npm - @go-to-k/cdkd - Versions diffs - 0.14.0 → 0.16.0 - Mend

@go-to-k/cdkd 0.14.0 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +9 -0
package/dist/cli.js +1066 -17
package/dist/cli.js.map +4 -4
package/dist/go-to-k-cdkd-0.16.0.tgz +0 -0
package/dist/index.js +134 -0
package/dist/index.js.map +3 -3
package/package.json +1 -1
package/dist/go-to-k-cdkd-0.14.0.tgz +0 -0

package/dist/cli.js CHANGED Viewed

@@ -447,7 +447,7 @@ var init_aws_clients = __esm({
 });
 // src/cli/index.ts
-import { Command as Command11 } from "commander";
+import { Command as Command12 } from "commander";
 // src/cli/commands/bootstrap.ts
 import { Command, Option as Option2 } from "commander";
@@ -1016,7 +1016,7 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
       logger.warn(
         `Using legacy state bucket name '${legacyName}'. The default has changed to '${newName}'. To migrate, run:
-    cdkd state migrate-bucket --region ${region}
+    cdkd state migrate --region ${region}
 (add --remove-legacy to delete the legacy bucket after a successful copy; legacy support will be dropped in a future release.)`
       );
@@ -1030,9 +1030,9 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
   }
 }
 async function bucketExists(client, bucketName) {
-  const { HeadBucketCommand: HeadBucketCommand4 } = await import("@aws-sdk/client-s3");
+  const { HeadBucketCommand: HeadBucketCommand5 } = await import("@aws-sdk/client-s3");
   try {
-    await client.send(new HeadBucketCommand4({ Bucket: bucketName }));
+    await client.send(new HeadBucketCommand5({ Bucket: bucketName }));
     return true;
   } catch (error) {
     const err = error;
@@ -7010,6 +7010,60 @@ Error: ${err.message || "Unknown error"}`,
     }
     return resourceType.startsWith("AWS::");
   }
+  /**
+   * Adopt an already-deployed resource into cdkd state via Cloud Control API.
+   *
+   * Strategy: explicit-override only.
+   *   - With `knownPhysicalId` (from `--resource <id>=<physicalId>` or
+   *     `--resource-mapping`): call `GetResource(TypeName, Identifier)`,
+   *     parse `ResourceModel` (returned as a JSON string by CC API), and
+   *     return its keys as `attributes`.
+   *   - Without `knownPhysicalId`: return `null`. CC API has no efficient
+   *     `aws:cdk:path`-tag lookup — `ListResources` returns identifiers
+   *     only, so tag lookup would require one `GetResource` per resource
+   *     in the account, plus per-service tag-API calls (which CC API
+   *     doesn't expose uniformly). Cost vs. value isn't worth it; users
+   *     who need adoption for CC-API-only resource types should pass
+   *     `--resource <id>=<physicalId>` for those resources.
+   *
+   * SDK providers (S3, Lambda, IAM Role, etc.) implement their own
+   * `import` with tag-based auto-lookup; this fallback only kicks in for
+   * resource types that don't have a dedicated SDK provider.
+   */
+  async import(input) {
+    if (!input.knownPhysicalId) {
+      return null;
+    }
+    try {
+      const resp = await this.cloudControlClient.send(
+        new GetResourceCommand2({
+          TypeName: input.resourceType,
+          Identifier: input.knownPhysicalId
+        })
+      );
+      let attributes = {};
+      const raw = resp.ResourceDescription?.Properties;
+      if (typeof raw === "string" && raw.length > 0) {
+        try {
+          const parsed = JSON.parse(raw);
+          if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            attributes = parsed;
+          }
+        } catch (parseErr) {
+          this.logger.debug(
+            `Failed to parse CC API ResourceModel for ${input.resourceType}/${input.knownPhysicalId}: ${parseErr instanceof Error ? parseErr.message : String(parseErr)}`
+          );
+        }
+      }
+      return { physicalId: input.knownPhysicalId, attributes };
+    } catch (error) {
+      const err = error;
+      if (err.name === "ResourceNotFoundException") {
+        return null;
+      }
+      throw error;
+    }
+  }
 };
 // src/provisioning/providers/custom-resource-provider.ts
@@ -7674,6 +7728,8 @@ import {
   UntagRoleCommand,
   PutRolePermissionsBoundaryCommand,
   DeleteRolePermissionsBoundaryCommand,
+  ListRolesCommand,
+  ListRoleTagsCommand,
   NoSuchEntityException
 } from "@aws-sdk/client-iam";
 init_aws_clients();
@@ -7782,6 +7838,32 @@ function applyDefaultNameForFallback(logicalId, resourceType, properties) {
   };
 }
+// src/provisioning/import-helpers.ts
+function readNameProperty(input, propertyName) {
+  const value = input.properties?.[propertyName];
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function resolveExplicitPhysicalId(input, nameProperty) {
+  if (input.knownPhysicalId)
+    return input.knownPhysicalId;
+  if (nameProperty) {
+    const name = readNameProperty(input, nameProperty);
+    if (name)
+      return name;
+  }
+  return void 0;
+}
+var CDK_PATH_TAG = "aws:cdk:path";
+function matchesCdkPath(tags, cdkPath) {
+  if (!tags || !cdkPath)
+    return false;
+  for (const t of tags) {
+    if (t.Key === CDK_PATH_TAG && t.Value === cdkPath)
+      return true;
+  }
+  return false;
+}
 // src/provisioning/providers/iam-role-provider.ts
 var IAMRoleProvider = class {
   iamClient;
@@ -8288,6 +8370,58 @@ var IAMRoleProvider = class {
       this.logger.debug(`Added/updated ${tagsToAdd.length} tags on role ${roleName}`);
     }
   }
+  /**
+   * Adopt an existing IAM role into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.RoleName` → use directly,
+   *     verify via `GetRole`.
+   *  2. `ListRoles` + `ListRoleTags`, match `aws:cdk:path` tag.
+   *
+   * `ListRoles` is paginated and IAM is global (no region scoping), so this
+   * walks every role in the account once. Acceptable for the cardinalities
+   * we expect (typically <100 roles per account); larger accounts may want
+   * to provide `--resource` overrides instead.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "RoleName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetRoleCommand({ RoleName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.iamClient.send(
+        new ListRolesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const role of list.Roles ?? []) {
+        if (!role.RoleName)
+          continue;
+        try {
+          const tags = await this.iamClient.send(
+            new ListRoleTagsCommand({ RoleName: role.RoleName })
+          );
+          if (matchesCdkPath(tags.Tags, input.cdkPath)) {
+            return { physicalId: role.RoleName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof NoSuchEntityException)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.IsTruncated ? list.Marker : void 0;
+    } while (marker);
+    return null;
+  }
 };
 // src/provisioning/providers/iam-policy-provider.ts
@@ -9868,6 +10002,8 @@ var IAMUserGroupProvider = class {
 import {
   CreateBucketCommand as CreateBucketCommand2,
   DeleteBucketCommand,
+  HeadBucketCommand as HeadBucketCommand3,
+  ListBucketsCommand,
   PutBucketVersioningCommand as PutBucketVersioningCommand2,
   PutBucketTaggingCommand,
   PutBucketOwnershipControlsCommand,
@@ -9885,6 +10021,7 @@ import {
   PutBucketInventoryConfigurationCommand,
   PutBucketReplicationCommand,
   PutObjectLockConfigurationCommand,
+  GetBucketTaggingCommand,
   NoSuchBucket,
   ListObjectVersionsCommand,
   DeleteObjectsCommand
@@ -10723,6 +10860,53 @@ var S3BucketProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing S3 bucket into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.BucketName` → use directly,
+   *     verify with `HeadBucket`.
+   *  2. `ListBuckets` + `GetBucketTagging`, match `aws:cdk:path` against the
+   *     CDK construct path.
+   *
+   * Returns `null` when nothing matches — caller treats this as
+   * "not deployed yet" rather than a failure.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "BucketName");
+    if (explicit) {
+      try {
+        await this.s3Client.send(new HeadBucketCommand3({ Bucket: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        const e = err;
+        if (e.name === "NotFound" || e.name === "NoSuchBucket") {
+          return null;
+        }
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    const list = await this.s3Client.send(new ListBucketsCommand({}));
+    for (const b of list.Buckets ?? []) {
+      if (!b.Name)
+        continue;
+      try {
+        const tagging = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: b.Name }));
+        if (matchesCdkPath(tagging.TagSet, input.cdkPath)) {
+          return { physicalId: b.Name, attributes: {} };
+        }
+      } catch (err) {
+        const e = err;
+        if (e.name === "NoSuchTagSet" || e.name === "AccessDenied" || e.$metadata?.httpStatusCode === 301) {
+          continue;
+        }
+        throw err;
+      }
+    }
+    return null;
+  }
   /**
    * Delete a bucket, emptying it first if not empty.
    * Handles the race condition where objects (e.g., ALB logs) are written
@@ -10959,6 +11143,9 @@ import {
   CreateQueueCommand,
   DeleteQueueCommand,
   GetQueueAttributesCommand,
+  GetQueueUrlCommand,
+  ListQueuesCommand,
+  ListQueueTagsCommand,
   SetQueueAttributesCommand,
   QueueDoesNotExist
 } from "@aws-sdk/client-sqs";
@@ -11167,6 +11354,68 @@ var SQSQueueProvider = class {
       return `arn:aws:sqs:unknown:unknown:${queueName}`;
     }
   }
+  /**
+   * Adopt an existing SQS queue into cdkd state.
+   *
+   * SQS physical IDs are queue URLs (`https://sqs.us-east-1.amazonaws.com/<account>/<name>`).
+   *
+   * Lookup order:
+   *  1. `--resource` override (URL) → verify via `GetQueueAttributes`.
+   *  2. `Properties.QueueName` → `GetQueueUrl` for direct lookup.
+   *  3. `aws:cdk:path` tag match via `ListQueues` + `ListQueueTags`.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.sqsClient.send(
+          new GetQueueAttributesCommand({
+            QueueUrl: input.knownPhysicalId,
+            AttributeNames: ["QueueArn"]
+          })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof QueueDoesNotExist)
+          return null;
+        throw err;
+      }
+    }
+    const explicitName = resolveExplicitPhysicalId(input, "QueueName");
+    if (explicitName && !input.knownPhysicalId) {
+      try {
+        const resp = await this.sqsClient.send(new GetQueueUrlCommand({ QueueName: explicitName }));
+        if (resp.QueueUrl)
+          return { physicalId: resp.QueueUrl, attributes: {} };
+        return null;
+      } catch (err) {
+        if (err instanceof QueueDoesNotExist)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.sqsClient.send(
+        new ListQueuesCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const url of list.QueueUrls ?? []) {
+        try {
+          const tagsResp = await this.sqsClient.send(new ListQueueTagsCommand({ QueueUrl: url }));
+          if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
+            return { physicalId: url, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof QueueDoesNotExist)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 // src/provisioning/providers/sqs-queue-policy-provider.ts
@@ -11329,6 +11578,9 @@ var SQSQueuePolicyProvider = class {
 import {
   CreateTopicCommand,
   DeleteTopicCommand,
+  GetTopicAttributesCommand,
+  ListTopicsCommand,
+  ListTagsForResourceCommand,
   SetTopicAttributesCommand,
   TagResourceCommand,
   UntagResourceCommand,
@@ -11618,6 +11870,63 @@ var SNSTopicProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing SNS topic into cdkd state.
+   *
+   * SNS physical IDs are full ARNs (`arn:aws:sns:...:TopicName`). The
+   * `--resource` override is expected to receive an ARN; bare topic names
+   * trigger a `ListTopics` walk that resolves to the ARN.
+   *
+   * Lookup order:
+   *  1. `--resource` override → trust as ARN, verify via `GetTopicAttributes`.
+   *  2. `Properties.TopicName` → `ListTopics` to find matching ARN.
+   *  3. `aws:cdk:path` tag match via `ListTopics` + `ListTagsForResource`.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.snsClient.send(
+          new GetTopicAttributesCommand({ TopicArn: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    const desiredName = typeof input.properties?.["TopicName"] === "string" ? input.properties["TopicName"] : void 0;
+    let nextToken;
+    do {
+      const list = await this.snsClient.send(
+        new ListTopicsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const t of list.Topics ?? []) {
+        if (!t.TopicArn)
+          continue;
+        const arnTail = t.TopicArn.substring(t.TopicArn.lastIndexOf(":") + 1);
+        if (desiredName && arnTail === desiredName) {
+          return { physicalId: t.TopicArn, attributes: {} };
+        }
+        if (input.cdkPath) {
+          try {
+            const tagsResp = await this.snsClient.send(
+              new ListTagsForResourceCommand({ ResourceArn: t.TopicArn })
+            );
+            if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+              return { physicalId: t.TopicArn, attributes: {} };
+            }
+          } catch (err) {
+            if (err instanceof NotFoundException)
+              continue;
+            throw err;
+          }
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 // src/provisioning/providers/sns-subscription-provider.ts
@@ -11917,6 +12226,8 @@ import {
   UpdateFunctionCodeCommand,
   DeleteFunctionCommand,
   GetFunctionCommand,
+  ListFunctionsCommand,
+  ListTagsCommand,
   ResourceNotFoundException
 } from "@aws-sdk/client-lambda";
 import {
@@ -12501,6 +12812,57 @@ var LambdaFunctionProvider = class {
     }
     return (crc ^ 4294967295) >>> 0;
   }
+  /**
+   * Adopt an existing Lambda function into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.FunctionName` → use directly,
+   *     verify via `GetFunction`.
+   *  2. `ListFunctions` + `ListTags`, match `aws:cdk:path` tag.
+   *
+   * Lambda's `ListTags` returns a `Tags` map keyed by tag name (unlike
+   * EC2/S3 which return an array of `{Key, Value}`), so we read it directly
+   * instead of going through the shared `matchesCdkPath` helper.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "FunctionName");
+    if (explicit) {
+      try {
+        await this.lambdaClient.send(new GetFunctionCommand({ FunctionName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.lambdaClient.send(
+        new ListFunctionsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const fn of list.Functions ?? []) {
+        if (!fn.FunctionArn || !fn.FunctionName)
+          continue;
+        try {
+          const tagsResp = await this.lambdaClient.send(
+            new ListTagsCommand({ Resource: fn.FunctionArn })
+          );
+          if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
+            return { physicalId: fn.FunctionName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
 };
 // src/provisioning/providers/lambda-permission-provider.ts
@@ -13222,6 +13584,8 @@ import {
   CreateTableCommand,
   DeleteTableCommand,
   DescribeTableCommand as DescribeTableCommand2,
+  ListTablesCommand,
+  ListTagsOfResourceCommand,
   ResourceNotFoundException as ResourceNotFoundException6
 } from "@aws-sdk/client-dynamodb";
 init_aws_clients();
@@ -13433,12 +13797,70 @@ var DynamoDBTableProvider = class {
     }
     throw new Error(`Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds`);
   }
+  /**
+   * Adopt an existing DynamoDB table into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.TableName` → verify via `DescribeTable`.
+   *  2. `ListTables` + `ListTagsOfResource`, match `aws:cdk:path` tag.
+   *
+   * Tags require the table ARN, which `DescribeTable` provides; the loop
+   * therefore costs one `DescribeTable` per table just to read the ARN.
+   * Acceptable for typical DynamoDB cardinalities.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "TableName");
+    if (explicit) {
+      try {
+        await this.dynamoDBClient.send(new DescribeTableCommand2({ TableName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException6)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let exclusiveStartTableName;
+    do {
+      const list = await this.dynamoDBClient.send(
+        new ListTablesCommand({
+          ...exclusiveStartTableName && { ExclusiveStartTableName: exclusiveStartTableName }
+        })
+      );
+      for (const name of list.TableNames ?? []) {
+        try {
+          const desc = await this.dynamoDBClient.send(
+            new DescribeTableCommand2({ TableName: name })
+          );
+          const arn = desc.Table?.TableArn;
+          if (!arn)
+            continue;
+          const tagsResp = await this.dynamoDBClient.send(
+            new ListTagsOfResourceCommand({ ResourceArn: arn })
+          );
+          if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+            return { physicalId: name, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException6)
+            continue;
+          throw err;
+        }
+      }
+      exclusiveStartTableName = list.LastEvaluatedTableName;
+    } while (exclusiveStartTableName);
+    return null;
+  }
 };
 // src/provisioning/providers/logs-loggroup-provider.ts
 import {
   CreateLogGroupCommand,
   DeleteLogGroupCommand,
+  DescribeLogGroupsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand2,
   PutRetentionPolicyCommand,
   DeleteRetentionPolicyCommand,
   TagResourceCommand as TagResourceCommand2,
@@ -13662,6 +14084,61 @@ var LogsLogGroupProvider = class {
       return `arn:aws:logs:unknown:unknown:log-group:${logGroupName}:*`;
     }
   }
+  /**
+   * Adopt an existing CloudWatch Logs log group into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.LogGroupName` → verify via
+   *     `DescribeLogGroups` (filtered by name prefix).
+   *  2. `aws:cdk:path` tag match via `DescribeLogGroups` + `ListTagsForResource`.
+   *
+   * `ListTagsForResource` for log groups uses the log-group ARN. The
+   * `DescribeLogGroups` response includes the ARN, so no extra round-trip
+   * is needed beyond the per-group tag lookup.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "LogGroupName");
+    if (explicit) {
+      try {
+        const resp = await this.logsClient.send(
+          new DescribeLogGroupsCommand({ logGroupNamePrefix: explicit })
+        );
+        const found = resp.logGroups?.find((g) => g.logGroupName === explicit);
+        return found ? { physicalId: explicit, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException7)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.logsClient.send(
+        new DescribeLogGroupsCommand({ ...nextToken && { nextToken } })
+      );
+      for (const g of list.logGroups ?? []) {
+        if (!g.logGroupName || !g.arn)
+          continue;
+        const arnForTags = g.arn.replace(/:\*$/, "");
+        try {
+          const tagsResp = await this.logsClient.send(
+            new ListTagsForResourceCommand2({ resourceArn: arnForTags })
+          );
+          if (tagsResp.tags?.["aws:cdk:path"] === input.cdkPath) {
+            return { physicalId: g.logGroupName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException7)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.nextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 // src/provisioning/providers/cloudwatch-alarm-provider.ts
@@ -13892,6 +14369,8 @@ var CloudWatchAlarmProvider = class {
 import {
   CreateSecretCommand,
   DeleteSecretCommand,
+  DescribeSecretCommand,
+  ListSecretsCommand,
   UpdateSecretCommand,
   TagResourceCommand as TagResourceCommand3,
   UntagResourceCommand as UntagResourceCommand3,
@@ -14159,10 +14638,65 @@ var SecretsManagerSecretProvider = class {
     }
     return password;
   }
+  /**
+   * Adopt an existing Secrets Manager secret into cdkd state.
+   *
+   * Secrets Manager physical IDs are full secret ARNs. The CDK template's
+   * `Properties.Name` (secret name) is enough to fetch the ARN via
+   * `DescribeSecret`.
+   *
+   * Lookup order:
+   *  1. `--resource` override (ARN) → verify via `DescribeSecret`.
+   *  2. `Properties.Name` → `DescribeSecret` (accepts name).
+   *  3. `aws:cdk:path` tag match via `ListSecrets` (which already returns Tags).
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.smClient.send(
+          new DescribeSecretCommand({ SecretId: input.knownPhysicalId })
+        );
+        return resp.ARN ? { physicalId: resp.ARN, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException8)
+          return null;
+        throw err;
+      }
+    }
+    const name = typeof input.properties?.["Name"] === "string" ? input.properties["Name"] : void 0;
+    if (name) {
+      try {
+        const resp = await this.smClient.send(new DescribeSecretCommand({ SecretId: name }));
+        return resp.ARN ? { physicalId: resp.ARN, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException8)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.smClient.send(
+        new ListSecretsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const s of list.SecretList ?? []) {
+        if (s.ARN && matchesCdkPath(s.Tags, input.cdkPath)) {
+          return { physicalId: s.ARN, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 // src/provisioning/providers/ssm-parameter-provider.ts
 import {
+  DescribeParametersCommand,
+  GetParameterCommand as GetParameterCommand3,
+  ListTagsForResourceCommand as ListTagsForResourceCommand3,
   PutParameterCommand,
   DeleteParameterCommand,
   AddTagsToResourceCommand,
@@ -14374,6 +14908,57 @@ var SSMParameterProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing SSM parameter into cdkd state.
+   *
+   * SSM physical IDs ARE the parameter names (`/foo/bar`). The CDK template
+   * usually carries `Properties.Name` explicitly, so the explicit-name path
+   * covers most cases. The tag-based fallback is rarely needed.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.Name` → verify via `GetParameter`.
+   *  2. `aws:cdk:path` tag match via `DescribeParameters` + `ListTagsForResource`
+   *     (`ResourceType: 'Parameter'`, `ResourceId: <name>`).
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "Name");
+    if (explicit) {
+      try {
+        await this.ssmClient.send(new GetParameterCommand3({ Name: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ParameterNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.ssmClient.send(
+        new DescribeParametersCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const p of list.Parameters ?? []) {
+        if (!p.Name)
+          continue;
+        try {
+          const tagsResp = await this.ssmClient.send(
+            new ListTagsForResourceCommand3({ ResourceType: "Parameter", ResourceId: p.Name })
+          );
+          if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+            return { physicalId: p.Name, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ParameterNotFound)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 // src/provisioning/providers/eventbridge-rule-provider.ts
@@ -14672,7 +15257,9 @@ import {
   DeleteEventBusCommand,
   UpdateEventBusCommand,
   DescribeEventBusCommand,
+  ListEventBusesCommand,
   ListRulesCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand4,
   RemoveTargetsCommand as RemoveTargetsCommand2,
   DeleteRuleCommand as DeleteRuleCommand2,
   ListTargetsByRuleCommand as ListTargetsByRuleCommand2,
@@ -14913,6 +15500,52 @@ var EventBridgeBusProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing EventBridge event bus into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.Name` → verify via `DescribeEventBus`.
+   *  2. `aws:cdk:path` tag match via `ListEventBuses` + `ListTagsForResource`.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "Name");
+    if (explicit) {
+      try {
+        await this.eventBridgeClient.send(new DescribeEventBusCommand({ Name: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException10)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.eventBridgeClient.send(
+        new ListEventBusesCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const bus of list.EventBuses ?? []) {
+        if (!bus.Name || !bus.Arn)
+          continue;
+        try {
+          const tagsResp = await this.eventBridgeClient.send(
+            new ListTagsForResourceCommand4({ ResourceARN: bus.Arn })
+          );
+          if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+            return { physicalId: bus.Name, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException10)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 // src/provisioning/providers/ec2-provider.ts
@@ -24219,6 +24852,10 @@ var GlueProvider = class {
 import {
   KMSClient as KMSClient2,
   CreateKeyCommand,
+  DescribeKeyCommand,
+  ListAliasesCommand as ListAliasesCommand2,
+  ListKeysCommand,
+  ListResourceTagsCommand,
   ScheduleKeyDeletionCommand,
   CreateAliasCommand,
   DeleteAliasCommand,
@@ -24601,6 +25238,81 @@ var KMSProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing KMS key or alias into cdkd state.
+   *
+   * KMS keys have no `Properties.KeyName` field — physical IDs are
+   * AWS-generated UUIDs. So:
+   *  - For `AWS::KMS::Key`: `--resource MyKey=<keyId>` is the only explicit
+   *    path; auto-lookup walks `ListKeys` + `ListResourceTags` matching
+   *    `aws:cdk:path`.
+   *  - For `AWS::KMS::Alias`: `Properties.AliasName` is explicit and reliable.
+   */
+  async import(input) {
+    if (input.resourceType === "AWS::KMS::Alias") {
+      const aliasName = input.knownPhysicalId ?? (typeof input.properties?.["AliasName"] === "string" ? input.properties["AliasName"] : void 0);
+      if (!aliasName)
+        return null;
+      try {
+        let marker2;
+        do {
+          const list = await this.getClient().send(
+            new ListAliasesCommand2({ ...marker2 && { Marker: marker2 } })
+          );
+          const found = list.Aliases?.find(
+            (a) => a.AliasName === aliasName
+          );
+          if (found)
+            return { physicalId: aliasName, attributes: {} };
+          marker2 = list.NextMarker;
+        } while (marker2);
+        return null;
+      } catch (err) {
+        if (err instanceof NotFoundException5)
+          return null;
+        throw err;
+      }
+    }
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new DescribeKeyCommand({ KeyId: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NotFoundException5)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new ListKeysCommand({ ...marker && { Marker: marker } })
+      );
+      for (const key of list.Keys ?? []) {
+        if (!key.KeyId)
+          continue;
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListResourceTagsCommand({ KeyId: key.KeyId })
+          );
+          for (const tag of tagsResp.Tags ?? []) {
+            if (tag.TagKey === CDK_PATH_TAG && tag.TagValue === input.cdkPath) {
+              return { physicalId: key.KeyId, attributes: {} };
+            }
+          }
+        } catch (err) {
+          const name = err.name;
+          if (name === "AccessDeniedException" || err instanceof NotFoundException5)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
 };
 // src/provisioning/providers/kinesis-provider.ts
@@ -26579,7 +27291,7 @@ import {
   CreateTableCommand as CreateTableCommand3,
   DeleteTableCommand as DeleteTableCommand3,
   ListNamespacesCommand,
-  ListTablesCommand,
+  ListTablesCommand as ListTablesCommand2,
   NotFoundException as NotFoundException6
 } from "@aws-sdk/client-s3tables";
 var S3TablesProvider = class {
@@ -26725,7 +27437,7 @@ var S3TablesProvider = class {
         let tableContinuationToken;
         do {
           const tablesResult = await this.getClient().send(
-            new ListTablesCommand({
+            new ListTablesCommand2({
               tableBucketARN,
               namespace: namespaceName,
               continuationToken: tableContinuationToken
@@ -29564,7 +30276,7 @@ import {
 } from "@aws-sdk/client-s3";
 init_aws_clients();
-// src/cli/commands/state-migrate-bucket.ts
+// src/cli/commands/state-migrate.ts
 import * as readline2 from "node:readline/promises";
 import { Command as Command9 } from "commander";
 import {
@@ -29572,7 +30284,7 @@ import {
   CreateBucketCommand as CreateBucketCommand4,
   DeleteBucketCommand as DeleteBucketCommand3,
   DeleteObjectsCommand as DeleteObjectsCommand3,
-  HeadBucketCommand as HeadBucketCommand3,
+  HeadBucketCommand as HeadBucketCommand4,
   ListObjectVersionsCommand as ListObjectVersionsCommand2,
   ListObjectsV2Command as ListObjectsV2Command3,
   PutBucketEncryptionCommand as PutBucketEncryptionCommand3,
@@ -29582,7 +30294,7 @@ import {
 } from "@aws-sdk/client-s3";
 import { GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
 init_aws_clients();
-async function stateMigrateBucketCommand(options) {
+async function stateMigrateCommand(options) {
   const logger = getLogger();
   if (options.verbose)
     logger.setLevel("debug");
@@ -29695,7 +30407,7 @@ async function stateMigrateBucketCommand(options) {
 }
 async function bucketExists2(s3, bucketName) {
   try {
-    await s3.send(new HeadBucketCommand3({ Bucket: bucketName }));
+    await s3.send(new HeadBucketCommand4({ Bucket: bucketName }));
     return true;
   } catch (error) {
     const err = error;
@@ -29848,8 +30560,8 @@ async function confirmPrompt(prompt) {
     rl.close();
   }
 }
-function createStateMigrateBucketCommand() {
-  const cmd = new Command9("migrate-bucket").description(
+function createStateMigrateCommand() {
+  const cmd = new Command9("migrate").description(
     "Migrate state from the legacy region-suffixed bucket (cdkd-state-{account}-{region}) to the new region-free default (cdkd-state-{account}). Source bucket is kept by default; pass --remove-legacy to delete it after a successful migration."
   ).option(
     "--region <region>",
@@ -29864,7 +30576,7 @@ function createStateMigrateBucketCommand() {
     "--remove-legacy",
     "Delete the source bucket after successful migration. Default: keep it.",
     false
-  ).action(withErrorHandling(stateMigrateBucketCommand));
+  ).action(withErrorHandling(stateMigrateCommand));
   commonOptions.forEach((o) => cmd.addOption(o));
   return cmd;
 }
@@ -30438,7 +31150,7 @@ function formatBucketSource(source) {
     case "default":
       return "default (account ID from STS)";
     case "default-legacy":
-      return "default (legacy region-suffixed name; cdkd state migrate-bucket recommended)";
+      return "default (legacy region-suffixed name; cdkd state migrate recommended)";
   }
 }
 async function detectBucketRegion(awsClients, bucket) {
@@ -30553,9 +31265,344 @@ function createStateCommand() {
   cmd.addCommand(createStateShowCommand());
   cmd.addCommand(createStateRmCommand());
   cmd.addCommand(createStateDestroyCommand());
-  cmd.addCommand(createStateMigrateBucketCommand());
+  cmd.addCommand(createStateMigrateCommand());
+  return cmd;
+}
+// src/cli/commands/import.ts
+import { readFileSync as readFileSync5 } from "node:fs";
+import * as readline4 from "node:readline/promises";
+import { Command as Command11 } from "commander";
+init_aws_clients();
+async function importCommand(stackArg, options) {
+  const logger = getLogger();
+  if (options.verbose) {
+    logger.setLevel("debug");
+    process.env["CDKD_NO_LIVE"] = "1";
+  }
+  const region = options.region || process.env["AWS_REGION"] || "us-east-1";
+  const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
+  if (options.region) {
+    process.env["AWS_REGION"] = options.region;
+    process.env["AWS_DEFAULT_REGION"] = options.region;
+  }
+  const awsClients = new AwsClients({
+    ...options.region && { region: options.region },
+    ...options.profile && { profile: options.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const stateConfig = { bucket: stateBucket, prefix: options.statePrefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...options.region && { region: options.region },
+      ...options.profile && { profile: options.profile }
+    });
+    await stateBackend.verifyBucketExists();
+    const lockManager = new LockManager(awsClients.s3, stateConfig);
+    const providerRegistry = new ProviderRegistry();
+    registerAllProviders(providerRegistry);
+    const appCmd = options.app || resolveApp();
+    if (!appCmd) {
+      throw new Error(
+        "`cdkd state import` requires a CDK app: pass --app or set it in cdk.json. The template is read to find logical IDs, resource types, and dependencies."
+      );
+    }
+    logger.info("Synthesizing CDK app to read template...");
+    const synthesizer = new Synthesizer();
+    const context = parseContextOptions(options.context);
+    const result = await synthesizer.synthesize({
+      app: appCmd,
+      output: options.output || "cdk.out",
+      ...Object.keys(context).length > 0 && { context }
+    });
+    let stackInfo;
+    if (stackArg) {
+      stackInfo = result.stacks.find((s) => s.stackName === stackArg || s.displayName === stackArg);
+      if (!stackInfo) {
+        throw new Error(
+          `Stack '${stackArg}' not found in synthesized app. Available: ${result.stacks.map((s) => s.stackName).join(", ")}`
+        );
+      }
+    } else if (result.stacks.length === 1) {
+      stackInfo = result.stacks[0];
+    } else {
+      throw new Error(
+        `Multiple stacks found: ${result.stacks.map((s) => s.stackName).join(", ")}. Specify the stack name as a positional argument.`
+      );
+    }
+    const targetRegion = stackInfo.region || region;
+    logger.info(`Target stack: ${stackInfo.stackName} (${targetRegion})`);
+    const existing = await stateBackend.stateExists(stackInfo.stackName, targetRegion);
+    if (existing && !options.force) {
+      throw new Error(
+        `State already exists for stack '${stackInfo.stackName}' (${targetRegion}). Pass --force to overwrite. (cdkd state import rebuilds the resource map from AWS, so the existing state \u2014 including any drift you've manually edited \u2014 will be lost.)`
+      );
+    }
+    const overrides = parseResourceOverrides(options.resource, options.resourceMapping);
+    if (overrides.size > 0) {
+      logger.debug(`User-supplied physical IDs: ${[...overrides.keys()].join(", ")}`);
+    }
+    const template = stackInfo.template;
+    const templateParser = new TemplateParser();
+    const resources = collectImportableResources(template);
+    logger.info(`Found ${resources.length} resource(s) in template`);
+    const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+    await lockManager.acquireLock(stackInfo.stackName, targetRegion, owner, "import");
+    try {
+      const rows = [];
+      for (const { logicalId, resource } of resources) {
+        const outcome = await importOne({
+          logicalId,
+          resource,
+          stackName: stackInfo.stackName,
+          region: targetRegion,
+          providerRegistry,
+          override: overrides.get(logicalId)
+        });
+        rows.push(outcome);
+      }
+      printSummary(rows);
+      if (options.dryRun) {
+        logger.info("--dry-run: state will NOT be written. Re-run without --dry-run to apply.");
+        return;
+      }
+      const importedRows = rows.filter((r) => r.outcome === "imported");
+      if (importedRows.length === 0) {
+        logger.warn("No resources were successfully imported. State will not be written.");
+        return;
+      }
+      if (!options.yes) {
+        const ok = await confirmPrompt2(
+          `Write state for ${stackInfo.stackName} (${targetRegion}) with ${importedRows.length} resource(s)?`
+        );
+        if (!ok) {
+          logger.info("Import cancelled.");
+          return;
+        }
+      }
+      const stackState = buildStackState(
+        stackInfo.stackName,
+        targetRegion,
+        rows,
+        templateParser,
+        template
+      );
+      await stateBackend.saveState(stackInfo.stackName, targetRegion, stackState);
+      logger.info(`\u2713 State written: ${stackInfo.stackName} (${targetRegion})`);
+      logger.info(
+        `  ${importedRows.length} resource(s) imported. Run 'cdkd diff' to see how the imported state lines up with the template.`
+      );
+    } finally {
+      await lockManager.releaseLock(stackInfo.stackName, targetRegion).catch((err) => {
+        logger.warn(`Failed to release lock: ${err instanceof Error ? err.message : String(err)}`);
+      });
+    }
+  } finally {
+    awsClients.destroy();
+  }
+}
+async function importOne(task) {
+  const logger = getLogger();
+  const { logicalId, resource, stackName, region, providerRegistry, override } = task;
+  if (!providerRegistry.hasProvider(resource.Type)) {
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "skipped-no-impl",
+      reason: "no provider registered"
+    };
+  }
+  const provider = providerRegistry.getProvider(resource.Type);
+  if (!provider.import) {
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "skipped-no-impl",
+      reason: `provider does not implement import (yet)`
+    };
+  }
+  const cdkPath = readCdkPath(resource);
+  const input = {
+    logicalId,
+    resourceType: resource.Type,
+    cdkPath,
+    stackName,
+    region,
+    properties: resource.Properties ?? {},
+    ...override !== void 0 && { knownPhysicalId: override }
+  };
+  try {
+    const result = await provider.import(input);
+    if (!result) {
+      return {
+        logicalId,
+        resourceType: resource.Type,
+        outcome: "skipped-not-found",
+        reason: "no matching AWS resource"
+      };
+    }
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "imported",
+      physicalId: result.physicalId
+    };
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    logger.error(`Failed to import ${logicalId} (${resource.Type}): ${msg}`);
+    return {
+      logicalId,
+      resourceType: resource.Type,
+      outcome: "failed",
+      reason: msg
+    };
+  }
+}
+function parseResourceOverrides(flags, mappingFile) {
+  const map = /* @__PURE__ */ new Map();
+  if (mappingFile) {
+    let parsed;
+    try {
+      parsed = JSON.parse(readFileSync5(mappingFile, "utf-8"));
+    } catch (err) {
+      throw new Error(
+        `Failed to read --resource-mapping file '${mappingFile}': ` + (err instanceof Error ? err.message : String(err))
+      );
+    }
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new Error(
+        `--resource-mapping file '${mappingFile}' must be a JSON object {logicalId: physicalId}`
+      );
+    }
+    for (const [key, value] of Object.entries(parsed)) {
+      if (typeof value !== "string") {
+        throw new Error(
+          `--resource-mapping: value for '${key}' must be a string, got ${typeof value}`
+        );
+      }
+      map.set(key, value);
+    }
+  }
+  for (const entry of flags ?? []) {
+    const eq = entry.indexOf("=");
+    if (eq <= 0 || eq === entry.length - 1) {
+      throw new Error(`--resource expects 'logicalId=physicalId', got '${entry}'`);
+    }
+    map.set(entry.slice(0, eq), entry.slice(eq + 1));
+  }
+  return map;
+}
+function readCdkPath(resource) {
+  const meta = resource.Metadata;
+  if (!meta)
+    return "";
+  const v = meta["aws:cdk:path"];
+  return typeof v === "string" ? v : "";
+}
+function collectImportableResources(template) {
+  const out = [];
+  for (const [logicalId, resource] of Object.entries(template.Resources)) {
+    if (resource.Type === "AWS::CDK::Metadata")
+      continue;
+    out.push({ logicalId, resource });
+  }
+  return out;
+}
+function buildStackState(stackName, region, rows, templateParser, template) {
+  const resources = {};
+  for (const row of rows) {
+    if (row.outcome !== "imported" || !row.physicalId)
+      continue;
+    const tmplResource = template.Resources[row.logicalId];
+    if (!tmplResource)
+      continue;
+    const deps = templateParser.extractDependencies(tmplResource);
+    resources[row.logicalId] = {
+      physicalId: row.physicalId,
+      resourceType: row.resourceType,
+      properties: tmplResource.Properties ?? {},
+      attributes: {},
+      dependencies: [...deps]
+    };
+  }
+  return {
+    version: 2,
+    stackName,
+    region,
+    resources,
+    outputs: {},
+    lastModified: Date.now()
+  };
+}
+function printSummary(rows) {
+  const logger = getLogger();
+  const counts = {
+    imported: 0,
+    "skipped-no-impl": 0,
+    "skipped-not-found": 0,
+    failed: 0
+  };
+  logger.info("");
+  logger.info("Import plan:");
+  for (const r of rows) {
+    counts[r.outcome]++;
+    const tag = formatOutcome(r.outcome);
+    const detail = r.outcome === "imported" ? ` (${r.physicalId})` : r.reason ? ` \u2014 ${r.reason}` : "";
+    logger.info(`  ${tag} ${r.logicalId} (${r.resourceType})${detail}`);
+  }
+  logger.info("");
+  logger.info(
+    `Summary: ${counts.imported} imported, ${counts["skipped-not-found"]} not found, ${counts["skipped-no-impl"]} unsupported, ${counts.failed} failed`
+  );
+}
+function formatOutcome(outcome) {
+  switch (outcome) {
+    case "imported":
+      return "\u2713";
+    case "skipped-not-found":
+      return "\xB7";
+    case "skipped-no-impl":
+      return "?";
+    case "failed":
+      return "\u2717";
+  }
+}
+async function confirmPrompt2(prompt) {
+  const rl = readline4.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
+function createImportCommand() {
+  const cmd = new Command11("import").description(
+    "Adopt already-deployed AWS resources into cdkd state. Reads the CDK app to find logical IDs, resource types, and dependencies; uses the aws:cdk:path tag (or explicit --resource overrides) to find each resource in AWS."
+  ).argument(
+    "[stack]",
+    "Stack to import. Optional when the synthesized app contains exactly one stack."
+  ).option(
+    "--resource <id=physical>",
+    "Explicit physical-id override for one logical ID. Repeatable. Bypasses tag-based auto-lookup for that resource only.",
+    collectMultiple,
+    []
+  ).option(
+    "--resource-mapping <file>",
+    "Path to a JSON file of {logicalId: physicalId} overrides (CDK CLI `cdk import --resource-mapping` compatible)."
+  ).option("--dry-run", "Show planned imports without writing state", false).option(
+    "--force",
+    "Overwrite an existing state record. Without this, an existing state file aborts the import.",
+    false
+  ).action(withErrorHandling(importCommand));
+  [...commonOptions, ...appOptions, ...stateOptions, ...contextOptions].forEach(
+    (o) => cmd.addOption(o)
+  );
   return cmd;
 }
+function collectMultiple(value, previous) {
+  return [...previous ?? [], value];
+}
 // src/cli/index.ts
 var SUBCOMMANDS = /* @__PURE__ */ new Set([
@@ -30566,6 +31613,7 @@ var SUBCOMMANDS = /* @__PURE__ */ new Set([
   "deploy",
   "diff",
   "destroy",
+  "import",
   "publish-assets",
   "force-unlock",
   "state"
@@ -30581,14 +31629,15 @@ function reorderArgs(argv) {
   return [...prefix, ...cmdAndAfter, ...beforeCmd];
 }
 async function main() {
-  const program = new Command11();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.14.0");
+  const program = new Command12();
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.16.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());
   program.addCommand(createDeployCommand());
   program.addCommand(createDiffCommand());
   program.addCommand(createDestroyCommand());
+  program.addCommand(createImportCommand());
   program.addCommand(createPublishAssetsCommand());
   program.addCommand(createForceUnlockCommand());
   program.addCommand(createStateCommand());