@go-to-k/cdkd 0.107.0 → 0.108.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-D6nbHjNM.js";
+import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-Br8DvrvB.js";
 import { createHash, createPublicKey, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -30,7 +30,7 @@ import { CreateAliasCommand, CreateKeyCommand, DeleteAliasCommand, DescribeKeyCo
 import { promisify } from "node:util";
 import { CreateRepositoryCommand, DeleteLifecyclePolicyCommand, DeleteRepositoryCommand, DeleteRepositoryPolicyCommand, DescribeRepositoriesCommand, ECRClient, GetAuthorizationTokenCommand, GetLifecyclePolicyCommand, LifecyclePolicyNotFoundException, ListTagsForResourceCommand as ListTagsForResourceCommand$7, PutImageScanningConfigurationCommand, PutImageTagMutabilityCommand, PutLifecyclePolicyCommand, RepositoryNotFoundException, SetRepositoryPolicyCommand, TagResourceCommand as TagResourceCommand$9 } from "@aws-sdk/client-ecr";
 import graphlib from "graphlib";
-import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBProxyCommand, CreateDBSubnetGroupCommand, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBProxyCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxiesCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
+import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBProxyCommand, CreateDBProxyEndpointCommand, CreateDBSubnetGroupCommand, DBProxyEndpointNotFoundFault, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBProxyCommand, DeleteDBProxyEndpointCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxiesCommand, DescribeDBProxyEndpointsCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyCommand, ModifyDBProxyEndpointCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
 import { Command, Option } from "commander";
 import { writeFileSync as writeFileSync$1 } from "fs";
 import { join as join$1 } from "path";
@@ -18395,8 +18395,8 @@ var RDSProvider = class {
 
 //#endregion
 //#region src/provisioning/providers/rds-dbproxy-provider.ts
-const POLL_INTERVAL_MS = 5e3;
-const POLL_TIMEOUT_MS = 900 * 1e3;
+const POLL_INTERVAL_MS$1 = 5e3;
+const POLL_TIMEOUT_MS$1 = 900 * 1e3;
 /**
 * AWS RDS DBProxy Provider
 *
@@ -18483,7 +18483,7 @@ var RDSDBProxyProvider = class {
 		let endpoint;
 		let dbProxyArn;
 		let vpcId;
-		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		const deadline = Date.now() + POLL_TIMEOUT_MS$1;
 		let status;
 		while (Date.now() < deadline) {
 			try {
@@ -18500,7 +18500,7 @@ var RDSDBProxyProvider = class {
 				if (error instanceof DBProxyNotFoundFault) {} else if (error instanceof ProvisioningError) throw error;
 				else throw this.wrapError(error, "CREATE (poll)", resourceType, logicalId, dbProxyName);
 			}
-			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS$1));
 		}
 		if (!endpoint || !dbProxyArn) throw new ProvisioningError(`Timed out waiting for DBProxy ${dbProxyName} to become available (last status: ${status ?? "unknown"})`, resourceType, logicalId, dbProxyName);
 		return {
@@ -18514,6 +18514,11 @@ var RDSDBProxyProvider = class {
 	}
 	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
 		const client = this.getClient();
+		for (const field of [
+			"DBProxyName",
+			"EngineFamily",
+			"VpcSubnetIds"
+		]) if (JSON.stringify(properties[field]) !== JSON.stringify(previousProperties[field])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `${field} is immutable on AWS::RDS::DBProxy — destroy + redeploy to change it`);
 		const input = { DBProxyName: physicalId };
 		let hasModify = false;
 		for (const key of [
@@ -18556,7 +18561,7 @@ var RDSDBProxyProvider = class {
 			}
 			throw this.wrapError(error, "DELETE", resourceType, logicalId, physicalId);
 		}
-		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		const deadline = Date.now() + POLL_TIMEOUT_MS$1;
 		while (Date.now() < deadline) {
 			try {
 				await client.send(new DescribeDBProxiesCommand({ DBProxyName: physicalId }));
@@ -18567,7 +18572,7 @@ var RDSDBProxyProvider = class {
 				}
 				throw this.wrapError(error, "DELETE (poll)", resourceType, logicalId, physicalId);
 			}
-			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS$1));
 		}
 		throw new ProvisioningError(`Timed out waiting for DBProxy ${physicalId} to fully delete`, resourceType, logicalId, physicalId);
 	}
@@ -18742,6 +18747,337 @@ var RDSDBProxyProvider = class {
 	}
 };
 
+//#endregion
+//#region src/provisioning/providers/rds-dbproxy-endpoint-provider.ts
+const POLL_INTERVAL_MS = 5e3;
+const POLL_TIMEOUT_MS = 900 * 1e3;
+/**
+* AWS RDS DBProxyEndpoint Provider
+*
+* Implements resource provisioning for `AWS::RDS::DBProxyEndpoint` — the
+* additional read/write or read-only endpoint that can be attached to a
+* parent DBProxy.
+*
+* **Why a dedicated SDK provider** (per `feedback_dedicated_provider_over_special_case.md`):
+* completes the RDS DBProxy family started in PR #387 (`DBProxyTargetGroup`)
+* and PR #394 (`DBProxy`). Keeps the whole family on one codebase so create /
+* update / delete handling stays consistent across the parent + endpoints +
+* target-group children.
+*
+* **Lifecycle**:
+* - `create`: validates required fields (`DBProxyName` / `VpcSubnetIds`),
+*   issues `CreateDBProxyEndpointCommand`, then polls `DescribeDBProxyEndpoints`
+*   until `Status === 'available'`. Returns `physicalId = DBProxyEndpointName`
+*   plus `Endpoint` / `DBProxyEndpointArn` / `IsDefault` / `VpcId` in
+*   `attributes`.
+* - `update`: `ModifyDBProxyEndpointCommand` for the mutable fields
+*   (`VpcSecurityGroupIds` → SDK input `VpcSecurityGroupIds`,
+*   `NewDBProxyEndpointName` via rename). Tags diff via separate
+*   `AddTagsToResource` / `RemoveTagsFromResource` calls. DBProxyName /
+*   VpcSubnetIds / TargetRole are immutable on AWS.
+* - `delete`: `DeleteDBProxyEndpointCommand`, then polls until
+*   `DBProxyEndpointNotFoundFault`. Idempotent on NotFound (region-match
+*   gated). `DBProxyNotFoundFault` also idempotent — if the parent DBProxy
+*   is already gone via CASCADE, the endpoint is too.
+* - `getAttribute`: `Endpoint` / `DBProxyEndpointArn` / `IsDefault` / `VpcId`
+*   via `DescribeDBProxyEndpoints`, cached per `(physicalId, attribute)`.
+* - `import`: explicit `--resource <id>=<DBProxyEndpointName>` first; falls
+*   back to paginated auto-lookup via `DescribeDBProxyEndpoints` +
+*   `ListTagsForResource` matching `aws:cdk:path`.
+*
+* **physicalId** = DBProxyEndpointName (matches CFn `primaryIdentifier`).
+*/
+var RDSDBProxyEndpointProvider = class {
+	rdsClient;
+	providerRegion = process.env["AWS_REGION"];
+	logger = getLogger().child("RDSDBProxyEndpointProvider");
+	attributeCache = /* @__PURE__ */ new Map();
+	handledProperties = new Map([["AWS::RDS::DBProxyEndpoint", new Set([
+		"DBProxyEndpointName",
+		"DBProxyName",
+		"VpcSubnetIds",
+		"VpcSecurityGroupIds",
+		"TargetRole",
+		"Tags"
+	])]]);
+	getClient() {
+		if (!this.rdsClient) this.rdsClient = new RDSClient(this.providerRegion ? { region: this.providerRegion } : {});
+		return this.rdsClient;
+	}
+	async create(logicalId, resourceType, properties) {
+		const dbProxyName = properties["DBProxyName"];
+		if (!dbProxyName) throw new ProvisioningError(`DBProxyName is required for AWS::RDS::DBProxyEndpoint ${logicalId}`, resourceType, logicalId);
+		const dbProxyEndpointName = properties["DBProxyEndpointName"] ?? generateResourceName(logicalId, { maxLength: 64 });
+		const vpcSubnetIds = properties["VpcSubnetIds"];
+		if (!vpcSubnetIds || vpcSubnetIds.length === 0) throw new ProvisioningError(`VpcSubnetIds (at least one) is required for AWS::RDS::DBProxyEndpoint ${logicalId}`, resourceType, logicalId);
+		const client = this.getClient();
+		this.logger.debug(`Creating DBProxyEndpoint ${dbProxyEndpointName} (proxy=${dbProxyName})`);
+		try {
+			await client.send(new CreateDBProxyEndpointCommand({
+				DBProxyName: dbProxyName,
+				DBProxyEndpointName: dbProxyEndpointName,
+				VpcSubnetIds: vpcSubnetIds,
+				VpcSecurityGroupIds: properties["VpcSecurityGroupIds"],
+				TargetRole: properties["TargetRole"],
+				Tags: this.toAwsTags(properties["Tags"])
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "CREATE", resourceType, logicalId, void 0);
+		}
+		let endpoint;
+		let arn;
+		let isDefault;
+		let vpcId;
+		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		let status;
+		while (Date.now() < deadline) {
+			try {
+				const ep = (await client.send(new DescribeDBProxyEndpointsCommand({
+					DBProxyName: dbProxyName,
+					DBProxyEndpointName: dbProxyEndpointName
+				}))).DBProxyEndpoints?.[0];
+				status = ep?.Status;
+				if (status === "available") {
+					endpoint = ep?.Endpoint;
+					arn = ep?.DBProxyEndpointArn;
+					isDefault = ep?.IsDefault;
+					vpcId = ep?.VpcId;
+					break;
+				}
+				if (status === "incompatible-network" || status === "insufficient-resource-limits") throw new ProvisioningError(`DBProxyEndpoint ${dbProxyEndpointName} entered terminal failure state: ${status}`, resourceType, logicalId, dbProxyEndpointName);
+			} catch (error) {
+				if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) {} else if (error instanceof ProvisioningError) throw error;
+				else throw this.wrapError(error, "CREATE (poll)", resourceType, logicalId, dbProxyEndpointName);
+			}
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+		}
+		if (!endpoint || !arn) throw new ProvisioningError(`Timed out waiting for DBProxyEndpoint ${dbProxyEndpointName} to become available (last status: ${status ?? "unknown"})`, resourceType, logicalId, dbProxyEndpointName);
+		return {
+			physicalId: dbProxyEndpointName,
+			attributes: {
+				Endpoint: endpoint,
+				DBProxyEndpointArn: arn,
+				IsDefault: isDefault ?? false,
+				VpcId: vpcId ?? ""
+			}
+		};
+	}
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		const client = this.getClient();
+		for (const field of [
+			"DBProxyName",
+			"DBProxyEndpointName",
+			"VpcSubnetIds",
+			"TargetRole"
+		]) if (JSON.stringify(properties[field]) !== JSON.stringify(previousProperties[field])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `${field} is immutable on AWS::RDS::DBProxyEndpoint — destroy + redeploy to change it`);
+		const oldSG = previousProperties["VpcSecurityGroupIds"] ?? [];
+		const newSG = properties["VpcSecurityGroupIds"] ?? [];
+		if (JSON.stringify(oldSG) !== JSON.stringify(newSG)) {
+			this.logger.debug(`Updating DBProxyEndpoint ${physicalId} security groups`);
+			try {
+				await client.send(new ModifyDBProxyEndpointCommand({
+					DBProxyEndpointName: physicalId,
+					VpcSecurityGroupIds: newSG
+				}));
+			} catch (error) {
+				throw this.wrapError(error, "UPDATE", resourceType, logicalId, physicalId);
+			}
+		}
+		await this.applyTagDiff(physicalId, previousProperties["Tags"], properties["Tags"], resourceType, logicalId);
+		this.invalidateAttributeCache(physicalId);
+		return {
+			physicalId,
+			wasReplaced: false
+		};
+	}
+	async delete(logicalId, physicalId, resourceType, _properties, context) {
+		const client = this.getClient();
+		this.logger.debug(`Deleting DBProxyEndpoint ${physicalId}`);
+		try {
+			await client.send(new DeleteDBProxyEndpointCommand({ DBProxyEndpointName: physicalId }));
+		} catch (error) {
+			if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) {
+				assertRegionMatch(await client.config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
+				this.logger.debug(`DBProxyEndpoint ${physicalId} or parent already gone, treating as success`);
+				return;
+			}
+			throw this.wrapError(error, "DELETE", resourceType, logicalId, physicalId);
+		}
+		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		while (Date.now() < deadline) {
+			try {
+				await client.send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }));
+			} catch (error) {
+				if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) {
+					this.logger.debug(`DBProxyEndpoint ${physicalId} fully deleted`);
+					return;
+				}
+				throw this.wrapError(error, "DELETE (poll)", resourceType, logicalId, physicalId);
+			}
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+		}
+		throw new ProvisioningError(`Timed out waiting for DBProxyEndpoint ${physicalId} to fully delete`, resourceType, logicalId, physicalId);
+	}
+	async getAttribute(physicalId, _resourceType, attributeName) {
+		const cacheKey = `${physicalId}:${attributeName}`;
+		const cached = this.attributeCache.get(cacheKey);
+		if (cached !== void 0) return cached;
+		if (attributeName !== "Endpoint" && attributeName !== "DBProxyEndpointArn" && attributeName !== "IsDefault" && attributeName !== "VpcId") {
+			this.logger.warn(`Unknown attribute ${attributeName} for AWS::RDS::DBProxyEndpoint, returning undefined`);
+			return;
+		}
+		try {
+			const ep = (await this.getClient().send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0];
+			if (!ep) return void 0;
+			const value = {
+				Endpoint: ep.Endpoint,
+				DBProxyEndpointArn: ep.DBProxyEndpointArn,
+				IsDefault: ep.IsDefault ?? false,
+				VpcId: ep.VpcId
+			}[attributeName];
+			if (value !== void 0) this.attributeCache.set(cacheKey, value);
+			return value;
+		} catch (error) {
+			if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) return;
+			throw error;
+		}
+	}
+	async import(input) {
+		const explicit = resolveExplicitPhysicalId(input, "DBProxyEndpointName");
+		if (explicit) return this.buildImportResult(explicit);
+		const client = this.getClient();
+		let marker;
+		do {
+			const describe = await client.send(new DescribeDBProxyEndpointsCommand({
+				Marker: marker,
+				MaxRecords: 100
+			}));
+			for (const ep of describe.DBProxyEndpoints ?? []) {
+				if (!ep.DBProxyEndpointArn) continue;
+				try {
+					if (matchesCdkPath((await client.send(new ListTagsForResourceCommand$8({ ResourceName: ep.DBProxyEndpointArn }))).TagList ?? [], input.cdkPath)) return this.buildImportResult(ep.DBProxyEndpointName ?? "");
+				} catch (error) {
+					this.logger.debug(`ListTagsForResource failed for ${ep.DBProxyEndpointName}: ${error instanceof Error ? error.message : String(error)}`);
+				}
+			}
+			marker = describe.Marker;
+		} while (marker);
+		return null;
+	}
+	async readCurrentState(physicalId) {
+		const client = this.getClient();
+		let ep;
+		try {
+			ep = (await client.send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0];
+			if (!ep) return void 0;
+		} catch (error) {
+			if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) return;
+			throw error;
+		}
+		const e = ep;
+		const result = {
+			DBProxyEndpointName: e.DBProxyEndpointName,
+			DBProxyName: e.DBProxyName,
+			VpcSubnetIds: e.VpcSubnetIds ?? [],
+			VpcSecurityGroupIds: e.VpcSecurityGroupIds ?? [],
+			TargetRole: e.TargetRole ?? "READ_WRITE"
+		};
+		if (e.DBProxyEndpointArn) try {
+			result["Tags"] = normalizeAwsTagsToCfn((await client.send(new ListTagsForResourceCommand$8({ ResourceName: e.DBProxyEndpointArn }))).TagList ?? []);
+		} catch (error) {
+			this.logger.debug(`ListTagsForResource failed for ${physicalId}: ${error instanceof Error ? error.message : String(error)}`);
+			result["Tags"] = [];
+		}
+		else result["Tags"] = [];
+		return result;
+	}
+	async applyTagDiff(physicalId, oldTags, newTags, resourceType, logicalId) {
+		const oldMap = this.toTagMap(oldTags);
+		const newMap = this.toTagMap(newTags);
+		if (oldMap.size === newMap.size && [...oldMap.keys()].every((k) => newMap.has(k)) && [...oldMap.entries()].every(([k, v]) => newMap.get(k) === v)) return;
+		const client = this.getClient();
+		const arnCacheKey = `${physicalId}:DBProxyEndpointArn`;
+		let arn = this.attributeCache.get(arnCacheKey);
+		if (!arn) try {
+			arn = (await client.send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0]?.DBProxyEndpointArn;
+			if (arn) this.attributeCache.set(arnCacheKey, arn);
+		} catch (error) {
+			this.logger.debug(`Skipping tag diff for ${physicalId} (no ARN): ${error instanceof Error ? error.message : String(error)}`);
+			return;
+		}
+		if (!arn) return;
+		const toRemove = [];
+		const toAdd = [];
+		for (const k of oldMap.keys()) if (!newMap.has(k)) toRemove.push(k);
+		for (const [k, v] of newMap.entries()) if (oldMap.get(k) !== v) toAdd.push({
+			Key: k,
+			Value: v
+		});
+		if (toRemove.length > 0) try {
+			await client.send(new RemoveTagsFromResourceCommand$1({
+				ResourceName: arn,
+				TagKeys: toRemove
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "UPDATE (remove tags)", resourceType, logicalId, physicalId);
+		}
+		if (toAdd.length > 0) try {
+			await client.send(new AddTagsToResourceCommand$1({
+				ResourceName: arn,
+				Tags: toAdd
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "UPDATE (add tags)", resourceType, logicalId, physicalId);
+		}
+	}
+	toTagMap(tags) {
+		const map = /* @__PURE__ */ new Map();
+		if (Array.isArray(tags)) {
+			for (const entry of tags) if (entry?.Key !== void 0) map.set(entry.Key, entry.Value ?? "");
+		}
+		return map;
+	}
+	toAwsTags(tags) {
+		if (!Array.isArray(tags) || tags.length === 0) return void 0;
+		return tags.filter((t) => t.Key !== void 0).map((t) => ({
+			Key: t.Key,
+			Value: t.Value ?? ""
+		}));
+	}
+	async buildImportResult(physicalId) {
+		try {
+			const ep = (await this.getClient().send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0];
+			return {
+				physicalId,
+				attributes: {
+					Endpoint: ep?.Endpoint ?? "",
+					DBProxyEndpointArn: ep?.DBProxyEndpointArn ?? "",
+					IsDefault: ep?.IsDefault ?? false,
+					VpcId: ep?.VpcId ?? ""
+				}
+			};
+		} catch {
+			return {
+				physicalId,
+				attributes: {
+					Endpoint: "",
+					DBProxyEndpointArn: "",
+					IsDefault: false,
+					VpcId: ""
+				}
+			};
+		}
+	}
+	invalidateAttributeCache(physicalId) {
+		for (const key of this.attributeCache.keys()) if (key.startsWith(`${physicalId}:`)) this.attributeCache.delete(key);
+	}
+	wrapError(error, op, resourceType, logicalId, physicalId) {
+		const message = error instanceof Error ? error.message : String(error);
+		const cause = error instanceof Error ? error : void 0;
+		return new ProvisioningError(`${op} failed for ${logicalId}: ${message}`, resourceType, logicalId, physicalId, cause);
+	}
+};
+
 //#endregion
 //#region src/provisioning/providers/rds-dbproxy-targetgroup-provider.ts
 /**
@@ -18861,6 +19197,12 @@ var RDSDBProxyTargetGroupProvider = class {
 		const dbProxyName = properties["DBProxyName"];
 		if (!dbProxyName) throw new ProvisioningError(`DBProxyName is required for AWS::RDS::DBProxyTargetGroup ${logicalId} update`, resourceType, logicalId, physicalId);
 		const targetGroupName = properties["TargetGroupName"] ?? "default";
+		for (const field of ["DBProxyName", "TargetGroupName"]) {
+			const oldVal = previousProperties[field];
+			const newVal = properties[field];
+			const normalize = (v) => field === "TargetGroupName" && (v === void 0 || v === "default") ? "default" : v;
+			if (JSON.stringify(normalize(oldVal)) !== JSON.stringify(normalize(newVal))) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `${field} is immutable on AWS::RDS::DBProxyTargetGroup — destroy + redeploy to change it`);
+		}
 		const client = this.getClient();
 		const oldPool = previousProperties["ConnectionPoolConfigurationInfo"];
 		const newPool = properties["ConnectionPoolConfigurationInfo"];
@@ -29703,6 +30045,7 @@ function registerAllProviders(registry) {
 	registry.register("AWS::RDS::DBCluster", rdsProvider);
 	registry.register("AWS::RDS::DBInstance", rdsProvider);
 	registry.register("AWS::RDS::DBProxy", new RDSDBProxyProvider());
+	registry.register("AWS::RDS::DBProxyEndpoint", new RDSDBProxyEndpointProvider());
 	registry.register("AWS::RDS::DBProxyTargetGroup", new RDSDBProxyTargetGroupProvider());
 	const docdbProvider = new DocDBProvider();
 	registry.register("AWS::DocDB::DBSubnetGroup", docdbProvider);
@@ -44683,7 +45026,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.107.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.108.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());