@go-to-k/cdkd 0.116.1 → 0.117.1

package/dist/cli.js

@@ -44,10 +44,10 @@ import { CreateWebACLCommand, DeleteWebACLCommand, GetWebACLCommand, ListTagsFor
 import { CognitoIdentityProviderClient, CreateUserPoolCommand, DeleteUserPoolCommand, DescribeUserPoolCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$14, ListUserPoolsCommand, ResourceNotFoundException as ResourceNotFoundException$6, UpdateUserPoolCommand } from "@aws-sdk/client-cognito-identity-provider";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$4, CreateCacheClusterCommand, CreateCacheSubnetGroupCommand, DeleteCacheClusterCommand, DeleteCacheSubnetGroupCommand, DescribeCacheClustersCommand, DescribeCacheSubnetGroupsCommand, ElastiCacheClient, ListTagsForResourceCommand as ListTagsForResourceCommand$15, ModifyCacheClusterCommand, ModifyCacheSubnetGroupCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$4 } from "@aws-sdk/client-elasticache";
 import { CreatePrivateDnsNamespaceCommand, CreateServiceCommand as CreateServiceCommand$1, DeleteNamespaceCommand, DeleteServiceCommand as DeleteServiceCommand$1, GetNamespaceCommand, GetOperationCommand, GetServiceCommand, ListNamespacesCommand, ListServicesCommand as ListServicesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$16, NamespaceNotFound, ServiceDiscoveryClient, ServiceNotFound, UpdatePrivateDnsNamespaceCommand, UpdateServiceCommand as UpdateServiceCommand$1 } from "@aws-sdk/client-servicediscovery";
-import { AppSyncClient, CreateApiKeyCommand, CreateDataSourceCommand, CreateGraphqlApiCommand, CreateResolverCommand, DeleteApiKeyCommand, DeleteDataSourceCommand, DeleteGraphqlApiCommand, DeleteResolverCommand, GetDataSourceCommand, GetGraphqlApiCommand, GetIntrospectionSchemaCommand, GetResolverCommand, ListApiKeysCommand, ListGraphqlApisCommand, NotFoundException as NotFoundException$4, StartSchemaCreationCommand } from "@aws-sdk/client-appsync";
+import { AppSyncClient, CreateApiKeyCommand, CreateDataSourceCommand, CreateGraphqlApiCommand, CreateResolverCommand, DeleteApiKeyCommand, DeleteDataSourceCommand, DeleteGraphqlApiCommand, DeleteResolverCommand, GetDataSourceCommand, GetGraphqlApiCommand, GetIntrospectionSchemaCommand, GetResolverCommand, ListApiKeysCommand, ListGraphqlApisCommand, NotFoundException as NotFoundException$4, StartSchemaCreationCommand, TagResourceCommand as TagResourceCommand$13, UntagResourceCommand as UntagResourceCommand$12, UpdateApiKeyCommand, UpdateDataSourceCommand, UpdateGraphqlApiCommand, UpdateResolverCommand } from "@aws-sdk/client-appsync";
 import { parse, print } from "graphql";
 import { CreateConnectionCommand, CreateCrawlerCommand, CreateDatabaseCommand, CreateJobCommand, CreateSecurityConfigurationCommand, CreateTableCommand as CreateTableCommand$1, CreateTriggerCommand, CreateWorkflowCommand, DeleteConnectionCommand, DeleteCrawlerCommand, DeleteDatabaseCommand, DeleteJobCommand, DeleteSecurityConfigurationCommand, DeleteTableCommand as DeleteTableCommand$1, DeleteTriggerCommand, DeleteWorkflowCommand, EntityNotFoundException, GetConnectionCommand, GetCrawlerCommand, GetDatabaseCommand, GetDatabasesCommand, GetJobCommand, GetSecurityConfigurationCommand, GetSecurityConfigurationsCommand, GetTableCommand, GetTablesCommand, GetTagsCommand, GetTriggerCommand, GetWorkflowCommand, GlueClient, ListWorkflowsCommand, StartCrawlerScheduleCommand, StartTriggerCommand, StopCrawlerScheduleCommand, StopTriggerCommand, UpdateConnectionCommand, UpdateCrawlerCommand, UpdateDatabaseCommand, UpdateJobCommand, UpdateTableCommand as UpdateTableCommand$1, UpdateTriggerCommand, UpdateWorkflowCommand } from "@aws-sdk/client-glue";
-import { AddTagsToStreamCommand, CreateStreamCommand, DecreaseStreamRetentionPeriodCommand, DeleteStreamCommand, DeregisterStreamConsumerCommand, DescribeStreamCommand, DescribeStreamConsumerCommand, IncreaseStreamRetentionPeriodCommand, KinesisClient, ListStreamsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$17, ListTagsForStreamCommand, RegisterStreamConsumerCommand, RemoveTagsFromStreamCommand, ResourceNotFoundException as ResourceNotFoundException$7, StartStreamEncryptionCommand, StopStreamEncryptionCommand, TagResourceCommand as TagResourceCommand$13, UntagResourceCommand as UntagResourceCommand$12, UpdateShardCountCommand } from "@aws-sdk/client-kinesis";
+import { AddTagsToStreamCommand, CreateStreamCommand, DecreaseStreamRetentionPeriodCommand, DeleteStreamCommand, DeregisterStreamConsumerCommand, DescribeStreamCommand, DescribeStreamConsumerCommand, IncreaseStreamRetentionPeriodCommand, KinesisClient, ListStreamsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$17, ListTagsForStreamCommand, RegisterStreamConsumerCommand, RemoveTagsFromStreamCommand, ResourceNotFoundException as ResourceNotFoundException$7, StartStreamEncryptionCommand, StopStreamEncryptionCommand, TagResourceCommand as TagResourceCommand$14, UntagResourceCommand as UntagResourceCommand$13, UpdateShardCountCommand } from "@aws-sdk/client-kinesis";
 import { AccessPointNotFound, CreateAccessPointCommand, CreateFileSystemCommand, CreateMountTargetCommand, DeleteAccessPointCommand, DeleteFileSystemCommand, DeleteMountTargetCommand, DescribeAccessPointsCommand, DescribeBackupPolicyCommand, DescribeFileSystemsCommand, DescribeLifecycleConfigurationCommand, DescribeMountTargetSecurityGroupsCommand, DescribeMountTargetsCommand, EFSClient, FileSystemNotFound, ModifyMountTargetSecurityGroupsCommand, MountTargetNotFound, UpdateFileSystemCommand } from "@aws-sdk/client-efs";
 import { CreateDeliveryStreamCommand, DeleteDeliveryStreamCommand, DescribeDeliveryStreamCommand, FirehoseClient, ListDeliveryStreamsCommand, ListTagsForDeliveryStreamCommand, ResourceNotFoundException as ResourceNotFoundException$8 } from "@aws-sdk/client-firehose";
 import { AddTagsCommand as AddTagsCommand$1, CloudTrailClient, CreateTrailCommand, DeleteTrailCommand, GetEventSelectorsCommand, GetInsightSelectorsCommand, GetTrailCommand, GetTrailStatusCommand, ListTagsCommand as ListTagsCommand$1, ListTrailsCommand, PutEventSelectorsCommand, PutInsightSelectorsCommand, RemoveTagsCommand as RemoveTagsCommand$1, StartLoggingCommand, StopLoggingCommand, TrailNotFoundException, UpdateTrailCommand } from "@aws-sdk/client-cloudtrail";
@@ -7375,7 +7375,7 @@ var LambdaLayerVersionProvider = class {
 	*     template should re-deploy with `--replace`.
 	*/
 	async update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
-		return Promise.reject(new ResourceUpdateNotSupportedError(resourceType, logicalId, "Lambda layer versions are immutable on AWS; re-deploy with cdkd deploy --replace, or change the resource definition to publish a new version"));
+		return Promise.reject(new ResourceUpdateNotSupportedError(resourceType, logicalId, "AWS Lambda LayerVersion is immutable on AWS — there is no UpdateLayerVersion API; every change requires PublishLayerVersion (a new version with a new LayerVersionArn). Re-deploy with cdkd deploy --replace, or change the resource definition to publish a new version."));
 	}
 	/**
 	* Delete a Lambda layer version
@@ -11212,7 +11212,7 @@ var EC2Provider = class {
 			case "AWS::EC2::Instance": return this.updateInstance(logicalId, physicalId, resourceType, properties, previousProperties);
 			case "AWS::EC2::NetworkAcl":
 			case "AWS::EC2::NetworkAclEntry":
-			case "AWS::EC2::SubnetNetworkAclAssociation": throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "destroy + redeploy. The property surface for this resource type is effectively immutable in cdkd today.");
+			case "AWS::EC2::SubnetNetworkAclAssociation": throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "AWS provides no in-place Update API for this EC2 sub-resource type; every property change requires Delete + Create. Re-deploy with cdkd deploy --replace, or destroy + redeploy.");
 			default: throw new ProvisioningError(`Unsupported resource type: ${resourceType}`, resourceType, logicalId, physicalId);
 		}
 	}
@@ -13727,7 +13727,7 @@ var ApiGatewayProvider = class ApiGatewayProvider {
 	* `ResourceUpdateNotSupportedError` instead of silently no-op'ing.
 	*/
 	updateDeployment(logicalId, _physicalId, _resourceType) {
-		return Promise.reject(new ResourceUpdateNotSupportedError("AWS::ApiGateway::Deployment", logicalId, "API Gateway Deployment is immutable; re-deploy with cdkd deploy --replace, or change the resource definition to create a new Deployment"));
+		return Promise.reject(new ResourceUpdateNotSupportedError("AWS::ApiGateway::Deployment", logicalId, "API Gateway Deployment is immutable on AWS — there is no UpdateDeployment API for the deployment itself (UpdateStage is for the stage that points at the deployment); every change requires CreateDeployment to produce a new immutable deployment. Re-deploy with cdkd deploy --replace, or change the resource definition to create a new Deployment."));
 	}
 	/**
 	* Delete an API Gateway Deployment
@@ -14520,7 +14520,7 @@ var ApiGatewayV2Provider = class {
 			case "AWS::ApiGatewayV2::Integration": return this.updateIntegration(logicalId, physicalId, resourceType, properties, previousProperties);
 			case "AWS::ApiGatewayV2::Route": return this.updateRoute(logicalId, physicalId, resourceType, properties, previousProperties);
 			case "AWS::ApiGatewayV2::Authorizer": return this.updateAuthorizer(logicalId, physicalId, resourceType, properties, previousProperties);
-			default: throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "unsupported API Gateway V2 resource type for in-place update; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack");
+			default: throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "Unsupported API Gateway V2 resource type for in-place update in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack.");
 		}
 	}
 	async delete(logicalId, physicalId, resourceType, properties, context) {
@@ -16617,7 +16617,7 @@ var ECSProvider = class {
 		}
 	}
 	async updateTaskDefinition(logicalId, _physicalId, _resourceType, _properties) {
-		return Promise.reject(new ResourceUpdateNotSupportedError("AWS::ECS::TaskDefinition", logicalId, "TaskDefinition revisions are immutable; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"));
+		return Promise.reject(new ResourceUpdateNotSupportedError("AWS::ECS::TaskDefinition", logicalId, "ECS TaskDefinition revisions are immutable on AWS — there is no UpdateTaskDefinition API; every change registers a new revision via RegisterTaskDefinition. Re-deploy with cdkd deploy --replace, or destroy + redeploy the stack."));
 	}
 	async deleteTaskDefinition(logicalId, physicalId, resourceType, context) {
 		this.logger.debug(`Deleting ECS task definition ${logicalId}: ${physicalId}`);
@@ -17398,7 +17398,7 @@ var ELBv2Provider = class {
 			for (const [k, v] of Object.entries(p)) if (!handledKeys.has(k)) out[k] = v;
 			return out;
 		};
-		if (JSON.stringify(stripHandled(properties)) !== JSON.stringify(stripHandled(previousProperties))) throw new ResourceUpdateNotSupportedError("AWS::ElasticLoadBalancingV2::LoadBalancer", logicalId, "ELBv2 LoadBalancer in-place updates are supported for LoadBalancerAttributes / Subnets / SubnetMappings / SecurityGroups / IpAddressType / Tags only; for Name / Type / Scheme, re-deploy with cdkd deploy --replace, or destroy + redeploy the stack");
+		if (JSON.stringify(stripHandled(properties)) !== JSON.stringify(stripHandled(previousProperties))) throw new ResourceUpdateNotSupportedError("AWS::ElasticLoadBalancingV2::LoadBalancer", logicalId, "ELBv2 LoadBalancer Name / Type / Scheme are immutable on AWS — none of the ELBv2 Modify* / Set* APIs accept these fields; they are fixed at creation. cdkd handles LoadBalancerAttributes / Subnets / SubnetMappings / SecurityGroups / IpAddressType / Tags in-place; for Name / Type / Scheme re-deploy with cdkd deploy --replace, or destroy + redeploy the stack.");
 		const newAttrs = properties["LoadBalancerAttributes"] ?? [];
 		const oldAttrs = previousProperties["LoadBalancerAttributes"] ?? [];
 		const newAttrMap = new Map(newAttrs.map((a) => [a.Key, a.Value]));
@@ -23242,6 +23242,20 @@ var AppSyncProvider = class {
 	client;
 	providerRegion = process.env["AWS_REGION"];
 	logger = getLogger().child("AppSyncProvider");
+	/**
+	* Cache of `apiId -> GraphqlApi ARN` for the lifetime of this provider
+	* instance. Populated lazily by `applyTagDiff` and reused on subsequent
+	* tag-diff updates against the same API so we don't pay an extra
+	* `GetGraphqlApi` round-trip per call. Mirrors the existing
+	* `attributeCache` pattern used elsewhere in this provider family.
+	*
+	* Invalidation: the ARN of a GraphqlApi is stable for the life of the
+	* API (it embeds the apiId), so the cache never needs to be invalidated
+	* within a process — the only way the ARN changes is if the API itself
+	* is replaced, in which case a new `physicalId` flows through `update()`
+	* and the old entry simply becomes unreachable.
+	*/
+	arnCache = /* @__PURE__ */ new Map();
 	handledProperties = new Map([
 		["AWS::AppSync::GraphQLApi", new Set([
 			"Name",
@@ -23298,15 +23312,307 @@ var AppSyncProvider = class {
 		}
 	}
 	/**
-	* AppSync resources are treated as immutable by cdkd: every supported
-	* type (`GraphQLApi`, `GraphQLSchema`, `DataSource`, `Resolver`,
-	* `ApiKey`) is recreated on property changes via the deploy engine's
-	* immutable-property replacement path. There is no in-place update,
-	* so `cdkd drift --revert` surfaces a clear "use --replace or
-	* re-deploy" message instead of silently no-op'ing the revert.
+	* Update an AppSync resource in-place via the SDK's `Update*` calls.
+	*
+	* Per-type API path:
+	*   - `GraphQLApi`   → `UpdateGraphqlApiCommand` (`AuthenticationType` /
+	*     `XrayEnabled` / `LogConfig`) + `TagResource` / `UntagResource`
+	*     for `Tags` diff. `Name` is immutable on AWS.
+	*   - `DataSource`   → `UpdateDataSourceCommand` (`Description` /
+	*     `ServiceRoleArn` / `DynamoDBConfig` / `LambdaConfig` / `HttpConfig`).
+	*     `ApiId` / `Name` / `Type` are immutable identity fields.
+	*   - `Resolver`     → `UpdateResolverCommand` (`DataSourceName` /
+	*     `RequestMappingTemplate` / `ResponseMappingTemplate` / `Kind` /
+	*     `PipelineConfig` / `Runtime` / `Code`). `ApiId` / `TypeName` /
+	*     `FieldName` are immutable identity fields.
+	*   - `ApiKey`       → `UpdateApiKeyCommand` (`Description` / `Expires`).
+	*     `ApiId` is immutable; the AWS-generated key id is immutable.
+	*   - `GraphQLSchema` → `StartSchemaCreationCommand` (re-upload the
+	*     SDL; this is the canonical AppSync schema-update path).
+	*
+	* Every Update* call uses `!== undefined` field gates per
+	* memory rule `feedback_update_optional_field_undefined_check.md` so
+	* `cdkd drift --revert` can clear a console-side ADD via an empty
+	* string / 0 / false. Identity / immutable field changes throw
+	* `ResourceUpdateNotSupportedError` as defense-in-depth — the deploy
+	* engine's replacement-detection layer should normally route those
+	* through CREATE+DELETE.
 	*/
-	update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
-		return Promise.reject(new ResourceUpdateNotSupportedError(resourceType, logicalId, "AppSync resources are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"));
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		switch (resourceType) {
+			case "AWS::AppSync::GraphQLApi": return this.updateGraphQLApi(logicalId, physicalId, resourceType, properties, previousProperties);
+			case "AWS::AppSync::GraphQLSchema": return this.updateGraphQLSchema(logicalId, physicalId, resourceType, properties, previousProperties);
+			case "AWS::AppSync::DataSource": return this.updateDataSource(logicalId, physicalId, resourceType, properties, previousProperties);
+			case "AWS::AppSync::Resolver": return this.updateResolver(logicalId, physicalId, resourceType, properties, previousProperties);
+			case "AWS::AppSync::ApiKey": return this.updateApiKey(logicalId, physicalId, resourceType, properties, previousProperties);
+			default: throw new ProvisioningError(`Unsupported resource type: ${resourceType}`, resourceType, logicalId, physicalId);
+		}
+	}
+	/**
+	* Structural equality for the small object / array shapes that ride on
+	* AppSync update inputs. `JSON.stringify` is sufficient because none of
+	* these shapes contain `undefined` keys at this layer (the create /
+	* readCurrentState paths filter them out).
+	*/
+	deepEqual(a, b) {
+		return JSON.stringify(a) === JSON.stringify(b);
+	}
+	async updateGraphQLApi(logicalId, physicalId, resourceType, properties, previousProperties) {
+		if (properties["Name"] !== void 0 && previousProperties["Name"] !== void 0 && properties["Name"] !== previousProperties["Name"]) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "AWS AppSync GraphqlApi.Name is immutable — destroy + redeploy to rename");
+		const newAuthType = properties["AuthenticationType"];
+		const oldAuthType = previousProperties["AuthenticationType"];
+		const newXray = properties["XrayEnabled"];
+		const oldXray = previousProperties["XrayEnabled"];
+		const newLog = properties["LogConfig"];
+		const oldLog = previousProperties["LogConfig"];
+		const hasXrayDiff = ("XrayEnabled" in properties || "XrayEnabled" in previousProperties) && newXray !== oldXray;
+		const hasAuthDiff = ("AuthenticationType" in properties || "AuthenticationType" in previousProperties) && newAuthType !== oldAuthType;
+		const hasLogDiff = ("LogConfig" in properties || "LogConfig" in previousProperties) && !this.deepEqual(newLog, oldLog);
+		if (hasAuthDiff || hasXrayDiff || hasLogDiff) {
+			const input = {
+				apiId: physicalId,
+				name: properties["Name"] ?? previousProperties["Name"],
+				authenticationType: newAuthType ?? oldAuthType ?? "API_KEY"
+			};
+			if (newXray !== void 0) input.xrayEnabled = newXray;
+			if (newLog !== void 0) input.logConfig = {
+				cloudWatchLogsRoleArn: newLog["CloudWatchLogsRoleArn"],
+				fieldLogLevel: newLog["FieldLogLevel"],
+				excludeVerboseContent: newLog["ExcludeVerboseContent"]
+			};
+			else if (oldLog !== void 0) {
+				const existingRoleArn = oldLog["CloudWatchLogsRoleArn"];
+				if (existingRoleArn) input.logConfig = {
+					cloudWatchLogsRoleArn: existingRoleArn,
+					fieldLogLevel: "NONE"
+				};
+				else this.logger.warn(`AppSync GraphqlApi ${logicalId}: cannot clear LogConfig — previous state has no CloudWatchLogsRoleArn to reuse for the disable call`);
+			}
+			try {
+				await this.getClient().send(new UpdateGraphqlApiCommand(input));
+			} catch (error) {
+				throw this.wrapUpdateError(error, resourceType, logicalId, physicalId, "GraphqlApi");
+			}
+		}
+		await this.applyTagDiff(physicalId, resourceType, logicalId, previousProperties["Tags"], properties["Tags"]);
+		return {
+			physicalId,
+			wasReplaced: false,
+			attributes: {}
+		};
+	}
+	async updateGraphQLSchema(logicalId, physicalId, resourceType, properties, previousProperties) {
+		const newDef = properties["Definition"];
+		const oldDef = previousProperties["Definition"];
+		if (newDef === void 0 || newDef === oldDef) return {
+			physicalId,
+			wasReplaced: false,
+			attributes: {}
+		};
+		const apiId = properties["ApiId"] ?? physicalId;
+		try {
+			await this.getClient().send(new StartSchemaCreationCommand({
+				apiId,
+				definition: Buffer.from(newDef, "utf-8")
+			}));
+		} catch (error) {
+			throw this.wrapUpdateError(error, resourceType, logicalId, physicalId, "GraphqlSchema");
+		}
+		return {
+			physicalId,
+			wasReplaced: false,
+			attributes: {}
+		};
+	}
+	async updateDataSource(logicalId, physicalId, resourceType, properties, previousProperties) {
+		for (const field of [
+			"ApiId",
+			"Name",
+			"Type"
+		]) {
+			const next = properties[field];
+			const prev = previousProperties[field];
+			if (next !== void 0 && prev !== void 0 && next !== prev) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `AWS AppSync DataSource.${field} is immutable — destroy + redeploy to change`);
+		}
+		const [apiId, name] = physicalId.split("|");
+		if (!apiId || !name) throw new ProvisioningError(`Invalid DataSource physical ID format: ${physicalId}`, resourceType, logicalId, physicalId);
+		const type = properties["Type"] ?? previousProperties["Type"];
+		const newDesc = properties["Description"];
+		const oldDesc = previousProperties["Description"];
+		const newRole = properties["ServiceRoleArn"];
+		const oldRole = previousProperties["ServiceRoleArn"];
+		const newDDB = properties["DynamoDBConfig"];
+		const oldDDB = previousProperties["DynamoDBConfig"];
+		const newLambda = properties["LambdaConfig"];
+		const oldLambda = previousProperties["LambdaConfig"];
+		const newHttp = properties["HttpConfig"];
+		const oldHttp = previousProperties["HttpConfig"];
+		if (!(newDesc !== oldDesc || newRole !== oldRole || !this.deepEqual(newDDB, oldDDB) || !this.deepEqual(newLambda, oldLambda) || !this.deepEqual(newHttp, oldHttp))) return {
+			physicalId,
+			wasReplaced: false,
+			attributes: {}
+		};
+		const input = {
+			apiId,
+			name,
+			type
+		};
+		if (newDesc !== void 0) input.description = newDesc;
+		if (newRole !== void 0) input.serviceRoleArn = newRole;
+		if (newDDB !== void 0) input.dynamodbConfig = {
+			tableName: newDDB["TableName"],
+			awsRegion: newDDB["AwsRegion"],
+			useCallerCredentials: newDDB["UseCallerCredentials"]
+		};
+		if (newLambda !== void 0) input.lambdaConfig = { lambdaFunctionArn: newLambda["LambdaFunctionArn"] };
+		if (newHttp !== void 0) input.httpConfig = { endpoint: newHttp["Endpoint"] };
+		try {
+			await this.getClient().send(new UpdateDataSourceCommand(input));
+		} catch (error) {
+			throw this.wrapUpdateError(error, resourceType, logicalId, physicalId, "DataSource");
+		}
+		return {
+			physicalId,
+			wasReplaced: false,
+			attributes: {}
+		};
+	}
+	async updateResolver(logicalId, physicalId, resourceType, properties, previousProperties) {
+		for (const field of [
+			"ApiId",
+			"TypeName",
+			"FieldName"
+		]) {
+			const next = properties[field];
+			const prev = previousProperties[field];
+			if (next !== void 0 && prev !== void 0 && next !== prev) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `AWS AppSync Resolver.${field} is immutable — destroy + redeploy to change`);
+		}
+		const parts = physicalId.split("|");
+		if (parts.length < 3) throw new ProvisioningError(`Invalid Resolver physical ID format: ${physicalId}`, resourceType, logicalId, physicalId);
+		const [apiId, typeName, fieldName] = parts;
+		if (![
+			"DataSourceName",
+			"RequestMappingTemplate",
+			"ResponseMappingTemplate",
+			"Kind",
+			"PipelineConfig",
+			"Runtime",
+			"Code"
+		].some((key) => !this.deepEqual(properties[key], previousProperties[key]))) return {
+			physicalId,
+			wasReplaced: false,
+			attributes: {}
+		};
+		const input = {
+			apiId,
+			typeName,
+			fieldName
+		};
+		const effectiveKind = properties["Kind"] ?? previousProperties["Kind"] ?? "UNIT";
+		if (effectiveKind === "UNIT" && properties["DataSourceName"] !== void 0) input.dataSourceName = properties["DataSourceName"];
+		if (properties["RequestMappingTemplate"] !== void 0) input.requestMappingTemplate = properties["RequestMappingTemplate"];
+		if (properties["ResponseMappingTemplate"] !== void 0) input.responseMappingTemplate = properties["ResponseMappingTemplate"];
+		if (properties["Kind"] !== void 0) input.kind = properties["Kind"];
+		if (effectiveKind === "PIPELINE" && properties["PipelineConfig"] !== void 0) input.pipelineConfig = { functions: properties["PipelineConfig"]["Functions"] };
+		if (properties["Runtime"] !== void 0) {
+			const runtime = properties["Runtime"];
+			input.runtime = {
+				name: runtime["Name"],
+				runtimeVersion: runtime["RuntimeVersion"]
+			};
+		}
+		if (properties["Code"] !== void 0) input.code = properties["Code"];
+		try {
+			await this.getClient().send(new UpdateResolverCommand(input));
+		} catch (error) {
+			throw this.wrapUpdateError(error, resourceType, logicalId, physicalId, "Resolver");
+		}
+		return {
+			physicalId,
+			wasReplaced: false,
+			attributes: {}
+		};
+	}
+	async updateApiKey(logicalId, physicalId, resourceType, properties, previousProperties) {
+		if (properties["ApiId"] !== void 0 && previousProperties["ApiId"] !== void 0 && properties["ApiId"] !== previousProperties["ApiId"]) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "AWS AppSync ApiKey.ApiId is immutable — destroy + redeploy to change");
+		const [apiId, apiKeyId] = physicalId.split("|");
+		if (!apiId || !apiKeyId) throw new ProvisioningError(`Invalid ApiKey physical ID format: ${physicalId}`, resourceType, logicalId, physicalId);
+		const newDesc = properties["Description"];
+		const oldDesc = previousProperties["Description"];
+		const newExp = properties["Expires"];
+		const oldExp = previousProperties["Expires"];
+		if (newDesc === oldDesc && newExp === oldExp) return {
+			physicalId,
+			wasReplaced: false,
+			attributes: {}
+		};
+		const input = {
+			apiId,
+			id: apiKeyId
+		};
+		if (newDesc !== void 0) input.description = newDesc;
+		if (newExp !== void 0) input.expires = newExp;
+		try {
+			await this.getClient().send(new UpdateApiKeyCommand(input));
+		} catch (error) {
+			throw this.wrapUpdateError(error, resourceType, logicalId, physicalId, "ApiKey");
+		}
+		return {
+			physicalId,
+			wasReplaced: false,
+			attributes: {}
+		};
+	}
+	/**
+	* Apply a Tags diff to a GraphqlApi via TagResource / UntagResource.
+	*
+	* Tags are keyed by the GraphqlApi ARN — recover it from
+	* `GetGraphqlApi`. Failure to recover the ARN is a hard error (the API
+	* itself just changed) rather than a silent drop, so the user knows
+	* the tag diff was not applied.
+	*/
+	async applyTagDiff(apiId, resourceType, logicalId, oldTags, newTags) {
+		const oldMap = this.tagsToMap(oldTags ?? []);
+		const newMap = this.tagsToMap(newTags ?? []);
+		if (this.deepEqual(oldMap, newMap)) return;
+		let arn = this.arnCache.get(apiId);
+		if (!arn) {
+			try {
+				arn = (await this.getClient().send(new GetGraphqlApiCommand({ apiId }))).graphqlApi?.arn;
+			} catch (error) {
+				throw this.wrapUpdateError(error, resourceType, logicalId, apiId, "GraphqlApi");
+			}
+			if (!arn) throw new ProvisioningError(`Could not resolve ARN for AppSync GraphqlApi ${apiId} to apply tags diff`, resourceType, logicalId, apiId);
+			this.arnCache.set(apiId, arn);
+		}
+		const tagKeysToRemove = Object.keys(oldMap).filter((k) => !(k in newMap));
+		const tagsToAdd = {};
+		for (const [k, v] of Object.entries(newMap)) if (oldMap[k] !== v) tagsToAdd[k] = v;
+		if (tagKeysToRemove.length > 0) try {
+			await this.getClient().send(new UntagResourceCommand$12({
+				resourceArn: arn,
+				tagKeys: tagKeysToRemove
+			}));
+		} catch (error) {
+			throw this.wrapUpdateError(error, resourceType, logicalId, apiId, "GraphqlApi (untag)");
+		}
+		if (Object.keys(tagsToAdd).length > 0) try {
+			await this.getClient().send(new TagResourceCommand$13({
+				resourceArn: arn,
+				tags: tagsToAdd
+			}));
+		} catch (error) {
+			throw this.wrapUpdateError(error, resourceType, logicalId, apiId, "GraphqlApi (tag)");
+		}
+	}
+	tagsToMap(tags) {
+		const out = {};
+		for (const t of tags) if (t.Key !== void 0 && t.Value !== void 0) out[t.Key] = t.Value;
+		return out;
+	}
+	wrapUpdateError(error, resourceType, logicalId, physicalId, subType) {
+		const cause = error instanceof Error ? error : void 0;
+		return new ProvisioningError(`Failed to update AppSync ${subType} ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
 	}
 	async delete(logicalId, physicalId, resourceType, _properties, context) {
 		switch (resourceType) {
@@ -24528,7 +24834,7 @@ var GlueSecurityConfigurationProvider = class {
 		}
 	}
 	async update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
-		throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "AWS::Glue::SecurityConfiguration is immutable; AWS provides no Update API. Use cdkd deploy --replace, or destroy + redeploy with the new EncryptionConfiguration.");
+		throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "AWS Glue SecurityConfiguration is immutable on AWS — there is no UpdateSecurityConfiguration API; every change requires DeleteSecurityConfiguration + CreateSecurityConfiguration. Use cdkd deploy --replace, or destroy + redeploy with the new EncryptionConfiguration.");
 	}
 	async delete(logicalId, physicalId, resourceType, _properties, context) {
 		this.logger.debug(`Deleting Glue SecurityConfiguration ${logicalId}: ${physicalId}`);
@@ -26393,7 +26699,7 @@ var KinesisStreamConsumerProvider = class {
 		const oldConsumerName = previousProperties["ConsumerName"];
 		const newStreamArn = properties["StreamARN"];
 		const oldStreamArn = previousProperties["StreamARN"];
-		if (newConsumerName !== oldConsumerName || newStreamArn !== oldStreamArn) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "AWS::Kinesis::StreamConsumer ConsumerName / StreamARN are immutable; re-deploy with cdkd deploy --replace, or destroy + redeploy");
+		if (newConsumerName !== oldConsumerName || newStreamArn !== oldStreamArn) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "AWS::Kinesis::StreamConsumer ConsumerName / StreamARN are immutable on AWS — there is no UpdateStreamConsumer API; every change registers a new consumer (RegisterStreamConsumer). Re-deploy with cdkd deploy --replace, or destroy + redeploy.");
 		await this.applyTagDiff(physicalId, previousProperties["Tags"], properties["Tags"]);
 		let attrs = {};
 		try {
@@ -26508,14 +26814,14 @@ var KinesisStreamConsumerProvider = class {
 		const tagsToRemove = [];
 		for (const k of Object.keys(oldMap)) if (!(k in newMap)) tagsToRemove.push(k);
 		if (tagsToRemove.length > 0) {
-			await this.getClient().send(new UntagResourceCommand$12({
+			await this.getClient().send(new UntagResourceCommand$13({
 				ResourceARN: consumerArn,
 				TagKeys: tagsToRemove
 			}));
 			this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from Kinesis stream consumer ${consumerArn}`);
 		}
 		if (Object.keys(tagsToAdd).length > 0) {
-			await this.getClient().send(new TagResourceCommand$13({
+			await this.getClient().send(new TagResourceCommand$14({
 				ResourceARN: consumerArn,
 				Tags: tagsToAdd
 			}));
@@ -26623,7 +26929,7 @@ var EFSProvider = class {
 		switch (resourceType) {
 			case "AWS::EFS::FileSystem": return this.updateFileSystem(logicalId, physicalId, resourceType, properties, previousProperties);
 			case "AWS::EFS::MountTarget": return this.updateMountTarget(logicalId, physicalId, resourceType, properties);
-			case "AWS::EFS::AccessPoint": return Promise.reject(new ResourceUpdateNotSupportedError(resourceType, logicalId, "EFS AccessPoint is recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"));
+			case "AWS::EFS::AccessPoint": return Promise.reject(new ResourceUpdateNotSupportedError(resourceType, logicalId, "AWS EFS AccessPoint has no in-place update API — there is no UpdateAccessPoint command; every property change requires DeleteAccessPoint + CreateAccessPoint. Re-deploy with cdkd deploy --replace, or destroy + redeploy the stack."));
 			default: throw new ProvisioningError(`Unsupported resource type: ${resourceType}`, resourceType, logicalId, physicalId);
 		}
 	}
@@ -26635,7 +26941,7 @@ var EFSProvider = class {
 		]) {
 			const next = properties[key];
 			const prev = previousProperties[key];
-			if (next !== void 0 && prev !== void 0 && JSON.stringify(next) !== JSON.stringify(prev)) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `EFS FileSystem ${key} is immutable; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack`);
+			if (next !== void 0 && prev !== void 0 && JSON.stringify(next) !== JSON.stringify(prev)) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `AWS EFS FileSystem ${key} is immutable on AWS — UpdateFileSystem does not accept ${key}; the property is fixed at creation. Re-deploy with cdkd deploy --replace, or destroy + redeploy the stack.`);
 		}
 		const newThroughputMode = properties["ThroughputMode"];
 		const newProvisioned = properties["ProvisionedThroughputInMibps"];
@@ -27276,15 +27582,19 @@ var FirehoseProvider = class {
 		}
 	}
 	/**
-	* Firehose delivery streams are treated as immutable by cdkd. Most
-	* destination-config changes require replacement, and AWS's
-	* `UpdateDestination` API surface is deep enough that the deploy engine's
-	* immutable-property replacement path covers the common cases more
-	* reliably. `cdkd drift --revert` therefore surfaces a clear "use
-	* --replace or re-deploy" message instead of silently no-op'ing.
+	* Firehose delivery streams are treated as immutable by cdkd. AWS DOES
+	* provide an `UpdateDestination` API, but the per-destination shape
+	* matrix (Extended S3 / Redshift / OpenSearch / Splunk / HttpEndpoint /
+	* Iceberg / etc.) is deep enough that the deploy engine's immutable-
+	* property replacement path covers the common cases more reliably.
+	* Treating the type as fully immutable for `cdkd drift --revert` is
+	* the conservative choice; users who want in-place destination updates
+	* should re-deploy with `cdkd deploy --replace` so the new shape is
+	* applied via a fresh `CreateDeliveryStream`. Tracked as a follow-up
+	* to issue (#443).
 	*/
 	update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
-		return Promise.reject(new ResourceUpdateNotSupportedError(resourceType, logicalId, "Firehose delivery streams are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"));
+		return Promise.reject(new ResourceUpdateNotSupportedError(resourceType, logicalId, "AWS::KinesisFirehose::DeliveryStream in-place update is not implemented in cdkd; AWS provides UpdateDestination but the per-destination shape matrix is large. Re-deploy with cdkd deploy --replace, or destroy + redeploy the stack."));
 	}
 	/**
 	* Delete a Firehose delivery stream
@@ -29787,10 +30097,10 @@ var ASGProvider = class {
 		if (resourceType !== "AWS::AutoScaling::AutoScalingGroup") throw new ProvisioningError(`Unsupported resource type: ${resourceType}`, resourceType, logicalId, physicalId);
 		this.logger.debug(`Updating AutoScalingGroup ${logicalId}: ${physicalId}`);
 		const stringEq = (a, b) => JSON.stringify(a) === JSON.stringify(b);
-		if (!stringEq(properties["AutoScalingGroupName"], previousProperties["AutoScalingGroupName"])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "AutoScalingGroupName is immutable; use cdkd deploy --replace to replace the group");
-		if (!stringEq(properties["Tags"] ?? [], previousProperties["Tags"] ?? [])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "Tags updates on AWS::AutoScaling::AutoScalingGroup are not yet supported by cdkd; use cdkd deploy --replace, or update the tags via AWS console / CLI");
-		if (!stringEq(properties["LoadBalancerNames"] ?? [], previousProperties["LoadBalancerNames"] ?? [])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "LoadBalancerNames diffs require Attach/Detach calls; use cdkd deploy --replace");
-		if (!stringEq(properties["TargetGroupARNs"] ?? [], previousProperties["TargetGroupARNs"] ?? [])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "TargetGroupARNs diffs require Attach/Detach calls; use cdkd deploy --replace");
+		if (!stringEq(properties["AutoScalingGroupName"], previousProperties["AutoScalingGroupName"])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "AutoScalingGroupName is immutable on AWS — UpdateAutoScalingGroup does not accept a new name; the name is fixed at creation. Use cdkd deploy --replace to replace the group.");
+		if (!stringEq(properties["Tags"] ?? [], previousProperties["Tags"] ?? [])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "Tags updates on AWS::AutoScaling::AutoScalingGroup are not yet implemented in cdkd (AWS exposes CreateOrUpdateTags / DeleteTags); use cdkd deploy --replace, or update the tags via AWS console / CLI.");
+		if (!stringEq(properties["LoadBalancerNames"] ?? [], previousProperties["LoadBalancerNames"] ?? [])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "LoadBalancerNames diffs on AWS::AutoScaling::AutoScalingGroup are not yet implemented in cdkd (AWS exposes AttachLoadBalancers / DetachLoadBalancers); use cdkd deploy --replace.");
+		if (!stringEq(properties["TargetGroupARNs"] ?? [], previousProperties["TargetGroupARNs"] ?? [])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "TargetGroupARNs diffs on AWS::AutoScaling::AutoScalingGroup are not yet implemented in cdkd (AWS exposes AttachLoadBalancerTargetGroups / DetachLoadBalancerTargetGroups); use cdkd deploy --replace.");
 		try {
 			await this.applyMetricsCollectionDiff(physicalId, properties["MetricsCollection"], previousProperties["MetricsCollection"]);
 			await this.applyLifecycleHooksDiff(physicalId, properties["LifecycleHookSpecificationList"], previousProperties["LifecycleHookSpecificationList"]);
@@ -35783,6 +36093,7 @@ function extractLambdaProperties(stack, logicalId, resource, resources) {
 	const props = resource.Properties ?? {};
 	const memoryMb = typeof props["MemorySize"] === "number" ? props["MemorySize"] : 128;
 	const timeoutSec = typeof props["Timeout"] === "number" ? props["Timeout"] : 3;
+	const ephemeralStorageMb = extractEphemeralStorageMb(props, logicalId);
 	const code = props["Code"] ?? {};
 	const imageUri = extractImageUri(code["ImageUri"], logicalId, stack.stackName, resources);
 	if (imageUri !== void 0) return extractImageLambdaProperties({
@@ -35792,7 +36103,8 @@ function extractLambdaProperties(stack, logicalId, resource, resources) {
 		memoryMb,
 		timeoutSec,
 		props,
-		imageUri
+		imageUri,
+		...ephemeralStorageMb !== void 0 && { ephemeralStorageMb }
 	});
 	const runtime = typeof props["Runtime"] === "string" ? props["Runtime"] : "";
 	const handler = typeof props["Handler"] === "string" ? props["Handler"] : "";
@@ -35813,10 +36125,44 @@ function extractLambdaProperties(stack, logicalId, resource, resources) {
 		timeoutSec,
 		codePath,
 		layers,
+		...ephemeralStorageMb !== void 0 && { ephemeralStorageMb },
 		...inlineCode !== void 0 && { inlineCode }
 	};
 }
 /**
+* Parse `Properties.EphemeralStorage.Size` (issue #440). CFn shape:
+* `{ EphemeralStorage: { Size: <MiB> } }`. CDK's
+* `cdk.Size.gibibytes(N)` serializes to `N * 1024`. AWS-side range is
+* 512..10240 MiB (the deployed function rejects anything outside that
+* range at create time); cdkd rejects > 10240 here so a misconfigured
+* template fails fast at `cdkd local invoke` boot rather than hanging
+* on a `docker run` that AWS would have refused anyway. The 512 floor
+* is AWS's minimum (the default when `EphemeralStorage` is omitted is
+* also 512), but we deliberately accept values DOWN to 1 so users can
+* exercise the cap with a deliberately-small `/tmp` in local tests —
+* `--tmpfs /tmp:size=Nm` itself enforces no lower bound; the only
+* cross-check is "would AWS accept this?", which the deploy side
+* already gates upstream.
+*
+* Returns `undefined` when the property is absent, NaN, < 1, or
+* non-numeric. Hard-rejects > 10240. Intrinsic-valued sizes (the
+* `{ Ref: 'SomeParam' }` shape that's uncommon for EphemeralStorage
+* but theoretically valid) drop to `undefined` with a one-line warn
+* via the calling logger — local invoke can't resolve those without
+* the template's Parameters context the deploy engine has, and the
+* fallback (no `--tmpfs`) is safer than guessing.
+*/
+function extractEphemeralStorageMb(props, logicalId) {
+	const raw = props["EphemeralStorage"];
+	if (raw === void 0 || raw === null) return void 0;
+	if (typeof raw !== "object" || Array.isArray(raw)) return void 0;
+	const size = raw["Size"];
+	if (typeof size !== "number") return;
+	if (!Number.isFinite(size) || size < 1) return void 0;
+	if (size > 10240) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has Properties.EphemeralStorage.Size = ${size} MiB, which exceeds the AWS limit of 10240 MiB. AWS would reject the function at deploy time; cap the value to <= 10240 (10 GiB) and retry.`);
+	return Math.floor(size);
+}
+/**
 * Extract the `Code.ImageUri` value across the shapes CDK actually synthesizes.
 *
 * Supported shapes:
@@ -35868,7 +36214,7 @@ function extractImageUri(value, logicalId, stackName, resources) {
 * optional in CFn — the defaults match the AWS-side defaults.
 */
 function extractImageLambdaProperties(args) {
-	const { stack, logicalId, resource, memoryMb, timeoutSec, props, imageUri } = args;
+	const { stack, logicalId, resource, memoryMb, timeoutSec, ephemeralStorageMb, props, imageUri } = args;
 	const rawImageConfig = props["ImageConfig"] ?? {};
 	const imageConfig = {};
 	if (Array.isArray(rawImageConfig["Command"])) imageConfig.command = rawImageConfig["Command"].filter((s) => typeof s === "string");
@@ -35892,7 +36238,8 @@ function extractImageLambdaProperties(args) {
 		imageUri,
 		imageConfig,
 		architecture,
-		layers: []
+		layers: [],
+		...ephemeralStorageMb !== void 0 && { ephemeralStorageMb }
 	};
 }
 /**
@@ -37432,6 +37779,7 @@ async function runDetached(opts) {
 		args.push("-v", `${mount.hostPath}:${mount.containerPath}${ro}`);
 	}
 	for (const [k, v] of Object.entries(opts.env)) args.push("-e", `${k}=${v}`);
+	if (opts.tmpfs) args.push("--tmpfs", `${opts.tmpfs.target}:rw,size=${opts.tmpfs.sizeMb}m`);
 	if (opts.workingDir) args.push("--workdir", opts.workingDir);
 	let entryPointTail = [];
 	if (opts.entryPoint && opts.entryPoint.length > 0) {
@@ -38882,7 +39230,8 @@ function createContainerPool(specs, options) {
 			hostPort,
 			host: spec.containerHost,
 			name,
-			...spec.debugPort !== void 0 && { debugPort: spec.debugPort }
+			...spec.debugPort !== void 0 && { debugPort: spec.debugPort },
+			...spec.tmpfs !== void 0 && { tmpfs: spec.tmpfs }
 		});
 		const stopLogStream = streamingEnabled ? streamLogs(containerId) : () => void 0;
 		try {
@@ -42313,13 +42662,18 @@ async function buildContainerSpec(args) {
 		if (stsRegion) dockerEnv["AWS_REGION"] = stsRegion;
 	} else forwardAwsEnv$1(dockerEnv);
 	if (debugPort !== void 0) dockerEnv["NODE_OPTIONS"] = `--inspect-brk=0.0.0.0:${debugPort}`;
+	const tmpfs = lambda.ephemeralStorageMb !== void 0 ? {
+		target: "/tmp",
+		sizeMb: lambda.ephemeralStorageMb
+	} : void 0;
 	return {
 		lambda,
 		codeDir,
 		env: dockerEnv,
 		containerHost,
 		...optDir !== void 0 && { optDir },
-		...debugPort !== void 0 && { debugPort }
+		...debugPort !== void 0 && { debugPort },
+		...tmpfs !== void 0 && { tmpfs }
 	};
 }
 /**
@@ -42371,6 +42725,7 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
 		let codePath = null;
 		if (!inlineCode) codePath = resolveAssetCodePath(stack, logicalId, resource);
 		const layers = resolveLambdaLayers(stack, logicalId, props);
+		const ephemeralStorageMb = extractEphemeralStorageMb(props, logicalId);
 		return {
 			kind: "zip",
 			stack,
@@ -42382,7 +42737,8 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
 			timeoutSec,
 			codePath,
 			layers,
-			...inlineCode !== void 0 && { inlineCode }
+			...inlineCode !== void 0 && { inlineCode },
+			...ephemeralStorageMb !== void 0 && { ephemeralStorageMb }
 		};
 	}
 	throw new Error(`No AWS::Lambda::Function resource named '${logicalId}' found in target stacks. This is likely a synthesis bug — the route-discovery phase resolved a route to this logical ID.`);
@@ -43940,7 +44296,8 @@ async function localInvokeCommand(target, options) {
 			...debugPort !== void 0 && { debugPort },
 			...imagePlan.platform !== void 0 && { platform: imagePlan.platform },
 			...imagePlan.entryPoint !== void 0 && { entryPoint: imagePlan.entryPoint },
-			...imagePlan.workingDir !== void 0 && { workingDir: imagePlan.workingDir }
+			...imagePlan.workingDir !== void 0 && { workingDir: imagePlan.workingDir },
+			...imagePlan.tmpfs !== void 0 && { tmpfs: imagePlan.tmpfs }
 		});
 		stopLogs = streamLogs(containerId);
 		sigintHandler = () => {
@@ -43987,6 +44344,7 @@ async function resolveZipImagePlan(lambda, options) {
 	await pullImage(image, options.pull === false);
 	const layerPlan = materializeLambdaLayers(lambda.layers);
 	const containerCodePath = resolveRuntimeCodeMountPath(lambda.runtime);
+	const tmpfs = resolveTmpfsForLambda(lambda);
 	return {
 		image,
 		mounts: [{
@@ -43997,7 +44355,36 @@ async function resolveZipImagePlan(lambda, options) {
 		extraMounts: layerPlan.mount ? [layerPlan.mount] : [],
 		cmd: [lambda.handler],
 		...inlineTmpDir !== void 0 && { inlineTmpDir },
-		...layerPlan.tmpDir !== void 0 && { layersTmpDir: layerPlan.tmpDir }
+		...layerPlan.tmpDir !== void 0 && { layersTmpDir: layerPlan.tmpDir },
+		...tmpfs !== void 0 && { tmpfs }
+	};
+}
+/**
+* Build the `--tmpfs /tmp:rw,size=<N>m` plan for a Lambda (issue #440).
+*
+* The shape is identical for ZIP and IMAGE Lambdas — `--tmpfs` overlays
+* mount-time inside any container, regardless of whether the image is a
+* public Lambda base image (ZIP path) or a user-built container Lambda.
+* Returns `undefined` when the template did not declare
+* `EphemeralStorage`, in which case the caller emits no `--tmpfs` flag
+* and the container's `/tmp` is whatever the base image provides
+* (matches pre-#440 behavior). The lambda-resolver's
+* `extractEphemeralStorageMb` already enforces the AWS 10240 MiB
+* ceiling at parse time.
+*
+* Target path is always `/tmp` — AWS Lambda's `/tmp` is the ONLY
+* sized-tmpfs surface the `EphemeralStorage.Size` property controls,
+* and the constant is centralized here so a future fixture / docs
+* update has a single grep target.
+*/
+function resolveTmpfsForLambda(lambda) {
+	if (lambda.ephemeralStorageMb === void 0) return void 0;
+	const logger = getLogger();
+	if (lambda.kind === "image") logger.info(`Lambda ${lambda.logicalId}: capping /tmp at ${lambda.ephemeralStorageMb} MiB via --tmpfs (overlays any base-image /tmp content)`);
+	else logger.debug(`Lambda ${lambda.logicalId}: applying EphemeralStorage cap via --tmpfs /tmp:size=${lambda.ephemeralStorageMb}m`);
+	return {
+		target: "/tmp",
+		sizeMb: lambda.ephemeralStorageMb
 	};
 }
 /**
@@ -44065,6 +44452,7 @@ async function resolveContainerImagePlan(lambda, options) {
 			...options.region !== void 0 && { region: options.region }
 		});
 	}
+	const tmpfs = resolveTmpfsForLambda(lambda);
 	return {
 		image: imageRef,
 		mounts: [],
@@ -44072,7 +44460,8 @@ async function resolveContainerImagePlan(lambda, options) {
 		cmd: lambda.imageConfig.command ?? [],
 		platform,
 		...lambda.imageConfig.entryPoint && lambda.imageConfig.entryPoint.length > 0 && { entryPoint: lambda.imageConfig.entryPoint },
-		...lambda.imageConfig.workingDirectory !== void 0 && { workingDir: lambda.imageConfig.workingDirectory }
+		...lambda.imageConfig.workingDirectory !== void 0 && { workingDir: lambda.imageConfig.workingDirectory },
+		...tmpfs !== void 0 && { tmpfs }
 	};
 }
 /**
@@ -45642,7 +46031,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.116.1");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.117.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());