@go-to-k/cdkd 0.103.2 → 0.105.0

package/dist/cli.js

@@ -9,7 +9,7 @@ import { CreateTopicCommand, DeleteTopicCommand, GetSubscriptionAttributesComman
 import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifyInstanceAttributeCommand, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
-import { CreateTableCommand, DeleteTableCommand, DescribeTableCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
+import { CreateTableCommand, DeleteTableCommand, DescribeContinuousBackupsCommand, DescribeContributorInsightsCommand, DescribeKinesisStreamingDestinationCommand, DescribeTableCommand, DescribeTimeToLiveCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
 import { CloudFormationClient, CreateChangeSetCommand, DeleteChangeSetCommand, DeleteStackCommand, DescribeChangeSetCommand, DescribeStackEventsCommand, DescribeStackResourcesCommand, DescribeStacksCommand, DescribeTypeCommand, ExecuteChangeSetCommand, GetTemplateCommand, UpdateStackCommand, waitUntilChangeSetCreateComplete, waitUntilStackDeleteComplete, waitUntilStackImportComplete, waitUntilStackUpdateComplete } from "@aws-sdk/client-cloudformation";
 import { APIGatewayClient, CreateAuthorizerCommand, CreateDeploymentCommand, CreateResourceCommand, CreateStageCommand, DeleteAuthorizerCommand, DeleteDeploymentCommand, DeleteMethodCommand, DeleteResourceCommand, DeleteStageCommand, GetAccountCommand, GetAuthorizerCommand, GetDeploymentCommand, GetMethodCommand, GetResourceCommand, GetStageCommand, NotFoundException as NotFoundException$1, PutIntegrationCommand, PutIntegrationResponseCommand, PutMethodCommand, PutMethodResponseCommand, TagResourceCommand as TagResourceCommand$3, UntagResourceCommand as UntagResourceCommand$3, UpdateAccountCommand, UpdateAuthorizerCommand, UpdateMethodCommand, UpdateStageCommand } from "@aws-sdk/client-api-gateway";
 import { CreateEventBusCommand, DeleteEventBusCommand, DeleteRuleCommand, DescribeEventBusCommand, DescribeRuleCommand, EventBridgeClient, ListEventBusesCommand, ListRulesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$1, ListTargetsByRuleCommand, PutRuleCommand, PutTargetsCommand, RemoveTargetsCommand, ResourceNotFoundException as ResourceNotFoundException$2, TagResourceCommand as TagResourceCommand$4, UntagResourceCommand as UntagResourceCommand$4, UpdateEventBusCommand } from "@aws-sdk/client-eventbridge";
@@ -35,6 +35,7 @@ import { Command, Option } from "commander";
 import { writeFileSync as writeFileSync$1 } from "fs";
 import { join as join$1 } from "path";
 import * as zlib from "node:zlib";
+import { ApplicationAutoScalingClient, DescribeScalingPoliciesCommand } from "@aws-sdk/client-application-auto-scaling";
 import { ApiGatewayV2Client, CreateApiCommand, CreateAuthorizerCommand as CreateAuthorizerCommand$1, CreateIntegrationCommand, CreateRouteCommand as CreateRouteCommand$1, CreateStageCommand as CreateStageCommand$1, DeleteApiCommand, DeleteAuthorizerCommand as DeleteAuthorizerCommand$1, DeleteIntegrationCommand, DeleteRouteCommand as DeleteRouteCommand$1, DeleteStageCommand as DeleteStageCommand$1, GetApiCommand, GetApisCommand, GetAuthorizerCommand as GetAuthorizerCommand$1, GetIntegrationCommand, GetRouteCommand, GetStageCommand as GetStageCommand$1, NotFoundException as NotFoundException$3, UpdateApiCommand, UpdateAuthorizerCommand as UpdateAuthorizerCommand$1, UpdateIntegrationCommand, UpdateRouteCommand, UpdateStageCommand as UpdateStageCommand$1 } from "@aws-sdk/client-apigatewayv2";
 import { CreateStateMachineCommand, DeleteStateMachineCommand, DescribeStateMachineCommand, ListStateMachinesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$9, SFNClient, StateMachineDoesNotExist, TagResourceCommand as TagResourceCommand$10, UntagResourceCommand as UntagResourceCommand$9, UpdateStateMachineCommand } from "@aws-sdk/client-sfn";
 import { CreateClusterCommand, CreateServiceCommand, DeleteClusterCommand, DeleteServiceCommand, DeregisterTaskDefinitionCommand, DescribeClustersCommand, DescribeServicesCommand, DescribeTaskDefinitionCommand, ECSClient, ListClustersCommand, ListServicesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$10, PutClusterCapacityProvidersCommand, RegisterTaskDefinitionCommand, TagResourceCommand as TagResourceCommand$11, UntagResourceCommand as UntagResourceCommand$10, UpdateClusterCommand, UpdateServiceCommand } from "@aws-sdk/client-ecs";
@@ -7864,20 +7865,49 @@ var DynamoDBTableProvider = class {
 * is the 2019.11.21 generation, which uses the regular DynamoDB CRUD API
 * (`CreateTableCommand` + `UpdateTableCommand` with `ReplicaUpdates`).
 *
-* MVP scope:
-*  - `update()` throws `ResourceUpdateNotSupportedError`. In-place GlobalTable
-*    updates (replica add/remove, GSI add/remove, BillingMode flip, throughput
-*    rewrites) are out of scope and a follow-up PR.
-*  - `getDriftUnknownPaths` declares TTL + throughput-settings paths because
-*    cdkd's create/update flows surface them but the read-side reverse
-*    mapping is non-trivial and would fire false drift.
+* In-place update support (post-PR #384 follow-up):
+*  - `update()` covers every mutable surface — Tags, DeletionProtection,
+*    TableClass, SSE, StreamSpec, OnDemand throughput, BillingMode flip,
+*    Replica add / remove / modify, GSI add / remove / modify, TTL toggle.
+*  - The serialization is load-bearing: AWS's `UpdateTable` accepts only
+*    ONE of `{BillingMode, ReplicaUpdates, GlobalSecondaryIndexUpdates}`
+*    per call, so each category is its own SDK round-trip with a wait-for
+*    -ACTIVE in between. Immutable property changes (TableName, KeySchema,
+*    AttributeDefinitions removal, LocalSecondaryIndexes) throw
+*    `ProvisioningError` naming the offending field — the deploy engine's
+*    diff classification should catch these as REPLACEMENT before ever
+*    calling `update()`, but the guard is defense-in-depth.
 *  - Per-replica drift (`ContributorInsightsSpecification` /
-*    `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`) is
-*    out of scope for v1.
+*    `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`)
+*    is surfaced for BOTH the LOCAL replica AND cross-region replicas
+*    via per-region SDK clients (cached in `regionalClientCache` for
+*    the deploy run). Issue #389 lifted the v1 LOCAL-only limitation.
+*  - Cross-region replica Tags propagation (Issue #389): when the
+*    update path detects a Tags-only diff on a non-local replica,
+*    cdkd resolves the replica's table ARN by swapping the region
+*    segment of the local ARN and issues `TagResource` /
+*    `UntagResource` against a per-region client.
 */
 var DynamoDBGlobalTableProvider = class {
 	dynamoDBClient;
 	logger = getLogger().child("DynamoDBGlobalTableProvider");
+	/**
+	* Caches per-region `DynamoDBClient` instances for cross-region drift
+	* reads (`readCurrentState`) and cross-region Tag propagation
+	* (`update()`). Keyed by region string; reuses the default credential
+	* chain. Lifetime is the provider instance — one deploy run.
+	*/
+	regionalClientCache = /* @__PURE__ */ new Map();
+	/**
+	* Caches `getAttribute(physicalId, attribute)` results for the lifetime
+	* of this provider instance (one deploy run). Safe under the current
+	* `update()` contract because `update()` cannot mid-deploy mutate
+	* StreamArn / Arn / TableId — those are AWS-managed identifiers that
+	* only change on REPLACEMENT (which destroys the provider instance).
+	* If a future PR adds a stream toggle path that flips StreamArn on the
+	* same physicalId, the cache must be invalidated on the matching
+	* UpdateTable success.
+	*/
 	attributeCache = /* @__PURE__ */ new Map();
 	handledProperties = new Map([["AWS::DynamoDB::GlobalTable", new Set([
 		"TableName",
@@ -7893,14 +7923,57 @@ var DynamoDBGlobalTableProvider = class {
 		"TimeToLiveSpecification",
 		"WriteProvisionedThroughputSettings",
 		"WriteOnDemandThroughputSettings",
-		"DeletionProtectionEnabled",
-		"Tags"
+		"DeletionProtectionEnabled"
 	])]]);
 	constructor() {
 		const awsClients = getAwsClients();
 		this.dynamoDBClient = awsClients.dynamoDB;
 	}
 	/**
+	* Return a `DynamoDBClient` pinned to the given region, caching per
+	* region for the lifetime of this provider instance. Uses the default
+	* credential chain (env / shared config / IAM role) — no explicit
+	* credential plumbing needed.
+	*
+	* Used by `readCurrentState` (cross-region per-replica sub-spec reads)
+	* and `update()` (cross-region replica Tag propagation). Both code
+	* paths fire region-scoped DynamoDB APIs (`DescribeContributorInsights`
+	* / `DescribeContinuousBackups` / `DescribeKinesisStreamingDestination`
+	* / `TagResource` / `UntagResource`) against the replica's region.
+	*
+	* The cache may return `this.dynamoDBClient` when `region` happens to
+	* match the local client's region — in tests the local mock is
+	* intercepted via `vi.mock('../../utils/aws-clients.js')` so reuse
+	* is safe (and explicitly desired so the mock catches the call).
+	*/
+	getRegionalClient(region) {
+		const cached = this.regionalClientCache.get(region);
+		if (cached) return cached;
+		const client = new DynamoDBClient({ region });
+		this.regionalClientCache.set(region, client);
+		return client;
+	}
+	/**
+	* Construct the regional table ARN for a cross-region replica of a
+	* GlobalTable. AWS replicates the same `TableName` across every
+	* replica region, with each replica's ARN differing only in the
+	* `:<region>:` segment. Cheaper than a second `DescribeTable` round-
+	* trip on the regional client.
+	*
+	* Example:
+	*   local ARN:   arn:aws:dynamodb:us-east-1:123:table/Foo
+	*   for eu-west-1 → arn:aws:dynamodb:eu-west-1:123:table/Foo
+	*
+	* Returns `undefined` when the local ARN is malformed (defensive —
+	* downstream callers omit the offending operation rather than throw).
+	*/
+	replicaArnForRegion(localTableArn, targetRegion) {
+		const segments = localTableArn.split(":");
+		if (segments.length < 6) return void 0;
+		segments[3] = targetRegion;
+		return segments.join(":");
+	}
+	/**
 	* Create a DynamoDB Global Table (CDK TableV2).
 	*
 	* GlobalTable is built on the regular DynamoDB Table primitive: cdkd issues
@@ -7935,15 +8008,7 @@ var DynamoDBGlobalTableProvider = class {
 			AttributeDefinitions: attributeDefinitions,
 			BillingMode: billingMode
 		};
-		if (billingMode === "PROVISIONED") {
-			const writeAutoScaling = properties["WriteProvisionedThroughputSettings"]?.["WriteCapacityAutoScalingSettings"];
-			const writeCapacity = Number(writeAutoScaling?.["MinCapacity"] ?? 5);
-			const readAutoScaling = (replicas.find((r) => r["Region"] === currentRegion)?.["ReadProvisionedThroughputSettings"])?.["ReadCapacityAutoScalingSettings"];
-			createParams.ProvisionedThroughput = {
-				ReadCapacityUnits: Number(readAutoScaling?.["MinCapacity"] ?? 5),
-				WriteCapacityUnits: writeCapacity
-			};
-		}
+		if (billingMode === "PROVISIONED") createParams.ProvisionedThroughput = derivePerCallProvisionedThroughput(properties, currentRegion);
 		const streamSpecInput = properties["StreamSpecification"];
 		const needsStream = replicas.some((r) => r["Region"] !== currentRegion) || replicas.length > 1;
 		if (streamSpecInput) createParams.StreamSpecification = {
@@ -7969,7 +8034,8 @@ var DynamoDBGlobalTableProvider = class {
 		if (properties["TableClass"]) createParams.TableClass = properties["TableClass"];
 		const wodts = properties["WriteOnDemandThroughputSettings"];
 		if (wodts?.["MaxWriteRequestUnits"] !== void 0) createParams.OnDemandThroughput = { MaxWriteRequestUnits: Number(wodts["MaxWriteRequestUnits"]) };
-		if (properties["Tags"]) createParams.Tags = properties["Tags"];
+		const localReplicaTags = replicas.find((r) => r["Region"] === currentRegion)?.["Tags"];
+		if (localReplicaTags && localReplicaTags.length > 0) createParams.Tags = localReplicaTags;
 		try {
 			await this.dynamoDBClient.send(new CreateTableCommand(createParams));
 			this.logger.debug(`CreateTable initiated for ${tableName}, waiting for ACTIVE`);
@@ -7978,11 +8044,11 @@ var DynamoDBGlobalTableProvider = class {
 			throw new ProvisioningError(`Failed to create DynamoDB GlobalTable ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, tableName, cause);
 		}
 		try {
-			const tableInfo = await this.waitForTableActive(tableName);
+			const tableInfo = await this.waitForTableActive(tableName, logicalId);
 			for (const replica of replicas) {
 				const region = replica["Region"];
 				if (!region || region === currentRegion) continue;
-				await this.addReplica(tableName, replica, region);
+				await this.addReplica(tableName, replica, region, logicalId);
 			}
 			if (properties["TimeToLiveSpecification"]) {
 				const ttl = properties["TimeToLiveSpecification"];
@@ -8009,6 +8075,21 @@ var DynamoDBGlobalTableProvider = class {
 		} catch (wiringError) {
 			this.logger.warn(`Wiring failed after CreateTable for ${tableName}; attempting best-effort cleanup`);
 			try {
+				const replicasForCleanup = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.Replicas ?? [];
+				for (const replica of replicasForCleanup) {
+					const region = replica.RegionName;
+					if (!region || region === currentRegion) continue;
+					try {
+						await this.dynamoDBClient.send(new UpdateTableCommand({
+							TableName: tableName,
+							ReplicaUpdates: [{ Delete: { RegionName: region } }]
+						}));
+						await this.waitForReplicaGone(tableName, region, logicalId);
+					} catch (replicaCleanupErr) {
+						const msg = replicaCleanupErr instanceof Error ? replicaCleanupErr.message : String(replicaCleanupErr);
+						this.logger.warn(`Partial-create cleanup: failed to drop replica ${region} on ${tableName}: ${msg}. Run: aws dynamodb update-table --table-name ${tableName} --replica-updates 'Delete={RegionName=${region}}' --region ${currentRegion}`);
+					}
+				}
 				await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: tableName }));
 			} catch (cleanupErr) {
 				const cleanupMsg = cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr);
@@ -8025,7 +8106,7 @@ var DynamoDBGlobalTableProvider = class {
 	* Capped at 10 minutes per replica (AWS Replica provisioning typically
 	* takes 1–5 min).
 	*/
-	async addReplica(tableName, replica, region) {
+	async addReplica(tableName, replica, region, logicalId) {
 		const create = { RegionName: region };
 		if (replica["KMSMasterKeyId"]) create.KMSMasterKeyId = replica["KMSMasterKeyId"];
 		if (replica["GlobalSecondaryIndexes"]) create.GlobalSecondaryIndexes = replica["GlobalSecondaryIndexes"];
@@ -8035,19 +8116,263 @@ var DynamoDBGlobalTableProvider = class {
 			TableName: tableName,
 			ReplicaUpdates: replicaUpdates
 		}));
-		await this.waitForReplicaActive(tableName, region);
+		await this.waitForReplicaActive(tableName, region, logicalId);
+	}
+	/**
+	* Update a DynamoDB Global Table in place.
+	*
+	* AWS-side state-machine constraint: `UpdateTable` accepts only ONE of
+	* `{BillingMode, ReplicaUpdates, GlobalSecondaryIndexUpdates}` per call,
+	* so each category must serialize into its own SDK round-trip with a
+	* `waitForTableActiveAfterUpdate` between every step. Order:
+	*   1. Wait for current ACTIVE (defensive).
+	*   2. Tags diff (TagResource / UntagResource — no wait needed).
+	*   3. Non-conflicting flat fields (DeletionProtectionEnabled / TableClass
+	*      / SSESpecification / StreamSpecification / OnDemandThroughput)
+	*      in one combined `UpdateTableCommand`. Wait ACTIVE.
+	*   4. BillingMode flip (separate UpdateTable). Wait ACTIVE.
+	*   5. Replica diff (serial per Create / Update / Delete). Wait ACTIVE
+	*      after each.
+	*   6. GSI diff (serial per Create / Update / Delete; new GSIs may need
+	*      additional AttributeDefinitions). Wait ACTIVE after each.
+	*   7. TimeToLiveSpecification toggle.
+	*
+	* Immutable properties (TableName / KeySchema / AttributeDefinitions
+	* removals / LocalSecondaryIndexes changes) throw `ProvisioningError`
+	* naming the offending field — the deploy engine's diff classifier
+	* should catch these as REPLACEMENT before ever calling `update()`,
+	* but the guard is defense-in-depth.
+	*/
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		this.logger.debug(`Updating DynamoDB GlobalTable ${logicalId}: ${physicalId}`);
+		if (properties["TableName"] !== void 0 && previousProperties["TableName"] !== void 0 && properties["TableName"] !== previousProperties["TableName"]) throw new ProvisioningError(`TableName is immutable on AWS::DynamoDB::GlobalTable; replacement required (deploy with --replace, or destroy + redeploy)`, resourceType, logicalId, physicalId);
+		if (properties["KeySchema"] !== void 0 && previousProperties["KeySchema"] !== void 0 && !deepEqual$1(properties["KeySchema"], previousProperties["KeySchema"])) throw new ProvisioningError(`KeySchema is immutable on AWS::DynamoDB::GlobalTable; replacement required (deploy with --replace, or destroy + redeploy)`, resourceType, logicalId, physicalId);
+		if (properties["LocalSecondaryIndexes"] !== void 0 && previousProperties["LocalSecondaryIndexes"] !== void 0 && !deepEqual$1(properties["LocalSecondaryIndexes"], previousProperties["LocalSecondaryIndexes"])) throw new ProvisioningError(`LocalSecondaryIndexes is immutable on AWS::DynamoDB::GlobalTable; replacement required (deploy with --replace, or destroy + redeploy)`, resourceType, logicalId, physicalId);
+		const oldAttrs = previousProperties["AttributeDefinitions"] ?? [];
+		const newAttrs = properties["AttributeDefinitions"] ?? [];
+		const removedAttrs = oldAttrs.filter((o) => !newAttrs.some((n) => n.AttributeName === o.AttributeName));
+		if (removedAttrs.length > 0) throw new ProvisioningError(`AttributeDefinitions removals are immutable on AWS::DynamoDB::GlobalTable (offenders: ${removedAttrs.map((a) => a.AttributeName).join(", ")}); replacement required`, resourceType, logicalId, physicalId);
+		const currentRegion = await this.dynamoDBClient.config.region() ?? "";
+		try {
+			await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			const tableArn = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }))).Table?.TableArn;
+			const extractLocalTags = (props) => {
+				return (props["Replicas"] ?? []).find((r) => r["Region"] === currentRegion)?.["Tags"];
+			};
+			if (tableArn) await this.applyTagDiff(tableArn, extractLocalTags(previousProperties), extractLocalTags(properties));
+			const flatUpdate = { TableName: physicalId };
+			let flatChanged = false;
+			if (properties["DeletionProtectionEnabled"] !== previousProperties["DeletionProtectionEnabled"]) {
+				flatUpdate.DeletionProtectionEnabled = Boolean(properties["DeletionProtectionEnabled"] ?? false);
+				flatChanged = true;
+			}
+			if (properties["TableClass"] !== void 0 && properties["TableClass"] !== previousProperties["TableClass"]) {
+				flatUpdate.TableClass = properties["TableClass"];
+				flatChanged = true;
+			}
+			if (properties["SSESpecification"] !== void 0 && !deepEqual$1(properties["SSESpecification"], previousProperties["SSESpecification"])) {
+				const sse = properties["SSESpecification"];
+				flatUpdate.SSESpecification = {
+					Enabled: sse["SSEEnabled"] !== void 0 ? Boolean(sse["SSEEnabled"]) : true,
+					...sse["SSEType"] !== void 0 && { SSEType: sse["SSEType"] }
+				};
+				flatChanged = true;
+			}
+			if (properties["StreamSpecification"] !== void 0 && !deepEqual$1(properties["StreamSpecification"], previousProperties["StreamSpecification"])) {
+				flatUpdate.StreamSpecification = {
+					StreamEnabled: true,
+					StreamViewType: properties["StreamSpecification"]["StreamViewType"]
+				};
+				flatChanged = true;
+			}
+			if (!deepEqual$1(properties["WriteOnDemandThroughputSettings"], previousProperties["WriteOnDemandThroughputSettings"])) {
+				const wodts = properties["WriteOnDemandThroughputSettings"];
+				if (wodts?.["MaxWriteRequestUnits"] !== void 0) {
+					flatUpdate.OnDemandThroughput = { MaxWriteRequestUnits: Number(wodts["MaxWriteRequestUnits"]) };
+					flatChanged = true;
+				}
+			}
+			if (flatChanged) {
+				await this.dynamoDBClient.send(new UpdateTableCommand(flatUpdate));
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			}
+			const oldBilling = previousProperties["BillingMode"] ?? "PAY_PER_REQUEST";
+			const newBilling = properties["BillingMode"] ?? "PAY_PER_REQUEST";
+			if (oldBilling !== newBilling) {
+				const billingUpdate = {
+					TableName: physicalId,
+					BillingMode: newBilling
+				};
+				if (newBilling === "PROVISIONED") billingUpdate.ProvisionedThroughput = derivePerCallProvisionedThroughput(properties, currentRegion);
+				await this.dynamoDBClient.send(new UpdateTableCommand(billingUpdate));
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			}
+			const replicaDiff = diffReplicas(previousProperties["Replicas"] ?? [], properties["Replicas"] ?? []);
+			for (const replica of replicaDiff.removed) {
+				const region = replica["Region"];
+				if (!region || region === currentRegion) continue;
+				await this.dynamoDBClient.send(new UpdateTableCommand({
+					TableName: physicalId,
+					ReplicaUpdates: [{ Delete: { RegionName: region } }]
+				}));
+				await this.waitForReplicaGone(physicalId, region, logicalId);
+			}
+			for (const replica of replicaDiff.added) {
+				const region = replica["Region"];
+				if (!region || region === currentRegion) continue;
+				await this.addReplica(physicalId, replica, region, logicalId);
+			}
+			for (const replica of replicaDiff.modified) {
+				const region = replica["Region"];
+				if (!region || region === currentRegion) continue;
+				const oldReplicaTags = (previousProperties["Replicas"] ?? []).find((r) => r["Region"] === region)?.["Tags"];
+				const newReplicaTags = replica["Tags"];
+				if (!deepEqual$1(oldReplicaTags, newReplicaTags)) if (tableArn) {
+					const replicaArn = this.replicaArnForRegion(tableArn, region);
+					if (replicaArn) try {
+						const regionalClient = this.getRegionalClient(region);
+						await this.applyTagDiffOnClient(regionalClient, replicaArn, oldReplicaTags, newReplicaTags);
+					} catch (tagErr) {
+						this.logger.warn(`Could not apply Tags diff to cross-region replica ${region} of ${physicalId}: ${tagErr instanceof Error ? tagErr.message : String(tagErr)}. The replica's Tags state will surface as drift until the next successful deploy.`);
+					}
+					else this.logger.warn(`Could not derive replica ARN for region ${region} from ${tableArn} — skipping Tags propagation for ${physicalId}`);
+				} else this.logger.warn(`Local DescribeTable returned no TableArn — cannot propagate Tags to cross-region replica ${region} of ${physicalId}`);
+				const updateAction = { RegionName: region };
+				if (replica["KMSMasterKeyId"] !== void 0) updateAction.KMSMasterKeyId = replica["KMSMasterKeyId"];
+				if (replica["GlobalSecondaryIndexes"]) updateAction.GlobalSecondaryIndexes = replica["GlobalSecondaryIndexes"];
+				if (replica["TableClassOverride"]) updateAction.TableClassOverride = replica["TableClassOverride"];
+				if (!(updateAction.KMSMasterKeyId !== void 0 || updateAction.GlobalSecondaryIndexes !== void 0 || updateAction.TableClassOverride !== void 0)) {
+					this.logger.debug(`Cross-region replica ${region} of ${physicalId}: only Tags-style changes detected; UpdateReplica skipped (AWS rejects empty Update actions). Tags propagation handled above via per-region client.`);
+					continue;
+				}
+				await this.dynamoDBClient.send(new UpdateTableCommand({
+					TableName: physicalId,
+					ReplicaUpdates: [{ Update: updateAction }]
+				}));
+				await this.waitForReplicaActive(physicalId, region, logicalId);
+			}
+			const gsiDiff = diffGlobalSecondaryIndexes(previousProperties["GlobalSecondaryIndexes"] ?? [], properties["GlobalSecondaryIndexes"] ?? []);
+			for (const gsi of gsiDiff.removed) {
+				if (!gsi.IndexName) continue;
+				const gsiUpdate = { Delete: { IndexName: gsi.IndexName } };
+				await this.dynamoDBClient.send(new UpdateTableCommand({
+					TableName: physicalId,
+					GlobalSecondaryIndexUpdates: [gsiUpdate]
+				}));
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			}
+			for (const gsi of gsiDiff.added) {
+				if (!gsi.IndexName || !gsi.KeySchema || !gsi.Projection) continue;
+				const gsiUpdate = { Create: {
+					IndexName: gsi.IndexName,
+					KeySchema: gsi.KeySchema,
+					Projection: gsi.Projection,
+					...gsi.ProvisionedThroughput && { ProvisionedThroughput: gsi.ProvisionedThroughput },
+					...gsi.OnDemandThroughput && { OnDemandThroughput: gsi.OnDemandThroughput }
+				} };
+				await this.dynamoDBClient.send(new UpdateTableCommand({
+					TableName: physicalId,
+					AttributeDefinitions: newAttrs,
+					GlobalSecondaryIndexUpdates: [gsiUpdate]
+				}));
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			}
+			for (const gsi of gsiDiff.modified) {
+				if (!gsi.IndexName) continue;
+				const gsiUpdate = { Update: {
+					IndexName: gsi.IndexName,
+					...gsi.ProvisionedThroughput && { ProvisionedThroughput: gsi.ProvisionedThroughput },
+					...gsi.OnDemandThroughput && { OnDemandThroughput: gsi.OnDemandThroughput }
+				} };
+				await this.dynamoDBClient.send(new UpdateTableCommand({
+					TableName: physicalId,
+					GlobalSecondaryIndexUpdates: [gsiUpdate]
+				}));
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
+			}
+			if (!deepEqual$1(properties["TimeToLiveSpecification"], previousProperties["TimeToLiveSpecification"])) {
+				const ttl = properties["TimeToLiveSpecification"];
+				if (ttl?.["AttributeName"]) await this.dynamoDBClient.send(new UpdateTimeToLiveCommand({
+					TableName: physicalId,
+					TimeToLiveSpecification: {
+						Enabled: ttl["Enabled"] !== void 0 ? Boolean(ttl["Enabled"]) : true,
+						AttributeName: ttl["AttributeName"]
+					}
+				}));
+				else if (previousProperties["TimeToLiveSpecification"]) {
+					const prevTtl = previousProperties["TimeToLiveSpecification"];
+					if (prevTtl["AttributeName"]) await this.dynamoDBClient.send(new UpdateTimeToLiveCommand({
+						TableName: physicalId,
+						TimeToLiveSpecification: {
+							Enabled: false,
+							AttributeName: prevTtl["AttributeName"]
+						}
+					}));
+				}
+			}
+			const finalDescribe = await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }));
+			return {
+				physicalId,
+				wasReplaced: false,
+				attributes: {
+					Arn: finalDescribe.Table?.TableArn,
+					TableId: finalDescribe.Table?.TableId,
+					StreamArn: finalDescribe.Table?.LatestStreamArn,
+					TableName: physicalId
+				}
+			};
+		} catch (error) {
+			if (error instanceof ProvisioningError) throw error;
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to update DynamoDB GlobalTable ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
+		}
 	}
 	/**
-	* Update a DynamoDB Global Table.
+	* Apply a diff between old and new CFn-shape Tags arrays via DynamoDB's
+	* `TagResource` / `UntagResource` APIs against the local client. Both
+	* take the table ARN as `ResourceArn`.
 	*
-	* MVP: in-place updates are out of scope — replica add/remove, GSI
-	* add/remove, BillingMode flip, and throughput rewrites each have
-	* distinct UpdateTable shapes and ordering rules. `cdkd drift --revert`
-	* surfaces this as `ResourceUpdateNotSupportedError` (exit code 2);
-	* the user falls back to `cdkd deploy --replace` or destroy + redeploy.
+	* Local-replica convenience wrapper around `applyTagDiffOnClient` so
+	* existing call sites stay unchanged.
 	*/
-	async update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
-		throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "GlobalTable in-place updates are not yet supported; use 'cdkd deploy --replace' or destroy + redeploy");
+	async applyTagDiff(tableArn, oldTagsRaw, newTagsRaw) {
+		await this.applyTagDiffOnClient(this.dynamoDBClient, tableArn, oldTagsRaw, newTagsRaw);
+	}
+	/**
+	* Apply a Tags diff against the given `DynamoDBClient` (which may be
+	* the local client or a per-region client returned by
+	* `getRegionalClient`). Used by the local-replica path AND the
+	* cross-region replica Tags propagation path (Issue #389).
+	*/
+	async applyTagDiffOnClient(client, tableArn, oldTagsRaw, newTagsRaw) {
+		const toMap = (tags) => {
+			const m = /* @__PURE__ */ new Map();
+			for (const t of tags ?? []) if (t.Key !== void 0 && t.Value !== void 0) m.set(t.Key, t.Value);
+			return m;
+		};
+		const oldMap = toMap(oldTagsRaw);
+		const newMap = toMap(newTagsRaw);
+		const tagsToAdd = [];
+		for (const [k, v] of newMap) if (oldMap.get(k) !== v) tagsToAdd.push({
+			Key: k,
+			Value: v
+		});
+		const tagsToRemove = [];
+		for (const k of oldMap.keys()) if (!newMap.has(k)) tagsToRemove.push(k);
+		if (tagsToRemove.length > 0) {
+			await client.send(new UntagResourceCommand$2({
+				ResourceArn: tableArn,
+				TagKeys: tagsToRemove
+			}));
+			this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from DynamoDB GlobalTable ${tableArn}`);
+		}
+		if (tagsToAdd.length > 0) {
+			await client.send(new TagResourceCommand$2({
+				ResourceArn: tableArn,
+				Tags: tagsToAdd
+			}));
+			this.logger.debug(`Added/updated ${tagsToAdd.length} tag(s) on DynamoDB GlobalTable ${tableArn}`);
+		}
 	}
 	/**
 	* Delete a DynamoDB Global Table.
@@ -8075,7 +8400,7 @@ var DynamoDBGlobalTableProvider = class {
 			}));
 			this.logger.debug(`Disabled DeletionProtectionEnabled on ${logicalId}, waiting for ACTIVE`);
 			try {
-				await this.waitForTableActiveAfterUpdate(physicalId);
+				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
 			} catch (waitErr) {
 				this.logger.debug(`Could not wait for table ${physicalId} ACTIVE after protection flip: ${waitErr instanceof Error ? waitErr.message : String(waitErr)}`);
 			}
@@ -8099,7 +8424,7 @@ var DynamoDBGlobalTableProvider = class {
 						TableName: physicalId,
 						ReplicaUpdates: [{ Delete: { RegionName: region } }]
 					}));
-					await this.waitForReplicaGone(physicalId, region);
+					await this.waitForReplicaGone(physicalId, region, logicalId);
 				} catch (replicaErr) {
 					if (!(replicaErr instanceof ResourceNotFoundException$1)) throw replicaErr;
 				}
@@ -8112,7 +8437,7 @@ var DynamoDBGlobalTableProvider = class {
 		}
 		try {
 			await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: physicalId }));
-			await this.waitForTableGone(physicalId);
+			await this.waitForTableGone(physicalId, logicalId);
 			this.logger.debug(`Successfully deleted DynamoDB GlobalTable ${logicalId}`);
 		} catch (error) {
 			if (error instanceof ResourceNotFoundException$1) {
@@ -8158,22 +8483,29 @@ var DynamoDBGlobalTableProvider = class {
 	/**
 	* Read the AWS-current DynamoDB GlobalTable configuration in CFn-property shape.
 	*
-	* Reverse-maps `DescribeTable` + `ListTagsOfResource` into the
-	* `AWS::DynamoDB::GlobalTable` property set.
+	* Reverse-maps `DescribeTable` + `ListTagsOfResource` + `DescribeTimeToLive`
+	* + per-replica `DescribeContributorInsights` /
+	* `DescribeContinuousBackups` / `DescribeKinesisStreamingDestination`
+	* into the `AWS::DynamoDB::GlobalTable` property set.
 	*
 	* Type-discriminator gating (memory rule
 	* `feedback_always_emit_check_type_discriminator.md`):
-	*  - `ProvisionedThroughput`-bearing fields are only surfaced when
-	*    `BillingMode === 'PROVISIONED'`. Emitting placeholders on
-	*    PAY_PER_REQUEST tables (or vice versa) would fire false drift on
-	*    every clean run.
 	*  - StreamSpecification / SSESpecification follow the existing
 	*    DynamoDB::Table provider's Class 1 guard: only surfaced when AWS
 	*    reports the feature actually enabled.
-	*
-	* `getDriftUnknownPaths` declares TTL + write-throughput-settings —
-	* those round-trip in the create path but the reverse-mapping is not
-	* yet implemented and would fire guaranteed false drift.
+	*  - `ProvisionedThroughput`-bearing fields are declared in
+	*    `getDriftUnknownPaths` and intentionally not emitted in v1 — the
+	*    reverse-mapping from AWS's `ProvisionedThroughput` shape into
+	*    CFn's `WriteProvisionedThroughputSettings` /
+	*    `ReadProvisionedThroughputSettings` wrappers (which carry
+	*    `WriteCapacityAutoScalingSettings` etc.) needs more work to round
+	*    -trip cleanly.
+	*
+	* Per-replica sub-specifications (`ContributorInsightsSpecification` /
+	* `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`)
+	* are surfaced only for the LOCAL replica. Cross-region replicas
+	* require per-region SDK clients (`new DynamoDBClient({region})`),
+	* deferred to a follow-up PR.
 	*/
 	async readCurrentState(physicalId, _logicalId, _resourceType) {
 		try {
@@ -8196,19 +8528,54 @@ var DynamoDBGlobalTableProvider = class {
 				if (table.SSEDescription.SSEType !== void 0) sse["SSEType"] = table.SSEDescription.SSEType;
 				result["SSESpecification"] = sse;
 			}
-			result["Replicas"] = (table.Replicas ?? []).map((r) => ({
-				Region: r.RegionName,
-				...r.KMSMasterKeyId !== void 0 && { KMSMasterKeyId: r.KMSMasterKeyId }
-			}));
 			if (table.TableClassSummary?.TableClass) result["TableClass"] = table.TableClassSummary.TableClass;
 			if (table.DeletionProtectionEnabled !== void 0) result["DeletionProtectionEnabled"] = table.DeletionProtectionEnabled;
-			if (table.TableArn) try {
-				result["Tags"] = normalizeAwsTagsToCfn((await this.dynamoDBClient.send(new ListTagsOfResourceCommand({ ResourceArn: table.TableArn }))).Tags);
-			} catch (err) {
-				if (err instanceof ResourceNotFoundException$1) return void 0;
-				result["Tags"] = [];
+			const currentRegion = await this.dynamoDBClient.config.region() ?? "";
+			const tableNameForSubs = table.TableName ?? physicalId;
+			result["Replicas"] = await Promise.all((table.Replicas ?? []).map(async (r) => {
+				const entry = { Region: r.RegionName };
+				if (r.KMSMasterKeyId !== void 0) entry["KMSMasterKeyId"] = r.KMSMasterKeyId;
+				if (!r.RegionName) return entry;
+				const isLocal = r.RegionName === currentRegion;
+				const client = isLocal ? this.dynamoDBClient : this.getRegionalClient(r.RegionName);
+				const regionLabel = r.RegionName;
+				const replicaArn = isLocal ? table.TableArn : table.TableArn ? this.replicaArnForRegion(table.TableArn, r.RegionName) : void 0;
+				const subs = await this.readReplicaSubSpecs(client, tableNameForSubs, regionLabel);
+				Object.assign(entry, subs);
+				if (replicaArn) try {
+					entry["Tags"] = normalizeAwsTagsToCfn((await client.send(new ListTagsOfResourceCommand({ ResourceArn: replicaArn }))).Tags);
+				} catch (tagErr) {
+					if (tagErr instanceof ResourceNotFoundException$1) {
+						if (isLocal) throw tagErr;
+						this.logger.debug(`Cross-region replica ${regionLabel} returned RNF on ListTagsOfResource; omitting Tags`);
+						entry["Tags"] = [];
+					} else {
+						this.logger.warn(`Could not fetch tags for DynamoDB GlobalTable ${tableNameForSubs} in ${regionLabel}: ${tagErr instanceof Error ? tagErr.message : String(tagErr)}`);
+						entry["Tags"] = [];
+					}
+				}
+				else entry["Tags"] = [];
+				return entry;
+			}));
+			if (table.OnDemandThroughput?.MaxWriteRequestUnits !== void 0) result["WriteOnDemandThroughputSettings"] = { MaxWriteRequestUnits: table.OnDemandThroughput.MaxWriteRequestUnits };
+			else result["WriteOnDemandThroughputSettings"] = {};
+			if (billingMode === "PROVISIONED") {
+				const writeCapacity = table.ProvisionedThroughput?.WriteCapacityUnits;
+				if (writeCapacity !== void 0) if (!await this.hasWriteAutoScalingPolicy(tableNameForSubs)) result["WriteProvisionedThroughputSettings"] = { WriteCapacityUnits: writeCapacity };
+				else result["WriteProvisionedThroughputSettings"] = {};
+				else result["WriteProvisionedThroughputSettings"] = {};
+			} else result["WriteProvisionedThroughputSettings"] = {};
+			try {
+				const ttlDesc = (await this.dynamoDBClient.send(new DescribeTimeToLiveCommand({ TableName: tableNameForSubs }))).TimeToLiveDescription;
+				const ttlStatus = ttlDesc?.TimeToLiveStatus;
+				if (ttlStatus === "ENABLED" && ttlDesc?.AttributeName) result["TimeToLiveSpecification"] = {
+					AttributeName: ttlDesc.AttributeName,
+					Enabled: true
+				};
+				else if (ttlStatus === "DISABLED") {}
+			} catch (ttlErr) {
+				this.logger.debug(`Could not read TimeToLive for ${tableNameForSubs}: ${ttlErr instanceof Error ? ttlErr.message : String(ttlErr)}`);
 			}
-			else result["Tags"] = [];
 			return result;
 		} catch (err) {
 			if (err instanceof ResourceNotFoundException$1) return void 0;
@@ -8216,25 +8583,101 @@ var DynamoDBGlobalTableProvider = class {
 		}
 	}
 	/**
+	* Read per-replica sub-specifications against the given `DynamoDBClient`
+	* (which may be the local client or a per-region client returned by
+	* `getRegionalClient`):
+	*  - `ContributorInsightsSpecification` via `DescribeContributorInsights`
+	*    (table-level; GSI overrides are NOT surfaced in v1 — they would
+	*    require one call per GSI and a different CFn nesting under the
+	*    `Replicas[].GlobalSecondaryIndexes[]` shape).
+	*  - `PointInTimeRecoverySpecification` via `DescribeContinuousBackups`.
+	*  - `KinesisStreamSpecification` via
+	*    `DescribeKinesisStreamingDestination` (filtered to the local
+	*    region's destination when AWS reports more than one).
+	*
+	* Each call is best-effort: errors omit the offending key rather than
+	* fail the whole drift read.
+	*
+	* Issue #389 lifted the LOCAL-only limitation by parameterizing the
+	* client — the same reverse-mapping logic runs against any region's
+	* client.
+	*/
+	async readReplicaSubSpecs(client, tableName, regionLabel) {
+		const out = {};
+		try {
+			const ci = await client.send(new DescribeContributorInsightsCommand({ TableName: tableName }));
+			if (ci.ContributorInsightsStatus) out["ContributorInsightsSpecification"] = { Enabled: ci.ContributorInsightsStatus === "ENABLED" };
+		} catch (err) {
+			this.logger.debug(`Could not read ContributorInsights for ${tableName} in ${regionLabel}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+		try {
+			const pitrStatus = (await client.send(new DescribeContinuousBackupsCommand({ TableName: tableName }))).ContinuousBackupsDescription?.PointInTimeRecoveryDescription?.PointInTimeRecoveryStatus;
+			if (pitrStatus) out["PointInTimeRecoverySpecification"] = { PointInTimeRecoveryEnabled: pitrStatus === "ENABLED" };
+		} catch (err) {
+			this.logger.debug(`Could not read PointInTimeRecovery for ${tableName} in ${regionLabel}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+		try {
+			const active = ((await client.send(new DescribeKinesisStreamingDestinationCommand({ TableName: tableName }))).KinesisDataStreamDestinations ?? []).find((d) => d.DestinationStatus === "ACTIVE" || d.DestinationStatus === "ENABLING");
+			if (active?.StreamArn) {
+				const ksOut = { StreamArn: active.StreamArn };
+				if (active.ApproximateCreationDateTimePrecision !== void 0) ksOut["ApproximateCreationDateTimePrecision"] = active.ApproximateCreationDateTimePrecision;
+				out["KinesisStreamSpecification"] = ksOut;
+			}
+		} catch (err) {
+			this.logger.debug(`Could not read KinesisStreamingDestination for ${tableName} in ${regionLabel}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+		return out;
+	}
+	/**
+	* Detect whether application-autoscaling has a scaling policy on this
+	* table's WriteCapacityUnits dimension. Used to decide whether the
+	* `WriteProvisionedThroughputSettings.WriteCapacityUnits` flat-value
+	* surface in `readCurrentState` is safe to emit (auto-scaling
+	* dynamically mutates capacity, so a flat snapshot would fire false
+	* drift on every scale event — when an autoscaling policy is in play
+	* we omit the flat surface so a follow-up PR can reverse-map the
+	* full `WriteCapacityAutoScalingSettings` shape).
+	*
+	* Best-effort: errors return `false` (no autoscaling detected) so a
+	* permissions gap on `application-autoscaling:DescribeScalingPolicies`
+	* does not abort drift reads. Logged at debug.
+	*/
+	async hasWriteAutoScalingPolicy(tableName) {
+		try {
+			return ((await new ApplicationAutoScalingClient({ region: await this.dynamoDBClient.config.region() ?? "" }).send(new DescribeScalingPoliciesCommand({
+				ServiceNamespace: "dynamodb",
+				ResourceId: `table/${tableName}`,
+				ScalableDimension: "dynamodb:table:WriteCapacityUnits"
+			}))).ScalingPolicies ?? []).length > 0;
+		} catch (err) {
+			this.logger.debug(`Could not query application-autoscaling for ${tableName}: ${err instanceof Error ? err.message : String(err)}`);
+			return false;
+		}
+	}
+	/**
 	* State property paths cdkd's GlobalTable readCurrentState cannot (yet)
 	* reverse-map. The drift comparator skips these so a templated value
 	* doesn't fire guaranteed false drift on every clean run.
 	*
-	* - `TimeToLiveSpecification`: cdkd's create() applies it via
-	*   UpdateTimeToLive, but the reverse-mapping needs a separate
-	*   DescribeTimeToLive call (not yet implemented).
-	* - `WriteProvisionedThroughputSettings` /
-	*   `WriteOnDemandThroughputSettings`: CFn's shapes wrap
-	*   auto-scaling / on-demand max-RU settings whose reverse-mapping
-	*   from `DescribeTable.ProvisionedThroughput` / `OnDemandThroughput`
-	*   is non-trivial and would fire false drift in v1.
+	* Issue #389 emptied this list:
+	*  - `WriteProvisionedThroughputSettings` (flat-WriteCapacityUnits
+	*    subset) is now reverse-mapped from `Table.ProvisionedThroughput`
+	*    when BillingMode is PROVISIONED AND application-autoscaling has
+	*    no policy on the WriteCapacityUnits dimension. Auto-scaling
+	*    cases emit an empty `{}` placeholder so the comparator does NOT
+	*    fire false drift on the literal `WriteCapacityUnits` subtree.
+	*  - `WriteOnDemandThroughputSettings` is reverse-mapped from
+	*    `Table.OnDemandThroughput.MaxWriteRequestUnits`. Always-emit
+	*    `{}` placeholder when AWS reports no override.
+	*  - `TimeToLiveSpecification` is reverse-mapped via
+	*    `DescribeTimeToLive` in `readCurrentState`.
+	*
+	* Returning an empty list is the canonical "no known-unknown paths"
+	* shape — keeping the method present (rather than removing it) for
+	* future additions and for backward compat on test reflection.
 	*/
 	getDriftUnknownPaths(_resourceType) {
-		return [
-			"TimeToLiveSpecification",
-			"WriteProvisionedThroughputSettings",
-			"WriteOnDemandThroughputSettings"
-		];
+		return [];
 	}
 	/**
 	* Adopt an existing DynamoDB GlobalTable into cdkd state.
@@ -8278,7 +8721,7 @@ var DynamoDBGlobalTableProvider = class {
 		} while (exclusiveStartTableName);
 		return null;
 	}
-	async waitForTableActive(tableName, maxAttempts = 120) {
+	async waitForTableActive(tableName, logicalId, maxAttempts = 120) {
 		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
 			const response = await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }));
 			const status = response.Table?.TableStatus;
@@ -8288,10 +8731,10 @@ var DynamoDBGlobalTableProvider = class {
 				tableId: response.Table?.TableId,
 				streamArn: response.Table?.LatestStreamArn
 			};
-			if (status !== "CREATING" && status !== "UPDATING") throw new Error(`Unexpected table status: ${status}`);
+			if (status !== "CREATING" && status !== "UPDATING") throw new ProvisioningError(`Unexpected table status while waiting for ACTIVE on ${tableName}: ${status}`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 			await new Promise((resolve) => setTimeout(resolve, 1e3));
 		}
-		throw new Error(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s`);
+		throw new ProvisioningError(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 	}
 	/**
 	* Wait for the table to reach ACTIVE after an UpdateTable call. Unlike
@@ -8299,32 +8742,32 @@ var DynamoDBGlobalTableProvider = class {
 	* table may already be ACTIVE on the no-op path (already-disabled
 	* protection) or transition through UPDATING.
 	*/
-	async waitForTableActiveAfterUpdate(tableName, maxAttempts = 120) {
+	async waitForTableActiveAfterUpdate(tableName, logicalId, maxAttempts = 600) {
 		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
 			if ((await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.TableStatus === "ACTIVE") return;
 			await new Promise((resolve) => setTimeout(resolve, 1e3));
 		}
-		throw new Error(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s after UpdateTable`);
+		throw new ProvisioningError(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s after UpdateTable`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 	}
 	/**
 	* Wait until a specific replica's `ReplicaStatus` flips to ACTIVE.
 	* Replica provisioning typically takes 1–5 min; cap at 10 min.
 	*/
-	async waitForReplicaActive(tableName, region, maxAttempts = 600) {
+	async waitForReplicaActive(tableName, region, logicalId, maxAttempts = 600) {
 		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
 			const replica = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.Replicas?.find((r) => r.RegionName === region);
 			if (replica?.ReplicaStatus === "ACTIVE") return;
 			this.logger.debug(`Replica ${region} status: ${replica?.ReplicaStatus} (attempt ${attempt}/${maxAttempts})`);
 			await new Promise((resolve) => setTimeout(resolve, 1e3));
 		}
-		throw new Error(`Replica ${region} for table ${tableName} did not reach ACTIVE within ${maxAttempts}s`);
+		throw new ProvisioningError(`Replica ${region} for table ${tableName} did not reach ACTIVE within ${maxAttempts}s`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 	}
 	/**
 	* Wait until a specific replica disappears from `Replicas[]` after a
 	* Delete replica update. Replica deletion typically takes 1–5 min;
 	* cap at 10 min.
 	*/
-	async waitForReplicaGone(tableName, region, maxAttempts = 600) {
+	async waitForReplicaGone(tableName, region, logicalId, maxAttempts = 600) {
 		for (let attempt = 1; attempt <= maxAttempts; attempt++) try {
 			if (!(await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.Replicas?.find((r) => r.RegionName === region)) return;
 			await new Promise((resolve) => setTimeout(resolve, 1e3));
@@ -8332,7 +8775,7 @@ var DynamoDBGlobalTableProvider = class {
 			if (err instanceof ResourceNotFoundException$1) return;
 			throw err;
 		}
-		throw new Error(`Replica ${region} for table ${tableName} did not disappear within ${maxAttempts}s`);
+		throw new ProvisioningError(`Replica ${region} for table ${tableName} did not disappear within ${maxAttempts}s`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 	}
 	/**
 	* Wait for `DescribeTable` to return `ResourceNotFoundException`,
@@ -8345,7 +8788,7 @@ var DynamoDBGlobalTableProvider = class {
 	* Typical small-table delete completes in 5–30s; cap at 10 min for
 	* worst-case large-table / replica-cascade scenarios.
 	*/
-	async waitForTableGone(tableName, maxAttempts = 600) {
+	async waitForTableGone(tableName, logicalId, maxAttempts = 600) {
 		for (let attempt = 1; attempt <= maxAttempts; attempt++) try {
 			await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }));
 			await new Promise((resolve) => setTimeout(resolve, 1e3));
@@ -8353,9 +8796,104 @@ var DynamoDBGlobalTableProvider = class {
 			if (err instanceof ResourceNotFoundException$1) return;
 			throw err;
 		}
-		throw new Error(`Table ${tableName} did not disappear within ${maxAttempts}s`);
+		throw new ProvisioningError(`Table ${tableName} did not disappear within ${maxAttempts}s`, "AWS::DynamoDB::GlobalTable", logicalId, tableName);
 	}
 };
+/**
+* Diff CFn `Replicas[]` arrays. Keyed by `Region`. Returns adds, removes,
+* and modifies (entries whose other keys — KMSMasterKeyId,
+* GlobalSecondaryIndexes, TableClassOverride — differ from the old shape).
+*/
+/**
+* Derive the per-call `ProvisionedThroughput` shape required by
+* `CreateTableCommand` / `UpdateTableCommand` when BillingMode flips to
+* PROVISIONED. Shared between create() and the BillingMode-flip path in
+* update() so a user template's non-default read/write capacity is
+* preserved consistently across both code paths.
+*
+* Source of truth (CFn `AWS::DynamoDB::GlobalTable` shape):
+*  - WriteCapacityUnits → `properties.WriteProvisionedThroughputSettings`
+*    (top-level on the table). Literal `WriteCapacityUnits` wins over
+*    auto-scaling `MinCapacity`; both default to 5 if absent.
+*  - ReadCapacityUnits → `Replicas[?Region==<region>].ReadProvisionedThroughputSettings`
+*    (per-replica, the deploy region's setting). Same literal-vs-auto-
+*    scaling-vs-default-5 precedence.
+*/
+function derivePerCallProvisionedThroughput(properties, region) {
+	const wps = properties["WriteProvisionedThroughputSettings"];
+	const writeAutoScaling = wps?.["WriteCapacityAutoScalingSettings"];
+	const writeCapacity = Number(wps?.["WriteCapacityUnits"] ?? writeAutoScaling?.["MinCapacity"] ?? 5);
+	const localReadSettings = (properties["Replicas"] ?? []).find((r) => r["Region"] === region)?.["ReadProvisionedThroughputSettings"];
+	const readAutoScaling = localReadSettings?.["ReadCapacityAutoScalingSettings"];
+	return {
+		ReadCapacityUnits: Number(localReadSettings?.["ReadCapacityUnits"] ?? readAutoScaling?.["MinCapacity"] ?? 5),
+		WriteCapacityUnits: writeCapacity
+	};
+}
+function diffReplicas(oldReplicas, newReplicas) {
+	const oldByRegion = /* @__PURE__ */ new Map();
+	const newByRegion = /* @__PURE__ */ new Map();
+	for (const r of oldReplicas) {
+		const region = r["Region"];
+		if (region) oldByRegion.set(region, r);
+	}
+	for (const r of newReplicas) {
+		const region = r["Region"];
+		if (region) newByRegion.set(region, r);
+	}
+	const added = [];
+	const removed = [];
+	const modified = [];
+	for (const [region, replica] of newByRegion) if (!oldByRegion.has(region)) added.push(replica);
+	else if (!deepEqual$1(oldByRegion.get(region), replica)) modified.push(replica);
+	for (const [region, replica] of oldByRegion) if (!newByRegion.has(region)) removed.push(replica);
+	return {
+		added,
+		removed,
+		modified
+	};
+}
+/**
+* Diff CFn `GlobalSecondaryIndexes[]` arrays. Keyed by `IndexName`.
+* Modified = same IndexName but other fields (ProvisionedThroughput /
+* OnDemandThroughput) differ. KeySchema / Projection changes count as
+* "modified" too — AWS rejects those via UpdateGSI, but the diff caller
+* surfaces the AWS-side error rather than this helper second-guessing.
+*/
+function diffGlobalSecondaryIndexes(oldGsi, newGsi) {
+	const oldByName = /* @__PURE__ */ new Map();
+	const newByName = /* @__PURE__ */ new Map();
+	for (const g of oldGsi) if (g.IndexName) oldByName.set(g.IndexName, g);
+	for (const g of newGsi) if (g.IndexName) newByName.set(g.IndexName, g);
+	const added = [];
+	const removed = [];
+	const modified = [];
+	for (const [name, gsi] of newByName) if (!oldByName.has(name)) added.push(gsi);
+	else if (!deepEqual$1(oldByName.get(name), gsi)) modified.push(gsi);
+	for (const [name, gsi] of oldByName) if (!newByName.has(name)) removed.push(gsi);
+	return {
+		added,
+		removed,
+		modified
+	};
+}
+/**
+* Structural equality via JSON.stringify. Both inputs are CFn-shape
+* POJOs (no functions, no symbols, no cycles), so JSON round-trip is
+* sufficient and free of the property-order pitfalls of deeper
+* comparators. Object property order from `Object.keys` is insertion
+* order in modern engines; AWS-SDK shapes are constructed by the SDK
+* in stable order, so this is safe in practice.
+*/
+function deepEqual$1(a, b) {
+	if (a === b) return true;
+	if (a === void 0 || b === void 0) return false;
+	try {
+		return JSON.stringify(a) === JSON.stringify(b);
+	} catch {
+		return false;
+	}
+}
 
 //#endregion
 //#region src/provisioning/providers/logs-loggroup-provider.ts
@@ -43625,7 +44163,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.103.2");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.105.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());