@go-to-k/cdkd 0.14.0 → 0.16.0

package/dist/index.js

@@ -6399,6 +6399,60 @@ Error: ${err.message || "Unknown error"}`,
     }
     return resourceType.startsWith("AWS::");
   }
+  /**
+   * Adopt an already-deployed resource into cdkd state via Cloud Control API.
+   *
+   * Strategy: explicit-override only.
+   *   - With `knownPhysicalId` (from `--resource <id>=<physicalId>` or
+   *     `--resource-mapping`): call `GetResource(TypeName, Identifier)`,
+   *     parse `ResourceModel` (returned as a JSON string by CC API), and
+   *     return its keys as `attributes`.
+   *   - Without `knownPhysicalId`: return `null`. CC API has no efficient
+   *     `aws:cdk:path`-tag lookup — `ListResources` returns identifiers
+   *     only, so tag lookup would require one `GetResource` per resource
+   *     in the account, plus per-service tag-API calls (which CC API
+   *     doesn't expose uniformly). Cost vs. value isn't worth it; users
+   *     who need adoption for CC-API-only resource types should pass
+   *     `--resource <id>=<physicalId>` for those resources.
+   *
+   * SDK providers (S3, Lambda, IAM Role, etc.) implement their own
+   * `import` with tag-based auto-lookup; this fallback only kicks in for
+   * resource types that don't have a dedicated SDK provider.
+   */
+  async import(input) {
+    if (!input.knownPhysicalId) {
+      return null;
+    }
+    try {
+      const resp = await this.cloudControlClient.send(
+        new GetResourceCommand2({
+          TypeName: input.resourceType,
+          Identifier: input.knownPhysicalId
+        })
+      );
+      let attributes = {};
+      const raw = resp.ResourceDescription?.Properties;
+      if (typeof raw === "string" && raw.length > 0) {
+        try {
+          const parsed = JSON.parse(raw);
+          if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            attributes = parsed;
+          }
+        } catch (parseErr) {
+          this.logger.debug(
+            `Failed to parse CC API ResourceModel for ${input.resourceType}/${input.knownPhysicalId}: ${parseErr instanceof Error ? parseErr.message : String(parseErr)}`
+          );
+        }
+      }
+      return { physicalId: input.knownPhysicalId, attributes };
+    } catch (error) {
+      const err = error;
+      if (err.name === "ResourceNotFoundException") {
+        return null;
+      }
+      throw error;
+    }
+  }
 };
 
 // src/provisioning/providers/custom-resource-provider.ts
@@ -7063,6 +7117,8 @@ import {
   UntagRoleCommand,
   PutRolePermissionsBoundaryCommand,
   DeleteRolePermissionsBoundaryCommand,
+  ListRolesCommand,
+  ListRoleTagsCommand,
   NoSuchEntityException
 } from "@aws-sdk/client-iam";
 init_aws_clients();
@@ -7171,6 +7227,32 @@ function applyDefaultNameForFallback(logicalId, resourceType, properties) {
   };
 }
 
+// src/provisioning/import-helpers.ts
+function readNameProperty(input, propertyName) {
+  const value = input.properties?.[propertyName];
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function resolveExplicitPhysicalId(input, nameProperty) {
+  if (input.knownPhysicalId)
+    return input.knownPhysicalId;
+  if (nameProperty) {
+    const name = readNameProperty(input, nameProperty);
+    if (name)
+      return name;
+  }
+  return void 0;
+}
+var CDK_PATH_TAG = "aws:cdk:path";
+function matchesCdkPath(tags, cdkPath) {
+  if (!tags || !cdkPath)
+    return false;
+  for (const t of tags) {
+    if (t.Key === CDK_PATH_TAG && t.Value === cdkPath)
+      return true;
+  }
+  return false;
+}
+
 // src/provisioning/providers/iam-role-provider.ts
 var IAMRoleProvider = class {
   iamClient;
@@ -7677,6 +7759,58 @@ var IAMRoleProvider = class {
       this.logger.debug(`Added/updated ${tagsToAdd.length} tags on role ${roleName}`);
     }
   }
+  /**
+   * Adopt an existing IAM role into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.RoleName` → use directly,
+   *     verify via `GetRole`.
+   *  2. `ListRoles` + `ListRoleTags`, match `aws:cdk:path` tag.
+   *
+   * `ListRoles` is paginated and IAM is global (no region scoping), so this
+   * walks every role in the account once. Acceptable for the cardinalities
+   * we expect (typically <100 roles per account); larger accounts may want
+   * to provide `--resource` overrides instead.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "RoleName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetRoleCommand({ RoleName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.iamClient.send(
+        new ListRolesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const role of list.Roles ?? []) {
+        if (!role.RoleName)
+          continue;
+        try {
+          const tags = await this.iamClient.send(
+            new ListRoleTagsCommand({ RoleName: role.RoleName })
+          );
+          if (matchesCdkPath(tags.Tags, input.cdkPath)) {
+            return { physicalId: role.RoleName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof NoSuchEntityException)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.IsTruncated ? list.Marker : void 0;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/deployment/dag-executor.ts