@go-to-k/cdkd 0.116.0 → 0.117.0

package/dist/cli.js

@@ -6434,11 +6434,14 @@ var LambdaFunctionProvider = class {
 	* etc.) are filtered at compare time — we still avoid serializing them on
 	* the wire.
 	*
-	* `Code` is intentionally omitted: `GetFunction` returns a pre-signed S3
-	* URL for the deployed code, not the asset hash cdkd state holds, so they
-	* could never match. Lambda code drift is best detected separately (the
-	* function's `CodeSha256` does live in `GetFunction` but is not what
-	* cdkd's `Code: { S3Bucket, S3Key }` state property carries).
+	* `Code.S3Bucket` / `Code.S3Key` / `Code.S3ObjectVersion` / `Code.ZipFile`
+	* are not surfaced: `GetFunction` returns a pre-signed S3 URL for the
+	* deployed code, not the asset hash cdkd state holds, so they could
+	* never match. Those keys are declared via `getDriftUnknownPaths` so
+	* the drift comparator skips them. `Code.ImageUri` IS surfaced for
+	* container Lambdas (`PackageType: 'Image'`) — AWS returns it on the
+	* `GetFunction.Code.ImageUri` field, so a console-side image swap is
+	* detectable as drift.
 	*
 	* `Tags` is surfaced from the `Tags` map on the same `GetFunction`
 	* response. CDK's auto-injected `aws:cdk:*` tags (which AWS happily
@@ -6467,6 +6470,7 @@ var LambdaFunctionProvider = class {
 			result["Layers"] = (cfg.Layers ?? []).map((l) => l.Arn).filter((arn) => !!arn);
 			result["Architectures"] = cfg.Architectures ? [...cfg.Architectures] : [];
 			if (cfg.PackageType !== void 0) result["PackageType"] = cfg.PackageType;
+			if (resp.Code?.ImageUri !== void 0) result["Code"] = { ImageUri: resp.Code.ImageUri };
 			result["TracingConfig"] = { Mode: cfg.TracingConfig?.Mode ?? "PassThrough" };
 			if (cfg.EphemeralStorage?.Size !== void 0) result["EphemeralStorage"] = { Size: cfg.EphemeralStorage.Size };
 			result["VpcConfig"] = {
@@ -6482,15 +6486,30 @@ var LambdaFunctionProvider = class {
 		}
 	}
 	/**
-	* `Code: { S3Bucket, S3Key }` is set on create / update but `GetFunction`
-	* only returns a pre-signed URL for the deployed code, never the original
-	* asset key — so a state-recorded `Code` value can never match an
-	* AWS-current snapshot. Tell the drift comparator to skip the whole
-	* `Code` subtree to avoid the guaranteed false-positive that would fire
-	* on every clean run.
+	* Lambda ZIP-package `Code` sub-paths AWS does not return on read.
+	*
+	* `GetFunction` returns a pre-signed S3 URL for ZIP-deployed code
+	* (`Code.Location`), not the original `S3Bucket` / `S3Key` cdkd state
+	* holds. `ZipFile` is inline source that AWS never echoes back. These
+	* three fields are write-only via the GetFunction API (Category 1).
+	*
+	* `Code.ImageUri` IS recoverable — `GetFunction.Code.ImageUri` returns
+	* the templated image URI for container Lambdas — so it is surfaced by
+	* `readCurrentState` and NOT declared drift-unknown. `Code.SourceKMSKeyArn`
+	* is also write-only on the FunctionCodeLocation read shape.
+	*
+	* Pre-PR this method returned the whole `['Code']` subtree as
+	* drift-unknown, which also hid `Code.ImageUri` drift on container
+	* Lambdas. Narrowing the skip-list re-enables that detection.
 	*/
 	getDriftUnknownPaths() {
-		return ["Code"];
+		return [
+			"Code.S3Bucket",
+			"Code.S3Key",
+			"Code.S3ObjectVersion",
+			"Code.ZipFile",
+			"Code.SourceKMSKeyArn"
+		];
 	}
 	/**
 	* Adopt an existing Lambda function into cdkd state.
@@ -35764,6 +35783,7 @@ function extractLambdaProperties(stack, logicalId, resource, resources) {
 	const props = resource.Properties ?? {};
 	const memoryMb = typeof props["MemorySize"] === "number" ? props["MemorySize"] : 128;
 	const timeoutSec = typeof props["Timeout"] === "number" ? props["Timeout"] : 3;
+	const ephemeralStorageMb = extractEphemeralStorageMb(props, logicalId);
 	const code = props["Code"] ?? {};
 	const imageUri = extractImageUri(code["ImageUri"], logicalId, stack.stackName, resources);
 	if (imageUri !== void 0) return extractImageLambdaProperties({
@@ -35773,7 +35793,8 @@ function extractLambdaProperties(stack, logicalId, resource, resources) {
 		memoryMb,
 		timeoutSec,
 		props,
-		imageUri
+		imageUri,
+		...ephemeralStorageMb !== void 0 && { ephemeralStorageMb }
 	});
 	const runtime = typeof props["Runtime"] === "string" ? props["Runtime"] : "";
 	const handler = typeof props["Handler"] === "string" ? props["Handler"] : "";
@@ -35794,10 +35815,44 @@ function extractLambdaProperties(stack, logicalId, resource, resources) {
 		timeoutSec,
 		codePath,
 		layers,
+		...ephemeralStorageMb !== void 0 && { ephemeralStorageMb },
 		...inlineCode !== void 0 && { inlineCode }
 	};
 }
 /**
+* Parse `Properties.EphemeralStorage.Size` (issue #440). CFn shape:
+* `{ EphemeralStorage: { Size: <MiB> } }`. CDK's
+* `cdk.Size.gibibytes(N)` serializes to `N * 1024`. AWS-side range is
+* 512..10240 MiB (the deployed function rejects anything outside that
+* range at create time); cdkd rejects > 10240 here so a misconfigured
+* template fails fast at `cdkd local invoke` boot rather than hanging
+* on a `docker run` that AWS would have refused anyway. The 512 floor
+* is AWS's minimum (the default when `EphemeralStorage` is omitted is
+* also 512), but we deliberately accept values DOWN to 1 so users can
+* exercise the cap with a deliberately-small `/tmp` in local tests —
+* `--tmpfs /tmp:size=Nm` itself enforces no lower bound; the only
+* cross-check is "would AWS accept this?", which the deploy side
+* already gates upstream.
+*
+* Returns `undefined` when the property is absent, NaN, < 1, or
+* non-numeric. Hard-rejects > 10240. Intrinsic-valued sizes (the
+* `{ Ref: 'SomeParam' }` shape that's uncommon for EphemeralStorage
+* but theoretically valid) drop to `undefined` with a one-line warn
+* via the calling logger — local invoke can't resolve those without
+* the template's Parameters context the deploy engine has, and the
+* fallback (no `--tmpfs`) is safer than guessing.
+*/
+function extractEphemeralStorageMb(props, logicalId) {
+	const raw = props["EphemeralStorage"];
+	if (raw === void 0 || raw === null) return void 0;
+	if (typeof raw !== "object" || Array.isArray(raw)) return void 0;
+	const size = raw["Size"];
+	if (typeof size !== "number") return;
+	if (!Number.isFinite(size) || size < 1) return void 0;
+	if (size > 10240) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has Properties.EphemeralStorage.Size = ${size} MiB, which exceeds the AWS limit of 10240 MiB. AWS would reject the function at deploy time; cap the value to <= 10240 (10 GiB) and retry.`);
+	return Math.floor(size);
+}
+/**
 * Extract the `Code.ImageUri` value across the shapes CDK actually synthesizes.
 *
 * Supported shapes:
@@ -35849,7 +35904,7 @@ function extractImageUri(value, logicalId, stackName, resources) {
 * optional in CFn — the defaults match the AWS-side defaults.
 */
 function extractImageLambdaProperties(args) {
-	const { stack, logicalId, resource, memoryMb, timeoutSec, props, imageUri } = args;
+	const { stack, logicalId, resource, memoryMb, timeoutSec, ephemeralStorageMb, props, imageUri } = args;
 	const rawImageConfig = props["ImageConfig"] ?? {};
 	const imageConfig = {};
 	if (Array.isArray(rawImageConfig["Command"])) imageConfig.command = rawImageConfig["Command"].filter((s) => typeof s === "string");
@@ -35873,7 +35928,8 @@ function extractImageLambdaProperties(args) {
 		imageUri,
 		imageConfig,
 		architecture,
-		layers: []
+		layers: [],
+		...ephemeralStorageMb !== void 0 && { ephemeralStorageMb }
 	};
 }
 /**
@@ -37413,6 +37469,7 @@ async function runDetached(opts) {
 		args.push("-v", `${mount.hostPath}:${mount.containerPath}${ro}`);
 	}
 	for (const [k, v] of Object.entries(opts.env)) args.push("-e", `${k}=${v}`);
+	if (opts.tmpfs) args.push("--tmpfs", `${opts.tmpfs.target}:rw,size=${opts.tmpfs.sizeMb}m`);
 	if (opts.workingDir) args.push("--workdir", opts.workingDir);
 	let entryPointTail = [];
 	if (opts.entryPoint && opts.entryPoint.length > 0) {
@@ -38863,7 +38920,8 @@ function createContainerPool(specs, options) {
 			hostPort,
 			host: spec.containerHost,
 			name,
-			...spec.debugPort !== void 0 && { debugPort: spec.debugPort }
+			...spec.debugPort !== void 0 && { debugPort: spec.debugPort },
+			...spec.tmpfs !== void 0 && { tmpfs: spec.tmpfs }
 		});
 		const stopLogStream = streamingEnabled ? streamLogs(containerId) : () => void 0;
 		try {
@@ -42294,13 +42352,18 @@ async function buildContainerSpec(args) {
 		if (stsRegion) dockerEnv["AWS_REGION"] = stsRegion;
 	} else forwardAwsEnv$1(dockerEnv);
 	if (debugPort !== void 0) dockerEnv["NODE_OPTIONS"] = `--inspect-brk=0.0.0.0:${debugPort}`;
+	const tmpfs = lambda.ephemeralStorageMb !== void 0 ? {
+		target: "/tmp",
+		sizeMb: lambda.ephemeralStorageMb
+	} : void 0;
 	return {
 		lambda,
 		codeDir,
 		env: dockerEnv,
 		containerHost,
 		...optDir !== void 0 && { optDir },
-		...debugPort !== void 0 && { debugPort }
+		...debugPort !== void 0 && { debugPort },
+		...tmpfs !== void 0 && { tmpfs }
 	};
 }
 /**
@@ -42352,6 +42415,7 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
 		let codePath = null;
 		if (!inlineCode) codePath = resolveAssetCodePath(stack, logicalId, resource);
 		const layers = resolveLambdaLayers(stack, logicalId, props);
+		const ephemeralStorageMb = extractEphemeralStorageMb(props, logicalId);
 		return {
 			kind: "zip",
 			stack,
@@ -42363,7 +42427,8 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
 			timeoutSec,
 			codePath,
 			layers,
-			...inlineCode !== void 0 && { inlineCode }
+			...inlineCode !== void 0 && { inlineCode },
+			...ephemeralStorageMb !== void 0 && { ephemeralStorageMb }
 		};
 	}
 	throw new Error(`No AWS::Lambda::Function resource named '${logicalId}' found in target stacks. This is likely a synthesis bug — the route-discovery phase resolved a route to this logical ID.`);
@@ -43921,7 +43986,8 @@ async function localInvokeCommand(target, options) {
 			...debugPort !== void 0 && { debugPort },
 			...imagePlan.platform !== void 0 && { platform: imagePlan.platform },
 			...imagePlan.entryPoint !== void 0 && { entryPoint: imagePlan.entryPoint },
-			...imagePlan.workingDir !== void 0 && { workingDir: imagePlan.workingDir }
+			...imagePlan.workingDir !== void 0 && { workingDir: imagePlan.workingDir },
+			...imagePlan.tmpfs !== void 0 && { tmpfs: imagePlan.tmpfs }
 		});
 		stopLogs = streamLogs(containerId);
 		sigintHandler = () => {
@@ -43968,6 +44034,7 @@ async function resolveZipImagePlan(lambda, options) {
 	await pullImage(image, options.pull === false);
 	const layerPlan = materializeLambdaLayers(lambda.layers);
 	const containerCodePath = resolveRuntimeCodeMountPath(lambda.runtime);
+	const tmpfs = resolveTmpfsForLambda(lambda);
 	return {
 		image,
 		mounts: [{
@@ -43978,7 +44045,36 @@ async function resolveZipImagePlan(lambda, options) {
 		extraMounts: layerPlan.mount ? [layerPlan.mount] : [],
 		cmd: [lambda.handler],
 		...inlineTmpDir !== void 0 && { inlineTmpDir },
-		...layerPlan.tmpDir !== void 0 && { layersTmpDir: layerPlan.tmpDir }
+		...layerPlan.tmpDir !== void 0 && { layersTmpDir: layerPlan.tmpDir },
+		...tmpfs !== void 0 && { tmpfs }
+	};
+}
+/**
+* Build the `--tmpfs /tmp:rw,size=<N>m` plan for a Lambda (issue #440).
+*
+* The shape is identical for ZIP and IMAGE Lambdas — `--tmpfs` overlays
+* mount-time inside any container, regardless of whether the image is a
+* public Lambda base image (ZIP path) or a user-built container Lambda.
+* Returns `undefined` when the template did not declare
+* `EphemeralStorage`, in which case the caller emits no `--tmpfs` flag
+* and the container's `/tmp` is whatever the base image provides
+* (matches pre-#440 behavior). The lambda-resolver's
+* `extractEphemeralStorageMb` already enforces the AWS 10240 MiB
+* ceiling at parse time.
+*
+* Target path is always `/tmp` — AWS Lambda's `/tmp` is the ONLY
+* sized-tmpfs surface the `EphemeralStorage.Size` property controls,
+* and the constant is centralized here so a future fixture / docs
+* update has a single grep target.
+*/
+function resolveTmpfsForLambda(lambda) {
+	if (lambda.ephemeralStorageMb === void 0) return void 0;
+	const logger = getLogger();
+	if (lambda.kind === "image") logger.info(`Lambda ${lambda.logicalId}: capping /tmp at ${lambda.ephemeralStorageMb} MiB via --tmpfs (overlays any base-image /tmp content)`);
+	else logger.debug(`Lambda ${lambda.logicalId}: applying EphemeralStorage cap via --tmpfs /tmp:size=${lambda.ephemeralStorageMb}m`);
+	return {
+		target: "/tmp",
+		sizeMb: lambda.ephemeralStorageMb
 	};
 }
 /**
@@ -44046,6 +44142,7 @@ async function resolveContainerImagePlan(lambda, options) {
 			...options.region !== void 0 && { region: options.region }
 		});
 	}
+	const tmpfs = resolveTmpfsForLambda(lambda);
 	return {
 		image: imageRef,
 		mounts: [],
@@ -44053,7 +44150,8 @@ async function resolveContainerImagePlan(lambda, options) {
 		cmd: lambda.imageConfig.command ?? [],
 		platform,
 		...lambda.imageConfig.entryPoint && lambda.imageConfig.entryPoint.length > 0 && { entryPoint: lambda.imageConfig.entryPoint },
-		...lambda.imageConfig.workingDirectory !== void 0 && { workingDir: lambda.imageConfig.workingDirectory }
+		...lambda.imageConfig.workingDirectory !== void 0 && { workingDir: lambda.imageConfig.workingDirectory },
+		...tmpfs !== void 0 && { tmpfs }
 	};
 }
 /**
@@ -45623,7 +45721,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.116.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.117.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());