@go-to-k/cdkd 0.105.0 → 0.107.0

package/dist/cli.js

@@ -30,12 +30,12 @@ import { CreateAliasCommand, CreateKeyCommand, DeleteAliasCommand, DescribeKeyCo
 import { promisify } from "node:util";
 import { CreateRepositoryCommand, DeleteLifecyclePolicyCommand, DeleteRepositoryCommand, DeleteRepositoryPolicyCommand, DescribeRepositoriesCommand, ECRClient, GetAuthorizationTokenCommand, GetLifecyclePolicyCommand, LifecyclePolicyNotFoundException, ListTagsForResourceCommand as ListTagsForResourceCommand$7, PutImageScanningConfigurationCommand, PutImageTagMutabilityCommand, PutLifecyclePolicyCommand, RepositoryNotFoundException, SetRepositoryPolicyCommand, TagResourceCommand as TagResourceCommand$9 } from "@aws-sdk/client-ecr";
 import graphlib from "graphlib";
-import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBSubnetGroupCommand, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
+import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBProxyCommand, CreateDBSubnetGroupCommand, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBProxyCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxiesCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
 import { Command, Option } from "commander";
 import { writeFileSync as writeFileSync$1 } from "fs";
 import { join as join$1 } from "path";
 import * as zlib from "node:zlib";
-import { ApplicationAutoScalingClient, DescribeScalingPoliciesCommand } from "@aws-sdk/client-application-auto-scaling";
+import { ApplicationAutoScalingClient, DescribeScalableTargetsCommand, DescribeScalingPoliciesCommand } from "@aws-sdk/client-application-auto-scaling";
 import { ApiGatewayV2Client, CreateApiCommand, CreateAuthorizerCommand as CreateAuthorizerCommand$1, CreateIntegrationCommand, CreateRouteCommand as CreateRouteCommand$1, CreateStageCommand as CreateStageCommand$1, DeleteApiCommand, DeleteAuthorizerCommand as DeleteAuthorizerCommand$1, DeleteIntegrationCommand, DeleteRouteCommand as DeleteRouteCommand$1, DeleteStageCommand as DeleteStageCommand$1, GetApiCommand, GetApisCommand, GetAuthorizerCommand as GetAuthorizerCommand$1, GetIntegrationCommand, GetRouteCommand, GetStageCommand as GetStageCommand$1, NotFoundException as NotFoundException$3, UpdateApiCommand, UpdateAuthorizerCommand as UpdateAuthorizerCommand$1, UpdateIntegrationCommand, UpdateRouteCommand, UpdateStageCommand as UpdateStageCommand$1 } from "@aws-sdk/client-apigatewayv2";
 import { CreateStateMachineCommand, DeleteStateMachineCommand, DescribeStateMachineCommand, ListStateMachinesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$9, SFNClient, StateMachineDoesNotExist, TagResourceCommand as TagResourceCommand$10, UntagResourceCommand as UntagResourceCommand$9, UpdateStateMachineCommand } from "@aws-sdk/client-sfn";
 import { CreateClusterCommand, CreateServiceCommand, DeleteClusterCommand, DeleteServiceCommand, DeregisterTaskDefinitionCommand, DescribeClustersCommand, DescribeServicesCommand, DescribeTaskDefinitionCommand, ECSClient, ListClustersCommand, ListServicesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$10, PutClusterCapacityProvidersCommand, RegisterTaskDefinitionCommand, TagResourceCommand as TagResourceCommand$11, UntagResourceCommand as UntagResourceCommand$10, UpdateClusterCommand, UpdateServiceCommand } from "@aws-sdk/client-ecs";
@@ -7899,6 +7899,18 @@ var DynamoDBGlobalTableProvider = class {
 	*/
 	regionalClientCache = /* @__PURE__ */ new Map();
 	/**
+	* Caches per-region `ApplicationAutoScalingClient` instances for
+	* per-replica `ReadCapacityAutoScalingSettings` reverse-mapping in
+	* `readCurrentState`. Same lifetime / shape as `regionalClientCache`
+	* — one per region for the duration of the provider instance.
+	*
+	* Issue #395: per-replica read capacity autoscaling lives in the
+	* replica's region (each replica has its own scaling target +
+	* policy registered against `application-autoscaling` in that
+	* region), so we cannot reuse the local-region client.
+	*/
+	regionalAutoScalingClientCache = /* @__PURE__ */ new Map();
+	/**
 	* Caches `getAttribute(physicalId, attribute)` results for the lifetime
 	* of this provider instance (one deploy run). Safe under the current
 	* `update()` contract because `update()` cannot mid-deploy mutate
@@ -7954,6 +7966,24 @@ var DynamoDBGlobalTableProvider = class {
 		return client;
 	}
 	/**
+	* Return an `ApplicationAutoScalingClient` pinned to the given region,
+	* caching per region for the lifetime of this provider instance. Mirrors
+	* `getRegionalClient` but for the application-autoscaling service.
+	*
+	* Used by `readAutoScalingSettings` (Issue #395) to recover per-replica
+	* `ReadCapacityAutoScalingSettings` shapes — each cross-region replica's
+	* scaling target + policy are registered with the autoscaling control
+	* plane in the replica's region, so cross-region drift reads need a
+	* region-scoped client.
+	*/
+	getRegionalAutoScalingClient(region) {
+		const cached = this.regionalAutoScalingClientCache.get(region);
+		if (cached) return cached;
+		const client = new ApplicationAutoScalingClient({ region });
+		this.regionalAutoScalingClientCache.set(region, client);
+		return client;
+	}
+	/**
 	* Construct the regional table ARN for a cross-region replica of a
 	* GlobalTable. AWS replicates the same `TableName` across every
 	* replica region, with each replica's ARN differing only in the
@@ -8493,13 +8523,17 @@ var DynamoDBGlobalTableProvider = class {
 	*  - StreamSpecification / SSESpecification follow the existing
 	*    DynamoDB::Table provider's Class 1 guard: only surfaced when AWS
 	*    reports the feature actually enabled.
-	*  - `ProvisionedThroughput`-bearing fields are declared in
-	*    `getDriftUnknownPaths` and intentionally not emitted in v1 — the
-	*    reverse-mapping from AWS's `ProvisionedThroughput` shape into
-	*    CFn's `WriteProvisionedThroughputSettings` /
-	*    `ReadProvisionedThroughputSettings` wrappers (which carry
-	*    `WriteCapacityAutoScalingSettings` etc.) needs more work to round
-	*    -trip cleanly.
+	*  - `WriteProvisionedThroughputSettings` reverse-maps both shapes:
+	*    flat `{WriteCapacityUnits}` (no autoscaling) and full
+	*    `{WriteCapacityAutoScalingSettings}` (Issue #395; recovered from
+	*    application-autoscaling's `DescribeScalableTargets` +
+	*    `DescribeScalingPolicies` for the
+	*    `dynamodb:table:WriteCapacityUnits` dimension).
+	*  - Per-replica `ReadProvisionedThroughputSettings` reverse-maps the
+	*    `{ReadCapacityAutoScalingSettings}` shape only — there is no
+	*    per-replica flat read capacity in `DescribeTable`'s response
+	*    (the local `ProvisionedThroughput` block is table-level, not
+	*    replica-level), so non-autoscaled replicas omit the key.
 	*
 	* Per-replica sub-specifications (`ContributorInsightsSpecification` /
 	* `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`)
@@ -8555,15 +8589,23 @@ var DynamoDBGlobalTableProvider = class {
 					}
 				}
 				else entry["Tags"] = [];
+				if (billingMode === "PROVISIONED") {
+					const replicaAutoScalingClient = isLocal ? void 0 : this.getRegionalAutoScalingClient(regionLabel);
+					const readAutoScaling = await this.readAutoScalingSettings(tableNameForSubs, "dynamodb:table:ReadCapacityUnits", replicaAutoScalingClient);
+					if (readAutoScaling) entry["ReadProvisionedThroughputSettings"] = { ReadCapacityAutoScalingSettings: readAutoScaling };
+				}
 				return entry;
 			}));
 			if (table.OnDemandThroughput?.MaxWriteRequestUnits !== void 0) result["WriteOnDemandThroughputSettings"] = { MaxWriteRequestUnits: table.OnDemandThroughput.MaxWriteRequestUnits };
 			else result["WriteOnDemandThroughputSettings"] = {};
 			if (billingMode === "PROVISIONED") {
-				const writeCapacity = table.ProvisionedThroughput?.WriteCapacityUnits;
-				if (writeCapacity !== void 0) if (!await this.hasWriteAutoScalingPolicy(tableNameForSubs)) result["WriteProvisionedThroughputSettings"] = { WriteCapacityUnits: writeCapacity };
-				else result["WriteProvisionedThroughputSettings"] = {};
-				else result["WriteProvisionedThroughputSettings"] = {};
+				const autoScaling = await this.readAutoScalingSettings(tableNameForSubs, "dynamodb:table:WriteCapacityUnits");
+				if (autoScaling) result["WriteProvisionedThroughputSettings"] = { WriteCapacityAutoScalingSettings: autoScaling };
+				else {
+					const writeCapacity = table.ProvisionedThroughput?.WriteCapacityUnits;
+					if (writeCapacity !== void 0) result["WriteProvisionedThroughputSettings"] = { WriteCapacityUnits: writeCapacity };
+					else result["WriteProvisionedThroughputSettings"] = {};
+				}
 			} else result["WriteProvisionedThroughputSettings"] = {};
 			try {
 				const ttlDesc = (await this.dynamoDBClient.send(new DescribeTimeToLiveCommand({ TableName: tableNameForSubs }))).TimeToLiveDescription;
@@ -8629,29 +8671,90 @@ var DynamoDBGlobalTableProvider = class {
 		return out;
 	}
 	/**
-	* Detect whether application-autoscaling has a scaling policy on this
-	* table's WriteCapacityUnits dimension. Used to decide whether the
-	* `WriteProvisionedThroughputSettings.WriteCapacityUnits` flat-value
-	* surface in `readCurrentState` is safe to emit (auto-scaling
-	* dynamically mutates capacity, so a flat snapshot would fire false
-	* drift on every scale event — when an autoscaling policy is in play
-	* we omit the flat surface so a follow-up PR can reverse-map the
-	* full `WriteCapacityAutoScalingSettings` shape).
-	*
-	* Best-effort: errors return `false` (no autoscaling detected) so a
-	* permissions gap on `application-autoscaling:DescribeScalingPolicies`
-	* does not abort drift reads. Logged at debug.
-	*/
-	async hasWriteAutoScalingPolicy(tableName) {
-		try {
-			return ((await new ApplicationAutoScalingClient({ region: await this.dynamoDBClient.config.region() ?? "" }).send(new DescribeScalingPoliciesCommand({
+	* Reverse-map application-autoscaling state for the given DynamoDB table
+	* dimension into the CFn `*CapacityAutoScalingSettings` shape (Issue
+	* #395). Used for BOTH the table-level write dimension
+	* (`dynamodb:table:WriteCapacityUnits`) and the per-replica read
+	* dimension (`dynamodb:table:ReadCapacityUnits`); the CFn shape is
+	* symmetric.
+	*
+	* Returns shape (CFn-canonical PascalCase keys, verified via `cdk synth`
+	* on a real `TableV2` with `Capacity.autoscaled(...)` on 2026-05-16 —
+	* see PR notes for the probe transcript):
+	*
+	* ```
+	* {
+	*   MinCapacity: number;
+	*   MaxCapacity: number;
+	*   TargetTrackingScalingPolicyConfiguration: {
+	*     TargetValue: number;
+	*     DisableScaleIn?: boolean;
+	*     ScaleInCooldown?: number;
+	*     ScaleOutCooldown?: number;
+	*   };
+	* }
+	* ```
+	*
+	* `SeedCapacity` is intentionally NOT round-tripped — it is a CFn
+	* create-only field with no corresponding application-autoscaling
+	* surface (AWS does not retain the initial seed value once the
+	* scaling target is registered).
+	*
+	* Resolution order:
+	*  1. `DescribeScalableTargets` → recover `MinCapacity` / `MaxCapacity`
+	*     for the matching `ScalableDimension`. Returns `null` when no
+	*     target is registered (= no autoscaling in play for this
+	*     dimension — caller falls back to the flat capacity surface).
+	*  2. `DescribeScalingPolicies` → find the `TargetTrackingScaling`
+	*     policy (filter out `StepScaling` / `PredictiveScaling` — CFn's
+	*     shape only carries the target-tracking variant). Returns `null`
+	*     when no `TargetTrackingScaling` policy is present (a scaling
+	*     target without a target-tracking policy is not cdkd-managed
+	*     drift territory; surface the flat capacity instead).
+	*
+	* Best-effort: any error (permissions gap, throttle, network) returns
+	* `null` and the caller falls back to the flat-capacity branch. Logged
+	* at debug so a real permissions misconfiguration is still visible
+	* under `--verbose`.
+	*
+	* @param tableName DynamoDB table name (the `physicalId`).
+	* @param scalableDimension `'dynamodb:table:WriteCapacityUnits'` or
+	*   `'dynamodb:table:ReadCapacityUnits'`.
+	* @param client Pre-built region-scoped autoscaling client. Defaults to
+	*   a fresh client in the local region — pass an explicit client when
+	*   reading from a cross-region replica.
+	*/
+	async readAutoScalingSettings(tableName, scalableDimension, client) {
+		try {
+			const asClient = client ?? new ApplicationAutoScalingClient({ region: await this.dynamoDBClient.config.region() ?? "" });
+			const targets = (await asClient.send(new DescribeScalableTargetsCommand({
+				ServiceNamespace: "dynamodb",
+				ResourceIds: [`table/${tableName}`],
+				ScalableDimension: scalableDimension
+			}))).ScalableTargets ?? [];
+			if (targets.length === 0) return null;
+			const target = targets[0];
+			if (target.MinCapacity === void 0 || target.MaxCapacity === void 0) return null;
+			const targetTracking = ((await asClient.send(new DescribeScalingPoliciesCommand({
 				ServiceNamespace: "dynamodb",
 				ResourceId: `table/${tableName}`,
-				ScalableDimension: "dynamodb:table:WriteCapacityUnits"
-			}))).ScalingPolicies ?? []).length > 0;
+				ScalableDimension: scalableDimension
+			}))).ScalingPolicies ?? []).find((p) => p.PolicyType === "TargetTrackingScaling");
+			if (!targetTracking) return null;
+			const cfg = targetTracking.TargetTrackingScalingPolicyConfiguration;
+			if (!cfg || cfg.TargetValue === void 0) return null;
+			const tttConfig = { TargetValue: cfg.TargetValue };
+			if (cfg.DisableScaleIn !== void 0) tttConfig["DisableScaleIn"] = cfg.DisableScaleIn;
+			if (cfg.ScaleInCooldown !== void 0) tttConfig["ScaleInCooldown"] = cfg.ScaleInCooldown;
+			if (cfg.ScaleOutCooldown !== void 0) tttConfig["ScaleOutCooldown"] = cfg.ScaleOutCooldown;
+			return {
+				MinCapacity: target.MinCapacity,
+				MaxCapacity: target.MaxCapacity,
+				TargetTrackingScalingPolicyConfiguration: tttConfig
+			};
 		} catch (err) {
-			this.logger.debug(`Could not query application-autoscaling for ${tableName}: ${err instanceof Error ? err.message : String(err)}`);
-			return false;
+			this.logger.debug(`Could not read application-autoscaling settings for ${tableName} (${scalableDimension}): ${err instanceof Error ? err.message : String(err)}`);
+			return null;
 		}
 	}
 	/**
@@ -8659,13 +8762,17 @@ var DynamoDBGlobalTableProvider = class {
 	* reverse-map. The drift comparator skips these so a templated value
 	* doesn't fire guaranteed false drift on every clean run.
 	*
-	* Issue #389 emptied this list:
-	*  - `WriteProvisionedThroughputSettings` (flat-WriteCapacityUnits
-	*    subset) is now reverse-mapped from `Table.ProvisionedThroughput`
-	*    when BillingMode is PROVISIONED AND application-autoscaling has
-	*    no policy on the WriteCapacityUnits dimension. Auto-scaling
-	*    cases emit an empty `{}` placeholder so the comparator does NOT
-	*    fire false drift on the literal `WriteCapacityUnits` subtree.
+	* Issue #389 + #395 emptied this list:
+	*  - `WriteProvisionedThroughputSettings` reverse-maps both the flat
+	*    `{WriteCapacityUnits}` shape (no autoscaling) AND the full
+	*    `{WriteCapacityAutoScalingSettings}` shape (autoscaling-managed;
+	*    recovered from `DescribeScalableTargets` +
+	*    `DescribeScalingPolicies`). PAY_PER_REQUEST tables emit `{}`.
+	*  - Per-replica `ReadProvisionedThroughputSettings.ReadCapacityAutoScalingSettings`
+	*    reverse-maps from a region-scoped application-autoscaling client
+	*    for the `dynamodb:table:ReadCapacityUnits` dimension. Non-
+	*    autoscaled replicas omit the key (no per-replica flat read
+	*    capacity available in `DescribeTable`).
 	*  - `WriteOnDemandThroughputSettings` is reverse-mapped from
 	*    `Table.OnDemandThroughput.MaxWriteRequestUnits`. Always-emit
 	*    `{}` placeholder when AWS reports no override.
@@ -18007,7 +18114,7 @@ var RDSProvider = class {
 	/**
 	* Wait for a DBCluster to become available
 	*/
-	async waitForClusterAvailable(dbClusterIdentifier, maxWaitMs = 6e5) {
+	async waitForClusterAvailable(dbClusterIdentifier, maxWaitMs = 18e5) {
 		const startTime = Date.now();
 		let delay = 5e3;
 		while (Date.now() - startTime < maxWaitMs) {
@@ -18022,7 +18129,7 @@ var RDSProvider = class {
 	/**
 	* Wait for a DBCluster to be deleted
 	*/
-	async waitForClusterDeleted(dbClusterIdentifier, maxWaitMs = 6e5) {
+	async waitForClusterDeleted(dbClusterIdentifier, maxWaitMs = 18e5) {
 		const startTime = Date.now();
 		let delay = 5e3;
 		while (Date.now() - startTime < maxWaitMs) {
@@ -18043,7 +18150,7 @@ var RDSProvider = class {
 	/**
 	* Wait for a DBInstance to become available
 	*/
-	async waitForInstanceAvailable(dbInstanceIdentifier, maxWaitMs = 6e5) {
+	async waitForInstanceAvailable(dbInstanceIdentifier, maxWaitMs = 18e5) {
 		const startTime = Date.now();
 		let delay = 1e4;
 		while (Date.now() - startTime < maxWaitMs) {
@@ -18058,7 +18165,7 @@ var RDSProvider = class {
 	/**
 	* Wait for a DBInstance to be deleted
 	*/
-	async waitForInstanceDeleted(dbInstanceIdentifier, maxWaitMs = 6e5) {
+	async waitForInstanceDeleted(dbInstanceIdentifier, maxWaitMs = 18e5) {
 		const startTime = Date.now();
 		let delay = 1e4;
 		while (Date.now() - startTime < maxWaitMs) {
@@ -18286,6 +18393,355 @@ var RDSProvider = class {
 	}
 };
 
+//#endregion
+//#region src/provisioning/providers/rds-dbproxy-provider.ts
+const POLL_INTERVAL_MS = 5e3;
+const POLL_TIMEOUT_MS = 900 * 1e3;
+/**
+* AWS RDS DBProxy Provider
+*
+* Implements resource provisioning for `AWS::RDS::DBProxy`.
+*
+* **Why a dedicated SDK provider** (per `feedback_dedicated_provider_over_special_case.md`):
+* keeps the AWS::RDS::DBProxy family (DBProxy + DBProxyTargetGroup) on one
+* codebase. Pre-PR DBProxy went through CC API, which worked for create
+* and delete but the sibling DBProxyTargetGroup type was broken — moving
+* the parent type to a dedicated provider ensures the whole family is
+* consistent and lets us evolve both surfaces together (e.g. shared
+* `DescribeDBProxies` calls in future enrichment, common error handling).
+*
+* **Lifecycle**:
+* - `create`: `CreateDBProxyCommand`, then poll `DescribeDBProxies` until
+*   `DBProxyStatus === 'available'`. Returns physicalId=DBProxyName plus
+*   `Endpoint` / `DBProxyArn` / `VpcId` in attributes.
+* - `update`: `ModifyDBProxyCommand` for the mutable fields (Auth /
+*   DebugLogging / IdleClientTimeout / RequireTLS / RoleArn /
+*   SecurityGroups). Tags handled via separate `AddTagsToResource` /
+*   `RemoveTagsFromResource` diff. EngineFamily and VpcSubnetIds are
+*   immutable on AWS; a diff in those surfaces as `ResourceReplacement`
+*   from the deploy engine, not handled here.
+* - `delete`: `DeleteDBProxyCommand`, then poll for `DBProxyNotFoundFault`
+*   to confirm full removal (AWS keeps the proxy in `deleting` state for
+*   ~30-60s after the delete returns). `DBProxyNotFoundFault` at any
+*   point is treated as idempotent success (region-match-gated).
+* - `getAttribute`: `DescribeDBProxies` for `Endpoint` / `DBProxyArn` /
+*   `VpcId`, cached per `(physicalId, attribute)`.
+* - `import`: explicit `--resource` override OR auto-lookup via
+*   `DescribeDBProxies` + `ListTagsForResource` matching `aws:cdk:path`.
+*
+* **physicalId** = DBProxyName (matches CFn `primaryIdentifier`).
+*/
+var RDSDBProxyProvider = class {
+	rdsClient;
+	providerRegion = process.env["AWS_REGION"];
+	logger = getLogger().child("RDSDBProxyProvider");
+	attributeCache = /* @__PURE__ */ new Map();
+	handledProperties = new Map([["AWS::RDS::DBProxy", new Set([
+		"DBProxyName",
+		"EngineFamily",
+		"Auth",
+		"RoleArn",
+		"VpcSubnetIds",
+		"VpcSecurityGroupIds",
+		"RequireTLS",
+		"IdleClientTimeout",
+		"DebugLogging",
+		"Tags"
+	])]]);
+	getClient() {
+		if (!this.rdsClient) this.rdsClient = new RDSClient(this.providerRegion ? { region: this.providerRegion } : {});
+		return this.rdsClient;
+	}
+	async create(logicalId, resourceType, properties) {
+		const dbProxyName = properties["DBProxyName"] ?? generateResourceName(logicalId, { maxLength: 64 });
+		const engineFamily = properties["EngineFamily"];
+		if (!engineFamily) throw new ProvisioningError(`EngineFamily is required for AWS::RDS::DBProxy ${logicalId}`, resourceType, logicalId);
+		const auth = properties["Auth"];
+		if (!auth || auth.length === 0) throw new ProvisioningError(`Auth (at least one entry) is required for AWS::RDS::DBProxy ${logicalId}`, resourceType, logicalId);
+		const roleArn = properties["RoleArn"];
+		if (!roleArn) throw new ProvisioningError(`RoleArn is required for AWS::RDS::DBProxy ${logicalId}`, resourceType, logicalId);
+		const vpcSubnetIds = properties["VpcSubnetIds"];
+		if (!vpcSubnetIds || vpcSubnetIds.length === 0) throw new ProvisioningError(`VpcSubnetIds (at least one) is required for AWS::RDS::DBProxy ${logicalId}`, resourceType, logicalId);
+		const client = this.getClient();
+		this.logger.debug(`Creating DBProxy ${dbProxyName} (${engineFamily})`);
+		try {
+			await client.send(new CreateDBProxyCommand({
+				DBProxyName: dbProxyName,
+				EngineFamily: engineFamily,
+				Auth: auth,
+				RoleArn: roleArn,
+				VpcSubnetIds: vpcSubnetIds,
+				VpcSecurityGroupIds: properties["VpcSecurityGroupIds"],
+				RequireTLS: properties["RequireTLS"],
+				IdleClientTimeout: properties["IdleClientTimeout"],
+				DebugLogging: properties["DebugLogging"],
+				Tags: this.toAwsTags(properties["Tags"])
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "CREATE", resourceType, logicalId, void 0);
+		}
+		let endpoint;
+		let dbProxyArn;
+		let vpcId;
+		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		let status;
+		while (Date.now() < deadline) {
+			try {
+				const proxy = (await client.send(new DescribeDBProxiesCommand({ DBProxyName: dbProxyName }))).DBProxies?.[0];
+				status = proxy?.Status;
+				if (status === "available") {
+					endpoint = proxy?.Endpoint;
+					dbProxyArn = proxy?.DBProxyArn;
+					vpcId = proxy?.VpcId;
+					break;
+				}
+				if (status === "incompatible-network" || status === "insufficient-resource-limits") throw new ProvisioningError(`DBProxy ${dbProxyName} entered terminal failure state: ${status}`, resourceType, logicalId, dbProxyName);
+			} catch (error) {
+				if (error instanceof DBProxyNotFoundFault) {} else if (error instanceof ProvisioningError) throw error;
+				else throw this.wrapError(error, "CREATE (poll)", resourceType, logicalId, dbProxyName);
+			}
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+		}
+		if (!endpoint || !dbProxyArn) throw new ProvisioningError(`Timed out waiting for DBProxy ${dbProxyName} to become available (last status: ${status ?? "unknown"})`, resourceType, logicalId, dbProxyName);
+		return {
+			physicalId: dbProxyName,
+			attributes: {
+				DBProxyArn: dbProxyArn,
+				Endpoint: endpoint,
+				VpcId: vpcId ?? ""
+			}
+		};
+	}
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		const client = this.getClient();
+		const input = { DBProxyName: physicalId };
+		let hasModify = false;
+		for (const key of [
+			"Auth",
+			"RequireTLS",
+			"IdleClientTimeout",
+			"DebugLogging",
+			"RoleArn",
+			"VpcSecurityGroupIds"
+		]) if (JSON.stringify(properties[key]) !== JSON.stringify(previousProperties[key])) {
+			const sdkKey = key === "VpcSecurityGroupIds" ? "SecurityGroups" : key;
+			input[sdkKey] = properties[key];
+			hasModify = true;
+		}
+		if (hasModify) {
+			this.logger.debug(`Updating DBProxy ${physicalId}: ${Object.keys(input).filter((k) => k !== "DBProxyName").join(", ")}`);
+			try {
+				await client.send(new ModifyDBProxyCommand(input));
+			} catch (error) {
+				throw this.wrapError(error, "UPDATE", resourceType, logicalId, physicalId);
+			}
+		}
+		await this.applyTagDiff(physicalId, previousProperties["Tags"], properties["Tags"], resourceType, logicalId);
+		this.invalidateAttributeCache(physicalId);
+		return {
+			physicalId,
+			wasReplaced: false
+		};
+	}
+	async delete(logicalId, physicalId, resourceType, _properties, context) {
+		const client = this.getClient();
+		this.logger.debug(`Deleting DBProxy ${physicalId}`);
+		try {
+			await client.send(new DeleteDBProxyCommand({ DBProxyName: physicalId }));
+		} catch (error) {
+			if (error instanceof DBProxyNotFoundFault) {
+				assertRegionMatch(await client.config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
+				this.logger.debug(`DBProxy ${physicalId} already gone, treating as success`);
+				return;
+			}
+			throw this.wrapError(error, "DELETE", resourceType, logicalId, physicalId);
+		}
+		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		while (Date.now() < deadline) {
+			try {
+				await client.send(new DescribeDBProxiesCommand({ DBProxyName: physicalId }));
+			} catch (error) {
+				if (error instanceof DBProxyNotFoundFault) {
+					this.logger.debug(`DBProxy ${physicalId} fully deleted`);
+					return;
+				}
+				throw this.wrapError(error, "DELETE (poll)", resourceType, logicalId, physicalId);
+			}
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+		}
+		throw new ProvisioningError(`Timed out waiting for DBProxy ${physicalId} to fully delete`, resourceType, logicalId, physicalId);
+	}
+	async getAttribute(physicalId, _resourceType, attributeName) {
+		const cacheKey = `${physicalId}:${attributeName}`;
+		const cached = this.attributeCache.get(cacheKey);
+		if (cached !== void 0) return cached;
+		if (attributeName !== "Endpoint" && attributeName !== "DBProxyArn" && attributeName !== "VpcId") {
+			this.logger.warn(`Unknown attribute ${attributeName} for AWS::RDS::DBProxy, returning undefined`);
+			return;
+		}
+		try {
+			const proxy = (await this.getClient().send(new DescribeDBProxiesCommand({ DBProxyName: physicalId }))).DBProxies?.[0];
+			if (!proxy) return void 0;
+			const value = {
+				Endpoint: proxy.Endpoint,
+				DBProxyArn: proxy.DBProxyArn,
+				VpcId: proxy.VpcId
+			}[attributeName];
+			if (value !== void 0) this.attributeCache.set(cacheKey, value);
+			return value;
+		} catch (error) {
+			if (error instanceof DBProxyNotFoundFault) return void 0;
+			throw error;
+		}
+	}
+	async import(input) {
+		const explicit = resolveExplicitPhysicalId(input, "DBProxyName");
+		if (explicit) return this.buildImportResult(explicit);
+		const client = this.getClient();
+		let marker;
+		do {
+			const describe = await client.send(new DescribeDBProxiesCommand({
+				Marker: marker,
+				MaxRecords: 100
+			}));
+			for (const proxy of describe.DBProxies ?? []) {
+				if (!proxy.DBProxyArn) continue;
+				try {
+					if (matchesCdkPath((await client.send(new ListTagsForResourceCommand$8({ ResourceName: proxy.DBProxyArn }))).TagList ?? [], input.cdkPath)) return this.buildImportResult(proxy.DBProxyName ?? "");
+				} catch (error) {
+					this.logger.debug(`ListTagsForResource failed for ${proxy.DBProxyName}: ${error instanceof Error ? error.message : String(error)}`);
+				}
+			}
+			marker = describe.Marker;
+		} while (marker);
+		return null;
+	}
+	/**
+	* Reads the AWS-current configuration. Drift comparator uses this as the
+	* authoritative snapshot for resources written under schema v3+.
+	*/
+	async readCurrentState(physicalId) {
+		const client = this.getClient();
+		let proxy;
+		try {
+			proxy = (await client.send(new DescribeDBProxiesCommand({ DBProxyName: physicalId }))).DBProxies?.[0];
+			if (!proxy) return void 0;
+		} catch (error) {
+			if (error instanceof DBProxyNotFoundFault) return void 0;
+			throw error;
+		}
+		const p = proxy;
+		const result = {
+			DBProxyName: p.DBProxyName,
+			EngineFamily: p.EngineFamily,
+			RoleArn: p.RoleArn,
+			VpcSubnetIds: p.VpcSubnetIds ?? [],
+			VpcSecurityGroupIds: p.VpcSecurityGroupIds ?? [],
+			RequireTLS: p.RequireTLS ?? false,
+			IdleClientTimeout: p.IdleClientTimeout,
+			DebugLogging: p.DebugLogging ?? false,
+			Auth: (p.Auth ?? []).map((a) => ({
+				Description: a.Description,
+				UserName: a.UserName,
+				AuthScheme: a.AuthScheme,
+				SecretArn: a.SecretArn,
+				IAMAuth: a.IAMAuth,
+				ClientPasswordAuthType: a.ClientPasswordAuthType
+			}))
+		};
+		if (p.DBProxyArn) try {
+			result["Tags"] = normalizeAwsTagsToCfn((await client.send(new ListTagsForResourceCommand$8({ ResourceName: p.DBProxyArn }))).TagList ?? []);
+		} catch (error) {
+			this.logger.debug(`ListTagsForResource failed for ${physicalId}: ${error instanceof Error ? error.message : String(error)}`);
+			result["Tags"] = [];
+		}
+		else result["Tags"] = [];
+		return result;
+	}
+	async applyTagDiff(physicalId, oldTags, newTags, resourceType, logicalId) {
+		const client = this.getClient();
+		const arnCacheKey = `${physicalId}:DBProxyArn`;
+		let arn = this.attributeCache.get(arnCacheKey);
+		if (!arn) try {
+			arn = (await client.send(new DescribeDBProxiesCommand({ DBProxyName: physicalId }))).DBProxies?.[0]?.DBProxyArn;
+			if (arn) this.attributeCache.set(arnCacheKey, arn);
+		} catch (error) {
+			this.logger.debug(`Skipping tag diff for ${physicalId} (no ARN): ${error instanceof Error ? error.message : String(error)}`);
+			return;
+		}
+		if (!arn) return;
+		const oldMap = this.toTagMap(oldTags);
+		const newMap = this.toTagMap(newTags);
+		const toRemove = [];
+		const toAdd = [];
+		for (const k of oldMap.keys()) if (!newMap.has(k)) toRemove.push(k);
+		for (const [k, v] of newMap.entries()) if (oldMap.get(k) !== v) toAdd.push({
+			Key: k,
+			Value: v
+		});
+		if (toRemove.length > 0) try {
+			await client.send(new RemoveTagsFromResourceCommand$1({
+				ResourceName: arn,
+				TagKeys: toRemove
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "UPDATE (remove tags)", resourceType, logicalId, physicalId);
+		}
+		if (toAdd.length > 0) try {
+			await client.send(new AddTagsToResourceCommand$1({
+				ResourceName: arn,
+				Tags: toAdd
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "UPDATE (add tags)", resourceType, logicalId, physicalId);
+		}
+	}
+	toTagMap(tags) {
+		const map = /* @__PURE__ */ new Map();
+		if (Array.isArray(tags)) {
+			for (const entry of tags) if (entry?.Key !== void 0) map.set(entry.Key, entry.Value ?? "");
+		}
+		return map;
+	}
+	toAwsTags(tags) {
+		if (!Array.isArray(tags) || tags.length === 0) return void 0;
+		return tags.filter((t) => t.Key !== void 0).map((t) => ({
+			Key: t.Key,
+			Value: t.Value ?? ""
+		}));
+	}
+	async buildImportResult(physicalId) {
+		try {
+			const proxy = (await this.getClient().send(new DescribeDBProxiesCommand({ DBProxyName: physicalId }))).DBProxies?.[0];
+			return {
+				physicalId,
+				attributes: {
+					DBProxyArn: proxy?.DBProxyArn ?? "",
+					Endpoint: proxy?.Endpoint ?? "",
+					VpcId: proxy?.VpcId ?? ""
+				}
+			};
+		} catch {
+			return {
+				physicalId,
+				attributes: {
+					DBProxyArn: "",
+					Endpoint: "",
+					VpcId: ""
+				}
+			};
+		}
+	}
+	invalidateAttributeCache(physicalId) {
+		for (const key of this.attributeCache.keys()) if (key.startsWith(`${physicalId}:`)) this.attributeCache.delete(key);
+	}
+	wrapError(error, op, resourceType, logicalId, physicalId) {
+		const message = error instanceof Error ? error.message : String(error);
+		const cause = error instanceof Error ? error : void 0;
+		return new ProvisioningError(`${op} failed for ${logicalId}: ${message}`, resourceType, logicalId, physicalId, cause);
+	}
+};
+
 //#endregion
 //#region src/provisioning/providers/rds-dbproxy-targetgroup-provider.ts
 /**
@@ -18393,8 +18849,71 @@ var RDSDBProxyTargetGroupProvider = class {
 			}
 		};
 	}
-	async update(logicalId, _physicalId, resourceType, _oldProperties, _newProperties) {
-		throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "destroy + redeploy; in-place updates of registered targets / connection pool config are not yet supported");
+	/**
+	* In-place update support: target add/remove (DBClusterIdentifiers /
+	* DBInstanceIdentifiers diff) via `RegisterDBProxyTargets` /
+	* `DeregisterDBProxyTargets`, and ConnectionPoolConfigurationInfo
+	* rewrite via `ModifyDBProxyTargetGroup`. DBProxyName + TargetGroupName
+	* are part of the resource identity — a diff in either surfaces as
+	* replacement upstream (not handled here).
+	*/
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		const dbProxyName = properties["DBProxyName"];
+		if (!dbProxyName) throw new ProvisioningError(`DBProxyName is required for AWS::RDS::DBProxyTargetGroup ${logicalId} update`, resourceType, logicalId, physicalId);
+		const targetGroupName = properties["TargetGroupName"] ?? "default";
+		const client = this.getClient();
+		const oldPool = previousProperties["ConnectionPoolConfigurationInfo"];
+		const newPool = properties["ConnectionPoolConfigurationInfo"];
+		if (JSON.stringify(oldPool) !== JSON.stringify(newPool)) {
+			this.logger.debug(`Updating connection pool config for ${dbProxyName}/${targetGroupName}`);
+			try {
+				await client.send(new ModifyDBProxyTargetGroupCommand({
+					DBProxyName: dbProxyName,
+					TargetGroupName: targetGroupName,
+					ConnectionPoolConfig: newPool ?? {}
+				}));
+			} catch (error) {
+				throw this.wrapError(error, "UPDATE (pool config)", resourceType, logicalId, physicalId);
+			}
+		}
+		const oldClusters = new Set(previousProperties["DBClusterIdentifiers"] ?? []);
+		const newClusters = new Set(properties["DBClusterIdentifiers"] ?? []);
+		const oldInstances = new Set(previousProperties["DBInstanceIdentifiers"] ?? []);
+		const newInstances = new Set(properties["DBInstanceIdentifiers"] ?? []);
+		const clustersToRemove = [...oldClusters].filter((c) => !newClusters.has(c));
+		const clustersToAdd = [...newClusters].filter((c) => !oldClusters.has(c));
+		const instancesToRemove = [...oldInstances].filter((i) => !newInstances.has(i));
+		const instancesToAdd = [...newInstances].filter((i) => !oldInstances.has(i));
+		if (clustersToRemove.length > 0 || instancesToRemove.length > 0) {
+			this.logger.debug(`Deregistering targets from ${dbProxyName}/${targetGroupName}: clusters=[${clustersToRemove.join(",")}], instances=[${instancesToRemove.join(",")}]`);
+			try {
+				await client.send(new DeregisterDBProxyTargetsCommand({
+					DBProxyName: dbProxyName,
+					TargetGroupName: targetGroupName,
+					DBClusterIdentifiers: clustersToRemove.length > 0 ? clustersToRemove : void 0,
+					DBInstanceIdentifiers: instancesToRemove.length > 0 ? instancesToRemove : void 0
+				}));
+			} catch (error) {
+				if (!(error instanceof DBProxyTargetNotFoundFault)) throw this.wrapError(error, "UPDATE (deregister)", resourceType, logicalId, physicalId);
+			}
+		}
+		if (clustersToAdd.length > 0 || instancesToAdd.length > 0) {
+			this.logger.debug(`Registering targets to ${dbProxyName}/${targetGroupName}: clusters=[${clustersToAdd.join(",")}], instances=[${instancesToAdd.join(",")}]`);
+			try {
+				await client.send(new RegisterDBProxyTargetsCommand({
+					DBProxyName: dbProxyName,
+					TargetGroupName: targetGroupName,
+					DBClusterIdentifiers: clustersToAdd.length > 0 ? clustersToAdd : void 0,
+					DBInstanceIdentifiers: instancesToAdd.length > 0 ? instancesToAdd : void 0
+				}));
+			} catch (error) {
+				throw this.wrapError(error, "UPDATE (register)", resourceType, logicalId, physicalId);
+			}
+		}
+		return {
+			physicalId,
+			wasReplaced: false
+		};
 	}
 	async delete(logicalId, physicalId, resourceType, properties, context) {
 		const props = properties ?? {};
@@ -29183,6 +29702,7 @@ function registerAllProviders(registry) {
 	registry.register("AWS::RDS::DBSubnetGroup", rdsProvider);
 	registry.register("AWS::RDS::DBCluster", rdsProvider);
 	registry.register("AWS::RDS::DBInstance", rdsProvider);
+	registry.register("AWS::RDS::DBProxy", new RDSDBProxyProvider());
 	registry.register("AWS::RDS::DBProxyTargetGroup", new RDSDBProxyTargetGroupProvider());
 	const docdbProvider = new DocDBProvider();
 	registry.register("AWS::DocDB::DBSubnetGroup", docdbProvider);
@@ -44163,7 +44683,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.105.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.107.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());