@go-to-k/cdkd 0.13.0 → 0.15.0

package/dist/cli.js

@@ -447,7 +447,7 @@ var init_aws_clients = __esm({
 });
 
 // src/cli/index.ts
-import { Command as Command10 } from "commander";
+import { Command as Command12 } from "commander";
 
 // src/cli/commands/bootstrap.ts
 import { Command, Option as Option2 } from "commander";
@@ -998,15 +998,15 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
     return syncResult;
   const logger = getLogger();
   logger.debug("No state bucket specified, resolving default from account...");
-  const { GetCallerIdentityCommand: GetCallerIdentityCommand8 } = await import("@aws-sdk/client-sts");
-  const { S3Client: S3Client10 } = await import("@aws-sdk/client-s3");
+  const { GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
+  const { S3Client: S3Client11 } = await import("@aws-sdk/client-s3");
   const { getAwsClients: getAwsClients2 } = await Promise.resolve().then(() => (init_aws_clients(), aws_clients_exports));
   const awsClients = getAwsClients2();
-  const identity = await awsClients.sts.send(new GetCallerIdentityCommand8({}));
+  const identity = await awsClients.sts.send(new GetCallerIdentityCommand9({}));
   const accountId = identity.Account;
   const newName = getDefaultStateBucketName(accountId);
   const legacyName = getLegacyStateBucketName(accountId, region);
-  const probe = new S3Client10({ region: "us-east-1" });
+  const probe = new S3Client11({ region: "us-east-1" });
   try {
     if (await bucketExists(probe, newName)) {
       logger.debug(`State bucket: ${newName}`);
@@ -1014,7 +1014,11 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
     }
     if (await bucketExists(probe, legacyName)) {
       logger.warn(
-        `Using legacy state bucket name '${legacyName}'. The default has changed to '${newName}'. Future cdkd versions will drop legacy support; consider migrating with cdkd state migrate-bucket (coming in a future release).`
+        `Using legacy state bucket name '${legacyName}'. The default has changed to '${newName}'. To migrate, run:
+
+    cdkd state migrate-bucket --region ${region}
+
+(add --remove-legacy to delete the legacy bucket after a successful copy; legacy support will be dropped in a future release.)`
       );
       return { bucket: legacyName, source: "default-legacy" };
     }
@@ -1026,9 +1030,9 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
   }
 }
 async function bucketExists(client, bucketName) {
-  const { HeadBucketCommand: HeadBucketCommand3 } = await import("@aws-sdk/client-s3");
+  const { HeadBucketCommand: HeadBucketCommand5 } = await import("@aws-sdk/client-s3");
   try {
-    await client.send(new HeadBucketCommand3({ Bucket: bucketName }));
+    await client.send(new HeadBucketCommand5({ Bucket: bucketName }));
     return true;
   } catch (error) {
     const err = error;
@@ -1072,10 +1076,10 @@ async function bootstrapCommand(options) {
     logger.info(`Using default state bucket: ${bucketName}`);
   }
   try {
-    let bucketExists2 = false;
+    let bucketExists3 = false;
     try {
       await s3Client.send(new HeadBucketCommand({ Bucket: bucketName }));
-      bucketExists2 = true;
+      bucketExists3 = true;
       logger.info(`Bucket ${bucketName} already exists`);
     } catch (error) {
       const err = error;
@@ -1085,7 +1089,7 @@ async function bootstrapCommand(options) {
         throw normalizeAwsError(error, { bucket: bucketName, operation: "HeadBucket" });
       }
     }
-    if (bucketExists2) {
+    if (bucketExists3) {
       if (!options.force) {
         logger.warn(
           `Bucket ${bucketName} already exists. Use --force to reconfigure (this will not delete existing state)`
@@ -3239,9 +3243,9 @@ var AssetPublisher = class {
       const region = options.region || process.env["AWS_REGION"] || "us-east-1";
       let accountId = options.accountId;
       if (!accountId) {
-        const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand8 } = await import("@aws-sdk/client-sts");
+        const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
         const stsClient = new STSClient7({ region });
-        const identity = await stsClient.send(new GetCallerIdentityCommand8({}));
+        const identity = await stsClient.send(new GetCallerIdentityCommand9({}));
         accountId = identity.Account;
         stsClient.destroy();
       }
@@ -7670,6 +7674,8 @@ import {
   UntagRoleCommand,
   PutRolePermissionsBoundaryCommand,
   DeleteRolePermissionsBoundaryCommand,
+  ListRolesCommand,
+  ListRoleTagsCommand,
   NoSuchEntityException
 } from "@aws-sdk/client-iam";
 init_aws_clients();
@@ -7778,6 +7784,32 @@ function applyDefaultNameForFallback(logicalId, resourceType, properties) {
   };
 }
 
+// src/provisioning/import-helpers.ts
+function readNameProperty(input, propertyName) {
+  const value = input.properties?.[propertyName];
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function resolveExplicitPhysicalId(input, nameProperty) {
+  if (input.knownPhysicalId)
+    return input.knownPhysicalId;
+  if (nameProperty) {
+    const name = readNameProperty(input, nameProperty);
+    if (name)
+      return name;
+  }
+  return void 0;
+}
+var CDK_PATH_TAG = "aws:cdk:path";
+function matchesCdkPath(tags, cdkPath) {
+  if (!tags || !cdkPath)
+    return false;
+  for (const t of tags) {
+    if (t.Key === CDK_PATH_TAG && t.Value === cdkPath)
+      return true;
+  }
+  return false;
+}
+
 // src/provisioning/providers/iam-role-provider.ts
 var IAMRoleProvider = class {
   iamClient;
@@ -8284,6 +8316,58 @@ var IAMRoleProvider = class {
       this.logger.debug(`Added/updated ${tagsToAdd.length} tags on role ${roleName}`);
     }
   }
+  /**
+   * Adopt an existing IAM role into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.RoleName` → use directly,
+   *     verify via `GetRole`.
+   *  2. `ListRoles` + `ListRoleTags`, match `aws:cdk:path` tag.
+   *
+   * `ListRoles` is paginated and IAM is global (no region scoping), so this
+   * walks every role in the account once. Acceptable for the cardinalities
+   * we expect (typically <100 roles per account); larger accounts may want
+   * to provide `--resource` overrides instead.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "RoleName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetRoleCommand({ RoleName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.iamClient.send(
+        new ListRolesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const role of list.Roles ?? []) {
+        if (!role.RoleName)
+          continue;
+        try {
+          const tags = await this.iamClient.send(
+            new ListRoleTagsCommand({ RoleName: role.RoleName })
+          );
+          if (matchesCdkPath(tags.Tags, input.cdkPath)) {
+            return { physicalId: role.RoleName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof NoSuchEntityException)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.IsTruncated ? list.Marker : void 0;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/iam-policy-provider.ts
@@ -9864,6 +9948,8 @@ var IAMUserGroupProvider = class {
 import {
   CreateBucketCommand as CreateBucketCommand2,
   DeleteBucketCommand,
+  HeadBucketCommand as HeadBucketCommand3,
+  ListBucketsCommand,
   PutBucketVersioningCommand as PutBucketVersioningCommand2,
   PutBucketTaggingCommand,
   PutBucketOwnershipControlsCommand,
@@ -9881,6 +9967,7 @@ import {
   PutBucketInventoryConfigurationCommand,
   PutBucketReplicationCommand,
   PutObjectLockConfigurationCommand,
+  GetBucketTaggingCommand,
   NoSuchBucket,
   ListObjectVersionsCommand,
   DeleteObjectsCommand
@@ -10719,6 +10806,53 @@ var S3BucketProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing S3 bucket into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.BucketName` → use directly,
+   *     verify with `HeadBucket`.
+   *  2. `ListBuckets` + `GetBucketTagging`, match `aws:cdk:path` against the
+   *     CDK construct path.
+   *
+   * Returns `null` when nothing matches — caller treats this as
+   * "not deployed yet" rather than a failure.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "BucketName");
+    if (explicit) {
+      try {
+        await this.s3Client.send(new HeadBucketCommand3({ Bucket: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        const e = err;
+        if (e.name === "NotFound" || e.name === "NoSuchBucket") {
+          return null;
+        }
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    const list = await this.s3Client.send(new ListBucketsCommand({}));
+    for (const b of list.Buckets ?? []) {
+      if (!b.Name)
+        continue;
+      try {
+        const tagging = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: b.Name }));
+        if (matchesCdkPath(tagging.TagSet, input.cdkPath)) {
+          return { physicalId: b.Name, attributes: {} };
+        }
+      } catch (err) {
+        const e = err;
+        if (e.name === "NoSuchTagSet" || e.name === "AccessDenied" || e.$metadata?.httpStatusCode === 301) {
+          continue;
+        }
+        throw err;
+      }
+    }
+    return null;
+  }
   /**
    * Delete a bucket, emptying it first if not empty.
    * Handles the race condition where objects (e.g., ALB logs) are written
@@ -10955,6 +11089,9 @@ import {
   CreateQueueCommand,
   DeleteQueueCommand,
   GetQueueAttributesCommand,
+  GetQueueUrlCommand,
+  ListQueuesCommand,
+  ListQueueTagsCommand,
   SetQueueAttributesCommand,
   QueueDoesNotExist
 } from "@aws-sdk/client-sqs";
@@ -11163,6 +11300,68 @@ var SQSQueueProvider = class {
       return `arn:aws:sqs:unknown:unknown:${queueName}`;
     }
   }
+  /**
+   * Adopt an existing SQS queue into cdkd state.
+   *
+   * SQS physical IDs are queue URLs (`https://sqs.us-east-1.amazonaws.com/<account>/<name>`).
+   *
+   * Lookup order:
+   *  1. `--resource` override (URL) → verify via `GetQueueAttributes`.
+   *  2. `Properties.QueueName` → `GetQueueUrl` for direct lookup.
+   *  3. `aws:cdk:path` tag match via `ListQueues` + `ListQueueTags`.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.sqsClient.send(
+          new GetQueueAttributesCommand({
+            QueueUrl: input.knownPhysicalId,
+            AttributeNames: ["QueueArn"]
+          })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof QueueDoesNotExist)
+          return null;
+        throw err;
+      }
+    }
+    const explicitName = resolveExplicitPhysicalId(input, "QueueName");
+    if (explicitName && !input.knownPhysicalId) {
+      try {
+        const resp = await this.sqsClient.send(new GetQueueUrlCommand({ QueueName: explicitName }));
+        if (resp.QueueUrl)
+          return { physicalId: resp.QueueUrl, attributes: {} };
+        return null;
+      } catch (err) {
+        if (err instanceof QueueDoesNotExist)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.sqsClient.send(
+        new ListQueuesCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const url of list.QueueUrls ?? []) {
+        try {
+          const tagsResp = await this.sqsClient.send(new ListQueueTagsCommand({ QueueUrl: url }));
+          if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
+            return { physicalId: url, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof QueueDoesNotExist)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/sqs-queue-policy-provider.ts
@@ -11325,6 +11524,9 @@ var SQSQueuePolicyProvider = class {
 import {
   CreateTopicCommand,
   DeleteTopicCommand,
+  GetTopicAttributesCommand,
+  ListTopicsCommand,
+  ListTagsForResourceCommand,
   SetTopicAttributesCommand,
   TagResourceCommand,
   UntagResourceCommand,
@@ -11614,6 +11816,63 @@ var SNSTopicProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing SNS topic into cdkd state.
+   *
+   * SNS physical IDs are full ARNs (`arn:aws:sns:...:TopicName`). The
+   * `--resource` override is expected to receive an ARN; bare topic names
+   * trigger a `ListTopics` walk that resolves to the ARN.
+   *
+   * Lookup order:
+   *  1. `--resource` override → trust as ARN, verify via `GetTopicAttributes`.
+   *  2. `Properties.TopicName` → `ListTopics` to find matching ARN.
+   *  3. `aws:cdk:path` tag match via `ListTopics` + `ListTagsForResource`.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.snsClient.send(
+          new GetTopicAttributesCommand({ TopicArn: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    const desiredName = typeof input.properties?.["TopicName"] === "string" ? input.properties["TopicName"] : void 0;
+    let nextToken;
+    do {
+      const list = await this.snsClient.send(
+        new ListTopicsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const t of list.Topics ?? []) {
+        if (!t.TopicArn)
+          continue;
+        const arnTail = t.TopicArn.substring(t.TopicArn.lastIndexOf(":") + 1);
+        if (desiredName && arnTail === desiredName) {
+          return { physicalId: t.TopicArn, attributes: {} };
+        }
+        if (input.cdkPath) {
+          try {
+            const tagsResp = await this.snsClient.send(
+              new ListTagsForResourceCommand({ ResourceArn: t.TopicArn })
+            );
+            if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+              return { physicalId: t.TopicArn, attributes: {} };
+            }
+          } catch (err) {
+            if (err instanceof NotFoundException)
+              continue;
+            throw err;
+          }
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/sns-subscription-provider.ts
@@ -11913,6 +12172,8 @@ import {
   UpdateFunctionCodeCommand,
   DeleteFunctionCommand,
   GetFunctionCommand,
+  ListFunctionsCommand,
+  ListTagsCommand,
   ResourceNotFoundException
 } from "@aws-sdk/client-lambda";
 import {
@@ -12497,6 +12758,57 @@ var LambdaFunctionProvider = class {
     }
     return (crc ^ 4294967295) >>> 0;
   }
+  /**
+   * Adopt an existing Lambda function into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.FunctionName` → use directly,
+   *     verify via `GetFunction`.
+   *  2. `ListFunctions` + `ListTags`, match `aws:cdk:path` tag.
+   *
+   * Lambda's `ListTags` returns a `Tags` map keyed by tag name (unlike
+   * EC2/S3 which return an array of `{Key, Value}`), so we read it directly
+   * instead of going through the shared `matchesCdkPath` helper.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "FunctionName");
+    if (explicit) {
+      try {
+        await this.lambdaClient.send(new GetFunctionCommand({ FunctionName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.lambdaClient.send(
+        new ListFunctionsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const fn of list.Functions ?? []) {
+        if (!fn.FunctionArn || !fn.FunctionName)
+          continue;
+        try {
+          const tagsResp = await this.lambdaClient.send(
+            new ListTagsCommand({ Resource: fn.FunctionArn })
+          );
+          if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
+            return { physicalId: fn.FunctionName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/lambda-permission-provider.ts
@@ -13218,6 +13530,8 @@ import {
   CreateTableCommand,
   DeleteTableCommand,
   DescribeTableCommand as DescribeTableCommand2,
+  ListTablesCommand,
+  ListTagsOfResourceCommand,
   ResourceNotFoundException as ResourceNotFoundException6
 } from "@aws-sdk/client-dynamodb";
 init_aws_clients();
@@ -13429,12 +13743,70 @@ var DynamoDBTableProvider = class {
     }
     throw new Error(`Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds`);
   }
+  /**
+   * Adopt an existing DynamoDB table into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.TableName` → verify via `DescribeTable`.
+   *  2. `ListTables` + `ListTagsOfResource`, match `aws:cdk:path` tag.
+   *
+   * Tags require the table ARN, which `DescribeTable` provides; the loop
+   * therefore costs one `DescribeTable` per table just to read the ARN.
+   * Acceptable for typical DynamoDB cardinalities.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "TableName");
+    if (explicit) {
+      try {
+        await this.dynamoDBClient.send(new DescribeTableCommand2({ TableName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException6)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let exclusiveStartTableName;
+    do {
+      const list = await this.dynamoDBClient.send(
+        new ListTablesCommand({
+          ...exclusiveStartTableName && { ExclusiveStartTableName: exclusiveStartTableName }
+        })
+      );
+      for (const name of list.TableNames ?? []) {
+        try {
+          const desc = await this.dynamoDBClient.send(
+            new DescribeTableCommand2({ TableName: name })
+          );
+          const arn = desc.Table?.TableArn;
+          if (!arn)
+            continue;
+          const tagsResp = await this.dynamoDBClient.send(
+            new ListTagsOfResourceCommand({ ResourceArn: arn })
+          );
+          if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+            return { physicalId: name, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException6)
+            continue;
+          throw err;
+        }
+      }
+      exclusiveStartTableName = list.LastEvaluatedTableName;
+    } while (exclusiveStartTableName);
+    return null;
+  }
 };
 
 // src/provisioning/providers/logs-loggroup-provider.ts
 import {
   CreateLogGroupCommand,
   DeleteLogGroupCommand,
+  DescribeLogGroupsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand2,
   PutRetentionPolicyCommand,
   DeleteRetentionPolicyCommand,
   TagResourceCommand as TagResourceCommand2,
@@ -13658,6 +14030,61 @@ var LogsLogGroupProvider = class {
       return `arn:aws:logs:unknown:unknown:log-group:${logGroupName}:*`;
     }
   }
+  /**
+   * Adopt an existing CloudWatch Logs log group into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.LogGroupName` → verify via
+   *     `DescribeLogGroups` (filtered by name prefix).
+   *  2. `aws:cdk:path` tag match via `DescribeLogGroups` + `ListTagsForResource`.
+   *
+   * `ListTagsForResource` for log groups uses the log-group ARN. The
+   * `DescribeLogGroups` response includes the ARN, so no extra round-trip
+   * is needed beyond the per-group tag lookup.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "LogGroupName");
+    if (explicit) {
+      try {
+        const resp = await this.logsClient.send(
+          new DescribeLogGroupsCommand({ logGroupNamePrefix: explicit })
+        );
+        const found = resp.logGroups?.find((g) => g.logGroupName === explicit);
+        return found ? { physicalId: explicit, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException7)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.logsClient.send(
+        new DescribeLogGroupsCommand({ ...nextToken && { nextToken } })
+      );
+      for (const g of list.logGroups ?? []) {
+        if (!g.logGroupName || !g.arn)
+          continue;
+        const arnForTags = g.arn.replace(/:\*$/, "");
+        try {
+          const tagsResp = await this.logsClient.send(
+            new ListTagsForResourceCommand2({ resourceArn: arnForTags })
+          );
+          if (tagsResp.tags?.["aws:cdk:path"] === input.cdkPath) {
+            return { physicalId: g.logGroupName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException7)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.nextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/cloudwatch-alarm-provider.ts
@@ -13888,6 +14315,8 @@ var CloudWatchAlarmProvider = class {
 import {
   CreateSecretCommand,
   DeleteSecretCommand,
+  DescribeSecretCommand,
+  ListSecretsCommand,
   UpdateSecretCommand,
   TagResourceCommand as TagResourceCommand3,
   UntagResourceCommand as UntagResourceCommand3,
@@ -14155,10 +14584,65 @@ var SecretsManagerSecretProvider = class {
     }
     return password;
   }
+  /**
+   * Adopt an existing Secrets Manager secret into cdkd state.
+   *
+   * Secrets Manager physical IDs are full secret ARNs. The CDK template's
+   * `Properties.Name` (secret name) is enough to fetch the ARN via
+   * `DescribeSecret`.
+   *
+   * Lookup order:
+   *  1. `--resource` override (ARN) → verify via `DescribeSecret`.
+   *  2. `Properties.Name` → `DescribeSecret` (accepts name).
+   *  3. `aws:cdk:path` tag match via `ListSecrets` (which already returns Tags).
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.smClient.send(
+          new DescribeSecretCommand({ SecretId: input.knownPhysicalId })
+        );
+        return resp.ARN ? { physicalId: resp.ARN, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException8)
+          return null;
+        throw err;
+      }
+    }
+    const name = typeof input.properties?.["Name"] === "string" ? input.properties["Name"] : void 0;
+    if (name) {
+      try {
+        const resp = await this.smClient.send(new DescribeSecretCommand({ SecretId: name }));
+        return resp.ARN ? { physicalId: resp.ARN, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException8)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.smClient.send(
+        new ListSecretsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const s of list.SecretList ?? []) {
+        if (s.ARN && matchesCdkPath(s.Tags, input.cdkPath)) {
+          return { physicalId: s.ARN, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/ssm-parameter-provider.ts
 import {
+  DescribeParametersCommand,
+  GetParameterCommand as GetParameterCommand3,
+  ListTagsForResourceCommand as ListTagsForResourceCommand3,
   PutParameterCommand,
   DeleteParameterCommand,
   AddTagsToResourceCommand,
@@ -14370,6 +14854,57 @@ var SSMParameterProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing SSM parameter into cdkd state.
+   *
+   * SSM physical IDs ARE the parameter names (`/foo/bar`). The CDK template
+   * usually carries `Properties.Name` explicitly, so the explicit-name path
+   * covers most cases. The tag-based fallback is rarely needed.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.Name` → verify via `GetParameter`.
+   *  2. `aws:cdk:path` tag match via `DescribeParameters` + `ListTagsForResource`
+   *     (`ResourceType: 'Parameter'`, `ResourceId: <name>`).
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "Name");
+    if (explicit) {
+      try {
+        await this.ssmClient.send(new GetParameterCommand3({ Name: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ParameterNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.ssmClient.send(
+        new DescribeParametersCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const p of list.Parameters ?? []) {
+        if (!p.Name)
+          continue;
+        try {
+          const tagsResp = await this.ssmClient.send(
+            new ListTagsForResourceCommand3({ ResourceType: "Parameter", ResourceId: p.Name })
+          );
+          if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+            return { physicalId: p.Name, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ParameterNotFound)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/eventbridge-rule-provider.ts
@@ -14668,7 +15203,9 @@ import {
   DeleteEventBusCommand,
   UpdateEventBusCommand,
   DescribeEventBusCommand,
+  ListEventBusesCommand,
   ListRulesCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand4,
   RemoveTargetsCommand as RemoveTargetsCommand2,
   DeleteRuleCommand as DeleteRuleCommand2,
   ListTargetsByRuleCommand as ListTargetsByRuleCommand2,
@@ -14909,6 +15446,52 @@ var EventBridgeBusProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing EventBridge event bus into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.Name` → verify via `DescribeEventBus`.
+   *  2. `aws:cdk:path` tag match via `ListEventBuses` + `ListTagsForResource`.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "Name");
+    if (explicit) {
+      try {
+        await this.eventBridgeClient.send(new DescribeEventBusCommand({ Name: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException10)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.eventBridgeClient.send(
+        new ListEventBusesCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const bus of list.EventBuses ?? []) {
+        if (!bus.Name || !bus.Arn)
+          continue;
+        try {
+          const tagsResp = await this.eventBridgeClient.send(
+            new ListTagsForResourceCommand4({ ResourceARN: bus.Arn })
+          );
+          if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+            return { physicalId: bus.Name, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException10)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/ec2-provider.ts
@@ -24215,6 +24798,10 @@ var GlueProvider = class {
 import {
   KMSClient as KMSClient2,
   CreateKeyCommand,
+  DescribeKeyCommand,
+  ListAliasesCommand as ListAliasesCommand2,
+  ListKeysCommand,
+  ListResourceTagsCommand,
   ScheduleKeyDeletionCommand,
   CreateAliasCommand,
   DeleteAliasCommand,
@@ -24597,6 +25184,81 @@ var KMSProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing KMS key or alias into cdkd state.
+   *
+   * KMS keys have no `Properties.KeyName` field — physical IDs are
+   * AWS-generated UUIDs. So:
+   *  - For `AWS::KMS::Key`: `--resource MyKey=<keyId>` is the only explicit
+   *    path; auto-lookup walks `ListKeys` + `ListResourceTags` matching
+   *    `aws:cdk:path`.
+   *  - For `AWS::KMS::Alias`: `Properties.AliasName` is explicit and reliable.
+   */
+  async import(input) {
+    if (input.resourceType === "AWS::KMS::Alias") {
+      const aliasName = input.knownPhysicalId ?? (typeof input.properties?.["AliasName"] === "string" ? input.properties["AliasName"] : void 0);
+      if (!aliasName)
+        return null;
+      try {
+        let marker2;
+        do {
+          const list = await this.getClient().send(
+            new ListAliasesCommand2({ ...marker2 && { Marker: marker2 } })
+          );
+          const found = list.Aliases?.find(
+            (a) => a.AliasName === aliasName
+          );
+          if (found)
+            return { physicalId: aliasName, attributes: {} };
+          marker2 = list.NextMarker;
+        } while (marker2);
+        return null;
+      } catch (err) {
+        if (err instanceof NotFoundException5)
+          return null;
+        throw err;
+      }
+    }
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new DescribeKeyCommand({ KeyId: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NotFoundException5)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new ListKeysCommand({ ...marker && { Marker: marker } })
+      );
+      for (const key of list.Keys ?? []) {
+        if (!key.KeyId)
+          continue;
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListResourceTagsCommand({ KeyId: key.KeyId })
+          );
+          for (const tag of tagsResp.Tags ?? []) {
+            if (tag.TagKey === CDK_PATH_TAG && tag.TagValue === input.cdkPath) {
+              return { physicalId: key.KeyId, attributes: {} };
+            }
+          }
+        } catch (err) {
+          const name = err.name;
+          if (name === "AccessDeniedException" || err instanceof NotFoundException5)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/kinesis-provider.ts
@@ -26575,7 +27237,7 @@ import {
   CreateTableCommand as CreateTableCommand3,
   DeleteTableCommand as DeleteTableCommand3,
   ListNamespacesCommand,
-  ListTablesCommand,
+  ListTablesCommand as ListTablesCommand2,
   NotFoundException as NotFoundException6
 } from "@aws-sdk/client-s3tables";
 var S3TablesProvider = class {
@@ -26721,7 +27383,7 @@ var S3TablesProvider = class {
         let tableContinuationToken;
         do {
           const tablesResult = await this.getClient().send(
-            new ListTablesCommand({
+            new ListTablesCommand2({
               tableBucketARN,
               namespace: namespaceName,
               continuationToken: tableContinuationToken
@@ -28716,11 +29378,11 @@ async function deployCommand(stacks, options) {
         addDependencies(stack.stackName);
       }
     }
-    const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand8 } = await import("@aws-sdk/client-sts");
+    const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
     const stsClient = new STSClient7({
       region: options.region || process.env["AWS_REGION"] || "us-east-1"
     });
-    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand8({}));
+    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand9({}));
     const accountId = callerIdentity.Account;
     stsClient.destroy();
     const assetPublisher = new AssetPublisher();
@@ -29551,14 +30213,321 @@ function createForceUnlockCommand() {
 }
 
 // src/cli/commands/state.ts
-import * as readline2 from "node:readline/promises";
-import { Command as Command9, Option as Option5 } from "commander";
+import * as readline3 from "node:readline/promises";
+import { Command as Command10, Option as Option5 } from "commander";
 import {
   GetBucketLocationCommand as GetBucketLocationCommand2,
   GetObjectCommand as GetObjectCommand4,
-  ListObjectsV2Command as ListObjectsV2Command3
+  ListObjectsV2Command as ListObjectsV2Command4
 } from "@aws-sdk/client-s3";
 init_aws_clients();
+
+// src/cli/commands/state-migrate-bucket.ts
+import * as readline2 from "node:readline/promises";
+import { Command as Command9 } from "commander";
+import {
+  CopyObjectCommand,
+  CreateBucketCommand as CreateBucketCommand4,
+  DeleteBucketCommand as DeleteBucketCommand3,
+  DeleteObjectsCommand as DeleteObjectsCommand3,
+  HeadBucketCommand as HeadBucketCommand4,
+  ListObjectVersionsCommand as ListObjectVersionsCommand2,
+  ListObjectsV2Command as ListObjectsV2Command3,
+  PutBucketEncryptionCommand as PutBucketEncryptionCommand3,
+  PutBucketPolicyCommand as PutBucketPolicyCommand3,
+  PutBucketVersioningCommand as PutBucketVersioningCommand3,
+  S3Client as S3Client10
+} from "@aws-sdk/client-s3";
+import { GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
+init_aws_clients();
+async function stateMigrateBucketCommand(options) {
+  const logger = getLogger();
+  if (options.verbose)
+    logger.setLevel("debug");
+  const region = options.region || process.env["AWS_REGION"] || "us-east-1";
+  const awsClients = new AwsClients({
+    region,
+    ...options.profile && { profile: options.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const identity = await awsClients.sts.send(new GetCallerIdentityCommand8({}));
+    const accountId = identity.Account;
+    if (!accountId) {
+      throw new Error("STS GetCallerIdentity returned no Account id.");
+    }
+    const legacyBucket = options.legacyBucket ?? getLegacyStateBucketName(accountId, region);
+    const newBucket = options.newBucket ?? getDefaultStateBucketName(accountId);
+    if (legacyBucket === newBucket) {
+      logger.warn(
+        `Source and destination resolve to the same bucket (${legacyBucket}); nothing to do.`
+      );
+      return;
+    }
+    logger.info("Migrating state bucket:");
+    logger.info(`  source:      ${legacyBucket} (resolved for --region ${region})`);
+    logger.info(`  destination: ${newBucket}`);
+    const probeRegion = "us-east-1";
+    const probe = new S3Client10({ region: probeRegion });
+    let sourceExists;
+    try {
+      sourceExists = await bucketExists2(probe, legacyBucket);
+    } finally {
+      probe.destroy();
+    }
+    if (!sourceExists) {
+      throw new Error(
+        `Source bucket '${legacyBucket}' does not exist. Nothing to migrate. (Tip: run \`cdkd state info\` to confirm which bucket cdkd is reading from.)`
+      );
+    }
+    const legacyRegion = await resolveBucketRegion(legacyBucket);
+    logger.info(`  source bucket actual region: ${legacyRegion}`);
+    const legacyS3 = new S3Client10({ region: legacyRegion });
+    try {
+      await assertNoActiveLocks(legacyS3, legacyBucket);
+      const sourceObjects = await listAllObjects(legacyS3, legacyBucket);
+      logger.info(`  source object count: ${sourceObjects.length}`);
+      if (sourceObjects.length === 0) {
+        logger.info("Source bucket is empty \u2014 no objects to copy.");
+      }
+      if (!options.yes) {
+        const action = options.removeLegacy ? "and DELETE the source bucket" : "(source bucket will be kept)";
+        const ok = await confirmPrompt(
+          `Copy ${sourceObjects.length} object(s) from ${legacyBucket} -> ${newBucket} ${action}?`
+        );
+        if (!ok) {
+          logger.info("Migration cancelled.");
+          return;
+        }
+      }
+      if (options.dryRun) {
+        logger.info("--dry-run: no changes will be made. Stopping here.");
+        return;
+      }
+      const newS3 = await ensureDestinationBucket(newBucket, legacyRegion, accountId, logger);
+      try {
+        let copied = 0;
+        for (const obj of sourceObjects) {
+          if (!obj.Key)
+            continue;
+          await newS3.send(
+            new CopyObjectCommand({
+              Bucket: newBucket,
+              Key: obj.Key,
+              // CopySource needs encoding for slashes inside the key path.
+              CopySource: encodeURIComponent(`${legacyBucket}/${obj.Key}`)
+            })
+          );
+          copied++;
+          logger.debug(`  copied ${obj.Key}`);
+        }
+        logger.info(`\u2713 Copied ${copied} object(s) to ${newBucket}`);
+        const destObjects = await listAllObjects(newS3, newBucket);
+        if (destObjects.length < sourceObjects.length) {
+          throw new Error(
+            `Migration verification failed: source has ${sourceObjects.length} object(s), destination has ${destObjects.length}. Aborting before any source-bucket cleanup.`
+          );
+        }
+        logger.info("\u2713 Object count verified at destination");
+        if (options.removeLegacy) {
+          logger.info(`Emptying source bucket ${legacyBucket} (all versions + delete markers)...`);
+          await emptyBucketAllVersions(legacyS3, legacyBucket);
+          logger.info(`Deleting source bucket ${legacyBucket}...`);
+          await legacyS3.send(new DeleteBucketCommand3({ Bucket: legacyBucket }));
+          logger.info(`\u2713 Deleted source bucket: ${legacyBucket}`);
+        } else {
+          logger.info(
+            `Source bucket ${legacyBucket} kept. Pass --remove-legacy on a future run to delete it.`
+          );
+        }
+        logger.info(`\u2713 Migration complete: ${legacyBucket} -> ${newBucket}`);
+      } finally {
+        newS3.destroy();
+      }
+    } finally {
+      legacyS3.destroy();
+    }
+  } finally {
+    awsClients.destroy();
+  }
+}
+async function bucketExists2(s3, bucketName) {
+  try {
+    await s3.send(new HeadBucketCommand4({ Bucket: bucketName }));
+    return true;
+  } catch (error) {
+    const err = error;
+    const status = err.$metadata?.httpStatusCode;
+    if (err.name === "NotFound" || err.name === "NoSuchBucket" || status === 404) {
+      return false;
+    }
+    if (status === 301 || status === 403)
+      return true;
+    throw error;
+  }
+}
+async function listAllObjects(s3, bucket) {
+  const all = [];
+  let continuationToken;
+  do {
+    const resp = await s3.send(
+      new ListObjectsV2Command3({
+        Bucket: bucket,
+        ...continuationToken && { ContinuationToken: continuationToken }
+      })
+    );
+    if (resp.Contents)
+      all.push(...resp.Contents);
+    continuationToken = resp.NextContinuationToken;
+  } while (continuationToken);
+  return all;
+}
+async function assertNoActiveLocks(s3, bucket) {
+  const all = await listAllObjects(s3, bucket);
+  const locks = all.map((o) => o.Key).filter((k) => typeof k === "string" && k.endsWith("/lock.json"));
+  if (locks.length > 0) {
+    const sample = locks.slice(0, 3).join(", ");
+    const more = locks.length > 3 ? ` (+${locks.length - 3} more)` : "";
+    throw new Error(
+      `Refusing to migrate: ${locks.length} active lock file(s) found in '${bucket}': ${sample}${more}. Wait for in-flight cdkd operations to complete, or run 'cdkd force-unlock <stack>' if a lock is stale.`
+    );
+  }
+}
+async function ensureDestinationBucket(bucketName, region, accountId, logger) {
+  const probe = new S3Client10({ region });
+  let exists;
+  try {
+    exists = await bucketExists2(probe, bucketName);
+  } finally {
+    probe.destroy();
+  }
+  if (exists) {
+    logger.info(`Destination bucket ${bucketName} already exists; reusing it.`);
+    const actual = await resolveBucketRegion(bucketName);
+    if (actual !== region) {
+      logger.warn(
+        `Destination bucket lives in ${actual}, but source is in ${region}. Cross-region copy is supported but slower; objects will be replicated to ${actual}.`
+      );
+    }
+    return new S3Client10({ region: actual });
+  }
+  logger.info(`Creating destination bucket ${bucketName} in ${region}...`);
+  const s3 = new S3Client10({ region });
+  const createParams = { Bucket: bucketName };
+  if (region !== "us-east-1") {
+    createParams.CreateBucketConfiguration = {
+      LocationConstraint: region
+    };
+  }
+  await s3.send(new CreateBucketCommand4(createParams));
+  logger.info(`\u2713 Created destination bucket: ${bucketName}`);
+  await s3.send(
+    new PutBucketVersioningCommand3({
+      Bucket: bucketName,
+      VersioningConfiguration: { Status: "Enabled" }
+    })
+  );
+  await s3.send(
+    new PutBucketEncryptionCommand3({
+      Bucket: bucketName,
+      ServerSideEncryptionConfiguration: {
+        Rules: [
+          {
+            ApplyServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" },
+            BucketKeyEnabled: true
+          }
+        ]
+      }
+    })
+  );
+  await s3.send(
+    new PutBucketPolicyCommand3({
+      Bucket: bucketName,
+      Policy: JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Sid: "DenyExternalAccess",
+            Effect: "Deny",
+            Principal: "*",
+            Action: "s3:*",
+            Resource: [`arn:aws:s3:::${bucketName}`, `arn:aws:s3:::${bucketName}/*`],
+            Condition: { StringNotEquals: { "aws:PrincipalAccount": accountId } }
+          }
+        ]
+      })
+    })
+  );
+  logger.info("\u2713 Applied versioning, encryption, and account-only access policy");
+  return s3;
+}
+async function emptyBucketAllVersions(s3, bucket) {
+  let keyMarker;
+  let versionIdMarker;
+  do {
+    const resp = await s3.send(
+      new ListObjectVersionsCommand2({
+        Bucket: bucket,
+        ...keyMarker && { KeyMarker: keyMarker },
+        ...versionIdMarker && { VersionIdMarker: versionIdMarker }
+      })
+    );
+    const ids = [];
+    for (const v of resp.Versions ?? []) {
+      if (v.Key && v.VersionId)
+        ids.push({ Key: v.Key, VersionId: v.VersionId });
+    }
+    for (const dm of resp.DeleteMarkers ?? []) {
+      if (dm.Key && dm.VersionId)
+        ids.push({ Key: dm.Key, VersionId: dm.VersionId });
+    }
+    for (let i = 0; i < ids.length; i += 1e3) {
+      const batch = ids.slice(i, i + 1e3);
+      await s3.send(
+        new DeleteObjectsCommand3({
+          Bucket: bucket,
+          Delete: {
+            Objects: batch,
+            Quiet: true
+          }
+        })
+      );
+    }
+    keyMarker = resp.NextKeyMarker;
+    versionIdMarker = resp.NextVersionIdMarker;
+  } while (keyMarker || versionIdMarker);
+}
+async function confirmPrompt(prompt) {
+  const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
+function createStateMigrateBucketCommand() {
+  const cmd = new Command9("migrate-bucket").description(
+    "Migrate state from the legacy region-suffixed bucket (cdkd-state-{account}-{region}) to the new region-free default (cdkd-state-{account}). Source bucket is kept by default; pass --remove-legacy to delete it after a successful migration."
+  ).option(
+    "--region <region>",
+    "Region of the legacy bucket to migrate. Defaults to AWS_REGION or us-east-1. Run once per region for multi-region setups."
+  ).option(
+    "--legacy-bucket <name>",
+    "Override the legacy (source) bucket name (default: derived from STS account + --region)."
+  ).option(
+    "--new-bucket <name>",
+    "Override the new (destination) bucket name (default: cdkd-state-{accountId})."
+  ).option("--dry-run", "Show planned actions without making changes", false).option(
+    "--remove-legacy",
+    "Delete the source bucket after successful migration. Default: keep it.",
+    false
+  ).action(withErrorHandling(stateMigrateBucketCommand));
+  commonOptions.forEach((o) => cmd.addOption(o));
+  return cmd;
+}
+
+// src/cli/commands/state.ts
 function formatStackRef(ref) {
   return ref.region ? `${ref.stackName} (${ref.region})` : ref.stackName;
 }
@@ -29696,7 +30665,7 @@ async function stateListCommand(options) {
   }
 }
 function createStateListCommand() {
-  const cmd = new Command9("list").alias("ls").description("List stacks registered in the cdkd state bucket").option("-l, --long", "Show resource count, last-modified time, and lock status", false).option("--json", "Output as JSON", false).action(withErrorHandling(stateListCommand));
+  const cmd = new Command10("list").alias("ls").description("List stacks registered in the cdkd state bucket").option("-l, --long", "Show resource count, last-modified time, and lock status", false).option("--json", "Output as JSON", false).action(withErrorHandling(stateListCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -29800,7 +30769,7 @@ function formatLockSummary(lockInfo) {
   return `locked by ${lockInfo.owner}${opStr}, ${expiresStr}`;
 }
 function createStateResourcesCommand() {
-  const cmd = new Command9("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateResourcesCommand));
+  const cmd = new Command10("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateResourcesCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -29888,7 +30857,7 @@ async function stateShowCommand(stackName, options) {
   }
 }
 function createStateShowCommand() {
-  const cmd = new Command9("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateShowCommand));
+  const cmd = new Command10("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateShowCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -29936,7 +30905,7 @@ Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
 
 `
         );
-        const rl = readline2.createInterface({
+        const rl = readline3.createInterface({
           input: process.stdin,
           output: process.stdout
         });
@@ -29971,7 +30940,7 @@ function stackRegionOption() {
   );
 }
 function createStateRmCommand() {
-  const cmd = new Command9("rm").description("Remove cdkd state for one or more stacks (does NOT delete AWS resources)").argument("<stacks...>", "Stack name(s) to remove from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).addOption(stackRegionOption()).action(withErrorHandling(stateRmCommand));
+  const cmd = new Command10("rm").description("Remove cdkd state for one or more stacks (does NOT delete AWS resources)").argument("<stacks...>", "Stack name(s) to remove from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).addOption(stackRegionOption()).action(withErrorHandling(stateRmCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -30021,7 +30990,7 @@ WARNING: This destroys ${stackNames.length} stack(s) and removes their state rec
 `);
       }
       process.stdout.write("\n");
-      const rl = readline2.createInterface({
+      const rl = readline3.createInterface({
         input: process.stdin,
         output: process.stdout
       });
@@ -30096,7 +31065,7 @@ Preparing to destroy stack: ${stackName}${ref.region ? ` (${ref.region})` : ""}`
   }
 }
 function createStateDestroyCommand() {
-  const cmd = new Command9("destroy").description(
+  const cmd = new Command10("destroy").description(
     "Destroy a stack's AWS resources and remove its state record without requiring the CDK app. For removing only the state record (keeping AWS resources intact), use 'cdkd state rm'."
   ).argument("[stacks...]", "Stack name(s) to destroy (physical CloudFormation names)").option("--all", "Destroy every stack in the state bucket", false).addOption(stackRegionOption()).addHelpText(
     "after",
@@ -30149,7 +31118,7 @@ async function listStateFileKeys(awsClients, bucket, prefix) {
   const searchPrefix = `${prefix}/`;
   do {
     const resp = await awsClients.s3.send(
-      new ListObjectsV2Command3({
+      new ListObjectsV2Command4({
         Bucket: bucket,
         Prefix: searchPrefix,
         ...continuationToken && { ContinuationToken: continuationToken }
@@ -30228,22 +31197,358 @@ async function stateInfoCommand(options) {
   }
 }
 function createStateInfoCommand() {
-  const cmd = new Command9("info").description(
+  const cmd = new Command10("info").description(
     "Show cdkd state bucket info (bucket name, region, source, schema version, stack count)"
   ).option("--json", "Output as JSON", false).action(withErrorHandling(stateInfoCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   return cmd;
 }
 function createStateCommand() {
-  const cmd = new Command9("state").description("Manage cdkd state stored in S3");
+  const cmd = new Command10("state").description("Manage cdkd state stored in S3");
   cmd.addCommand(createStateInfoCommand());
   cmd.addCommand(createStateListCommand());
   cmd.addCommand(createStateResourcesCommand());
   cmd.addCommand(createStateShowCommand());
   cmd.addCommand(createStateRmCommand());
   cmd.addCommand(createStateDestroyCommand());
+  cmd.addCommand(createStateMigrateBucketCommand());
+  return cmd;
+}
+
+// src/cli/commands/import.ts
+import { readFileSync as readFileSync5 } from "node:fs";
+import * as readline4 from "node:readline/promises";
+import { Command as Command11 } from "commander";
+init_aws_clients();
+async function importCommand(stackArg, options) {
+  const logger = getLogger();
+  if (options.verbose) {
+    logger.setLevel("debug");
+    process.env["CDKD_NO_LIVE"] = "1";
+  }
+  const region = options.region || process.env["AWS_REGION"] || "us-east-1";
+  const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
+  if (options.region) {
+    process.env["AWS_REGION"] = options.region;
+    process.env["AWS_DEFAULT_REGION"] = options.region;
+  }
+  const awsClients = new AwsClients({
+    ...options.region && { region: options.region },
+    ...options.profile && { profile: options.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const stateConfig = { bucket: stateBucket, prefix: options.statePrefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...options.region && { region: options.region },
+      ...options.profile && { profile: options.profile }
+    });
+    await stateBackend.verifyBucketExists();
+    const lockManager = new LockManager(awsClients.s3, stateConfig);
+    const providerRegistry = new ProviderRegistry();
+    registerAllProviders(providerRegistry);
+    const appCmd = options.app || resolveApp();
+    if (!appCmd) {
+      throw new Error(
+        "`cdkd state import` requires a CDK app: pass --app or set it in cdk.json. The template is read to find logical IDs, resource types, and dependencies."
+      );
+    }
+    logger.info("Synthesizing CDK app to read template...");
+    const synthesizer = new Synthesizer();
+    const context = parseContextOptions(options.context);
+    const result = await synthesizer.synthesize({
+      app: appCmd,
+      output: options.output || "cdk.out",
+      ...Object.keys(context).length > 0 && { context }
+    });
+    let stackInfo;
+    if (stackArg) {
+      stackInfo = result.stacks.find((s) => s.stackName === stackArg || s.displayName === stackArg);
+      if (!stackInfo) {
+        throw new Error(
+          `Stack '${stackArg}' not found in synthesized app. Available: ${result.stacks.map((s) => s.stackName).join(", ")}`
+        );
+      }
+    } else if (result.stacks.length === 1) {
+      stackInfo = result.stacks[0];
+    } else {
+      throw new Error(
+        `Multiple stacks found: ${result.stacks.map((s) => s.stackName).join(", ")}. Specify the stack name as a positional argument.`
+      );
+    }
+    const targetRegion = stackInfo.region || region;
+    logger.info(`Target stack: ${stackInfo.stackName} (${targetRegion})`);
+    const existing = await stateBackend.stateExists(stackInfo.stackName, targetRegion);
+    if (existing && !options.force) {
+      throw new Error(
+        `State already exists for stack '${stackInfo.stackName}' (${targetRegion}). Pass --force to overwrite. (cdkd state import rebuilds the resource map from AWS, so the existing state \u2014 including any drift you've manually edited \u2014 will be lost.)`
+      );
+    }
+    const overrides = parseResourceOverrides(options.resource, options.resourceMapping);
+    if (overrides.size > 0) {
+      logger.debug(`User-supplied physical IDs: ${[...overrides.keys()].join(", ")}`);
+    }
+    const template = stackInfo.template;
+    const templateParser = new TemplateParser();
+    const resources = collectImportableResources(template);
+    logger.info(`Found ${resources.length} resource(s) in template`);
+    const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+    await lockManager.acquireLock(stackInfo.stackName, targetRegion, owner, "import");
+    try {
+      const rows = [];
+      for (const { logicalId, resource } of resources) {
+        const outcome = await importOne({
+          logicalId,
+          resource,
+          stackName: stackInfo.stackName,
+          region: targetRegion,
+          providerRegistry,
+          override: overrides.get(logicalId)
+        });
+        rows.push(outcome);
+      }
+      printSummary(rows);
+      if (options.dryRun) {
+        logger.info("--dry-run: state will NOT be written. Re-run without --dry-run to apply.");
+        return;
+      }
+      const importedRows = rows.filter((r) => r.outcome === "imported");
+      if (importedRows.length === 0) {
+        logger.warn("No resources were successfully imported. State will not be written.");
+        return;
+      }
+      if (!options.yes) {
+        const ok = await confirmPrompt2(
+          `Write state for ${stackInfo.stackName} (${targetRegion}) with ${importedRows.length} resource(s)?`
+        );
+        if (!ok) {
+          logger.info("Import cancelled.");
+          return;
+        }
+      }
+      const stackState = buildStackState(
+        stackInfo.stackName,
+        targetRegion,
+        rows,
+        templateParser,
+        template
+      );
+      await stateBackend.saveState(stackInfo.stackName, targetRegion, stackState);
+      logger.info(`\u2713 State written: ${stackInfo.stackName} (${targetRegion})`);
+      logger.info(
+        `  ${importedRows.length} resource(s) imported. Run 'cdkd diff' to see how the imported state lines up with the template.`
+      );
+    } finally {
+      await lockManager.releaseLock(stackInfo.stackName, targetRegion).catch((err) => {
+        logger.warn(`Failed to release lock: ${err instanceof Error ? err.message : String(err)}`);
+      });
+    }
+  } finally {
+    awsClients.destroy();
+  }
+}
+async function importOne(task) {
+  const logger = getLogger();
+  const { logicalId, resource, stackName, region, providerRegistry, override } = task;
+  if (!providerRegistry.hasProvider(resource.Type)) {
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "skipped-no-impl",
+      reason: "no provider registered"
+    };
+  }
+  const provider = providerRegistry.getProvider(resource.Type);
+  if (!provider.import) {
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "skipped-no-impl",
+      reason: `provider does not implement import (yet)`
+    };
+  }
+  const cdkPath = readCdkPath(resource);
+  const input = {
+    logicalId,
+    resourceType: resource.Type,
+    cdkPath,
+    stackName,
+    region,
+    properties: resource.Properties ?? {},
+    ...override !== void 0 && { knownPhysicalId: override }
+  };
+  try {
+    const result = await provider.import(input);
+    if (!result) {
+      return {
+        logicalId,
+        resourceType: resource.Type,
+        outcome: "skipped-not-found",
+        reason: "no matching AWS resource"
+      };
+    }
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "imported",
+      physicalId: result.physicalId
+    };
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    logger.error(`Failed to import ${logicalId} (${resource.Type}): ${msg}`);
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "failed",
+      reason: msg
+    };
+  }
+}
+function parseResourceOverrides(flags, mappingFile) {
+  const map = /* @__PURE__ */ new Map();
+  if (mappingFile) {
+    let parsed;
+    try {
+      parsed = JSON.parse(readFileSync5(mappingFile, "utf-8"));
+    } catch (err) {
+      throw new Error(
+        `Failed to read --resource-mapping file '${mappingFile}': ` + (err instanceof Error ? err.message : String(err))
+      );
+    }
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new Error(
+        `--resource-mapping file '${mappingFile}' must be a JSON object {logicalId: physicalId}`
+      );
+    }
+    for (const [key, value] of Object.entries(parsed)) {
+      if (typeof value !== "string") {
+        throw new Error(
+          `--resource-mapping: value for '${key}' must be a string, got ${typeof value}`
+        );
+      }
+      map.set(key, value);
+    }
+  }
+  for (const entry of flags ?? []) {
+    const eq = entry.indexOf("=");
+    if (eq <= 0 || eq === entry.length - 1) {
+      throw new Error(`--resource expects 'logicalId=physicalId', got '${entry}'`);
+    }
+    map.set(entry.slice(0, eq), entry.slice(eq + 1));
+  }
+  return map;
+}
+function readCdkPath(resource) {
+  const meta = resource.Metadata;
+  if (!meta)
+    return "";
+  const v = meta["aws:cdk:path"];
+  return typeof v === "string" ? v : "";
+}
+function collectImportableResources(template) {
+  const out = [];
+  for (const [logicalId, resource] of Object.entries(template.Resources)) {
+    if (resource.Type === "AWS::CDK::Metadata")
+      continue;
+    out.push({ logicalId, resource });
+  }
+  return out;
+}
+function buildStackState(stackName, region, rows, templateParser, template) {
+  const resources = {};
+  for (const row of rows) {
+    if (row.outcome !== "imported" || !row.physicalId)
+      continue;
+    const tmplResource = template.Resources[row.logicalId];
+    if (!tmplResource)
+      continue;
+    const deps = templateParser.extractDependencies(tmplResource);
+    resources[row.logicalId] = {
+      physicalId: row.physicalId,
+      resourceType: row.resourceType,
+      properties: tmplResource.Properties ?? {},
+      attributes: {},
+      dependencies: [...deps]
+    };
+  }
+  return {
+    version: 2,
+    stackName,
+    region,
+    resources,
+    outputs: {},
+    lastModified: Date.now()
+  };
+}
+function printSummary(rows) {
+  const logger = getLogger();
+  const counts = {
+    imported: 0,
+    "skipped-no-impl": 0,
+    "skipped-not-found": 0,
+    failed: 0
+  };
+  logger.info("");
+  logger.info("Import plan:");
+  for (const r of rows) {
+    counts[r.outcome]++;
+    const tag = formatOutcome(r.outcome);
+    const detail = r.outcome === "imported" ? ` (${r.physicalId})` : r.reason ? ` \u2014 ${r.reason}` : "";
+    logger.info(`  ${tag} ${r.logicalId} (${r.resourceType})${detail}`);
+  }
+  logger.info("");
+  logger.info(
+    `Summary: ${counts.imported} imported, ${counts["skipped-not-found"]} not found, ${counts["skipped-no-impl"]} unsupported, ${counts.failed} failed`
+  );
+}
+function formatOutcome(outcome) {
+  switch (outcome) {
+    case "imported":
+      return "\u2713";
+    case "skipped-not-found":
+      return "\xB7";
+    case "skipped-no-impl":
+      return "?";
+    case "failed":
+      return "\u2717";
+  }
+}
+async function confirmPrompt2(prompt) {
+  const rl = readline4.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
+function createImportCommand() {
+  const cmd = new Command11("import").description(
+    "Adopt already-deployed AWS resources into cdkd state. Reads the CDK app to find logical IDs, resource types, and dependencies; uses the aws:cdk:path tag (or explicit --resource overrides) to find each resource in AWS."
+  ).argument(
+    "[stack]",
+    "Stack to import. Optional when the synthesized app contains exactly one stack."
+  ).option(
+    "--resource <id=physical>",
+    "Explicit physical-id override for one logical ID. Repeatable. Bypasses tag-based auto-lookup for that resource only.",
+    collectMultiple,
+    []
+  ).option(
+    "--resource-mapping <file>",
+    "Path to a JSON file of {logicalId: physicalId} overrides (CDK CLI `cdk import --resource-mapping` compatible)."
+  ).option("--dry-run", "Show planned imports without writing state", false).option(
+    "--force",
+    "Overwrite an existing state record. Without this, an existing state file aborts the import.",
+    false
+  ).action(withErrorHandling(importCommand));
+  [...commonOptions, ...appOptions, ...stateOptions, ...contextOptions].forEach(
+    (o) => cmd.addOption(o)
+  );
   return cmd;
 }
+function collectMultiple(value, previous) {
+  return [...previous ?? [], value];
+}
 
 // src/cli/index.ts
 var SUBCOMMANDS = /* @__PURE__ */ new Set([
@@ -30254,6 +31559,7 @@ var SUBCOMMANDS = /* @__PURE__ */ new Set([
   "deploy",
   "diff",
   "destroy",
+  "import",
   "publish-assets",
   "force-unlock",
   "state"
@@ -30269,14 +31575,15 @@ function reorderArgs(argv) {
   return [...prefix, ...cmdAndAfter, ...beforeCmd];
 }
 async function main() {
-  const program = new Command10();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.13.0");
+  const program = new Command12();
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.15.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());
   program.addCommand(createDeployCommand());
   program.addCommand(createDiffCommand());
   program.addCommand(createDestroyCommand());
+  program.addCommand(createImportCommand());
   program.addCommand(createPublishAssetsCommand());
   program.addCommand(createForceUnlockCommand());
   program.addCommand(createStateCommand());