@go-to-k/cdkd 0.14.0 → 0.15.0

package/dist/index.js

@@ -7063,6 +7063,8 @@ import {
   UntagRoleCommand,
   PutRolePermissionsBoundaryCommand,
   DeleteRolePermissionsBoundaryCommand,
+  ListRolesCommand,
+  ListRoleTagsCommand,
   NoSuchEntityException
 } from "@aws-sdk/client-iam";
 init_aws_clients();
@@ -7171,6 +7173,32 @@ function applyDefaultNameForFallback(logicalId, resourceType, properties) {
   };
 }
 
+// src/provisioning/import-helpers.ts
+function readNameProperty(input, propertyName) {
+  const value = input.properties?.[propertyName];
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function resolveExplicitPhysicalId(input, nameProperty) {
+  if (input.knownPhysicalId)
+    return input.knownPhysicalId;
+  if (nameProperty) {
+    const name = readNameProperty(input, nameProperty);
+    if (name)
+      return name;
+  }
+  return void 0;
+}
+var CDK_PATH_TAG = "aws:cdk:path";
+function matchesCdkPath(tags, cdkPath) {
+  if (!tags || !cdkPath)
+    return false;
+  for (const t of tags) {
+    if (t.Key === CDK_PATH_TAG && t.Value === cdkPath)
+      return true;
+  }
+  return false;
+}
+
 // src/provisioning/providers/iam-role-provider.ts
 var IAMRoleProvider = class {
   iamClient;
@@ -7677,6 +7705,58 @@ var IAMRoleProvider = class {
       this.logger.debug(`Added/updated ${tagsToAdd.length} tags on role ${roleName}`);
     }
   }
+  /**
+   * Adopt an existing IAM role into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.RoleName` → use directly,
+   *     verify via `GetRole`.
+   *  2. `ListRoles` + `ListRoleTags`, match `aws:cdk:path` tag.
+   *
+   * `ListRoles` is paginated and IAM is global (no region scoping), so this
+   * walks every role in the account once. Acceptable for the cardinalities
+   * we expect (typically <100 roles per account); larger accounts may want
+   * to provide `--resource` overrides instead.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "RoleName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetRoleCommand({ RoleName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.iamClient.send(
+        new ListRolesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const role of list.Roles ?? []) {
+        if (!role.RoleName)
+          continue;
+        try {
+          const tags = await this.iamClient.send(
+            new ListRoleTagsCommand({ RoleName: role.RoleName })
+          );
+          if (matchesCdkPath(tags.Tags, input.cdkPath)) {
+            return { physicalId: role.RoleName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof NoSuchEntityException)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.IsTruncated ? list.Marker : void 0;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/deployment/dag-executor.ts