@go-to-k/cdkd 0.113.0 → 0.114.1

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-Br8DvrvB.js";
+import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-CAg_d5uX.js";
 import { createHash, createPublicKey, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -45300,7 +45300,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.113.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.114.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());

package/dist/{deploy-engine-Br8DvrvB.js → deploy-engine-CAg_d5uX.js}

@@ -5074,19 +5074,36 @@ var DiffCalculator = class DiffCalculator {
 	/**
 	* Deep equality check for values
 	*
-	* When comparing state (resolved values) with template (unresolved intrinsics),
-	* treats intrinsic function nodes as "not comparable" and assumes equal.
-	* This check happens at each level of recursion, so only the specific value
-	* that IS an intrinsic gets skipped — sibling values are still compared normally.
-	*
-	* Example: { Variables: { AZURE_REGION: "japaneast", SECRET_NAME: { "Fn::Join": ... } } }
-	* - AZURE_REGION: compared normally (string vs string)
-	* - SECRET_NAME: one side is intrinsic → treated as equal (skip)
+	* State stores resolved values (`"arn:aws:s3:::my-bucket"`); the synth
+	* template holds unresolved intrinsics (`{ "Fn::GetAtt": ["MyBucket", "Arn"] }`).
+	* Before reaching this comparator, `resolveBestEffort` already tried to
+	* resolve the template side against current state, so a remaining raw
+	* intrinsic typically means the resolver couldn't resolve it — most
+	* commonly because the intrinsic references a resource NOT YET in state
+	* (e.g., a newly-introduced resource the next deploy will CREATE).
+	*
+	* Two cases when an intrinsic still reaches here:
+	*
+	* 1. Both sides intrinsic: state was written by an older cdkd that didn't
+	*    fully resolve at deploy time. Structural compare suffices —
+	*    `Fn::GetAtt: [X, Arn]` matches `Fn::GetAtt: [X, Arn]` byte-for-byte.
+	*
+	* 2. One side intrinsic, other side concrete: the unresolvable intrinsic
+	*    points at something different from what's currently in state. Treat
+	*    as NOT equal so the resource is classified as UPDATE.
+	*
+	* Pre-fix this branch returned `true` (equal) for case 2, which silently
+	* dropped real diffs — e.g., when an IAM Policy's `Resource: Fn::GetAtt:
+	* [Bucket, Arn]` is rebound to a renamed bucket (logical ID changed
+	* because the construct path moved), the resolver couldn't find the new
+	* bucket in state and the policy stayed at the old bucket's ARN after
+	* deploy. The next CR invocation against the new bucket then failed with
+	* AccessDenied because the IAM Policy was never UPDATED.
 	*/
 	valuesEqual(a, b) {
 		if (a === b) return true;
 		if (a == null || b == null) return a === b;
-		if (DiffCalculator.isIntrinsic(a) || DiffCalculator.isIntrinsic(b)) return true;
+		if (DiffCalculator.isIntrinsic(a) !== DiffCalculator.isIntrinsic(b)) return false;
 		if (Array.isArray(a) && Array.isArray(b)) {
 			if (a.length !== b.length) return false;
 			return a.every((val, index) => this.valuesEqual(val, b[index]));
@@ -9589,4 +9606,4 @@ var DeployEngine = class {
 
 //#endregion
 export { SynthesisError as $, resolveApp as A, CdkdError as B, AssetPublisher as C, Synthesizer as D, buildDockerImage as E, warnDeprecatedNoPrefixCliFlag as F, PartialFailureError as G, DependencyError as H, AssemblyReader as I, ResourceUpdateNotSupportedError as J, ProvisioningError as K, clearBucketRegionCache as L, resolveSkipPrefix as M, resolveStateBucketWithDefault as N, getDefaultStateBucketName as O, resolveStateBucketWithDefaultAndSource as P, StateError as Q, resolveBucketRegion as R, shouldRetainResource as S, WorkGraph as T, LocalInvokeBuildError as U, ConfigError as V, LockError as W, StackHasActiveImportsError as X, RouteDiscoveryError as Y, StackTerminationProtectionError as Z, DiffCalculator as _, withRetry as a, getLogger as at, LockManager as b, collectInlinePolicyNamesManagedBySiblings as c, getLiveRenderer as ct, normalizeAwsTagsToCfn as d, generateResourceName as dt, formatError as et, resolveExplicitPhysicalId as f, generateResourceNameWithFallback as ft, IntrinsicFunctionResolver as g, assertRegionMatch as h, withResourceDeadline as i, ConsoleLogger as it, resolveCaptureObservedState as j, getLegacyStateBucketName as k, CDK_PATH_TAG as l, PATTERN_B_NAME_PROPERTIES as lt, CloudControlProvider as m, withStackName as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, normalizeAwsError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, setLogger as ot, ProviderRegistry as p, withSkipPrefix as pt, ResourceTimeoutError as q, DeployEngine as r, withErrorHandling as rt, IAMRoleProvider as s, runStackBuffered as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, isCdkdError as tt, matchesCdkPath as u, PATTERN_B_RESOURCE_TYPES as ut, DagBuilder as v, stringifyValue as w, S3StateBackend as x, TemplateParser as y, AssetError as z };
-//# sourceMappingURL=deploy-engine-Br8DvrvB.js.map
+//# sourceMappingURL=deploy-engine-CAg_d5uX.js.map