@go-to-k/cdkd 0.121.0 → 0.123.0

package/dist/{deploy-engine-B2RZT3ai.js → deploy-engine-DWpeb9wT.js}

@@ -6,7 +6,7 @@ import { CloudControlClient, CreateResourceCommand, DeleteResourceCommand, GetRe
 import { AttachRolePolicyCommand, CreateRoleCommand, DeleteRoleCommand, DeleteRolePermissionsBoundaryCommand, DeleteRolePolicyCommand, DetachRolePolicyCommand, GetRoleCommand, GetRolePolicyCommand, IAMClient, ListAttachedRolePoliciesCommand, ListInstanceProfilesForRoleCommand, ListRolePoliciesCommand, ListRoleTagsCommand, ListRolesCommand, NoSuchEntityException, PutRolePermissionsBoundaryCommand, PutRolePolicyCommand, RemoveRoleFromInstanceProfileCommand, TagRoleCommand, UntagRoleCommand, UpdateAssumeRolePolicyCommand, UpdateRoleCommand } from "@aws-sdk/client-iam";
 import { PublishCommand, SNSClient } from "@aws-sdk/client-sns";
 import { GetFunctionUrlConfigCommand, InvokeCommand, LambdaClient, waitUntilFunctionActiveV2, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
-import { GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
+import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { DescribeAvailabilityZonesCommand, DescribeImagesCommand, DescribeLaunchTemplatesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVpcsCommand, DescribeVpnGatewaysCommand, EC2Client } from "@aws-sdk/client-ec2";
 import { DescribeTableCommand } from "@aws-sdk/client-dynamodb";
 import { GetRestApiCommand } from "@aws-sdk/client-api-gateway";
@@ -1294,6 +1294,45 @@ async function resolveBucketRegion(bucketName, opts = {}) {
 function clearBucketRegionCache() {
 	cache.clear();
 }
+/**
+* Resolve the cdkd state bucket name + region for a sibling AWS account.
+*
+* Used by cross-account `Fn::GetStackOutput`: once the consumer's resolver
+* has assumed the producer's role, it needs to know which bucket the
+* producer's `cdkd deploy` wrote state to. cdkd's canonical bucket name
+* (since v0.7.0) is `cdkd-state-{accountId}` — region-free because S3
+* names are globally unique. The bucket's actual region is then looked
+* up via `GetBucketLocation` using the supplied (assumed) credentials.
+*
+* Why not reuse the consumer-side bucket-name resolution path: that path
+* supports legacy region-suffixed names (`cdkd-state-{accountId}-{region}`)
+* and an "empty-new-bucket" fallback, both of which require listing the
+* bucket contents to disambiguate. For cross-account reads we accept the
+* narrower scope — the producer must be on the canonical region-free
+* bucket layout (PR #60+, v0.10.0+) — because supporting the legacy
+* layout cross-account would require account-wide `s3:ListAllMyBuckets`
+* permission in the assumed role for no real-world benefit (legacy
+* accounts are nearing 5 years old; cross-account features land
+* post-legacy).
+*
+* @param accountId  12-digit AWS account ID of the producer (extracted
+*                   from the role ARN via `parseIamRoleArn`).
+* @param credentials Assumed credentials produced by
+*                   `assumeRoleForCrossAccountStateRead`. Threaded into the
+*                   `GetBucketLocation` call so the producer's bucket
+*                   policy can authorize the read against the assumed
+*                   principal (not the consumer's default credentials).
+*
+* @returns `{ bucket, region }` — the producer's canonical state bucket
+*          name and its actual region.
+*/
+async function resolveCrossAccountStateBucket(accountId, credentials) {
+	const bucket = `cdkd-state-${accountId}`;
+	return {
+		bucket,
+		region: await resolveBucketRegion(bucket, { credentials })
+	};
+}
 
 //#endregion
 //#region src/synthesis/app-executor.ts
@@ -3591,6 +3630,18 @@ var S3StateBackend = class {
 		this.clientOpts = clientOpts;
 	}
 	/**
+	* Read-only accessor for the S3 key prefix this backend writes under
+	* (defaults to `cdkd`). Used by the cross-account `Fn::GetStackOutput`
+	* resolver when it constructs an ephemeral state backend pointed at
+	* the producer account's bucket — the producer's prefix should match
+	* the consumer's prefix (both sides almost always default to `cdkd`,
+	* but `--state-prefix` overrides at the consumer side propagate
+	* cleanly).
+	*/
+	get prefix() {
+		return this.config.prefix;
+	}
+	/**
 	* Get the new (region-scoped) S3 key for a stack's state file.
 	*/
 	getStateKey(stackName, region) {
@@ -5389,6 +5440,200 @@ var DiffCalculator = class DiffCalculator {
 	}
 };
 
+//#endregion
+//#region src/utils/role-arn.ts
+/**
+* Process-lifetime cache of assumed credentials keyed by RoleArn.
+*
+* Storing the in-flight `Promise` (rather than the resolved value) collapses
+* concurrent first-time callers into a single `sts:AssumeRole` request. After
+* the promise resolves we keep the same entry for subsequent callers so a
+* stack that references the same producer N times via `Fn::GetStackOutput`
+* only pays the STS hop once.
+*
+* The cache is keyed by RoleArn alone (not RoleArn + region) because STS
+* credentials are global — assumed credentials work against any region's
+* service endpoint. The downstream S3 client built from these credentials
+* picks its own region via `GetBucketLocation`.
+*
+* **Expiration handling**: on every cache hit, the cached credentials'
+* `expiration` is compared against `Date.now()` with a 60-second safety
+* buffer to avoid the "STS expires 1-2s early due to clock skew" race.
+* Expired entries are evicted and a fresh AssumeRole is issued.
+*
+* **Rejection handling**: when the in-flight promise rejects (e.g.
+* transient STS throttle, AccessDenied), the cache entry is evicted so a
+* subsequent caller will retry. Without this, a single transient failure
+* would pin the rest of the deploy to the same error.
+*/
+const crossAccountCredentialsCache = /* @__PURE__ */ new Map();
+/**
+* Safety buffer applied when checking whether cached credentials are still
+* valid. STS occasionally reports `Expiration` 1-2 seconds AFTER the moment
+* the token actually stops working (clock skew between AWS's auth plane and
+* the local machine), so we evict the cache entry one minute BEFORE the
+* recorded expiration to keep long-running deploys safe.
+*/
+const CRED_EXPIRY_SAFETY_MS = 6e4;
+/**
+* Regex for an IAM role ARN. Accepts every published AWS partition
+* (`aws`, `aws-us-gov`, `aws-cn`, `aws-iso`, `aws-iso-b`, etc. — matched
+* loosely as `aws[a-z0-9-]*`) and any role-name shape including
+* service-linked roles with a `/path/` prefix
+* (e.g. `arn:aws:iam::111122223333:role/aws-service-role/.../AWSServiceRoleForX`).
+*
+* Capture group 1 is the partition, group 2 is the 12-digit account ID.
+*/
+const IAM_ROLE_ARN_RE = /^arn:(aws[a-z0-9-]*):iam::(\d{12}):role\/[\w+=,.@-]+(?:\/[\w+=,.@-]+)*$/;
+/**
+* Parse an IAM role ARN into its component parts.
+*
+* @param roleArn  The full role ARN to parse.
+* @returns        `{ partition, accountId }` on success, `null` on a
+*                 structurally-invalid input. The caller is responsible for
+*                 surfacing a clear error message when this returns `null`.
+*/
+function parseIamRoleArn(roleArn) {
+	const match = IAM_ROLE_ARN_RE.exec(roleArn);
+	if (!match || !match[1] || !match[2]) return null;
+	return {
+		partition: match[1],
+		accountId: match[2]
+	};
+}
+/**
+* Assume an IAM role across accounts and return temporary credentials for
+* reading the producer account's cdkd state bucket.
+*
+* **Why a dedicated helper (instead of reusing `applyRoleArnIfSet`).** The
+* `--role-arn` flag writes assumed credentials into the process's `AWS_*`
+* env vars so EVERY subsequent SDK client picks them up. That is the right
+* behavior for the CLI-wide flag, but the wrong behavior for cross-account
+* `Fn::GetStackOutput`: the producer's role should authorize ONLY the S3
+* state read, not the consumer's provisioning calls (which still run under
+* the consumer account's normal credentials). Threading the credentials
+* through a fresh `S3Client` via this helper keeps the scope narrow.
+*
+* **Why cache per-RoleArn for the process lifetime.** A multi-resource
+* stack typically references `Fn::GetStackOutput` from many template sites
+* (every IAM policy / Lambda env / ALB listener that pulls a shared VPC ID
+* from a platform stack). Assuming the role once per deploy is sufficient;
+* the cached credentials are valid for the STS session lifetime (default
+* 1 hour) which dwarfs the typical deploy duration.
+*
+* **Cache miss / refresh paths.** On every call we look up the cached
+* entry. If it exists AND its `Expiration` is still further in the
+* future than {@link CRED_EXPIRY_SAFETY_MS}, we return it. Otherwise the
+* entry is evicted and a fresh AssumeRole hop runs — important for
+* deploys longer than the 1-hour STS session window (multi-stack
+* `--all` runs, big Custom-Resource trees, etc.).
+*
+* **Rejection handling.** When the underlying STS call throws (e.g.
+* transient throttle, AccessDenied, trust policy mismatch), the cache
+* entry is evicted INSIDE the IIFE before the error propagates, so a
+* subsequent caller will retry the AssumeRole hop rather than getting
+* pinned to the same rejection. Concurrent first-time callers still
+* share the SAME in-flight promise (so a single failure surfaces
+* uniformly), but the next caller after rejection gets a clean slate.
+*/
+async function assumeRoleForCrossAccountStateRead(roleArn) {
+	const cached = crossAccountCredentialsCache.get(roleArn);
+	if (cached) {
+		const cachedCreds = await cached;
+		if (!cachedCreds.expiration || Date.now() < cachedCreds.expiration.getTime() - CRED_EXPIRY_SAFETY_MS) return cachedCreds;
+		crossAccountCredentialsCache.delete(roleArn);
+	}
+	const promise = (async () => {
+		const logger = getLogger().child("role-arn");
+		logger.debug(`Assuming role for cross-account state read: ${roleArn}`);
+		const sts = new STSClient({});
+		try {
+			let response;
+			try {
+				response = await sts.send(new AssumeRoleCommand({
+					RoleArn: roleArn,
+					RoleSessionName: `cdkd-xacc-${Date.now()}`,
+					DurationSeconds: 3600
+				}));
+			} catch (err) {
+				const message = err instanceof Error ? err.message : String(err);
+				throw new Error(`AssumeRole into ${roleArn} failed: ${message}. If this is a trust-policy issue, the producer's role must allow sts:AssumeRole from the consumer's principal. See docs/cross-stack-references.md for the trust-policy template.`, { cause: err instanceof Error ? err : void 0 });
+			}
+			if (!response.Credentials) throw new Error(`AssumeRole for cross-account Fn::GetStackOutput returned no credentials (RoleArn=${roleArn})`);
+			const { AccessKeyId, SecretAccessKey, SessionToken, Expiration } = response.Credentials;
+			if (!AccessKeyId || !SecretAccessKey || !SessionToken) throw new Error(`AssumeRole response missing required credentials fields for cross-account state read (RoleArn=${roleArn})`);
+			logger.info(`Assumed role for cross-account state read: ${roleArn} (session expires ${Expiration?.toISOString() ?? "unknown"})`);
+			return {
+				accessKeyId: AccessKeyId,
+				secretAccessKey: SecretAccessKey,
+				sessionToken: SessionToken,
+				...Expiration && { expiration: Expiration }
+			};
+		} finally {
+			sts.destroy();
+		}
+	})().catch((err) => {
+		if (crossAccountCredentialsCache.get(roleArn) === promise) crossAccountCredentialsCache.delete(roleArn);
+		throw err;
+	});
+	crossAccountCredentialsCache.set(roleArn, promise);
+	return promise;
+}
+/**
+* Resolve the role-arn argument (CLI flag or `CDKD_ROLE_ARN` env var) and,
+* when set, assume the role and write the resulting temporary credentials
+* into `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN`
+* for the rest of the process.
+*
+* **Why env vars, not threaded credentials.** cdkd constructs ~13
+* independent `AwsClients` instances across deploy / destroy / state /
+* import / etc. paths (each with its own region, sometimes — e.g. the
+* state-bucket client lives in a different region from the provisioning
+* clients). Threading a `credentials` object through every site is high
+* churn for an opt-in flag. AWS SDK v3 reads the standard `AWS_*` env
+* vars at the top of its default credentials chain, so writing into them
+* once at the command's entry makes every later `new XxxClient()` pick
+* up the assumed-role credentials automatically without touching the
+* client construction sites.
+*
+* **Why cdkd needs admin-equivalent on the assumed role.** Unlike `cdk
+* deploy`, cdkd does NOT route through CloudFormation. There is no
+* cfn-exec-role to delegate to. Every IAM / EC2 / Lambda / etc. API
+* call is issued from the cdkd process directly. The role you pass to
+* `--role-arn` (or set in `CDKD_ROLE_ARN`) MUST therefore have
+* admin-equivalent permissions on the resources being deployed; CDK
+* CLI's `cdk-hnb659fds-deploy-role-*` is NOT sufficient — that role
+* only carries CFn + asset-publish permissions.
+*
+* Default session duration is 1 hour. For longer-running deploys, the
+* caller should re-issue the cdkd command (the in-flight credentials
+* stay valid until expiry, but a re-run is the simplest recovery for
+* the rare case where a deploy outlives them).
+*/
+async function applyRoleArnIfSet(opts) {
+	const roleArn = opts.roleArn || process.env["CDKD_ROLE_ARN"];
+	if (!roleArn) return;
+	const logger = getLogger().child("role-arn");
+	logger.debug(`Assuming role ${roleArn}...`);
+	const sts = new STSClient({ ...opts.region && { region: opts.region } });
+	try {
+		const response = await sts.send(new AssumeRoleCommand({
+			RoleArn: roleArn,
+			RoleSessionName: `cdkd-${Date.now()}`,
+			DurationSeconds: 3600
+		}));
+		if (!response.Credentials) throw new Error(`AssumeRole returned no credentials for role ${roleArn}`);
+		const { AccessKeyId, SecretAccessKey, SessionToken, Expiration } = response.Credentials;
+		if (!AccessKeyId || !SecretAccessKey || !SessionToken) throw new Error(`AssumeRole response missing credentials fields for role ${roleArn}`);
+		process.env["AWS_ACCESS_KEY_ID"] = AccessKeyId;
+		process.env["AWS_SECRET_ACCESS_KEY"] = SecretAccessKey;
+		process.env["AWS_SESSION_TOKEN"] = SessionToken;
+		logger.info(`Assumed role ${roleArn} (session expires ${Expiration?.toISOString() ?? "unknown"})`);
+	} finally {
+		sts.destroy();
+	}
+}
+
 //#endregion
 //#region src/deployment/intrinsic-function-resolver.ts
 /**
@@ -6122,7 +6367,8 @@ var IntrinsicFunctionResolver = class {
 		});
 	}
 	/**
-	* Resolve Fn::GetStackOutput (cross-stack / cross-region output reference)
+	* Resolve Fn::GetStackOutput (cross-stack / cross-region / cross-account
+	* output reference).
 	*
 	* Shape: { "Fn::GetStackOutput": { "StackName": "...", "OutputName": "...",
 	*                                   "Region": "...", "RoleArn": "..." } }
@@ -6133,11 +6379,20 @@ var IntrinsicFunctionResolver = class {
 	* `s3://{bucket}/cdkd/{StackName}/{Region}/state.json`. When `Region` is
 	* omitted, the consumer's deploy region is used.
 	*
-	* RoleArn (cross-account) is intentionally rejected — cdkd uses S3 state,
-	* not CloudFormation DescribeStacks, so a cross-account reference would
-	* require assuming the role and reading the producer's separate state
-	* bucket. That path is not yet implemented; we surface a clear error
-	* instead of silently downgrading.
+	* **RoleArn (cross-account)**: when set, cdkd issues `sts:AssumeRole`
+	* against the supplied role and reads the PRODUCER ACCOUNT's separate
+	* cdkd state bucket (`cdkd-state-{producerAccountId}`) — bucket name
+	* derived from the role ARN's account ID and the canonical
+	* region-free bucket convention. The assumed credentials are cached
+	* per-RoleArn for the deploy lifetime so a stack that references the
+	* same producer multiple times only pays one STS hop. **The inline
+	* `RoleArn` argument is constrained to literal strings only** — no
+	* `Ref` / `Fn::GetAtt` / `Fn::Sub` chains — because the resolver
+	* context isn't guaranteed to have the producer-account info available
+	* at intrinsic-resolution time and a typo'd role lookup is far worse
+	* than a clear "literal-string required" error at template-author
+	* time. Same-account references (no RoleArn) take the original
+	* shared-state-backend path.
 	*/
 	async resolveGetStackOutput(arg, context) {
 		if (!arg || typeof arg !== "object" || Array.isArray(arg)) throw new Error(`Fn::GetStackOutput: argument must be an object with StackName/OutputName/Region/RoleArn, got ${arg === null ? "null" : Array.isArray(arg) ? "array" : typeof arg}`);
@@ -6156,26 +6411,90 @@ var IntrinsicFunctionResolver = class {
 		}
 		let roleArn;
 		if ("RoleArn" in args && args["RoleArn"] !== void 0 && args["RoleArn"] !== null) {
-			const resolvedRoleArn = await this.resolveValue(args["RoleArn"], context);
-			if (typeof resolvedRoleArn !== "string" || resolvedRoleArn === "") throw new Error(`Fn::GetStackOutput: RoleArn must resolve to a non-empty string, got ${typeof resolvedRoleArn}`);
-			roleArn = resolvedRoleArn;
-		}
-		if (roleArn) throw new Error(`Fn::GetStackOutput: cross-account references via RoleArn are not yet supported by cdkd (StackName=${stackName}, Region=${region}, RoleArn=${roleArn}). cdkd reads outputs from S3 state instead of CloudFormation DescribeStacks, so cross-account requires assuming the role and reading the producer account's state bucket — not yet implemented.`);
-		if (!context.stateBackend) throw new Error("Fn::GetStackOutput: state backend is required for cross-stack references");
-		if (context.stackName && context.stackName === stackName && region === this.resolverRegion) throw new Error(`Fn::GetStackOutput: cannot reference own stack '${stackName}' in the same region '${region}'`);
-		this.logger.debug(`Resolving Fn::GetStackOutput: StackName=${stackName}, Region=${region}, OutputName=${outputName}`);
-		const stateData = await context.stateBackend.getState(stackName, region);
-		if (!stateData) throw new Error(`Fn::GetStackOutput: stack '${stackName}' not found in region '${region}'. Make sure the producer stack has been deployed via cdkd.`);
+			const raw = args["RoleArn"];
+			if (typeof raw !== "string" || raw === "") throw new Error(`Fn::GetStackOutput: RoleArn must be a literal string in the template (no Ref / Fn::GetAtt / Fn::Sub allowed for cross-account references). Got ${raw === null ? "null" : Array.isArray(raw) ? "array" : typeof raw}${typeof raw === "object" ? ` (intrinsic shape: ${JSON.stringify(raw).slice(0, 80)})` : ""}.`);
+			roleArn = raw;
+		}
+		if (!roleArn && context.stackName && context.stackName === stackName && region === this.resolverRegion) throw new Error(`Fn::GetStackOutput: cannot reference own stack '${stackName}' in the same region '${region}'`);
+		this.logger.debug(`Resolving Fn::GetStackOutput: StackName=${stackName}, Region=${region}, OutputName=${outputName}${roleArn ? `, RoleArn=${roleArn}` : ""}`);
+		const stateData = roleArn ? await this.getCrossAccountStackState(roleArn, stackName, region, context) : await this.getSameAccountStackState(stackName, region, context);
+		if (!stateData) throw new Error(`Fn::GetStackOutput: stack '${stackName}' not found in region '${region}'${roleArn ? ` (cross-account via ${roleArn})` : ""}. Make sure the producer stack has been deployed via cdkd.`);
 		const outputs = stateData.state.outputs ?? {};
 		if (!(outputName in outputs)) {
 			const available = Object.keys(outputs).join(", ") || "(none)";
 			throw new Error(`Fn::GetStackOutput: output '${outputName}' not found in stack '${stackName}' (${region}). Available outputs: ${available}`);
 		}
 		const value = outputs[outputName];
-		this.logger.info(`Resolved Fn::GetStackOutput: StackName=${stackName}, Region=${region}, OutputName=${outputName} -> ${JSON.stringify(value)}`);
+		this.logger.info(`Resolved Fn::GetStackOutput: StackName=${stackName}, Region=${region}, OutputName=${outputName}${roleArn ? `, RoleArn=${roleArn}` : ""} -> ${JSON.stringify(value)}`);
 		return value;
 	}
 	/**
+	* Read the producer's state from the SAME AWS account (no RoleArn).
+	*
+	* Uses the consumer's shared `context.stateBackend` — the same backend
+	* the consumer used to read / write its own state. The same-account
+	* path covers cross-region cleanly because the bucket name is
+	* account-scoped (not region-scoped).
+	*/
+	async getSameAccountStackState(stackName, region, context) {
+		if (!context.stateBackend) throw new Error("Fn::GetStackOutput: state backend is required for cross-stack references");
+		return context.stateBackend.getState(stackName, region);
+	}
+	/**
+	* Read the producer's state from a DIFFERENT AWS account (RoleArn set).
+	*
+	* Pipeline:
+	*   1. Parse `roleArn` for the producer's account id (rejects malformed
+	*      ARNs up front with a clear message — no opaque STS error later).
+	*   2. `sts:AssumeRole` against `roleArn`, cached per role for the
+	*      deploy lifetime (typical: 1 STS hop covering many `Fn::GetStackOutput`
+	*      sites in the same deploy).
+	*   3. Derive the producer's canonical state bucket
+	*      (`cdkd-state-{producerAccountId}`) and auto-detect its region
+	*      via `GetBucketLocation` with the assumed credentials.
+	*   4. Build a fresh, narrowly-scoped `S3StateBackend` against that
+	*      bucket with the assumed credentials and call `getState` —
+	*      reuses the entire state-parsing + schema-version-tolerance
+	*      machinery (legacy `version: 1` keys, migration warnings, etc.).
+	*
+	* The constructed `S3Client` and backend live only for the duration of
+	* this call. cdkd does NOT mutate the process's `AWS_*` env vars (that
+	* would leak the assumed credentials into every subsequent provisioning
+	* client — opposite of what we want; provisioning still runs under the
+	* consumer's normal credentials).
+	*/
+	async getCrossAccountStackState(roleArn, stackName, region, context) {
+		const parsed = parseIamRoleArn(roleArn);
+		if (!parsed) throw new Error(`Fn::GetStackOutput: RoleArn '${roleArn}' is not a valid IAM role ARN. Expected shape: arn:<partition>:iam::<12-digit-account-id>:role/<role-name> (e.g. arn:aws:iam::123456789012:role/MyRole, arn:aws-us-gov:iam::...).`);
+		const credentials = await assumeRoleForCrossAccountStateRead(roleArn);
+		const { bucket, region: bucketRegion } = await resolveCrossAccountStateBucket(parsed.accountId, credentials);
+		const prefix = context.stateBackend?.prefix ?? "cdkd";
+		return new S3StateBackend(new S3Client({
+			region: bucketRegion,
+			credentials: {
+				accessKeyId: credentials.accessKeyId,
+				secretAccessKey: credentials.secretAccessKey,
+				sessionToken: credentials.sessionToken
+			},
+			logger: {
+				debug: () => {},
+				info: () => {},
+				warn: () => {},
+				error: () => {}
+			}
+		}), {
+			bucket,
+			prefix
+		}, {
+			region: bucketRegion,
+			credentials: {
+				accessKeyId: credentials.accessKeyId,
+				secretAccessKey: credentials.secretAccessKey,
+				sessionToken: credentials.sessionToken
+			}
+		}).getState(stackName, region);
+	}
+	/**
 	* Resolve Fn::FindInMap intrinsic function
 	*
 	* Fn::FindInMap: [MapName, TopLevelKey, SecondLevelKey]
@@ -9856,5 +10175,5 @@ var DeployEngine = class {
 };
 
 //#endregion
-export { LocalInvokeBuildError as $, stringifyValue as A, resolveApp as B, DiffCalculator as C, withSkipPrefix as Ct, S3StateBackend as D, LockManager as E, runDockerForeground as F, warnDeprecatedNoPrefixCliFlag as G, resolveSkipPrefix as H, runDockerStreaming as I, resolveBucketRegion as J, AssemblyReader as K, Synthesizer as L, buildDockerImage as M, formatDockerLoginError as N, shouldRetainResource as O, getDockerCmd as P, DependencyError as Q, getDefaultStateBucketName as R, IntrinsicFunctionResolver as S, generateResourceNameWithFallback as St, TemplateParser as T, resolveStateBucketWithDefault as U, resolveCaptureObservedState as V, resolveStateBucketWithDefaultAndSource as W, CdkdError as X, AssetError as Y, ConfigError as Z, normalizeAwsTagsToCfn as _, runStackBuffered as _t, withRetry as a, RouteDiscoveryError as at, CloudControlProvider as b, PATTERN_B_RESOURCE_TYPES as bt, cyan as c, StateError as ct, red as d, isCdkdError as dt, LockError as et, yellow as f, normalizeAwsError as ft, matchesCdkPath as g, setLogger as gt, CDK_PATH_TAG as h, getLogger as ht, withResourceDeadline as i, ResourceUpdateNotSupportedError as it, WorkGraph as j, AssetPublisher as k, gray as l, SynthesisError as lt, collectInlinePolicyNamesManagedBySiblings as m, ConsoleLogger as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, ProvisioningError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, StackHasActiveImportsError as ot, IAMRoleProvider as p, withErrorHandling as pt, clearBucketRegionCache as q, DeployEngine as r, ResourceTimeoutError as rt, bold as s, StackTerminationProtectionError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, PartialFailureError as tt, green as u, formatError as ut, resolveExplicitPhysicalId as v, getLiveRenderer as vt, DagBuilder as w, withStackName as wt, assertRegionMatch as x, generateResourceName as xt, ProviderRegistry as y, PATTERN_B_NAME_PROPERTIES as yt, getLegacyStateBucketName as z };
-//# sourceMappingURL=deploy-engine-B2RZT3ai.js.map
+export { DependencyError as $, AssetPublisher as A, getLegacyStateBucketName as B, applyRoleArnIfSet as C, generateResourceNameWithFallback as Ct, LockManager as D, TemplateParser as E, getDockerCmd as F, resolveStateBucketWithDefaultAndSource as G, resolveCaptureObservedState as H, runDockerForeground as I, clearBucketRegionCache as J, warnDeprecatedNoPrefixCliFlag as K, runDockerStreaming as L, WorkGraph as M, buildDockerImage as N, S3StateBackend as O, formatDockerLoginError as P, ConfigError as Q, Synthesizer as R, IntrinsicFunctionResolver as S, generateResourceName as St, DagBuilder as T, withStackName as Tt, resolveSkipPrefix as U, resolveApp as V, resolveStateBucketWithDefault as W, AssetError as X, resolveBucketRegion as Y, CdkdError as Z, normalizeAwsTagsToCfn as _, setLogger as _t, withRetry as a, ResourceUpdateNotSupportedError as at, CloudControlProvider as b, PATTERN_B_NAME_PROPERTIES as bt, cyan as c, StackTerminationProtectionError as ct, red as d, formatError as dt, LocalInvokeBuildError as et, yellow as f, isCdkdError as ft, matchesCdkPath as g, getLogger as gt, CDK_PATH_TAG as h, ConsoleLogger as ht, withResourceDeadline as i, ResourceTimeoutError as it, stringifyValue as j, shouldRetainResource as k, gray as l, StateError as lt, collectInlinePolicyNamesManagedBySiblings as m, withErrorHandling as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, PartialFailureError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, RouteDiscoveryError as ot, IAMRoleProvider as p, normalizeAwsError as pt, AssemblyReader as q, DeployEngine as r, ProvisioningError as rt, bold as s, StackHasActiveImportsError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, LockError as tt, green as u, SynthesisError as ut, resolveExplicitPhysicalId as v, runStackBuffered as vt, DiffCalculator as w, withSkipPrefix as wt, assertRegionMatch as x, PATTERN_B_RESOURCE_TYPES as xt, ProviderRegistry as y, getLiveRenderer as yt, getDefaultStateBucketName as z };
+//# sourceMappingURL=deploy-engine-DWpeb9wT.js.map