@go-to-k/cdkd 0.14.0 → 0.15.0

package/dist/cli.js

@@ -447,7 +447,7 @@ var init_aws_clients = __esm({
 });
 
 // src/cli/index.ts
-import { Command as Command11 } from "commander";
+import { Command as Command12 } from "commander";
 
 // src/cli/commands/bootstrap.ts
 import { Command, Option as Option2 } from "commander";
@@ -1030,9 +1030,9 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
   }
 }
 async function bucketExists(client, bucketName) {
-  const { HeadBucketCommand: HeadBucketCommand4 } = await import("@aws-sdk/client-s3");
+  const { HeadBucketCommand: HeadBucketCommand5 } = await import("@aws-sdk/client-s3");
   try {
-    await client.send(new HeadBucketCommand4({ Bucket: bucketName }));
+    await client.send(new HeadBucketCommand5({ Bucket: bucketName }));
     return true;
   } catch (error) {
     const err = error;
@@ -7674,6 +7674,8 @@ import {
   UntagRoleCommand,
   PutRolePermissionsBoundaryCommand,
   DeleteRolePermissionsBoundaryCommand,
+  ListRolesCommand,
+  ListRoleTagsCommand,
   NoSuchEntityException
 } from "@aws-sdk/client-iam";
 init_aws_clients();
@@ -7782,6 +7784,32 @@ function applyDefaultNameForFallback(logicalId, resourceType, properties) {
   };
 }
 
+// src/provisioning/import-helpers.ts
+function readNameProperty(input, propertyName) {
+  const value = input.properties?.[propertyName];
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function resolveExplicitPhysicalId(input, nameProperty) {
+  if (input.knownPhysicalId)
+    return input.knownPhysicalId;
+  if (nameProperty) {
+    const name = readNameProperty(input, nameProperty);
+    if (name)
+      return name;
+  }
+  return void 0;
+}
+var CDK_PATH_TAG = "aws:cdk:path";
+function matchesCdkPath(tags, cdkPath) {
+  if (!tags || !cdkPath)
+    return false;
+  for (const t of tags) {
+    if (t.Key === CDK_PATH_TAG && t.Value === cdkPath)
+      return true;
+  }
+  return false;
+}
+
 // src/provisioning/providers/iam-role-provider.ts
 var IAMRoleProvider = class {
   iamClient;
@@ -8288,6 +8316,58 @@ var IAMRoleProvider = class {
       this.logger.debug(`Added/updated ${tagsToAdd.length} tags on role ${roleName}`);
     }
   }
+  /**
+   * Adopt an existing IAM role into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.RoleName` → use directly,
+   *     verify via `GetRole`.
+   *  2. `ListRoles` + `ListRoleTags`, match `aws:cdk:path` tag.
+   *
+   * `ListRoles` is paginated and IAM is global (no region scoping), so this
+   * walks every role in the account once. Acceptable for the cardinalities
+   * we expect (typically <100 roles per account); larger accounts may want
+   * to provide `--resource` overrides instead.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "RoleName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetRoleCommand({ RoleName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.iamClient.send(
+        new ListRolesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const role of list.Roles ?? []) {
+        if (!role.RoleName)
+          continue;
+        try {
+          const tags = await this.iamClient.send(
+            new ListRoleTagsCommand({ RoleName: role.RoleName })
+          );
+          if (matchesCdkPath(tags.Tags, input.cdkPath)) {
+            return { physicalId: role.RoleName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof NoSuchEntityException)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.IsTruncated ? list.Marker : void 0;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/iam-policy-provider.ts
@@ -9868,6 +9948,8 @@ var IAMUserGroupProvider = class {
 import {
   CreateBucketCommand as CreateBucketCommand2,
   DeleteBucketCommand,
+  HeadBucketCommand as HeadBucketCommand3,
+  ListBucketsCommand,
   PutBucketVersioningCommand as PutBucketVersioningCommand2,
   PutBucketTaggingCommand,
   PutBucketOwnershipControlsCommand,
@@ -9885,6 +9967,7 @@ import {
   PutBucketInventoryConfigurationCommand,
   PutBucketReplicationCommand,
   PutObjectLockConfigurationCommand,
+  GetBucketTaggingCommand,
   NoSuchBucket,
   ListObjectVersionsCommand,
   DeleteObjectsCommand
@@ -10723,6 +10806,53 @@ var S3BucketProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing S3 bucket into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.BucketName` → use directly,
+   *     verify with `HeadBucket`.
+   *  2. `ListBuckets` + `GetBucketTagging`, match `aws:cdk:path` against the
+   *     CDK construct path.
+   *
+   * Returns `null` when nothing matches — caller treats this as
+   * "not deployed yet" rather than a failure.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "BucketName");
+    if (explicit) {
+      try {
+        await this.s3Client.send(new HeadBucketCommand3({ Bucket: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        const e = err;
+        if (e.name === "NotFound" || e.name === "NoSuchBucket") {
+          return null;
+        }
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    const list = await this.s3Client.send(new ListBucketsCommand({}));
+    for (const b of list.Buckets ?? []) {
+      if (!b.Name)
+        continue;
+      try {
+        const tagging = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: b.Name }));
+        if (matchesCdkPath(tagging.TagSet, input.cdkPath)) {
+          return { physicalId: b.Name, attributes: {} };
+        }
+      } catch (err) {
+        const e = err;
+        if (e.name === "NoSuchTagSet" || e.name === "AccessDenied" || e.$metadata?.httpStatusCode === 301) {
+          continue;
+        }
+        throw err;
+      }
+    }
+    return null;
+  }
   /**
    * Delete a bucket, emptying it first if not empty.
    * Handles the race condition where objects (e.g., ALB logs) are written
@@ -10959,6 +11089,9 @@ import {
   CreateQueueCommand,
   DeleteQueueCommand,
   GetQueueAttributesCommand,
+  GetQueueUrlCommand,
+  ListQueuesCommand,
+  ListQueueTagsCommand,
   SetQueueAttributesCommand,
   QueueDoesNotExist
 } from "@aws-sdk/client-sqs";
@@ -11167,6 +11300,68 @@ var SQSQueueProvider = class {
       return `arn:aws:sqs:unknown:unknown:${queueName}`;
     }
   }
+  /**
+   * Adopt an existing SQS queue into cdkd state.
+   *
+   * SQS physical IDs are queue URLs (`https://sqs.us-east-1.amazonaws.com/<account>/<name>`).
+   *
+   * Lookup order:
+   *  1. `--resource` override (URL) → verify via `GetQueueAttributes`.
+   *  2. `Properties.QueueName` → `GetQueueUrl` for direct lookup.
+   *  3. `aws:cdk:path` tag match via `ListQueues` + `ListQueueTags`.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.sqsClient.send(
+          new GetQueueAttributesCommand({
+            QueueUrl: input.knownPhysicalId,
+            AttributeNames: ["QueueArn"]
+          })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof QueueDoesNotExist)
+          return null;
+        throw err;
+      }
+    }
+    const explicitName = resolveExplicitPhysicalId(input, "QueueName");
+    if (explicitName && !input.knownPhysicalId) {
+      try {
+        const resp = await this.sqsClient.send(new GetQueueUrlCommand({ QueueName: explicitName }));
+        if (resp.QueueUrl)
+          return { physicalId: resp.QueueUrl, attributes: {} };
+        return null;
+      } catch (err) {
+        if (err instanceof QueueDoesNotExist)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.sqsClient.send(
+        new ListQueuesCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const url of list.QueueUrls ?? []) {
+        try {
+          const tagsResp = await this.sqsClient.send(new ListQueueTagsCommand({ QueueUrl: url }));
+          if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
+            return { physicalId: url, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof QueueDoesNotExist)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/sqs-queue-policy-provider.ts
@@ -11329,6 +11524,9 @@ var SQSQueuePolicyProvider = class {
 import {
   CreateTopicCommand,
   DeleteTopicCommand,
+  GetTopicAttributesCommand,
+  ListTopicsCommand,
+  ListTagsForResourceCommand,
   SetTopicAttributesCommand,
   TagResourceCommand,
   UntagResourceCommand,
@@ -11618,6 +11816,63 @@ var SNSTopicProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing SNS topic into cdkd state.
+   *
+   * SNS physical IDs are full ARNs (`arn:aws:sns:...:TopicName`). The
+   * `--resource` override is expected to receive an ARN; bare topic names
+   * trigger a `ListTopics` walk that resolves to the ARN.
+   *
+   * Lookup order:
+   *  1. `--resource` override → trust as ARN, verify via `GetTopicAttributes`.
+   *  2. `Properties.TopicName` → `ListTopics` to find matching ARN.
+   *  3. `aws:cdk:path` tag match via `ListTopics` + `ListTagsForResource`.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.snsClient.send(
+          new GetTopicAttributesCommand({ TopicArn: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    const desiredName = typeof input.properties?.["TopicName"] === "string" ? input.properties["TopicName"] : void 0;
+    let nextToken;
+    do {
+      const list = await this.snsClient.send(
+        new ListTopicsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const t of list.Topics ?? []) {
+        if (!t.TopicArn)
+          continue;
+        const arnTail = t.TopicArn.substring(t.TopicArn.lastIndexOf(":") + 1);
+        if (desiredName && arnTail === desiredName) {
+          return { physicalId: t.TopicArn, attributes: {} };
+        }
+        if (input.cdkPath) {
+          try {
+            const tagsResp = await this.snsClient.send(
+              new ListTagsForResourceCommand({ ResourceArn: t.TopicArn })
+            );
+            if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+              return { physicalId: t.TopicArn, attributes: {} };
+            }
+          } catch (err) {
+            if (err instanceof NotFoundException)
+              continue;
+            throw err;
+          }
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/sns-subscription-provider.ts
@@ -11917,6 +12172,8 @@ import {
   UpdateFunctionCodeCommand,
   DeleteFunctionCommand,
   GetFunctionCommand,
+  ListFunctionsCommand,
+  ListTagsCommand,
   ResourceNotFoundException
 } from "@aws-sdk/client-lambda";
 import {
@@ -12501,6 +12758,57 @@ var LambdaFunctionProvider = class {
     }
     return (crc ^ 4294967295) >>> 0;
   }
+  /**
+   * Adopt an existing Lambda function into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.FunctionName` → use directly,
+   *     verify via `GetFunction`.
+   *  2. `ListFunctions` + `ListTags`, match `aws:cdk:path` tag.
+   *
+   * Lambda's `ListTags` returns a `Tags` map keyed by tag name (unlike
+   * EC2/S3 which return an array of `{Key, Value}`), so we read it directly
+   * instead of going through the shared `matchesCdkPath` helper.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "FunctionName");
+    if (explicit) {
+      try {
+        await this.lambdaClient.send(new GetFunctionCommand({ FunctionName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.lambdaClient.send(
+        new ListFunctionsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const fn of list.Functions ?? []) {
+        if (!fn.FunctionArn || !fn.FunctionName)
+          continue;
+        try {
+          const tagsResp = await this.lambdaClient.send(
+            new ListTagsCommand({ Resource: fn.FunctionArn })
+          );
+          if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
+            return { physicalId: fn.FunctionName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/lambda-permission-provider.ts
@@ -13222,6 +13530,8 @@ import {
   CreateTableCommand,
   DeleteTableCommand,
   DescribeTableCommand as DescribeTableCommand2,
+  ListTablesCommand,
+  ListTagsOfResourceCommand,
   ResourceNotFoundException as ResourceNotFoundException6
 } from "@aws-sdk/client-dynamodb";
 init_aws_clients();
@@ -13433,12 +13743,70 @@ var DynamoDBTableProvider = class {
     }
     throw new Error(`Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds`);
   }
+  /**
+   * Adopt an existing DynamoDB table into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.TableName` → verify via `DescribeTable`.
+   *  2. `ListTables` + `ListTagsOfResource`, match `aws:cdk:path` tag.
+   *
+   * Tags require the table ARN, which `DescribeTable` provides; the loop
+   * therefore costs one `DescribeTable` per table just to read the ARN.
+   * Acceptable for typical DynamoDB cardinalities.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "TableName");
+    if (explicit) {
+      try {
+        await this.dynamoDBClient.send(new DescribeTableCommand2({ TableName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException6)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let exclusiveStartTableName;
+    do {
+      const list = await this.dynamoDBClient.send(
+        new ListTablesCommand({
+          ...exclusiveStartTableName && { ExclusiveStartTableName: exclusiveStartTableName }
+        })
+      );
+      for (const name of list.TableNames ?? []) {
+        try {
+          const desc = await this.dynamoDBClient.send(
+            new DescribeTableCommand2({ TableName: name })
+          );
+          const arn = desc.Table?.TableArn;
+          if (!arn)
+            continue;
+          const tagsResp = await this.dynamoDBClient.send(
+            new ListTagsOfResourceCommand({ ResourceArn: arn })
+          );
+          if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+            return { physicalId: name, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException6)
+            continue;
+          throw err;
+        }
+      }
+      exclusiveStartTableName = list.LastEvaluatedTableName;
+    } while (exclusiveStartTableName);
+    return null;
+  }
 };
 
 // src/provisioning/providers/logs-loggroup-provider.ts
 import {
   CreateLogGroupCommand,
   DeleteLogGroupCommand,
+  DescribeLogGroupsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand2,
   PutRetentionPolicyCommand,
   DeleteRetentionPolicyCommand,
   TagResourceCommand as TagResourceCommand2,
@@ -13662,6 +14030,61 @@ var LogsLogGroupProvider = class {
       return `arn:aws:logs:unknown:unknown:log-group:${logGroupName}:*`;
     }
   }
+  /**
+   * Adopt an existing CloudWatch Logs log group into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.LogGroupName` → verify via
+   *     `DescribeLogGroups` (filtered by name prefix).
+   *  2. `aws:cdk:path` tag match via `DescribeLogGroups` + `ListTagsForResource`.
+   *
+   * `ListTagsForResource` for log groups uses the log-group ARN. The
+   * `DescribeLogGroups` response includes the ARN, so no extra round-trip
+   * is needed beyond the per-group tag lookup.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "LogGroupName");
+    if (explicit) {
+      try {
+        const resp = await this.logsClient.send(
+          new DescribeLogGroupsCommand({ logGroupNamePrefix: explicit })
+        );
+        const found = resp.logGroups?.find((g) => g.logGroupName === explicit);
+        return found ? { physicalId: explicit, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException7)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.logsClient.send(
+        new DescribeLogGroupsCommand({ ...nextToken && { nextToken } })
+      );
+      for (const g of list.logGroups ?? []) {
+        if (!g.logGroupName || !g.arn)
+          continue;
+        const arnForTags = g.arn.replace(/:\*$/, "");
+        try {
+          const tagsResp = await this.logsClient.send(
+            new ListTagsForResourceCommand2({ resourceArn: arnForTags })
+          );
+          if (tagsResp.tags?.["aws:cdk:path"] === input.cdkPath) {
+            return { physicalId: g.logGroupName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException7)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.nextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/cloudwatch-alarm-provider.ts
@@ -13892,6 +14315,8 @@ var CloudWatchAlarmProvider = class {
 import {
   CreateSecretCommand,
   DeleteSecretCommand,
+  DescribeSecretCommand,
+  ListSecretsCommand,
   UpdateSecretCommand,
   TagResourceCommand as TagResourceCommand3,
   UntagResourceCommand as UntagResourceCommand3,
@@ -14159,10 +14584,65 @@ var SecretsManagerSecretProvider = class {
     }
     return password;
   }
+  /**
+   * Adopt an existing Secrets Manager secret into cdkd state.
+   *
+   * Secrets Manager physical IDs are full secret ARNs. The CDK template's
+   * `Properties.Name` (secret name) is enough to fetch the ARN via
+   * `DescribeSecret`.
+   *
+   * Lookup order:
+   *  1. `--resource` override (ARN) → verify via `DescribeSecret`.
+   *  2. `Properties.Name` → `DescribeSecret` (accepts name).
+   *  3. `aws:cdk:path` tag match via `ListSecrets` (which already returns Tags).
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.smClient.send(
+          new DescribeSecretCommand({ SecretId: input.knownPhysicalId })
+        );
+        return resp.ARN ? { physicalId: resp.ARN, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException8)
+          return null;
+        throw err;
+      }
+    }
+    const name = typeof input.properties?.["Name"] === "string" ? input.properties["Name"] : void 0;
+    if (name) {
+      try {
+        const resp = await this.smClient.send(new DescribeSecretCommand({ SecretId: name }));
+        return resp.ARN ? { physicalId: resp.ARN, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException8)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.smClient.send(
+        new ListSecretsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const s of list.SecretList ?? []) {
+        if (s.ARN && matchesCdkPath(s.Tags, input.cdkPath)) {
+          return { physicalId: s.ARN, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/ssm-parameter-provider.ts
 import {
+  DescribeParametersCommand,
+  GetParameterCommand as GetParameterCommand3,
+  ListTagsForResourceCommand as ListTagsForResourceCommand3,
   PutParameterCommand,
   DeleteParameterCommand,
   AddTagsToResourceCommand,
@@ -14374,6 +14854,57 @@ var SSMParameterProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing SSM parameter into cdkd state.
+   *
+   * SSM physical IDs ARE the parameter names (`/foo/bar`). The CDK template
+   * usually carries `Properties.Name` explicitly, so the explicit-name path
+   * covers most cases. The tag-based fallback is rarely needed.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.Name` → verify via `GetParameter`.
+   *  2. `aws:cdk:path` tag match via `DescribeParameters` + `ListTagsForResource`
+   *     (`ResourceType: 'Parameter'`, `ResourceId: <name>`).
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "Name");
+    if (explicit) {
+      try {
+        await this.ssmClient.send(new GetParameterCommand3({ Name: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ParameterNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.ssmClient.send(
+        new DescribeParametersCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const p of list.Parameters ?? []) {
+        if (!p.Name)
+          continue;
+        try {
+          const tagsResp = await this.ssmClient.send(
+            new ListTagsForResourceCommand3({ ResourceType: "Parameter", ResourceId: p.Name })
+          );
+          if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+            return { physicalId: p.Name, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ParameterNotFound)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/eventbridge-rule-provider.ts
@@ -14672,7 +15203,9 @@ import {
   DeleteEventBusCommand,
   UpdateEventBusCommand,
   DescribeEventBusCommand,
+  ListEventBusesCommand,
   ListRulesCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand4,
   RemoveTargetsCommand as RemoveTargetsCommand2,
   DeleteRuleCommand as DeleteRuleCommand2,
   ListTargetsByRuleCommand as ListTargetsByRuleCommand2,
@@ -14913,6 +15446,52 @@ var EventBridgeBusProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing EventBridge event bus into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.Name` → verify via `DescribeEventBus`.
+   *  2. `aws:cdk:path` tag match via `ListEventBuses` + `ListTagsForResource`.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "Name");
+    if (explicit) {
+      try {
+        await this.eventBridgeClient.send(new DescribeEventBusCommand({ Name: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException10)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.eventBridgeClient.send(
+        new ListEventBusesCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const bus of list.EventBuses ?? []) {
+        if (!bus.Name || !bus.Arn)
+          continue;
+        try {
+          const tagsResp = await this.eventBridgeClient.send(
+            new ListTagsForResourceCommand4({ ResourceARN: bus.Arn })
+          );
+          if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+            return { physicalId: bus.Name, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException10)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/ec2-provider.ts
@@ -24219,6 +24798,10 @@ var GlueProvider = class {
 import {
   KMSClient as KMSClient2,
   CreateKeyCommand,
+  DescribeKeyCommand,
+  ListAliasesCommand as ListAliasesCommand2,
+  ListKeysCommand,
+  ListResourceTagsCommand,
   ScheduleKeyDeletionCommand,
   CreateAliasCommand,
   DeleteAliasCommand,
@@ -24601,6 +25184,81 @@ var KMSProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing KMS key or alias into cdkd state.
+   *
+   * KMS keys have no `Properties.KeyName` field — physical IDs are
+   * AWS-generated UUIDs. So:
+   *  - For `AWS::KMS::Key`: `--resource MyKey=<keyId>` is the only explicit
+   *    path; auto-lookup walks `ListKeys` + `ListResourceTags` matching
+   *    `aws:cdk:path`.
+   *  - For `AWS::KMS::Alias`: `Properties.AliasName` is explicit and reliable.
+   */
+  async import(input) {
+    if (input.resourceType === "AWS::KMS::Alias") {
+      const aliasName = input.knownPhysicalId ?? (typeof input.properties?.["AliasName"] === "string" ? input.properties["AliasName"] : void 0);
+      if (!aliasName)
+        return null;
+      try {
+        let marker2;
+        do {
+          const list = await this.getClient().send(
+            new ListAliasesCommand2({ ...marker2 && { Marker: marker2 } })
+          );
+          const found = list.Aliases?.find(
+            (a) => a.AliasName === aliasName
+          );
+          if (found)
+            return { physicalId: aliasName, attributes: {} };
+          marker2 = list.NextMarker;
+        } while (marker2);
+        return null;
+      } catch (err) {
+        if (err instanceof NotFoundException5)
+          return null;
+        throw err;
+      }
+    }
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new DescribeKeyCommand({ KeyId: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NotFoundException5)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new ListKeysCommand({ ...marker && { Marker: marker } })
+      );
+      for (const key of list.Keys ?? []) {
+        if (!key.KeyId)
+          continue;
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListResourceTagsCommand({ KeyId: key.KeyId })
+          );
+          for (const tag of tagsResp.Tags ?? []) {
+            if (tag.TagKey === CDK_PATH_TAG && tag.TagValue === input.cdkPath) {
+              return { physicalId: key.KeyId, attributes: {} };
+            }
+          }
+        } catch (err) {
+          const name = err.name;
+          if (name === "AccessDeniedException" || err instanceof NotFoundException5)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/kinesis-provider.ts
@@ -26579,7 +27237,7 @@ import {
   CreateTableCommand as CreateTableCommand3,
   DeleteTableCommand as DeleteTableCommand3,
   ListNamespacesCommand,
-  ListTablesCommand,
+  ListTablesCommand as ListTablesCommand2,
   NotFoundException as NotFoundException6
 } from "@aws-sdk/client-s3tables";
 var S3TablesProvider = class {
@@ -26725,7 +27383,7 @@ var S3TablesProvider = class {
         let tableContinuationToken;
         do {
           const tablesResult = await this.getClient().send(
-            new ListTablesCommand({
+            new ListTablesCommand2({
               tableBucketARN,
               namespace: namespaceName,
               continuationToken: tableContinuationToken
@@ -29572,7 +30230,7 @@ import {
   CreateBucketCommand as CreateBucketCommand4,
   DeleteBucketCommand as DeleteBucketCommand3,
   DeleteObjectsCommand as DeleteObjectsCommand3,
-  HeadBucketCommand as HeadBucketCommand3,
+  HeadBucketCommand as HeadBucketCommand4,
   ListObjectVersionsCommand as ListObjectVersionsCommand2,
   ListObjectsV2Command as ListObjectsV2Command3,
   PutBucketEncryptionCommand as PutBucketEncryptionCommand3,
@@ -29695,7 +30353,7 @@ async function stateMigrateBucketCommand(options) {
 }
 async function bucketExists2(s3, bucketName) {
   try {
-    await s3.send(new HeadBucketCommand3({ Bucket: bucketName }));
+    await s3.send(new HeadBucketCommand4({ Bucket: bucketName }));
     return true;
   } catch (error) {
     const err = error;
@@ -30557,6 +31215,341 @@ function createStateCommand() {
   return cmd;
 }
 
+// src/cli/commands/import.ts
+import { readFileSync as readFileSync5 } from "node:fs";
+import * as readline4 from "node:readline/promises";
+import { Command as Command11 } from "commander";
+init_aws_clients();
+async function importCommand(stackArg, options) {
+  const logger = getLogger();
+  if (options.verbose) {
+    logger.setLevel("debug");
+    process.env["CDKD_NO_LIVE"] = "1";
+  }
+  const region = options.region || process.env["AWS_REGION"] || "us-east-1";
+  const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
+  if (options.region) {
+    process.env["AWS_REGION"] = options.region;
+    process.env["AWS_DEFAULT_REGION"] = options.region;
+  }
+  const awsClients = new AwsClients({
+    ...options.region && { region: options.region },
+    ...options.profile && { profile: options.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const stateConfig = { bucket: stateBucket, prefix: options.statePrefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...options.region && { region: options.region },
+      ...options.profile && { profile: options.profile }
+    });
+    await stateBackend.verifyBucketExists();
+    const lockManager = new LockManager(awsClients.s3, stateConfig);
+    const providerRegistry = new ProviderRegistry();
+    registerAllProviders(providerRegistry);
+    const appCmd = options.app || resolveApp();
+    if (!appCmd) {
+      throw new Error(
+        "`cdkd state import` requires a CDK app: pass --app or set it in cdk.json. The template is read to find logical IDs, resource types, and dependencies."
+      );
+    }
+    logger.info("Synthesizing CDK app to read template...");
+    const synthesizer = new Synthesizer();
+    const context = parseContextOptions(options.context);
+    const result = await synthesizer.synthesize({
+      app: appCmd,
+      output: options.output || "cdk.out",
+      ...Object.keys(context).length > 0 && { context }
+    });
+    let stackInfo;
+    if (stackArg) {
+      stackInfo = result.stacks.find((s) => s.stackName === stackArg || s.displayName === stackArg);
+      if (!stackInfo) {
+        throw new Error(
+          `Stack '${stackArg}' not found in synthesized app. Available: ${result.stacks.map((s) => s.stackName).join(", ")}`
+        );
+      }
+    } else if (result.stacks.length === 1) {
+      stackInfo = result.stacks[0];
+    } else {
+      throw new Error(
+        `Multiple stacks found: ${result.stacks.map((s) => s.stackName).join(", ")}. Specify the stack name as a positional argument.`
+      );
+    }
+    const targetRegion = stackInfo.region || region;
+    logger.info(`Target stack: ${stackInfo.stackName} (${targetRegion})`);
+    const existing = await stateBackend.stateExists(stackInfo.stackName, targetRegion);
+    if (existing && !options.force) {
+      throw new Error(
+        `State already exists for stack '${stackInfo.stackName}' (${targetRegion}). Pass --force to overwrite. (cdkd state import rebuilds the resource map from AWS, so the existing state \u2014 including any drift you've manually edited \u2014 will be lost.)`
+      );
+    }
+    const overrides = parseResourceOverrides(options.resource, options.resourceMapping);
+    if (overrides.size > 0) {
+      logger.debug(`User-supplied physical IDs: ${[...overrides.keys()].join(", ")}`);
+    }
+    const template = stackInfo.template;
+    const templateParser = new TemplateParser();
+    const resources = collectImportableResources(template);
+    logger.info(`Found ${resources.length} resource(s) in template`);
+    const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+    await lockManager.acquireLock(stackInfo.stackName, targetRegion, owner, "import");
+    try {
+      const rows = [];
+      for (const { logicalId, resource } of resources) {
+        const outcome = await importOne({
+          logicalId,
+          resource,
+          stackName: stackInfo.stackName,
+          region: targetRegion,
+          providerRegistry,
+          override: overrides.get(logicalId)
+        });
+        rows.push(outcome);
+      }
+      printSummary(rows);
+      if (options.dryRun) {
+        logger.info("--dry-run: state will NOT be written. Re-run without --dry-run to apply.");
+        return;
+      }
+      const importedRows = rows.filter((r) => r.outcome === "imported");
+      if (importedRows.length === 0) {
+        logger.warn("No resources were successfully imported. State will not be written.");
+        return;
+      }
+      if (!options.yes) {
+        const ok = await confirmPrompt2(
+          `Write state for ${stackInfo.stackName} (${targetRegion}) with ${importedRows.length} resource(s)?`
+        );
+        if (!ok) {
+          logger.info("Import cancelled.");
+          return;
+        }
+      }
+      const stackState = buildStackState(
+        stackInfo.stackName,
+        targetRegion,
+        rows,
+        templateParser,
+        template
+      );
+      await stateBackend.saveState(stackInfo.stackName, targetRegion, stackState);
+      logger.info(`\u2713 State written: ${stackInfo.stackName} (${targetRegion})`);
+      logger.info(
+        `  ${importedRows.length} resource(s) imported. Run 'cdkd diff' to see how the imported state lines up with the template.`
+      );
+    } finally {
+      await lockManager.releaseLock(stackInfo.stackName, targetRegion).catch((err) => {
+        logger.warn(`Failed to release lock: ${err instanceof Error ? err.message : String(err)}`);
+      });
+    }
+  } finally {
+    awsClients.destroy();
+  }
+}
+async function importOne(task) {
+  const logger = getLogger();
+  const { logicalId, resource, stackName, region, providerRegistry, override } = task;
+  if (!providerRegistry.hasProvider(resource.Type)) {
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "skipped-no-impl",
+      reason: "no provider registered"
+    };
+  }
+  const provider = providerRegistry.getProvider(resource.Type);
+  if (!provider.import) {
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "skipped-no-impl",
+      reason: `provider does not implement import (yet)`
+    };
+  }
+  const cdkPath = readCdkPath(resource);
+  const input = {
+    logicalId,
+    resourceType: resource.Type,
+    cdkPath,
+    stackName,
+    region,
+    properties: resource.Properties ?? {},
+    ...override !== void 0 && { knownPhysicalId: override }
+  };
+  try {
+    const result = await provider.import(input);
+    if (!result) {
+      return {
+        logicalId,
+        resourceType: resource.Type,
+        outcome: "skipped-not-found",
+        reason: "no matching AWS resource"
+      };
+    }
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "imported",
+      physicalId: result.physicalId
+    };
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    logger.error(`Failed to import ${logicalId} (${resource.Type}): ${msg}`);
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "failed",
+      reason: msg
+    };
+  }
+}
+function parseResourceOverrides(flags, mappingFile) {
+  const map = /* @__PURE__ */ new Map();
+  if (mappingFile) {
+    let parsed;
+    try {
+      parsed = JSON.parse(readFileSync5(mappingFile, "utf-8"));
+    } catch (err) {
+      throw new Error(
+        `Failed to read --resource-mapping file '${mappingFile}': ` + (err instanceof Error ? err.message : String(err))
+      );
+    }
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new Error(
+        `--resource-mapping file '${mappingFile}' must be a JSON object {logicalId: physicalId}`
+      );
+    }
+    for (const [key, value] of Object.entries(parsed)) {
+      if (typeof value !== "string") {
+        throw new Error(
+          `--resource-mapping: value for '${key}' must be a string, got ${typeof value}`
+        );
+      }
+      map.set(key, value);
+    }
+  }
+  for (const entry of flags ?? []) {
+    const eq = entry.indexOf("=");
+    if (eq <= 0 || eq === entry.length - 1) {
+      throw new Error(`--resource expects 'logicalId=physicalId', got '${entry}'`);
+    }
+    map.set(entry.slice(0, eq), entry.slice(eq + 1));
+  }
+  return map;
+}
+function readCdkPath(resource) {
+  const meta = resource.Metadata;
+  if (!meta)
+    return "";
+  const v = meta["aws:cdk:path"];
+  return typeof v === "string" ? v : "";
+}
+function collectImportableResources(template) {
+  const out = [];
+  for (const [logicalId, resource] of Object.entries(template.Resources)) {
+    if (resource.Type === "AWS::CDK::Metadata")
+      continue;
+    out.push({ logicalId, resource });
+  }
+  return out;
+}
+function buildStackState(stackName, region, rows, templateParser, template) {
+  const resources = {};
+  for (const row of rows) {
+    if (row.outcome !== "imported" || !row.physicalId)
+      continue;
+    const tmplResource = template.Resources[row.logicalId];
+    if (!tmplResource)
+      continue;
+    const deps = templateParser.extractDependencies(tmplResource);
+    resources[row.logicalId] = {
+      physicalId: row.physicalId,
+      resourceType: row.resourceType,
+      properties: tmplResource.Properties ?? {},
+      attributes: {},
+      dependencies: [...deps]
+    };
+  }
+  return {
+    version: 2,
+    stackName,
+    region,
+    resources,
+    outputs: {},
+    lastModified: Date.now()
+  };
+}
+function printSummary(rows) {
+  const logger = getLogger();
+  const counts = {
+    imported: 0,
+    "skipped-no-impl": 0,
+    "skipped-not-found": 0,
+    failed: 0
+  };
+  logger.info("");
+  logger.info("Import plan:");
+  for (const r of rows) {
+    counts[r.outcome]++;
+    const tag = formatOutcome(r.outcome);
+    const detail = r.outcome === "imported" ? ` (${r.physicalId})` : r.reason ? ` \u2014 ${r.reason}` : "";
+    logger.info(`  ${tag} ${r.logicalId} (${r.resourceType})${detail}`);
+  }
+  logger.info("");
+  logger.info(
+    `Summary: ${counts.imported} imported, ${counts["skipped-not-found"]} not found, ${counts["skipped-no-impl"]} unsupported, ${counts.failed} failed`
+  );
+}
+function formatOutcome(outcome) {
+  switch (outcome) {
+    case "imported":
+      return "\u2713";
+    case "skipped-not-found":
+      return "\xB7";
+    case "skipped-no-impl":
+      return "?";
+    case "failed":
+      return "\u2717";
+  }
+}
+async function confirmPrompt2(prompt) {
+  const rl = readline4.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
+function createImportCommand() {
+  const cmd = new Command11("import").description(
+    "Adopt already-deployed AWS resources into cdkd state. Reads the CDK app to find logical IDs, resource types, and dependencies; uses the aws:cdk:path tag (or explicit --resource overrides) to find each resource in AWS."
+  ).argument(
+    "[stack]",
+    "Stack to import. Optional when the synthesized app contains exactly one stack."
+  ).option(
+    "--resource <id=physical>",
+    "Explicit physical-id override for one logical ID. Repeatable. Bypasses tag-based auto-lookup for that resource only.",
+    collectMultiple,
+    []
+  ).option(
+    "--resource-mapping <file>",
+    "Path to a JSON file of {logicalId: physicalId} overrides (CDK CLI `cdk import --resource-mapping` compatible)."
+  ).option("--dry-run", "Show planned imports without writing state", false).option(
+    "--force",
+    "Overwrite an existing state record. Without this, an existing state file aborts the import.",
+    false
+  ).action(withErrorHandling(importCommand));
+  [...commonOptions, ...appOptions, ...stateOptions, ...contextOptions].forEach(
+    (o) => cmd.addOption(o)
+  );
+  return cmd;
+}
+function collectMultiple(value, previous) {
+  return [...previous ?? [], value];
+}
+
 // src/cli/index.ts
 var SUBCOMMANDS = /* @__PURE__ */ new Set([
   "bootstrap",
@@ -30566,6 +31559,7 @@ var SUBCOMMANDS = /* @__PURE__ */ new Set([
   "deploy",
   "diff",
   "destroy",
+  "import",
   "publish-assets",
   "force-unlock",
   "state"
@@ -30581,14 +31575,15 @@ function reorderArgs(argv) {
   return [...prefix, ...cmdAndAfter, ...beforeCmd];
 }
 async function main() {
-  const program = new Command11();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.14.0");
+  const program = new Command12();
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.15.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());
   program.addCommand(createDeployCommand());
   program.addCommand(createDiffCommand());
   program.addCommand(createDestroyCommand());
+  program.addCommand(createImportCommand());
   program.addCommand(createPublishAssetsCommand());
   program.addCommand(createForceUnlockCommand());
   program.addCommand(createStateCommand());