@go-to-k/cdkd 0.107.0 → 0.109.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-D6nbHjNM.js";
+import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-Br8DvrvB.js";
 import { createHash, createPublicKey, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -30,12 +30,12 @@ import { CreateAliasCommand, CreateKeyCommand, DeleteAliasCommand, DescribeKeyCo
 import { promisify } from "node:util";
 import { CreateRepositoryCommand, DeleteLifecyclePolicyCommand, DeleteRepositoryCommand, DeleteRepositoryPolicyCommand, DescribeRepositoriesCommand, ECRClient, GetAuthorizationTokenCommand, GetLifecyclePolicyCommand, LifecyclePolicyNotFoundException, ListTagsForResourceCommand as ListTagsForResourceCommand$7, PutImageScanningConfigurationCommand, PutImageTagMutabilityCommand, PutLifecyclePolicyCommand, RepositoryNotFoundException, SetRepositoryPolicyCommand, TagResourceCommand as TagResourceCommand$9 } from "@aws-sdk/client-ecr";
 import graphlib from "graphlib";
-import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBProxyCommand, CreateDBSubnetGroupCommand, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBProxyCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxiesCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
+import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBProxyCommand, CreateDBProxyEndpointCommand, CreateDBSubnetGroupCommand, DBProxyEndpointNotFoundFault, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBProxyCommand, DeleteDBProxyEndpointCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxiesCommand, DescribeDBProxyEndpointsCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyCommand, ModifyDBProxyEndpointCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
 import { Command, Option } from "commander";
 import { writeFileSync as writeFileSync$1 } from "fs";
 import { join as join$1 } from "path";
 import * as zlib from "node:zlib";
-import { ApplicationAutoScalingClient, DescribeScalableTargetsCommand, DescribeScalingPoliciesCommand } from "@aws-sdk/client-application-auto-scaling";
+import { ApplicationAutoScalingClient, DeleteScalingPolicyCommand, DeregisterScalableTargetCommand, DescribeScalableTargetsCommand, DescribeScalingPoliciesCommand, PutScalingPolicyCommand, RegisterScalableTargetCommand } from "@aws-sdk/client-application-auto-scaling";
 import { ApiGatewayV2Client, CreateApiCommand, CreateAuthorizerCommand as CreateAuthorizerCommand$1, CreateIntegrationCommand, CreateRouteCommand as CreateRouteCommand$1, CreateStageCommand as CreateStageCommand$1, DeleteApiCommand, DeleteAuthorizerCommand as DeleteAuthorizerCommand$1, DeleteIntegrationCommand, DeleteRouteCommand as DeleteRouteCommand$1, DeleteStageCommand as DeleteStageCommand$1, GetApiCommand, GetApisCommand, GetAuthorizerCommand as GetAuthorizerCommand$1, GetIntegrationCommand, GetRouteCommand, GetStageCommand as GetStageCommand$1, NotFoundException as NotFoundException$3, UpdateApiCommand, UpdateAuthorizerCommand as UpdateAuthorizerCommand$1, UpdateIntegrationCommand, UpdateRouteCommand, UpdateStageCommand as UpdateStageCommand$1 } from "@aws-sdk/client-apigatewayv2";
 import { CreateStateMachineCommand, DeleteStateMachineCommand, DescribeStateMachineCommand, ListStateMachinesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$9, SFNClient, StateMachineDoesNotExist, TagResourceCommand as TagResourceCommand$10, UntagResourceCommand as UntagResourceCommand$9, UpdateStateMachineCommand } from "@aws-sdk/client-sfn";
 import { CreateClusterCommand, CreateServiceCommand, DeleteClusterCommand, DeleteServiceCommand, DeregisterTaskDefinitionCommand, DescribeClustersCommand, DescribeServicesCommand, DescribeTaskDefinitionCommand, ECSClient, ListClustersCommand, ListServicesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$10, PutClusterCapacityProvidersCommand, RegisterTaskDefinitionCommand, TagResourceCommand as TagResourceCommand$11, UntagResourceCommand as UntagResourceCommand$10, UpdateClusterCommand, UpdateServiceCommand } from "@aws-sdk/client-ecs";
@@ -7984,6 +7984,20 @@ var DynamoDBGlobalTableProvider = class {
 		return client;
 	}
 	/**
+	* Lazy-init + cache the local-region `ApplicationAutoScalingClient`.
+	* Previously `applyAutoScalingDiff` constructed a fresh client per
+	* call when no `client` arg was passed, leaking SDK clients (each
+	* holds its own HTTP agent) on multi-stack runs with many
+	* GlobalTables (PR #403 review minor #4).
+	*/
+	localAutoScalingClient;
+	async getLocalAutoScalingClient() {
+		if (this.localAutoScalingClient) return this.localAutoScalingClient;
+		const region = await this.dynamoDBClient.config.region() ?? "";
+		this.localAutoScalingClient = new ApplicationAutoScalingClient({ region });
+		return this.localAutoScalingClient;
+	}
+	/**
 	* Construct the regional table ARN for a cross-region replica of a
 	* GlobalTable. AWS replicates the same `TableName` across every
 	* replica region, with each replica's ARN differing only in the
@@ -8237,10 +8251,19 @@ var DynamoDBGlobalTableProvider = class {
 				await this.dynamoDBClient.send(new UpdateTableCommand(billingUpdate));
 				await this.waitForTableActiveAfterUpdate(physicalId, logicalId);
 			}
+			const writeAutoScalingOld = (previousProperties["WriteProvisionedThroughputSettings"] ?? {})["WriteCapacityAutoScalingSettings"];
+			const writeAutoScalingNew = (properties["WriteProvisionedThroughputSettings"] ?? {})["WriteCapacityAutoScalingSettings"];
+			const effectiveNewAutoScaling = oldBilling === "PROVISIONED" && newBilling === "PAY_PER_REQUEST" ? void 0 : writeAutoScalingNew;
+			if ((newBilling === "PROVISIONED" || oldBilling === "PROVISIONED") && !deepEqual$1(writeAutoScalingOld, effectiveNewAutoScaling)) await this.applyAutoScalingDiff(physicalId, "dynamodb:table:WriteCapacityUnits", writeAutoScalingOld, effectiveNewAutoScaling);
 			const replicaDiff = diffReplicas(previousProperties["Replicas"] ?? [], properties["Replicas"] ?? []);
 			for (const replica of replicaDiff.removed) {
 				const region = replica["Region"];
 				if (!region || region === currentRegion) continue;
+				const removedReadAutoScaling = (replica["ReadProvisionedThroughputSettings"] ?? {})["ReadCapacityAutoScalingSettings"];
+				if (removedReadAutoScaling) {
+					const regionalAutoScalingClient = this.getRegionalAutoScalingClient(region);
+					await this.applyAutoScalingDiff(physicalId, "dynamodb:table:ReadCapacityUnits", removedReadAutoScaling, void 0, regionalAutoScalingClient);
+				}
 				await this.dynamoDBClient.send(new UpdateTableCommand({
 					TableName: physicalId,
 					ReplicaUpdates: [{ Delete: { RegionName: region } }]
@@ -8251,11 +8274,17 @@ var DynamoDBGlobalTableProvider = class {
 				const region = replica["Region"];
 				if (!region || region === currentRegion) continue;
 				await this.addReplica(physicalId, replica, region, logicalId);
+				const newReadAutoScaling = (replica["ReadProvisionedThroughputSettings"] ?? {})["ReadCapacityAutoScalingSettings"];
+				if (newBilling === "PROVISIONED" && newReadAutoScaling) {
+					const regionalAutoScalingClient = this.getRegionalAutoScalingClient(region);
+					await this.applyAutoScalingDiff(physicalId, "dynamodb:table:ReadCapacityUnits", void 0, newReadAutoScaling, regionalAutoScalingClient);
+				}
 			}
 			for (const replica of replicaDiff.modified) {
 				const region = replica["Region"];
 				if (!region || region === currentRegion) continue;
-				const oldReplicaTags = (previousProperties["Replicas"] ?? []).find((r) => r["Region"] === region)?.["Tags"];
+				const oldReplica = (previousProperties["Replicas"] ?? []).find((r) => r["Region"] === region);
+				const oldReplicaTags = oldReplica?.["Tags"];
 				const newReplicaTags = replica["Tags"];
 				if (!deepEqual$1(oldReplicaTags, newReplicaTags)) if (tableArn) {
 					const replicaArn = this.replicaArnForRegion(tableArn, region);
@@ -8267,6 +8296,13 @@ var DynamoDBGlobalTableProvider = class {
 					}
 					else this.logger.warn(`Could not derive replica ARN for region ${region} from ${tableArn} — skipping Tags propagation for ${physicalId}`);
 				} else this.logger.warn(`Local DescribeTable returned no TableArn — cannot propagate Tags to cross-region replica ${region} of ${physicalId}`);
+				const oldReadAutoScaling = (oldReplica?.["ReadProvisionedThroughputSettings"] ?? {})["ReadCapacityAutoScalingSettings"];
+				const newReadAutoScaling = (replica["ReadProvisionedThroughputSettings"] ?? {})["ReadCapacityAutoScalingSettings"];
+				const effectiveNewReadAutoScaling = newBilling === "PAY_PER_REQUEST" ? void 0 : newReadAutoScaling;
+				if ((newBilling === "PROVISIONED" || oldBilling === "PROVISIONED") && !deepEqual$1(oldReadAutoScaling, effectiveNewReadAutoScaling)) {
+					const regionalAutoScalingClient = this.getRegionalAutoScalingClient(region);
+					await this.applyAutoScalingDiff(physicalId, "dynamodb:table:ReadCapacityUnits", oldReadAutoScaling, effectiveNewReadAutoScaling, regionalAutoScalingClient);
+				}
 				const updateAction = { RegionName: region };
 				if (replica["KMSMasterKeyId"] !== void 0) updateAction.KMSMasterKeyId = replica["KMSMasterKeyId"];
 				if (replica["GlobalSecondaryIndexes"]) updateAction.GlobalSecondaryIndexes = replica["GlobalSecondaryIndexes"];
@@ -8405,6 +8441,127 @@ var DynamoDBGlobalTableProvider = class {
 		}
 	}
 	/**
+	* Apply an application-autoscaling diff for one (tableName, dimension)
+	* pair (Issue #402 / PR closing Issue #395's deferred items).
+	*
+	* Dimension is either:
+	*  - `dynamodb:table:WriteCapacityUnits` (table-level write capacity),
+	*    paired with the local-region autoscaling client.
+	*  - `dynamodb:table:ReadCapacityUnits` (per-replica read capacity),
+	*    paired with a region-scoped autoscaling client returned by
+	*    `getRegionalAutoScalingClient`.
+	*
+	* Diff semantics (idempotent upsert, per Issue #402 spec):
+	*  - new auto-scaling settings present (Min/Max + TargetValue) →
+	*    `RegisterScalableTarget` (upsert) + `PutScalingPolicy` (upsert).
+	*    AWS's `RegisterScalableTarget` accepts no-op Min/Max changes
+	*    silently, and `PutScalingPolicy` is idempotent on the same
+	*    policy name (`DynamoDB{Write,Read}CapacityUtilization:table/<name>`).
+	*  - old auto-scaling settings present but new ones absent (= null) →
+	*    `DeleteScalingPolicy` + `DeregisterScalableTarget`. AWS rejects
+	*    `DeregisterScalableTarget` on a still-policy-attached target,
+	*    so the policy must be deleted FIRST.
+	*  - neither side has auto-scaling settings → no-op.
+	*
+	* **Best-effort**: any AWS error is logged at WARN with the per-API
+	* recovery command and the deploy continues — auto-scaling drift is
+	* recoverable on the next deploy, and an aborted deploy is much worse
+	* UX than a transient auto-scaling miss. This matches the cross-region
+	* Tags propagation contract (PR #393).
+	*
+	* **Policy naming** matches AWS's CDK / console default:
+	*   `DynamoDBWriteCapacityUtilization:table/<table-name>` (write)
+	*   `DynamoDBReadCapacityUtilization:table/<table-name>`  (read)
+	* so re-imports against a console-created target also match.
+	*
+	* **`SeedCapacity` is intentionally NOT forwarded** — it is a CFn
+	* create-only field with no corresponding `RegisterScalableTarget`
+	* surface; `readAutoScalingSettings` also explicitly skips it.
+	*/
+	async applyAutoScalingDiff(tableName, dimension, oldSettings, newSettings, client) {
+		const isWrite = dimension === "dynamodb:table:WriteCapacityUnits";
+		const policyName = isWrite ? `DynamoDBWriteCapacityUtilization:table/${tableName}` : `DynamoDBReadCapacityUtilization:table/${tableName}`;
+		const metricType = isWrite ? "DynamoDBWriteCapacityUtilization" : "DynamoDBReadCapacityUtilization";
+		const resourceId = `table/${tableName}`;
+		const asClient = client ?? await this.getLocalAutoScalingClient();
+		const oldEnabled = oldSettings !== void 0 && oldSettings !== null;
+		const newEnabled = newSettings !== void 0 && newSettings !== null;
+		if (!oldEnabled && !newEnabled) return;
+		if (newEnabled) {
+			const minCapacity = Number(newSettings["MinCapacity"] ?? 0);
+			const maxCapacity = Number(newSettings["MaxCapacity"] ?? 0);
+			if (!Number.isFinite(minCapacity) || !Number.isFinite(maxCapacity)) {
+				this.logger.warn(`Cannot apply auto-scaling diff on ${tableName} (${dimension}): MinCapacity / MaxCapacity must be numbers, got ${String(newSettings["MinCapacity"])} / ${String(newSettings["MaxCapacity"])}`);
+				return;
+			}
+			try {
+				await asClient.send(new RegisterScalableTargetCommand({
+					ServiceNamespace: "dynamodb",
+					ResourceId: resourceId,
+					ScalableDimension: dimension,
+					MinCapacity: minCapacity,
+					MaxCapacity: maxCapacity
+				}));
+			} catch (err) {
+				this.logger.warn(`Could not register auto-scaling target on ${tableName} (${dimension}): ${err instanceof Error ? err.message : String(err)}. Run: aws application-autoscaling register-scalable-target --service-namespace dynamodb --resource-id ${resourceId} --scalable-dimension ${dimension} --min-capacity ${minCapacity} --max-capacity ${maxCapacity}`);
+				return;
+			}
+			const tttCfg = newSettings["TargetTrackingScalingPolicyConfiguration"] ?? {};
+			const targetValue = Number(tttCfg["TargetValue"]);
+			if (!Number.isFinite(targetValue)) {
+				this.logger.warn(`Auto-scaling target registered on ${tableName} (${dimension}) but TargetValue is missing or non-numeric — skipping PutScalingPolicy. Provide TargetTrackingScalingPolicyConfiguration.TargetValue in the template.`);
+				return;
+			}
+			const targetTrackingConfig = {
+				PredefinedMetricSpecification: { PredefinedMetricType: metricType },
+				TargetValue: targetValue
+			};
+			if (tttCfg["ScaleInCooldown"] !== void 0) targetTrackingConfig["ScaleInCooldown"] = Number(tttCfg["ScaleInCooldown"]);
+			if (tttCfg["ScaleOutCooldown"] !== void 0) targetTrackingConfig["ScaleOutCooldown"] = Number(tttCfg["ScaleOutCooldown"]);
+			if (tttCfg["DisableScaleIn"] !== void 0) targetTrackingConfig["DisableScaleIn"] = Boolean(tttCfg["DisableScaleIn"]);
+			try {
+				await asClient.send(new PutScalingPolicyCommand({
+					PolicyName: policyName,
+					ServiceNamespace: "dynamodb",
+					ResourceId: resourceId,
+					ScalableDimension: dimension,
+					PolicyType: "TargetTrackingScaling",
+					TargetTrackingScalingPolicyConfiguration: targetTrackingConfig
+				}));
+				this.logger.debug(`Upserted auto-scaling policy ${policyName} on ${tableName} (${dimension})`);
+			} catch (err) {
+				this.logger.warn(`Could not put auto-scaling policy on ${tableName} (${dimension}): ${err instanceof Error ? err.message : String(err)}. Run: aws application-autoscaling put-scaling-policy --policy-name ${policyName} --service-namespace dynamodb --resource-id ${resourceId} --scalable-dimension ${dimension} --policy-type TargetTrackingScaling`);
+			}
+			return;
+		}
+		const isObjectNotFound = (err) => {
+			if (!(err instanceof Error)) return false;
+			const name = err.name ?? "";
+			const msg = err.message ?? "";
+			return name === "ObjectNotFoundException" || msg.includes("No scaling policy found") || msg.includes("No scalable target found");
+		};
+		try {
+			await asClient.send(new DeleteScalingPolicyCommand({
+				PolicyName: policyName,
+				ServiceNamespace: "dynamodb",
+				ResourceId: resourceId,
+				ScalableDimension: dimension
+			}));
+		} catch (err) {
+			if (!isObjectNotFound(err)) this.logger.warn(`Could not delete auto-scaling policy on ${tableName} (${dimension}): ${err instanceof Error ? err.message : String(err)}. Run: aws application-autoscaling delete-scaling-policy --policy-name ${policyName} --service-namespace dynamodb --resource-id ${resourceId} --scalable-dimension ${dimension}`);
+		}
+		try {
+			await asClient.send(new DeregisterScalableTargetCommand({
+				ServiceNamespace: "dynamodb",
+				ResourceId: resourceId,
+				ScalableDimension: dimension
+			}));
+			this.logger.debug(`Deregistered auto-scaling target ${resourceId} (${dimension})`);
+		} catch (err) {
+			if (!isObjectNotFound(err)) this.logger.warn(`Could not deregister auto-scaling target on ${tableName} (${dimension}): ${err instanceof Error ? err.message : String(err)}. Run: aws application-autoscaling deregister-scalable-target --service-namespace dynamodb --resource-id ${resourceId} --scalable-dimension ${dimension}`);
+		}
+	}
+	/**
 	* Delete a DynamoDB Global Table.
 	*
 	* Order is load-bearing:
@@ -8450,6 +8607,7 @@ var DynamoDBGlobalTableProvider = class {
 				const region = replica.RegionName;
 				if (!region || region === currentRegion) continue;
 				try {
+					await this.applyAutoScalingDiff(physicalId, "dynamodb:table:ReadCapacityUnits", {}, void 0, this.getRegionalAutoScalingClient(region));
 					await this.dynamoDBClient.send(new UpdateTableCommand({
 						TableName: physicalId,
 						ReplicaUpdates: [{ Delete: { RegionName: region } }]
@@ -8459,6 +8617,9 @@ var DynamoDBGlobalTableProvider = class {
 					if (!(replicaErr instanceof ResourceNotFoundException$1)) throw replicaErr;
 				}
 			}
+			const localAsClient = await this.getLocalAutoScalingClient();
+			await this.applyAutoScalingDiff(physicalId, "dynamodb:table:ReadCapacityUnits", {}, void 0, localAsClient);
+			await this.applyAutoScalingDiff(physicalId, "dynamodb:table:WriteCapacityUnits", {}, void 0, localAsClient);
 		} catch (describeErr) {
 			if (!(describeErr instanceof ResourceNotFoundException$1)) {
 				const cause = describeErr instanceof Error ? describeErr : void 0;
@@ -18395,8 +18556,8 @@ var RDSProvider = class {
 
 //#endregion
 //#region src/provisioning/providers/rds-dbproxy-provider.ts
-const POLL_INTERVAL_MS = 5e3;
-const POLL_TIMEOUT_MS = 900 * 1e3;
+const POLL_INTERVAL_MS$1 = 5e3;
+const POLL_TIMEOUT_MS$1 = 900 * 1e3;
 /**
 * AWS RDS DBProxy Provider
 *
@@ -18483,7 +18644,7 @@ var RDSDBProxyProvider = class {
 		let endpoint;
 		let dbProxyArn;
 		let vpcId;
-		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		const deadline = Date.now() + POLL_TIMEOUT_MS$1;
 		let status;
 		while (Date.now() < deadline) {
 			try {
@@ -18500,7 +18661,7 @@ var RDSDBProxyProvider = class {
 				if (error instanceof DBProxyNotFoundFault) {} else if (error instanceof ProvisioningError) throw error;
 				else throw this.wrapError(error, "CREATE (poll)", resourceType, logicalId, dbProxyName);
 			}
-			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS$1));
 		}
 		if (!endpoint || !dbProxyArn) throw new ProvisioningError(`Timed out waiting for DBProxy ${dbProxyName} to become available (last status: ${status ?? "unknown"})`, resourceType, logicalId, dbProxyName);
 		return {
@@ -18514,6 +18675,11 @@ var RDSDBProxyProvider = class {
 	}
 	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
 		const client = this.getClient();
+		for (const field of [
+			"DBProxyName",
+			"EngineFamily",
+			"VpcSubnetIds"
+		]) if (JSON.stringify(properties[field]) !== JSON.stringify(previousProperties[field])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `${field} is immutable on AWS::RDS::DBProxy — destroy + redeploy to change it`);
 		const input = { DBProxyName: physicalId };
 		let hasModify = false;
 		for (const key of [
@@ -18556,7 +18722,7 @@ var RDSDBProxyProvider = class {
 			}
 			throw this.wrapError(error, "DELETE", resourceType, logicalId, physicalId);
 		}
-		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		const deadline = Date.now() + POLL_TIMEOUT_MS$1;
 		while (Date.now() < deadline) {
 			try {
 				await client.send(new DescribeDBProxiesCommand({ DBProxyName: physicalId }));
@@ -18567,7 +18733,7 @@ var RDSDBProxyProvider = class {
 				}
 				throw this.wrapError(error, "DELETE (poll)", resourceType, logicalId, physicalId);
 			}
-			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS$1));
 		}
 		throw new ProvisioningError(`Timed out waiting for DBProxy ${physicalId} to fully delete`, resourceType, logicalId, physicalId);
 	}
@@ -18742,6 +18908,337 @@ var RDSDBProxyProvider = class {
 	}
 };
 
+//#endregion
+//#region src/provisioning/providers/rds-dbproxy-endpoint-provider.ts
+const POLL_INTERVAL_MS = 5e3;
+const POLL_TIMEOUT_MS = 900 * 1e3;
+/**
+* AWS RDS DBProxyEndpoint Provider
+*
+* Implements resource provisioning for `AWS::RDS::DBProxyEndpoint` — the
+* additional read/write or read-only endpoint that can be attached to a
+* parent DBProxy.
+*
+* **Why a dedicated SDK provider** (per `feedback_dedicated_provider_over_special_case.md`):
+* completes the RDS DBProxy family started in PR #387 (`DBProxyTargetGroup`)
+* and PR #394 (`DBProxy`). Keeps the whole family on one codebase so create /
+* update / delete handling stays consistent across the parent + endpoints +
+* target-group children.
+*
+* **Lifecycle**:
+* - `create`: validates required fields (`DBProxyName` / `VpcSubnetIds`),
+*   issues `CreateDBProxyEndpointCommand`, then polls `DescribeDBProxyEndpoints`
+*   until `Status === 'available'`. Returns `physicalId = DBProxyEndpointName`
+*   plus `Endpoint` / `DBProxyEndpointArn` / `IsDefault` / `VpcId` in
+*   `attributes`.
+* - `update`: `ModifyDBProxyEndpointCommand` for the mutable fields
+*   (`VpcSecurityGroupIds` → SDK input `VpcSecurityGroupIds`,
+*   `NewDBProxyEndpointName` via rename). Tags diff via separate
+*   `AddTagsToResource` / `RemoveTagsFromResource` calls. DBProxyName /
+*   VpcSubnetIds / TargetRole are immutable on AWS.
+* - `delete`: `DeleteDBProxyEndpointCommand`, then polls until
+*   `DBProxyEndpointNotFoundFault`. Idempotent on NotFound (region-match
+*   gated). `DBProxyNotFoundFault` also idempotent — if the parent DBProxy
+*   is already gone via CASCADE, the endpoint is too.
+* - `getAttribute`: `Endpoint` / `DBProxyEndpointArn` / `IsDefault` / `VpcId`
+*   via `DescribeDBProxyEndpoints`, cached per `(physicalId, attribute)`.
+* - `import`: explicit `--resource <id>=<DBProxyEndpointName>` first; falls
+*   back to paginated auto-lookup via `DescribeDBProxyEndpoints` +
+*   `ListTagsForResource` matching `aws:cdk:path`.
+*
+* **physicalId** = DBProxyEndpointName (matches CFn `primaryIdentifier`).
+*/
+var RDSDBProxyEndpointProvider = class {
+	rdsClient;
+	providerRegion = process.env["AWS_REGION"];
+	logger = getLogger().child("RDSDBProxyEndpointProvider");
+	attributeCache = /* @__PURE__ */ new Map();
+	handledProperties = new Map([["AWS::RDS::DBProxyEndpoint", new Set([
+		"DBProxyEndpointName",
+		"DBProxyName",
+		"VpcSubnetIds",
+		"VpcSecurityGroupIds",
+		"TargetRole",
+		"Tags"
+	])]]);
+	getClient() {
+		if (!this.rdsClient) this.rdsClient = new RDSClient(this.providerRegion ? { region: this.providerRegion } : {});
+		return this.rdsClient;
+	}
+	async create(logicalId, resourceType, properties) {
+		const dbProxyName = properties["DBProxyName"];
+		if (!dbProxyName) throw new ProvisioningError(`DBProxyName is required for AWS::RDS::DBProxyEndpoint ${logicalId}`, resourceType, logicalId);
+		const dbProxyEndpointName = properties["DBProxyEndpointName"] ?? generateResourceName(logicalId, { maxLength: 64 });
+		const vpcSubnetIds = properties["VpcSubnetIds"];
+		if (!vpcSubnetIds || vpcSubnetIds.length === 0) throw new ProvisioningError(`VpcSubnetIds (at least one) is required for AWS::RDS::DBProxyEndpoint ${logicalId}`, resourceType, logicalId);
+		const client = this.getClient();
+		this.logger.debug(`Creating DBProxyEndpoint ${dbProxyEndpointName} (proxy=${dbProxyName})`);
+		try {
+			await client.send(new CreateDBProxyEndpointCommand({
+				DBProxyName: dbProxyName,
+				DBProxyEndpointName: dbProxyEndpointName,
+				VpcSubnetIds: vpcSubnetIds,
+				VpcSecurityGroupIds: properties["VpcSecurityGroupIds"],
+				TargetRole: properties["TargetRole"],
+				Tags: this.toAwsTags(properties["Tags"])
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "CREATE", resourceType, logicalId, void 0);
+		}
+		let endpoint;
+		let arn;
+		let isDefault;
+		let vpcId;
+		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		let status;
+		while (Date.now() < deadline) {
+			try {
+				const ep = (await client.send(new DescribeDBProxyEndpointsCommand({
+					DBProxyName: dbProxyName,
+					DBProxyEndpointName: dbProxyEndpointName
+				}))).DBProxyEndpoints?.[0];
+				status = ep?.Status;
+				if (status === "available") {
+					endpoint = ep?.Endpoint;
+					arn = ep?.DBProxyEndpointArn;
+					isDefault = ep?.IsDefault;
+					vpcId = ep?.VpcId;
+					break;
+				}
+				if (status === "incompatible-network" || status === "insufficient-resource-limits") throw new ProvisioningError(`DBProxyEndpoint ${dbProxyEndpointName} entered terminal failure state: ${status}`, resourceType, logicalId, dbProxyEndpointName);
+			} catch (error) {
+				if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) {} else if (error instanceof ProvisioningError) throw error;
+				else throw this.wrapError(error, "CREATE (poll)", resourceType, logicalId, dbProxyEndpointName);
+			}
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+		}
+		if (!endpoint || !arn) throw new ProvisioningError(`Timed out waiting for DBProxyEndpoint ${dbProxyEndpointName} to become available (last status: ${status ?? "unknown"})`, resourceType, logicalId, dbProxyEndpointName);
+		return {
+			physicalId: dbProxyEndpointName,
+			attributes: {
+				Endpoint: endpoint,
+				DBProxyEndpointArn: arn,
+				IsDefault: isDefault ?? false,
+				VpcId: vpcId ?? ""
+			}
+		};
+	}
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		const client = this.getClient();
+		for (const field of [
+			"DBProxyName",
+			"DBProxyEndpointName",
+			"VpcSubnetIds",
+			"TargetRole"
+		]) if (JSON.stringify(properties[field]) !== JSON.stringify(previousProperties[field])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `${field} is immutable on AWS::RDS::DBProxyEndpoint — destroy + redeploy to change it`);
+		const oldSG = previousProperties["VpcSecurityGroupIds"] ?? [];
+		const newSG = properties["VpcSecurityGroupIds"] ?? [];
+		if (JSON.stringify(oldSG) !== JSON.stringify(newSG)) {
+			this.logger.debug(`Updating DBProxyEndpoint ${physicalId} security groups`);
+			try {
+				await client.send(new ModifyDBProxyEndpointCommand({
+					DBProxyEndpointName: physicalId,
+					VpcSecurityGroupIds: newSG
+				}));
+			} catch (error) {
+				throw this.wrapError(error, "UPDATE", resourceType, logicalId, physicalId);
+			}
+		}
+		await this.applyTagDiff(physicalId, previousProperties["Tags"], properties["Tags"], resourceType, logicalId);
+		this.invalidateAttributeCache(physicalId);
+		return {
+			physicalId,
+			wasReplaced: false
+		};
+	}
+	async delete(logicalId, physicalId, resourceType, _properties, context) {
+		const client = this.getClient();
+		this.logger.debug(`Deleting DBProxyEndpoint ${physicalId}`);
+		try {
+			await client.send(new DeleteDBProxyEndpointCommand({ DBProxyEndpointName: physicalId }));
+		} catch (error) {
+			if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) {
+				assertRegionMatch(await client.config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
+				this.logger.debug(`DBProxyEndpoint ${physicalId} or parent already gone, treating as success`);
+				return;
+			}
+			throw this.wrapError(error, "DELETE", resourceType, logicalId, physicalId);
+		}
+		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		while (Date.now() < deadline) {
+			try {
+				await client.send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }));
+			} catch (error) {
+				if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) {
+					this.logger.debug(`DBProxyEndpoint ${physicalId} fully deleted`);
+					return;
+				}
+				throw this.wrapError(error, "DELETE (poll)", resourceType, logicalId, physicalId);
+			}
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+		}
+		throw new ProvisioningError(`Timed out waiting for DBProxyEndpoint ${physicalId} to fully delete`, resourceType, logicalId, physicalId);
+	}
+	async getAttribute(physicalId, _resourceType, attributeName) {
+		const cacheKey = `${physicalId}:${attributeName}`;
+		const cached = this.attributeCache.get(cacheKey);
+		if (cached !== void 0) return cached;
+		if (attributeName !== "Endpoint" && attributeName !== "DBProxyEndpointArn" && attributeName !== "IsDefault" && attributeName !== "VpcId") {
+			this.logger.warn(`Unknown attribute ${attributeName} for AWS::RDS::DBProxyEndpoint, returning undefined`);
+			return;
+		}
+		try {
+			const ep = (await this.getClient().send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0];
+			if (!ep) return void 0;
+			const value = {
+				Endpoint: ep.Endpoint,
+				DBProxyEndpointArn: ep.DBProxyEndpointArn,
+				IsDefault: ep.IsDefault ?? false,
+				VpcId: ep.VpcId
+			}[attributeName];
+			if (value !== void 0) this.attributeCache.set(cacheKey, value);
+			return value;
+		} catch (error) {
+			if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) return;
+			throw error;
+		}
+	}
+	async import(input) {
+		const explicit = resolveExplicitPhysicalId(input, "DBProxyEndpointName");
+		if (explicit) return this.buildImportResult(explicit);
+		const client = this.getClient();
+		let marker;
+		do {
+			const describe = await client.send(new DescribeDBProxyEndpointsCommand({
+				Marker: marker,
+				MaxRecords: 100
+			}));
+			for (const ep of describe.DBProxyEndpoints ?? []) {
+				if (!ep.DBProxyEndpointArn) continue;
+				try {
+					if (matchesCdkPath((await client.send(new ListTagsForResourceCommand$8({ ResourceName: ep.DBProxyEndpointArn }))).TagList ?? [], input.cdkPath)) return this.buildImportResult(ep.DBProxyEndpointName ?? "");
+				} catch (error) {
+					this.logger.debug(`ListTagsForResource failed for ${ep.DBProxyEndpointName}: ${error instanceof Error ? error.message : String(error)}`);
+				}
+			}
+			marker = describe.Marker;
+		} while (marker);
+		return null;
+	}
+	async readCurrentState(physicalId) {
+		const client = this.getClient();
+		let ep;
+		try {
+			ep = (await client.send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0];
+			if (!ep) return void 0;
+		} catch (error) {
+			if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) return;
+			throw error;
+		}
+		const e = ep;
+		const result = {
+			DBProxyEndpointName: e.DBProxyEndpointName,
+			DBProxyName: e.DBProxyName,
+			VpcSubnetIds: e.VpcSubnetIds ?? [],
+			VpcSecurityGroupIds: e.VpcSecurityGroupIds ?? [],
+			TargetRole: e.TargetRole ?? "READ_WRITE"
+		};
+		if (e.DBProxyEndpointArn) try {
+			result["Tags"] = normalizeAwsTagsToCfn((await client.send(new ListTagsForResourceCommand$8({ ResourceName: e.DBProxyEndpointArn }))).TagList ?? []);
+		} catch (error) {
+			this.logger.debug(`ListTagsForResource failed for ${physicalId}: ${error instanceof Error ? error.message : String(error)}`);
+			result["Tags"] = [];
+		}
+		else result["Tags"] = [];
+		return result;
+	}
+	async applyTagDiff(physicalId, oldTags, newTags, resourceType, logicalId) {
+		const oldMap = this.toTagMap(oldTags);
+		const newMap = this.toTagMap(newTags);
+		if (oldMap.size === newMap.size && [...oldMap.keys()].every((k) => newMap.has(k)) && [...oldMap.entries()].every(([k, v]) => newMap.get(k) === v)) return;
+		const client = this.getClient();
+		const arnCacheKey = `${physicalId}:DBProxyEndpointArn`;
+		let arn = this.attributeCache.get(arnCacheKey);
+		if (!arn) try {
+			arn = (await client.send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0]?.DBProxyEndpointArn;
+			if (arn) this.attributeCache.set(arnCacheKey, arn);
+		} catch (error) {
+			this.logger.debug(`Skipping tag diff for ${physicalId} (no ARN): ${error instanceof Error ? error.message : String(error)}`);
+			return;
+		}
+		if (!arn) return;
+		const toRemove = [];
+		const toAdd = [];
+		for (const k of oldMap.keys()) if (!newMap.has(k)) toRemove.push(k);
+		for (const [k, v] of newMap.entries()) if (oldMap.get(k) !== v) toAdd.push({
+			Key: k,
+			Value: v
+		});
+		if (toRemove.length > 0) try {
+			await client.send(new RemoveTagsFromResourceCommand$1({
+				ResourceName: arn,
+				TagKeys: toRemove
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "UPDATE (remove tags)", resourceType, logicalId, physicalId);
+		}
+		if (toAdd.length > 0) try {
+			await client.send(new AddTagsToResourceCommand$1({
+				ResourceName: arn,
+				Tags: toAdd
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "UPDATE (add tags)", resourceType, logicalId, physicalId);
+		}
+	}
+	toTagMap(tags) {
+		const map = /* @__PURE__ */ new Map();
+		if (Array.isArray(tags)) {
+			for (const entry of tags) if (entry?.Key !== void 0) map.set(entry.Key, entry.Value ?? "");
+		}
+		return map;
+	}
+	toAwsTags(tags) {
+		if (!Array.isArray(tags) || tags.length === 0) return void 0;
+		return tags.filter((t) => t.Key !== void 0).map((t) => ({
+			Key: t.Key,
+			Value: t.Value ?? ""
+		}));
+	}
+	async buildImportResult(physicalId) {
+		try {
+			const ep = (await this.getClient().send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0];
+			return {
+				physicalId,
+				attributes: {
+					Endpoint: ep?.Endpoint ?? "",
+					DBProxyEndpointArn: ep?.DBProxyEndpointArn ?? "",
+					IsDefault: ep?.IsDefault ?? false,
+					VpcId: ep?.VpcId ?? ""
+				}
+			};
+		} catch {
+			return {
+				physicalId,
+				attributes: {
+					Endpoint: "",
+					DBProxyEndpointArn: "",
+					IsDefault: false,
+					VpcId: ""
+				}
+			};
+		}
+	}
+	invalidateAttributeCache(physicalId) {
+		for (const key of this.attributeCache.keys()) if (key.startsWith(`${physicalId}:`)) this.attributeCache.delete(key);
+	}
+	wrapError(error, op, resourceType, logicalId, physicalId) {
+		const message = error instanceof Error ? error.message : String(error);
+		const cause = error instanceof Error ? error : void 0;
+		return new ProvisioningError(`${op} failed for ${logicalId}: ${message}`, resourceType, logicalId, physicalId, cause);
+	}
+};
+
 //#endregion
 //#region src/provisioning/providers/rds-dbproxy-targetgroup-provider.ts
 /**
@@ -18861,6 +19358,12 @@ var RDSDBProxyTargetGroupProvider = class {
 		const dbProxyName = properties["DBProxyName"];
 		if (!dbProxyName) throw new ProvisioningError(`DBProxyName is required for AWS::RDS::DBProxyTargetGroup ${logicalId} update`, resourceType, logicalId, physicalId);
 		const targetGroupName = properties["TargetGroupName"] ?? "default";
+		for (const field of ["DBProxyName", "TargetGroupName"]) {
+			const oldVal = previousProperties[field];
+			const newVal = properties[field];
+			const normalize = (v) => field === "TargetGroupName" && (v === void 0 || v === "default") ? "default" : v;
+			if (JSON.stringify(normalize(oldVal)) !== JSON.stringify(normalize(newVal))) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `${field} is immutable on AWS::RDS::DBProxyTargetGroup — destroy + redeploy to change it`);
+		}
 		const client = this.getClient();
 		const oldPool = previousProperties["ConnectionPoolConfigurationInfo"];
 		const newPool = properties["ConnectionPoolConfigurationInfo"];
@@ -29703,6 +30206,7 @@ function registerAllProviders(registry) {
 	registry.register("AWS::RDS::DBCluster", rdsProvider);
 	registry.register("AWS::RDS::DBInstance", rdsProvider);
 	registry.register("AWS::RDS::DBProxy", new RDSDBProxyProvider());
+	registry.register("AWS::RDS::DBProxyEndpoint", new RDSDBProxyEndpointProvider());
 	registry.register("AWS::RDS::DBProxyTargetGroup", new RDSDBProxyTargetGroupProvider());
 	const docdbProvider = new DocDBProvider();
 	registry.register("AWS::DocDB::DBSubnetGroup", docdbProvider);
@@ -44683,7 +45187,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.107.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.109.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());