}
 			if (properties["TimeToLiveSpecification"]) {
 				const ttl = properties["TimeToLiveSpecification"];
@@ -8009,6 +8017,21 @@ var DynamoDBGlobalTableProvider = class {
 		} catch (wiringError) {
 			this.logger.warn(`Wiring failed after CreateTable for ${tableName}; attempting best-effort cleanup`);
 			try {
+				const replicasForCleanup = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.Replicas ?? [];
+				for (const replica of replicasForCleanup) {
+					const region = replica.RegionName;
+					if (!region || region === currentRegion) continue;
+					try {
+						await this.dynamoDBClient.send(new UpdateTableCommand({
+							TableName: tableName,
+							ReplicaUpdates: [{ Delete: { RegionName: region } }]
+						}));
+						await this.waitForReplicaGone(tableName, region, logicalId);
+					} catch (replicaCleanupErr) {
+						const msg = replicaCleanupErr instanceof Error ? replicaCleanupErr.message : String(replicaCleanupErr);
+						this.logger.warn(`Partial-create cleanup: failed to drop replica ${region} on ${tableName}: ${msg}. Run: aws dynamodb update-table --table-name ${tableName} --replica-updates 'Delete={RegionName=${region}}' --region ${currentRegion}`);
+					}
+				}
 				await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: tableName }));
 			} catch (cleanupErr) {
 				const cleanupMsg = cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr);
@@ -8025,7 +8048,7 @@ var DynamoDBGlobalTableProvider = class {
 	* Capped at 10 minutes per replica (AWS Replica provisioning typically
 	* takes 1–5 min).
 	*/
-	async addReplica(tableName, replica, region) {
+	async addReplica(tableName, replica, region, logicalId) {
 		const create = { RegionName: region };
 		if (replica["KMSMasterKeyId"]) create.KMSMasterKeyId = replica["KMSMasterKeyId"];
 		if (replica["GlobalSecondaryIndexes"]) create.GlobalSecondaryIndexes = replica["GlobalSecondaryIndexes"];
@@ -8035,19 +8058,239 @@ var DynamoDBGlobalTableProvider = class {
 			TableName: tableName,
 			ReplicaUpdates: replicaUpdates
 		}));
-		await this.waitForReplicaActive(tableName, region);
+		await this.waitForReplicaActive(tableName, region, logicalId);
+	}
+	/**
+	* Update a DynamoDB Global Table in place.
+	*
+	* AWS-side state-machine constraint: `UpdateTable` accepts only ONE of
+	* `{BillingMode, ReplicaUpdates, GlobalSecondaryIndexUpdates}` per call,
+	* so each category must serialize into its own SDK round-trip with a
+	* `waitForTableActiveAfterUpdate` between every step. Order:
+	*   1. Wait for current ACTIVE (defensive).
+	*   2. Tags diff (TagResource / UntagResource — no wait needed).
+	*   3. Non-conflicting flat fields (DeletionProtectionEnabled / TableClass
+	*      / SSESpecification / StreamSpecification / OnDemandThroughput)
+	*      in one combined `UpdateTableCommand`. Wait ACTIVE.
+	*   4. BillingMode flip (separate UpdateTable). Wait ACTIVE.
+	*   5. Replica diff (serial per Create / Update / Delete). Wait ACTIVE
+	*      after each.
+	*   6. GSI diff (serial per Create / Update / Delete; new GSIs may need
+	*      additional AttributeDefinitions). Wait ACTIVE after each.
+	*   7. TimeToLiveSpecification toggle.
+	*
+	* Immutable properties (TableName / KeySchema / AttributeDefinitions
+	* removals / LocalSecondaryIndexes changes) throw `ProvisioningError`
+	* naming the offending field — the deploy engine's diff classifier
+	* should catch these as REPLACEMENT before ever calling `update()`,
+	* but the guard is defense-in-depth.
+	*/
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		this.logger.debug(`Updating DynamoDB GlobalTable ${logicalId}: ${physicalId}`);
+		if (properties["TableName"] !== void 0 && previousProperties["TableName"] !== void 0 && properties["TableName"] !== previousProperties["TableName"]) throw new ProvisioningError(`TableName is immutable on AWS::DynamoDB::GlobalTable; replacement required (deploy with --replace, or destroy + redeploy)`, resourceType, logicalId, physicalId);
+		if (properties["KeySchema"] !== void 0 && previousProperties["KeySchema"] !== void 0 && !deepEqual$1(properties["KeySchema"], previousProperties["KeySchema"])) throw new ProvisioningError(`KeySchema is immutable on AWS::DynamoDB::GlobalTable; replacement required (deploy with --replace, or destroy + redeploy)`, resourceType, logicalId, physicalId);
+		if (properties["LocalSecondaryIndexes"] !== void 0 && previousProperties["LocalSecondaryIndexes"] !== void 0 && !deepEqual$1(properties["LocalSecondaryIndexes"], previousProperties["LocalSecondaryIndexes"])) throw new ProvisioningError(`LocalSecondaryIndexes is immutable on AWS::DynamoDB::GlobalTable; replacement required (deploy with --replace, or destroy + redeploy)`, resourceType, logicalId, physicalId);
+		const oldAttrs = previousProperties["AttributeDefinitions"] ?? [];
+		const newAttrs = properties["AttributeDefinitions"] ?? [];
+		const removedAttrs = oldAttrs.filter((o) => !newAttrs.some((n) => n.AttributeName === o.AttributeName));
+		if (removedAttrs.length > 0) throw new ProvisioningError(`AttributeDefinitions removals are immutable on AWS::DynamoDB::GlobalTable (offenders: ${removedAttrs.map((a) => a.AttributeName).join(", ")}); replacement required`, resourceType, logicalId, physicalId);
+		const currentRegion = await this.dynamoDBClient.config.region() ?? "";
+		try {
+			await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			const tableArn = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }))).Table?.TableArn;
+			const extractLocalTags = (props) => {
+				return (props["Replicas"] ?? []).find((r) => r["Region"] === currentRegion)?.["Tags"];
+			};
+			if (tableArn) await this.applyTagDiff(tableArn, extractLocalTags(previousProperties), extractLocalTags(properties));
+			const flatUpdate = { TableName: physicalId };
+			let flatChanged = false;
+			if (properties["DeletionProtectionEnabled"] !== previousProperties["DeletionProtectionEnabled"]) {
+				flatUpdate.DeletionProtectionEnabled = Boolean(properties["DeletionProtectionEnabled"] ?? false);
+				flatChanged = true;
+			}
+			if (properties["TableClass"] !== void 0 && properties["TableClass"] !== previousProperties["TableClass"]) {
+				flatUpdate.TableClass = properties["TableClass"];
+				flatChanged = true;
+			}
+			if (properties["SSESpecification"] !== void 0 && !deepEqual$1(properties["SSESpecification"], previousProperties["SSESpecification"])) {
+				const sse = properties["SSESpecification"];
+				flatUpdate.SSESpecification = {
+					Enabled: sse["SSEEnabled"] !== void 0 ? Boolean(sse["SSEEnabled"]) : true,
+					...sse["SSEType"] !== void 0 && { SSEType: sse["SSEType"] }
+				};
+				flatChanged = true;
+			}
+			if (properties["StreamSpecification"] !== void 0 && !deepEqual$1(properties["StreamSpecification"], previousProperties["StreamSpecification"])) {
+				flatUpdate.StreamSpecification = {
+					StreamEnabled: true,
+					StreamViewType: properties["StreamSpecification"]["StreamViewType"]
+				};
+				flatChanged = true;
+			}
+			if (!deepEqual$1(properties["WriteOnDemandThroughputSettings"], previousProperties["WriteOnDemandThroughputSettings"])) {
+				const wodts = properties["WriteOnDemandThroughputSettings"];
+				if (wodts?.["MaxWriteRequestUnits"] !== void 0) {
+					flatUpdate.OnDemandThroughput = { MaxWriteRequestUnits: Number(wodts["MaxWriteRequestUnits"]) };
+					flatChanged = true;
+				}
+			}
+			if (flatChanged) {
+				await this.dynamoDBClient.send(new UpdateTableCommand(flatUpdate));
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			}
+			const oldBilling = previousProperties["BillingMode"] ?? "PAY_PER_REQUEST";
+			const newBilling = properties["BillingMode"] ?? "PAY_PER_REQUEST";
+			if (oldBilling !== newBilling) {
+				const billingUpdate = {
+					TableName: physicalId,
+					BillingMode: newBilling
+				};
+				if (newBilling === "PROVISIONED") billingUpdate.ProvisionedThroughput = derivePerCallProvisionedThroughput(properties, currentRegion);
+				await this.dynamoDBClient.send(new UpdateTableCommand(billingUpdate));
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			}
+			const replicaDiff = diffReplicas(previousProperties["Replicas"] ?? [], properties["Replicas"] ?? []);
+			for (const replica of replicaDiff.removed) {
+				const region = replica["Region"];
+				if (!region || region === currentRegion) continue;
+				await this.dynamoDBClient.send(new UpdateTableCommand({
+					TableName: physicalId,
+					ReplicaUpdates: [{ Delete: { RegionName: region } }]
+				}));
+				await this.waitForReplicaGone(physicalId, region, logicalId);
+			}
+			for (const replica of replicaDiff.added) {
+				const region = replica["Region"];
+				if (!region || region === currentRegion) continue;
+				await this.addReplica(physicalId, replica, region, logicalId);
+			}
+			for (const replica of replicaDiff.modified) {
+				const region = replica["Region"];
+				if (!region || region === currentRegion) continue;
+				const updateAction = { RegionName: region };
+				if (replica["KMSMasterKeyId"] !== void 0) updateAction.KMSMasterKeyId = replica["KMSMasterKeyId"];
+				if (replica["GlobalSecondaryIndexes"]) updateAction.GlobalSecondaryIndexes = replica["GlobalSecondaryIndexes"];
+				if (replica["TableClassOverride"]) updateAction.TableClassOverride = replica["TableClassOverride"];
+				if (!(updateAction.KMSMasterKeyId !== void 0 || updateAction.GlobalSecondaryIndexes !== void 0 || updateAction.TableClassOverride !== void 0)) {
+					this.logger.debug(`Cross-region replica ${region} of ${physicalId}: only Tags-style changes detected; skipping UpdateReplica (AWS rejects empty Update actions). Per-region Tag propagation is deferred.`);
+					continue;
+				}
+				await this.dynamoDBClient.send(new UpdateTableCommand({
+					TableName: physicalId,
+					ReplicaUpdates: [{ Update: updateAction }]
+				}));
+				await this.waitForReplicaActive(physicalId, region, logicalId);
+			}
+			const gsiDiff = diffGlobalSecondaryIndexes(previousProperties["GlobalSecondaryIndexes"] ?? [], properties["GlobalSecondaryIndexes"] ?? []);
+			for (const gsi of gsiDiff.removed) {
+				if (!gsi.IndexName) continue;
+				const gsiUpdate = { Delete: { IndexName: gsi.IndexName } };
+				await this.dynamoDBClient.send(new UpdateTableCommand({
+					TableName: physicalId,
+					GlobalSecondaryIndexUpdates: [gsiUpdate]
+				}));
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			}
+			for (const gsi of gsiDiff.added) {
+				if (!gsi.IndexName || !gsi.KeySchema || !gsi.Projection) continue;
+				const gsiUpdate = { Create: {
+					IndexName: gsi.IndexName,
+					KeySchema: gsi.KeySchema,
+					Projection: gsi.Projection,
+					...gsi.ProvisionedThroughput && { ProvisionedThroughput: gsi.ProvisionedThroughput },
+					...gsi.OnDemandThroughput && { OnDemandThroughput: gsi.OnDemandThroughput }
+				} };
+				await this.dynamoDBClient.send(new UpdateTableCommand({
+					TableName: physicalId,
+					AttributeDefinitions: newAttrs,
+					GlobalSecondaryIndexUpdates: [gsiUpdate]
+				}));
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			}
+			for (const gsi of gsiDiff.modified) {
+				if (!gsi.IndexName) continue;
+				const gsiUpdate = { Update: {
+					IndexName: gsi.IndexName,
+					...gsi.ProvisionedThroughput && { ProvisionedThroughput: gsi.ProvisionedThroughput },
+					...gsi.OnDemandThroughput && { OnDemandThroughput: gsi.OnDemandThroughput }
+				} };
+				await this.dynamoDBClient.send(new UpdateTableCommand({
+					TableName: physicalId,
+					GlobalSecondaryIndexUpdates: [gsiUpdate]
+				}));
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			}
+			if (!deepEqual$1(properties["TimeToLiveSpecification"], previousProperties["TimeToLiveSpecification"])) {
+				const ttl = properties["TimeToLiveSpecification"];
+				if (ttl?.["AttributeName"]) await this.dynamoDBClient.send(new UpdateTimeToLiveCommand({
+					TableName: physicalId,
+					TimeToLiveSpecification: {
+						Enabled: ttl["Enabled"] !== void 0 ? Boolean(ttl["Enabled"]) : true,
+						AttributeName: ttl["AttributeName"]
+					}
+				}));
+				else if (previousProperties["TimeToLiveSpecification"]) {
+					const prevTtl = previousProperties["TimeToLiveSpecification"];
+					if (prevTtl["AttributeName"]) await this.dynamoDBClient.send(new UpdateTimeToLiveCommand({
+						TableName: physicalId,
+						TimeToLiveSpecification: {
+							Enabled: false,
+							AttributeName: prevTtl["AttributeName"]
+						}
+					}));
+				}
+			}
+			const finalDescribe = await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }));
+			return {
+				physicalId,
+				wasReplaced: false,
+				attributes: {
+					Arn: finalDescribe.Table?.TableArn,
+					TableId: finalDescribe.Table?.TableId,
+					StreamArn: finalDescribe.Table?.LatestStreamArn,
+					TableName: physicalId
+				}
+			};
+		} catch (error) {
+			if (error instanceof ProvisioningError) throw error;
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to update DynamoDB GlobalTable ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
+		}
 	}
 	/**
-	* Update a DynamoDB Global Table.
-	*
-	* MVP: in-place updates are out of scope — replica add/remove, GSI
-	* add/remove, BillingMode flip, and throughput rewrites each have
-	* distinct UpdateTable shapes and ordering rules. `cdkd drift --revert`
-	* surfaces this as `ResourceUpdateNotSupportedError` (exit code 2);
-	* the user falls back to `cdkd deploy --replace` or destroy + redeploy.
+	* Apply a diff between old and new CFn-shape Tags arrays via DynamoDB's
+	* `TagResource` / `UntagResource` APIs. Both take the table ARN as
+	* `ResourceArn`.
 	*/
-	async update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
-		throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "GlobalTable in-place updates are not yet supported; use 'cdkd deploy --replace' or destroy + redeploy");
+	async applyTagDiff(tableArn, oldTagsRaw, newTagsRaw) {
+		const toMap = (tags) => {
+			const m = /* @__PURE__ */ new Map();
+			for (const t of tags ?? []) if (t.Key !== void 0 && t.Value !== void 0) m.set(t.Key, t.Value);
+			return m;
+		};
+		const oldMap = toMap(oldTagsRaw);
+		const newMap = toMap(newTagsRaw);
+		const tagsToAdd = [];
+		for (const [k, v] of newMap) if (oldMap.get(k) !== v) tagsToAdd.push({
+			Key: k,
+			Value: v
+		});
+		const tagsToRemove = [];
+		for (const k of oldMap.keys()) if (!newMap.has(k)) tagsToRemove.push(k);
+		if (tagsToRemove.length > 0) {
+			await this.dynamoDBClient.send(new UntagResourceCommand$2({
+				ResourceArn: tableArn,
+				TagKeys: tagsToRemove
+			}));
+			this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from DynamoDB GlobalTable ${tableArn}`);
+		}
+		if (tagsToAdd.length > 0) {
+			await this.dynamoDBClient.send(new TagResourceCommand$2({
+				ResourceArn: tableArn,
+				Tags: tagsToAdd
+			}));
+			this.logger.debug(`Added/updated ${tagsToAdd.length} tag(s) on DynamoDB GlobalTable ${tableArn}`);
+		}
 	}
 	/**
 	* Delete a DynamoDB Global Table.
@@ -8075,7 +8318,7 @@ var DynamoDBGlobalTableProvider = class {
 			}));
 			this.logger.debug(`Disabled DeletionProtectionEnabled on ${logicalId}, waiting for ACTIVE`);
 			try {
-				await this.waitForTableActiveAfterUpdate(physicalId);
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
 			} catch (waitErr) {
 				this.logger.debug(`Could not wait for table ${physicalId} ACTIVE after protection flip: ${waitErr instanceof Error ? waitErr.message : String(waitErr)}`);
 			}
@@ -8099,7 +8342,7 @@ var DynamoDBGlobalTableProvider = class {
 						TableName: physicalId,
 						ReplicaUpdates: [{ Delete: { RegionName: region } }]
 					}));
-					await this.waitForReplicaGone(physicalId, region);
+					await this.waitForReplicaGone(physicalId, region, logicalId);
 				} catch (replicaErr) {
 					if (!(replicaErr instanceof ResourceNotFoundException$1)) throw replicaErr;
 				}
@@ -8112,7 +8355,7 @@ var DynamoDBGlobalTableProvider = class {
 		}
 		try {
 			await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: physicalId }));
-			await this.waitForTableGone(physicalId);
+			await this.waitForTableGone(physicalId, logicalId);
 			this.logger.debug(`Successfully deleted DynamoDB GlobalTable ${logicalId}`);
 		} catch (error) {
 			if (error instanceof ResourceNotFoundException$1) {
@@ -8158,22 +8401,29 @@ var DynamoDBGlobalTableProvider = class {
 	/**
 	* Read the AWS-current DynamoDB GlobalTable configuration in CFn-property shape.
 	*
-	* Reverse-maps `DescribeTable` + `ListTagsOfResource` into the
-	* `AWS::DynamoDB::GlobalTable` property set.
+	* Reverse-maps `DescribeTable` + `ListTagsOfResource` + `DescribeTimeToLive`
+	* + per-replica `DescribeContributorInsights` /
+	* `DescribeContinuousBackups` / `DescribeKinesisStreamingDestination`
+	* into the `AWS::DynamoDB::GlobalTable` property set.
 	*
 	* Type-discriminator gating (memory rule
 	* `feedback_always_emit_check_type_discriminator.md`):
-	*  - `ProvisionedThroughput`-bearing fields are only surfaced when
-	*    `BillingMode === 'PROVISIONED'`. Emitting placeholders on
-	*    PAY_PER_REQUEST tables (or vice versa) would fire false drift on
-	*    every clean run.
 	*  - StreamSpecification / SSESpecification follow the existing
 	*    DynamoDB::Table provider's Class 1 guard: only surfaced when AWS
 	*    reports the feature actually enabled.
-	*
-	* `getDriftUnknownPaths` declares TTL + write-throughput-settings —
-	* those round-trip in the create path but the reverse-mapping is not
-	* yet implemented and would fire guaranteed false drift.
+	*  - `ProvisionedThroughput`-bearing fields are declared in
+	*    `getDriftUnknownPaths` and intentionally not emitted in v1 — the
+	*    reverse-mapping from AWS's `ProvisionedThroughput` shape into
+	*    CFn's `WriteProvisionedThroughputSettings` /
+	*    `ReadProvisionedThroughputSettings` wrappers (which carry
+	*    `WriteCapacityAutoScalingSettings` etc.) needs more work to round
+	*    -trip cleanly.
+	*
+	* Per-replica sub-specifications (`ContributorInsightsSpecification` /
+	* `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`)
+	* are surfaced only for the LOCAL replica. Cross-region replicas
+	* require per-region SDK clients (`new DynamoDBClient({region})`),
+	* deferred to a follow-up PR.
 	*/
 	async readCurrentState(physicalId, _logicalId, _resourceType) {
 		try {
@@ -8196,19 +8446,38 @@ var DynamoDBGlobalTableProvider = class {
 				if (table.SSEDescription.SSEType !== void 0) sse["SSEType"] = table.SSEDescription.SSEType;
 				result["SSESpecification"] = sse;
 			}
-			result["Replicas"] = (table.Replicas ?? []).map((r) => ({
-				Region: r.RegionName,
-				...r.KMSMasterKeyId !== void 0 && { KMSMasterKeyId: r.KMSMasterKeyId }
-			}));
 			if (table.TableClassSummary?.TableClass) result["TableClass"] = table.TableClassSummary.TableClass;
 			if (table.DeletionProtectionEnabled !== void 0) result["DeletionProtectionEnabled"] = table.DeletionProtectionEnabled;
-			if (table.TableArn) try {
-				result["Tags"] = normalizeAwsTagsToCfn((await this.dynamoDBClient.send(new ListTagsOfResourceCommand({ ResourceArn: table.TableArn }))).Tags);
-			} catch (err) {
-				if (err instanceof ResourceNotFoundException$1) return void 0;
-				result["Tags"] = [];
+			const currentRegion = await this.dynamoDBClient.config.region() ?? "";
+			const tableNameForSubs = table.TableName ?? physicalId;
+			result["Replicas"] = await Promise.all((table.Replicas ?? []).map(async (r) => {
+				const entry = { Region: r.RegionName };
+				if (r.KMSMasterKeyId !== void 0) entry["KMSMasterKeyId"] = r.KMSMasterKeyId;
+				if (r.RegionName && r.RegionName === currentRegion) {
+					const subs = await this.readLocalReplicaSubSpecs(tableNameForSubs);
+					Object.assign(entry, subs);
+					if (table.TableArn) try {
+						entry["Tags"] = normalizeAwsTagsToCfn((await this.dynamoDBClient.send(new ListTagsOfResourceCommand({ ResourceArn: table.TableArn }))).Tags);
+					} catch (tagErr) {
+						if (tagErr instanceof ResourceNotFoundException$1) throw tagErr;
+						this.logger.warn(`Could not fetch tags for DynamoDB GlobalTable ${tableNameForSubs}: ${tagErr instanceof Error ? tagErr.message : String(tagErr)}`);
+						entry["Tags"] = [];
+					}
+					else entry["Tags"] = [];
+				}
+				return entry;
+			}));
+			try {
+				const ttlDesc = (await this.dynamoDBClient.send(new DescribeTimeToLiveCommand({ TableName: tableNameForSubs }))).TimeToLiveDescription;
+				const ttlStatus = ttlDesc?.TimeToLiveStatus;
+				if (ttlStatus === "ENABLED" && ttlDesc?.AttributeName) result["TimeToLiveSpecification"] = {
+					AttributeName: ttlDesc.AttributeName,
+					Enabled: true
+				};
+				else if (ttlStatus === "DISABLED") {}
+			} catch (ttlErr) {
+				this.logger.debug(`Could not read TimeToLive for ${tableNameForSubs}: ${ttlErr instanceof Error ? ttlErr.message : String(ttlErr)}`);
 			}
-			else result["Tags"] = [];
 			return result;
 		} catch (err) {
 			if (err instanceof ResourceNotFoundException$1) return void 0;
@@ -8216,25 +8485,64 @@ var DynamoDBGlobalTableProvider = class {
 		}
 	}
 	/**
+	* Read per-replica sub-specifications for the LOCAL replica:
+	*  - `ContributorInsightsSpecification` via `DescribeContributorInsights`
+	*    (table-level; GSI overrides are NOT surfaced in v1 — they would
+	*    require one call per GSI and a different CFn nesting under the
+	*    `Replicas[].GlobalSecondaryIndexes[]` shape).
+	*  - `PointInTimeRecoverySpecification` via `DescribeContinuousBackups`.
+	*  - `KinesisStreamSpecification` via
+	*    `DescribeKinesisStreamingDestination` (filtered to the local
+	*    region's destination when AWS reports more than one).
+	*
+	* Each call is best-effort: errors omit the offending key rather than
+	* fail the whole drift read.
+	*
+	* Cross-region replicas would need per-region SDK clients (the calls
+	* are region-scoped to the replica) — deferred to a follow-up PR.
+	*/
+	async readLocalReplicaSubSpecs(tableName) {
+		const out = {};
+		try {
+			const ci = await this.dynamoDBClient.send(new DescribeContributorInsightsCommand({ TableName: tableName }));
+			if (ci.ContributorInsightsStatus) out["ContributorInsightsSpecification"] = { Enabled: ci.ContributorInsightsStatus === "ENABLED" };
+		} catch (err) {
+			this.logger.debug(`Could not read ContributorInsights for ${tableName}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+		try {
+			const pitrStatus = (await this.dynamoDBClient.send(new DescribeContinuousBackupsCommand({ TableName: tableName }))).ContinuousBackupsDescription?.PointInTimeRecoveryDescription?.PointInTimeRecoveryStatus;
+			if (pitrStatus) out["PointInTimeRecoverySpecification"] = { PointInTimeRecoveryEnabled: pitrStatus === "ENABLED" };
+		} catch (err) {
+			this.logger.debug(`Could not read PointInTimeRecovery for ${tableName}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+		try {
+			const active = ((await this.dynamoDBClient.send(new DescribeKinesisStreamingDestinationCommand({ TableName: tableName }))).KinesisDataStreamDestinations ?? []).find((d) => d.DestinationStatus === "ACTIVE" || d.DestinationStatus === "ENABLING");
+			if (active?.StreamArn) {
+				const ksOut = { StreamArn: active.StreamArn };
+				if (active.ApproximateCreationDateTimePrecision !== void 0) ksOut["ApproximateCreationDateTimePrecision"] = active.ApproximateCreationDateTimePrecision;
+				out["KinesisStreamSpecification"] = ksOut;
+			}
+		} catch (err) {
+			this.logger.debug(`Could not read KinesisStreamingDestination for ${tableName}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+		return out;
+	}
+	/**
 	* State property paths cdkd's GlobalTable readCurrentState cannot (yet)
 	* reverse-map. The drift comparator skips these so a templated value
 	* doesn't fire guaranteed false drift on every clean run.
 	*
-	* - `TimeToLiveSpecification`: cdkd's create() applies it via
-	*   UpdateTimeToLive, but the reverse-mapping needs a separate
-	*   DescribeTimeToLive call (not yet implemented).
 	* - `WriteProvisionedThroughputSettings` /
 	*   `WriteOnDemandThroughputSettings`: CFn's shapes wrap
 	*   auto-scaling / on-demand max-RU settings whose reverse-mapping
 	*   from `DescribeTable.ProvisionedThroughput` / `OnDemandThroughput`
 	*   is non-trivial and would fire false drift in v1.
+	*
+	* `TimeToLiveSpecification` is reverse-mapped via `DescribeTimeToLive`
+	* in `readCurrentState` (no longer in this list).
 	*/
 	getDriftUnknownPaths(_resourceType) {
-		return [
-			"TimeToLiveSpecification",
-			"WriteProvisionedThroughputSettings",
-			"WriteOnDemandThroughputSettings"
-		];
+		return ["WriteProvisionedThroughputSettings", "WriteOnDemandThroughputSettings"];
 	}
 	/**
 	* Adopt an existing DynamoDB GlobalTable into cdkd state.
@@ -8278,7 +8586,7 @@ var DynamoDBGlobalTableProvider = class {
 		} while (exclusiveStartTableName);
 		return null;
 	}
-	async waitForTableActive(tableName, maxAttempts = 120) {
+	async waitForTableActive(tableName, logicalId, maxAttempts = 120) {
 		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
 			const response = await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }));
 			const status = response.Table?.TableStatus;
@@ -8288,10 +8596,10 @@ var DynamoDBGlobalTableProvider = class {
 				tableId: response.Table?.TableId,
 				streamArn: response.Table?.LatestStreamArn
 			};
-			if (status !== "CREATING" && status !== "UPDATING") throw new Error(`Unexpected table status: ${status}`);
+			if (status !== "CREATING" && status !== "UPDATING") throw new ProvisioningError(`Unexpected table status while waiting for ACTIVE on ${tableName}: ${status}`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 			await new Promise((resolve) => setTimeout(resolve, 1e3));
 		}
-		throw new Error(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s`);
+		throw new ProvisioningError(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 	}
 	/**
 	* Wait for the table to reach ACTIVE after an UpdateTable call. Unlike
@@ -8299,32 +8607,32 @@ var DynamoDBGlobalTableProvider = class {
 	* table may already be ACTIVE on the no-op path (already-disabled
 	* protection) or transition through UPDATING.
 	*/
-	async waitForTableActiveAfterUpdate(tableName, maxAttempts = 120) {
+	async waitForTableActiveAfterUpdate(tableName, logicalId, maxAttempts = 600) {
 		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
 			if ((await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.TableStatus === "ACTIVE") return;
 			await new Promise((resolve) => setTimeout(resolve, 1e3));
 		}
-		throw new Error(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s after UpdateTable`);
+		throw new ProvisioningError(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s after UpdateTable`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 	}
 	/**
 	* Wait until a specific replica's `ReplicaStatus` flips to ACTIVE.
 	* Replica provisioning typically takes 1–5 min; cap at 10 min.
 	*/
-	async waitForReplicaActive(tableName, region, maxAttempts = 600) {
+	async waitForReplicaActive(tableName, region, logicalId, maxAttempts = 600) {
 		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
 			const replica = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.Replicas?.find((r) => r.RegionName === region);
 			if (replica?.ReplicaStatus === "ACTIVE") return;
 			this.logger.debug(`Replica ${region} status: ${replica?.ReplicaStatus} (attempt ${attempt}/${maxAttempts})`);
 			await new Promise((resolve) => setTimeout(resolve, 1e3));
 		}
-		throw new Error(`Replica ${region} for table ${tableName} did not reach ACTIVE within ${maxAttempts}s`);
+		throw new ProvisioningError(`Replica ${region} for table ${tableName} did not reach ACTIVE within ${maxAttempts}s`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 	}
 	/**
 	* Wait until a specific replica disappears from `Replicas[]` after a
 	* Delete replica update. Replica deletion typically takes 1–5 min;
 	* cap at 10 min.
 	*/
-	async waitForReplicaGone(tableName, region, maxAttempts = 600) {
+	async waitForReplicaGone(tableName, region, logicalId, maxAttempts = 600) {
 		for (let attempt = 1; attempt <= maxAttempts; attempt++) try {
 			if (!(await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.Replicas?.find((r) => r.RegionName === region)) return;
 			await new Promise((resolve) => setTimeout(resolve, 1e3));
@@ -8332,7 +8640,7 @@ var DynamoDBGlobalTableProvider = class {
 			if (err instanceof ResourceNotFoundException$1) return;
 			throw err;
 		}
-		throw new Error(`Replica ${region} for table ${tableName} did not disappear within ${maxAttempts}s`);
+		throw new ProvisioningError(`Replica ${region} for table ${tableName} did not disappear within ${maxAttempts}s`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 	}
 	/**
 	* Wait for `DescribeTable` to return `ResourceNotFoundException`,
@@ -8345,7 +8653,7 @@ var DynamoDBGlobalTableProvider = class {
 	* Typical small-table delete completes in 5–30s; cap at 10 min for
 	* worst-case large-table / replica-cascade scenarios.
 	*/
-	async waitForTableGone(tableName, maxAttempts = 600) {
+	async waitForTableGone(tableName, logicalId, maxAttempts = 600) {
 		for (let attempt = 1; attempt <= maxAttempts; attempt++) try {
 			await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }));
 			await new Promise((resolve) => setTimeout(resolve, 1e3));
@@ -8353,9 +8661,104 @@ var DynamoDBGlobalTableProvider = class {
 			if (err instanceof ResourceNotFoundException$1) return;
 			throw err;
 		}
-		throw new Error(`Table ${tableName} did not disappear within ${maxAttempts}s`);
+		throw new ProvisioningError(`Table ${tableName} did not disappear within ${maxAttempts}s`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 	}
 };
+/**
+* Diff CFn `Replicas[]` arrays. Keyed by `Region`. Returns adds, removes,
+* and modifies (entries whose other keys — KMSMasterKeyId,
+* GlobalSecondaryIndexes, TableClassOverride — differ from the old shape).
+*/
+/**
+* Derive the per-call `ProvisionedThroughput` shape required by
+* `CreateTableCommand` / `UpdateTableCommand` when BillingMode flips to
+* PROVISIONED. Shared between create() and the BillingMode-flip path in
+* update() so a user template's non-default read/write capacity is
+* preserved consistently across both code paths.
+*
+* Source of truth (CFn `AWS::DynamoDB::GlobalTable` shape):
+*  - WriteCapacityUnits → `properties.WriteProvisionedThroughputSettings`
+*    (top-level on the table). Literal `WriteCapacityUnits` wins over
+*    auto-scaling `MinCapacity`; both default to 5 if absent.
+*  - ReadCapacityUnits → `Replicas[?Region==<region>].ReadProvisionedThroughputSettings`
+*    (per-replica, the deploy region's setting). Same literal-vs-auto-
+*    scaling-vs-default-5 precedence.
+*/
+function derivePerCallProvisionedThroughput(properties, region) {
+	const wps = properties["WriteProvisionedThroughputSettings"];
+	const writeAutoScaling = wps?.["WriteCapacityAutoScalingSettings"];
+	const writeCapacity = Number(wps?.["WriteCapacityUnits"] ?? writeAutoScaling?.["MinCapacity"] ?? 5);
+	const localReadSettings = (properties["Replicas"] ?? []).find((r) => r["Region"] === region)?.["ReadProvisionedThroughputSettings"];
+	const readAutoScaling = localReadSettings?.["ReadCapacityAutoScalingSettings"];
+	return {
+		ReadCapacityUnits: Number(localReadSettings?.["ReadCapacityUnits"] ?? readAutoScaling?.["MinCapacity"] ?? 5),
+		WriteCapacityUnits: writeCapacity
+	};
+}
+function diffReplicas(oldReplicas, newReplicas) {
+	const oldByRegion = /* @__PURE__ */ new Map();
+	const newByRegion = /* @__PURE__ */ new Map();
+	for (const r of oldReplicas) {
+		const region = r["Region"];
+		if (region) oldByRegion.set(region, r);
+	}
+	for (const r of newReplicas) {
+		const region = r["Region"];
+		if (region) newByRegion.set(region, r);
+	}
+	const added = [];
+	const removed = [];
+	const modified = [];
+	for (const [region, replica] of newByRegion) if (!oldByRegion.has(region)) added.push(replica);
+	else if (!deepEqual$1(oldByRegion.get(region), replica)) modified.push(replica);
+	for (const [region, replica] of oldByRegion) if (!newByRegion.has(region)) removed.push(replica);
+	return {
+		added,
+		removed,
+		modified
+	};
+}
+/**
+* Diff CFn `GlobalSecondaryIndexes[]` arrays. Keyed by `IndexName`.
+* Modified = same IndexName but other fields (ProvisionedThroughput /
+* OnDemandThroughput) differ. KeySchema / Projection changes count as
+* "modified" too — AWS rejects those via UpdateGSI, but the diff caller
+* surfaces the AWS-side error rather than this helper second-guessing.
+*/
+function diffGlobalSecondaryIndexes(oldGsi, newGsi) {
+	const oldByName = /* @__PURE__ */ new Map();
+	const newByName = /* @__PURE__ */ new Map();
+	for (const g of oldGsi) if (g.IndexName) oldByName.set(g.IndexName, g);
+	for (const g of newGsi) if (g.IndexName) newByName.set(g.IndexName, g);
+	const added = [];
+	const removed = [];
+	const modified = [];
+	for (const [name, gsi] of newByName) if (!oldByName.has(name)) added.push(gsi);
+	else if (!deepEqual$1(oldByName.get(name), gsi)) modified.push(gsi);
+	for (const [name, gsi] of oldByName) if (!newByName.has(name)) removed.push(gsi);
+	return {
+		added,
+		removed,
+		modified
+	};
+}
+/**
+* Structural equality via JSON.stringify. Both inputs are CFn-shape
+* POJOs (no functions, no symbols, no cycles), so JSON round-trip is
+* sufficient and free of the property-order pitfalls of deeper
+* comparators. Object property order from `Object.keys` is insertion
+* order in modern engines; AWS-SDK shapes are constructed by the SDK
+* in stable order, so this is safe in practice.
+*/
+function deepEqual$1(a, b) {
+	if (a === b) return true;
+	if (a === void 0 || b === void 0) return false;
+	try {
+		return JSON.stringify(a) === JSON.stringify(b);
+	} catch {
+		return false;
+	}
+}
 //#endregion
 //#region src/provisioning/providers/logs-loggroup-provider.ts
@@ -17748,6 +18151,178 @@ var RDSProvider = class {
 	}
 };
+//#endregion
+//#region src/provisioning/providers/rds-dbproxy-targetgroup-provider.ts
+/**
+* AWS RDS DBProxyTargetGroup Provider
+*
+* Implements resource provisioning for `AWS::RDS::DBProxyTargetGroup`.
+*
+* **Why a dedicated SDK provider** (per `feedback_dedicated_provider_over_special_case.md`):
+* pre-PR this type went through Cloud Control API, but CC API's resource
+* handler for `AWS::RDS::DBProxyTargetGroup` fails the delete path with
+* `Value null at 'dBProxyName' failed to satisfy constraint`. The handler
+* cannot derive `DBProxyName` from the TargetGroup ARN (the primary
+* identifier), so the underlying RDS API call goes out with
+* `DBProxyName: null` and AWS rejects it (Issue #385).
+*
+* **What this resource actually does on AWS**: a CFn
+* `AWS::RDS::DBProxyTargetGroup` is a wiring resource — every DBProxy gets
+* a default TargetGroup (`TargetGroupName: 'default'`) auto-created by AWS;
+* the CFn resource only manages target REGISTRATIONS
+* (`RegisterDBProxyTargets` / `DeregisterDBProxyTargets`) and the
+* connection pool config (`ModifyDBProxyTargetGroup`). The TargetGroup
+* object itself is not deleted on resource delete — it lives and dies with
+* the parent DBProxy.
+*
+* **Lifecycle**:
+* - `create`: optionally `ModifyDBProxyTargetGroup` (connection pool), then
+*   `RegisterDBProxyTargets` (cluster IDs and / or instance IDs), then
+*   `DescribeDBProxyTargetGroups` to recover the TargetGroupArn for state.
+* - `update`: rejected via `ResourceUpdateNotSupportedError` in MVP. The
+*   per-property update surface (add/remove targets, pool config rewrites)
+*   is a follow-up.
+* - `delete`: `DeregisterDBProxyTargets` for every registered target.
+*   `DBProxyNotFoundFault` / `DBProxyTargetGroupNotFoundFault` /
+*   `DBProxyTargetNotFoundFault` are treated as idempotent success
+*   (region-match-gated) — the parent DBProxy may already have been
+*   deleted by a sibling cdkd delete or by AWS CASCADE.
+* - `getAttribute`: `TargetGroupArn` returns the physicalId; `TargetGroupName`
+*   returns `'default'`.
+*
+* **physicalId** = TargetGroupArn (matches the CFn `primaryIdentifier`).
+*/
+var RDSDBProxyTargetGroupProvider = class {
+	rdsClient;
+	providerRegion = process.env["AWS_REGION"];
+	logger = getLogger().child("RDSDBProxyTargetGroupProvider");
+	handledProperties = new Map([["AWS::RDS::DBProxyTargetGroup", new Set([
+		"DBProxyName",
+		"TargetGroupName",
+		"DBClusterIdentifiers",
+		"DBInstanceIdentifiers",
+		"ConnectionPoolConfigurationInfo"
+	])]]);
+	getClient() {
+		if (!this.rdsClient) this.rdsClient = new RDSClient(this.providerRegion ? { region: this.providerRegion } : {});
+		return this.rdsClient;
+	}
+	async create(logicalId, resourceType, properties) {
+		const dbProxyName = properties["DBProxyName"];
+		if (!dbProxyName) throw new ProvisioningError(`DBProxyName is required for AWS::RDS::DBProxyTargetGroup ${logicalId}`, resourceType, logicalId);
+		const targetGroupName = properties["TargetGroupName"] ?? "default";
+		const dbClusterIdentifiers = properties["DBClusterIdentifiers"];
+		const dbInstanceIdentifiers = properties["DBInstanceIdentifiers"];
+		const connectionPoolConfig = properties["ConnectionPoolConfigurationInfo"];
+		const client = this.getClient();
+		if (connectionPoolConfig) {
+			this.logger.debug(`Applying connection pool config to ${dbProxyName}/${targetGroupName}`);
+			try {
+				await client.send(new ModifyDBProxyTargetGroupCommand({
+					DBProxyName: dbProxyName,
+					TargetGroupName: targetGroupName,
+					ConnectionPoolConfig: connectionPoolConfig
+				}));
+			} catch (error) {
+				throw this.wrapError(error, "CREATE (pool config)", resourceType, logicalId, void 0);
+			}
+		}
+		if (dbClusterIdentifiers && dbClusterIdentifiers.length > 0 || dbInstanceIdentifiers && dbInstanceIdentifiers.length > 0) {
+			this.logger.debug(`Registering targets for ${dbProxyName}/${targetGroupName}: clusters=[${dbClusterIdentifiers?.join(",") ?? ""}], instances=[${dbInstanceIdentifiers?.join(",") ?? ""}]`);
+			try {
+				await client.send(new RegisterDBProxyTargetsCommand({
+					DBProxyName: dbProxyName,
+					TargetGroupName: targetGroupName,
+					DBClusterIdentifiers: dbClusterIdentifiers,
+					DBInstanceIdentifiers: dbInstanceIdentifiers
+				}));
+			} catch (error) {
+				throw this.wrapError(error, "CREATE (register targets)", resourceType, logicalId, void 0);
+			}
+		}
+		let targetGroupArn;
+		try {
+			targetGroupArn = (await client.send(new DescribeDBProxyTargetGroupsCommand({
+				DBProxyName: dbProxyName,
+				TargetGroupName: targetGroupName
+			}))).TargetGroups?.[0]?.TargetGroupArn;
+		} catch (error) {
+			throw this.wrapError(error, "CREATE (describe)", resourceType, logicalId, void 0);
+		}
+		if (!targetGroupArn) throw new ProvisioningError(`Failed to recover TargetGroupArn for ${dbProxyName}/${targetGroupName} after create`, resourceType, logicalId);
+		return {
+			physicalId: targetGroupArn,
+			attributes: {
+				TargetGroupArn: targetGroupArn,
+				TargetGroupName: targetGroupName
+			}
+		};
+	}
+	async update(logicalId, _physicalId, resourceType, _oldProperties, _newProperties) {
+		throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "destroy + redeploy; in-place updates of registered targets / connection pool config are not yet supported");
+	}
+	async delete(logicalId, physicalId, resourceType, properties, context) {
+		const props = properties ?? {};
+		const dbProxyName = props["DBProxyName"];
+		const targetGroupName = props["TargetGroupName"] ?? "default";
+		const dbClusterIdentifiers = props["DBClusterIdentifiers"];
+		const dbInstanceIdentifiers = props["DBInstanceIdentifiers"];
+		if (!dbProxyName) throw new ProvisioningError(`DBProxyName missing from state.properties for AWS::RDS::DBProxyTargetGroup ${logicalId}; cannot deregister targets. Manually run: aws rds deregister-db-proxy-targets --db-proxy-name <proxy-name> --target-group-name ${targetGroupName} ...`, resourceType, logicalId, physicalId);
+		if (!(dbClusterIdentifiers && dbClusterIdentifiers.length > 0 || dbInstanceIdentifiers && dbInstanceIdentifiers.length > 0)) {
+			this.logger.debug(`No targets registered for ${dbProxyName}/${targetGroupName}; nothing to deregister`);
+			return;
+		}
+		this.logger.debug(`Deregistering targets from ${dbProxyName}/${targetGroupName}: clusters=[${dbClusterIdentifiers?.join(",") ?? ""}], instances=[${dbInstanceIdentifiers?.join(",") ?? ""}]`);
+		try {
+			await this.getClient().send(new DeregisterDBProxyTargetsCommand({
+				DBProxyName: dbProxyName,
+				TargetGroupName: targetGroupName,
+				DBClusterIdentifiers: dbClusterIdentifiers,
+				DBInstanceIdentifiers: dbInstanceIdentifiers
+			}));
+		} catch (error) {
+			if (error instanceof DBProxyNotFoundFault || error instanceof DBProxyTargetGroupNotFoundFault || error instanceof DBProxyTargetNotFoundFault) {
+				assertRegionMatch(await this.getClient().config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
+				this.logger.debug(`${dbProxyName}/${targetGroupName} or its target is already gone, treating as success`);
+				return;
+			}
+			throw this.wrapError(error, "DELETE", resourceType, logicalId, physicalId);
+		}
+	}
+	async getAttribute(physicalId, _resourceType, attributeName) {
+		switch (attributeName) {
+			case "TargetGroupArn": return physicalId;
+			case "TargetGroupName": return "default";
+			default:
+				this.logger.warn(`Unknown attribute ${attributeName} for AWS::RDS::DBProxyTargetGroup, returning undefined`);
+				return;
+		}
+	}
+	/**
+	* Adopt an existing DBProxyTargetGroup into cdkd state.
+	*
+	* **Explicit override only.** The TargetGroup itself has no tags
+	* (the parent DBProxy carries the cdkd path tag, not the wiring child),
+	* so there is no `aws:cdk:path`-based auto-lookup. Users must pass
+	* `--resource <logicalId>=<TargetGroupArn>`.
+	*/
+	async import(input) {
+		if (input.knownPhysicalId) return {
+			physicalId: input.knownPhysicalId,
+			attributes: {
+				TargetGroupArn: input.knownPhysicalId,
+				TargetGroupName: "default"
+			}
+		};
+		return null;
+	}
+	wrapError(error, op, resourceType, logicalId, physicalId) {
+		const message = error instanceof Error ? error.message : String(error);
+		const cause = error instanceof Error ? error : void 0;
+		return new ProvisioningError(`${op} failed for ${logicalId}: ${message}`, resourceType, logicalId, physicalId, cause);
+	}
+};
 //#endregion
 //#region src/provisioning/providers/docdb-provider.ts
 /**
@@ -28473,6 +29048,7 @@ function registerAllProviders(registry) {
 	registry.register("AWS::RDS::DBSubnetGroup", rdsProvider);
 	registry.register("AWS::RDS::DBCluster", rdsProvider);
 	registry.register("AWS::RDS::DBInstance", rdsProvider);
+	registry.register("AWS::RDS::DBProxyTargetGroup", new RDSDBProxyTargetGroupProvider());
 	const docdbProvider = new DocDBProvider();
 	registry.register("AWS::DocDB::DBSubnetGroup", docdbProvider);
 	registry.register("AWS::DocDB::DBCluster", docdbProvider);
@@ -43452,7 +44028,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.103.1");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.104.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());