@go-to-k/cdkd 0.146.0 → 0.147.0

package/README.md

@@ -581,11 +581,16 @@ The Custom Resource Lambda must be idempotent AND must POST to
 `event.ResponseURL` per the cfn-response protocol. Without the flag,
 the command refuses to proceed and the user is expected to destroy
 the offending resources (or accept abandoning them) first. Nested
-`AWS::CloudFormation::Stack` references block in this release —
-[#464](https://github.com/go-to-k/cdkd/issues/464) will lift the
-restriction. Fresh `cdkd deploy` of nested stacks works via
-[#459](https://github.com/go-to-k/cdkd/issues/459); only the
-cdkd → CFn migration direction is deferred.
+`AWS::CloudFormation::Stack` rows have partial support as of
+[#464](https://github.com/go-to-k/cdkd/issues/464) PR B1: `cdkd export`
+recursively walks the cdkd state tree, validates every parent → child
+link, and surfaces the full leaf-first migration scope to the user;
+the CFn-side `--include-nested-stacks` IMPORT changeset submission
+itself is deferred to PR B2, so the command warns on `--dry-run` /
+hard-errors on real run with a clear pointer + workaround (keep on
+cdkd, or destroy children leaf-first via `cdkd state destroy <child>`
+and re-export the flattened parent). Fresh `cdkd deploy` of nested
+stacks works via [#459](https://github.com/go-to-k/cdkd/issues/459).
 
 ```bash
 cdkd export MyStack                           # confirmation prompt; CFn stack name = cdkd stack name

package/dist/cli.js

@@ -31721,6 +31721,18 @@ function getCurrentNestedStackContext() {
 //#endregion
 //#region src/provisioning/providers/nested-stack-provider.ts
 /**
+* Returns `true` when `p` is absolute on the current platform OR begins
+* with a forward slash. The `startsWith('/')` arm covers the cross-platform
+* leak where `path.isAbsolute('/abs/foo')` returns `true` on POSIX but
+* `false` on Windows (Windows absolute paths require a drive letter or
+* UNC root) — a POSIX-style absolute path embedded in a synth template
+* generated on Linux and consumed on a Windows host would slip past
+* `path.isAbsolute()` alone. Exported for unit testing.
+*/
+function isAbsoluteCrossPlatform(p) {
+	return path.isAbsolute(p) || p.startsWith("/");
+}
+/**
 * Provider for `AWS::CloudFormation::Stack` — cdkd's recursive nested-stack
 * adapter. Issue [#459](https://github.com/go-to-k/cdkd/issues/459); see
 * [docs/design/459-nested-stacks.md](../../../docs/design/459-nested-stacks.md)
@@ -31940,7 +31952,7 @@ var NestedStackProvider = class {
 			if (resource?.Type !== "AWS::CloudFormation::Stack") continue;
 			const assetPath = resource.Metadata?.["aws:asset:path"];
 			if (typeof assetPath !== "string" || assetPath.length === 0) continue;
-			if (path.isAbsolute(assetPath)) throw new Error(`NestedStackProvider: nested-stack '${grandLogicalId}' has Metadata['aws:asset:path']='${assetPath}' which is absolute. CDK emits relative asset paths for nested templates; an absolute path indicates the synth output was hand-modified or generated by a non-CDK toolchain. Refusing to load.`);
+			if (isAbsoluteCrossPlatform(assetPath)) throw new Error(`NestedStackProvider: nested-stack '${grandLogicalId}' has Metadata['aws:asset:path']='${assetPath}' which is absolute. CDK emits relative asset paths for nested templates; an absolute path indicates the synth output was hand-modified or generated by a non-CDK toolchain. Refusing to load.`);
 			result[grandLogicalId] = path.join(dir, assetPath);
 		}
 		return result;
@@ -54023,11 +54035,6 @@ function createLocalCommand() {
 *
 *   - `AWS::CDK::Metadata` is a CDK sentinel; not a real AWS resource and
 *     CFn refuses to import it.
-*   - `AWS::CloudFormation::Stack` is a nested stack reference. Fresh
-*     `cdkd deploy` of nested stacks IS supported (issue #459), but
-*     moving an existing nested-stack hierarchy from cdkd back into
-*     CloudFormation via `cdkd export` is deferred to the
-*     [#464](https://github.com/go-to-k/cdkd/issues/464) follow-up.
 *   - `AWS::CloudFormation::CustomResource` is the CFn resource type CDK
 *     emits for `new cdk.CustomResource(...)` when no `resourceType` is
 *     passed. Functionally identical to `Custom::*` — Lambda-backed,
@@ -54037,11 +54044,19 @@ function createLocalCommand() {
 *     custom-resource state — invocation history lives in the provider
 *     Lambda, not in AWS resource state, so there is nothing to import.
 *
+* `AWS::CloudFormation::Stack` is **intentionally NOT in this set** — it is
+* handled by a dedicated branch in {@link buildImportPlan} that routes the
+* row through the nested-stack tree walker (issue
+* [#464](https://github.com/go-to-k/cdkd/issues/464) PR B1). The CFn-side
+* `--include-nested-stacks` IMPORT changeset submission is tracked under
+* PR B2 — until that lands, the orchestrator hard-errors at submission
+* time with a clear pointer.
+*
 * The list is intentionally narrow. Other resource types CFn may not yet
 * support for import are surfaced as errors by the CreateChangeSet call
 * itself; we do not try to maintain a closed allowlist here.
 */
-const NEVER_IMPORTABLE_TYPES = new Set(["AWS::CDK::Metadata", "AWS::CloudFormation::Stack"]);
+const NEVER_IMPORTABLE_TYPES = new Set(["AWS::CDK::Metadata"]);
 function isNeverImportableType(resourceType) {
 	if (NEVER_IMPORTABLE_TYPES.has(resourceType)) return true;
 	if (isCustomResourceType(resourceType)) return true;
@@ -54312,12 +54327,24 @@ async function exportCommand(stackArg, options) {
 			if (!await lockManager.acquireLock(resolvedStackName, targetRegion, owner, "export")) throw new Error(`Could not acquire lock for stack '${resolvedStackName}' (${targetRegion}) — another cdkd process holds it. Wait for it to finish, or run 'cdkd force-unlock ${resolvedStackName}' if you are certain no other process is active.`);
 		}
 		try {
-			const { phase1Imports, phase2Creates, recreateBeforePhase2, blocked } = await buildImportPlan(state, template, awsClients.cloudFormation, { recreateImportUnsupported: options.recreateImportUnsupported });
+			const { phase1Imports, phase2Creates, recreateBeforePhase2, nestedStackRows, blocked } = await buildImportPlan(state, template, awsClients.cloudFormation, resolvedStackName, { recreateImportUnsupported: options.recreateImportUnsupported });
 			if (blocked.length > 0) {
 				logger.error("The following resources block migration:");
 				for (const b of blocked) logger.error(`  - ${b.logicalId} (${b.resourceType}): ${b.reason}`);
 				throw new Error(`${blocked.length} resource(s) block migration. Either destroy them first (cdkd destroy / cdkd state destroy cherry-picked), or remove them from the CDK app and re-synthesize.`);
 			}
+			if (nestedStackRows.length > 0) {
+				const leafFirst = flattenCdkdStateTreeLeafFirst(await buildCdkdStateStackTree(resolvedStackName, targetRegion, stateBackend, state));
+				logger.info(`Stack '${resolvedStackName}' contains ${nestedStackRows.length} top-level nested stack row(s); cdkd state tree spans ${leafFirst.length} stack(s) total (leaf-first migration order):`);
+				for (const node of leafFirst) logger.info(`  - cdkd/${node.stackName}/${node.region}/state.json`);
+				const deferralMessage = `cdkd export does not yet submit nested-stack trees to CloudFormation (${nestedStackRows.length} top-level nested-stack row(s) detected; ${leafFirst.length} cdkd state record(s) in the tree). Recursive --include-nested-stacks IMPORT changeset submission is tracked under issue #464 PR B2. Workarounds until PR B2 ships:\n  - Keep the stack on cdkd (recommended — nested-stack deploy / destroy / drift already work via the SDK provider path).\n  - OR destroy the nested children first via 'cdkd state destroy <child>' (leaf-first), then re-run 'cdkd export <parent>' against the flattened parent.`;
+				if (options.dryRun) {
+					logger.warn(deferralMessage);
+					logger.info("--dry-run: no CloudFormation changeset will be created.");
+					return;
+				}
+				throw new Error(deferralMessage);
+			}
 			if (phase1Imports.length === 0 && phase2Creates.length === 0 && recreateBeforePhase2.length === 0) {
 				logger.warn("No resources to migrate — cdkd state is empty.");
 				return;
@@ -54484,10 +54511,11 @@ async function assertCfnStackAbsent(cfnClient, stackName) {
 * `AWS::CloudFormation::Stack` (nested stacks) is intentionally NOT in
 * this set: CFn would CREATE a duplicate nested stack rather than adopt
 * the existing one, which would conflict with whatever the cdkd state
-* thought it owned. Fresh `cdkd deploy` of nested stacks is supported
-* via the recursive `NestedStackProvider` (#459), but `cdkd export`
-* adoption back into CloudFormation is deferred to the
-* [#464](https://github.com/go-to-k/cdkd/issues/464) follow-up.
+* thought it owned. Nested-stack rows are handled by a dedicated branch
+* in {@link buildImportPlan} (issue
+* [#464](https://github.com/go-to-k/cdkd/issues/464) PR B1) that routes
+* the row to the cdkd-state-side tree walker. The CFn-side
+* `--include-nested-stacks` IMPORT changeset submission lands in PR B2.
 *
 * Exported for unit testing.
 */
@@ -54495,6 +54523,86 @@ function isPhase2CreatableType(resourceType) {
 	return isCustomResourceType(resourceType);
 }
 /**
+* Recursively load the cdkd-state tree rooted at `(rootStackName, region)`.
+* For every `AWS::CloudFormation::Stack` row in each level's
+* `state.resources`, derives the child's v6 state key
+* (`<parent>~<childLogicalId>`) and loads the child state file from S3,
+* then recurses.
+*
+* Throws if any expected child state file is missing — the parent's state
+* lists a nested-stack row but the child's `cdkd/<parent>~<child>/<region>/state.json`
+* does not exist. That state-tree inconsistency must be resolved before
+* any export attempt (typically via `cdkd state orphan <parent>` and a
+* full re-deploy, or by completing whatever partial operation left the
+* tree torn).
+*
+* Children at each level are loaded sequentially today (not `Promise.all`)
+* because the failure-mode shape is "fail fast on the first missing
+* child" rather than "list every missing child" — a single missing-child
+* pointer is enough for the user to identify the root cause without
+* fanning out N parallel `getState` calls on a torn tree. PR B2 may
+* revisit this once the per-child template-fetch / preprocessing /
+* upload pass dominates the wall-clock cost.
+*
+* Exported so the walker can be unit-tested independently of the orchestrator.
+*
+* Callers that already loaded the root state record up front (the typical
+* orchestrator shape — `exportCommand` always reads it via
+* `stateBackend.getState` before plan-build) can pass it via the optional
+* `prefetchedRootState` argument to save one S3 round-trip per export run.
+* Otherwise the walker fetches it itself, matching the standalone-use
+* signature.
+*/
+async function buildCdkdStateStackTree(rootStackName, region, stateBackend, prefetchedRootState) {
+	let rootState;
+	if (prefetchedRootState !== void 0) rootState = prefetchedRootState;
+	else {
+		const rootResult = await stateBackend.getState(rootStackName, region);
+		if (!rootResult) throw new Error(`No cdkd state found for stack '${rootStackName}' (${region}). Cannot build nested-stack tree.`);
+		rootState = rootResult.state;
+	}
+	return walkCdkdStateStackTree(rootStackName, region, rootState, stateBackend);
+}
+async function walkCdkdStateStackTree(stackName, region, state, stateBackend) {
+	const nestedChildren = /* @__PURE__ */ new Map();
+	for (const [logicalId, resource] of Object.entries(state.resources)) {
+		if (resource.resourceType !== "AWS::CloudFormation::Stack") continue;
+		const childStackName = `${stackName}~${logicalId}`;
+		const childResult = await stateBackend.getState(childStackName, region);
+		if (!childResult) throw new Error(`cdkd state is missing nested-child '${childStackName}' (${region}). Parent stack '${stackName}' lists '${logicalId}' as an ${NESTED_STACK_RESOURCE_TYPE} row but no child state file exists at 'cdkd/${childStackName}/${region}/state.json'. The cdkd state tree is inconsistent — re-deploy the parent stack to refresh, or run 'cdkd state orphan ${stackName}' and re-import.`);
+		if (childResult.state.region !== void 0 && childResult.state.region !== region) throw new Error(`cdkd state region mismatch: nested-child '${childStackName}' has state.region='${childResult.state.region}' but its parent '${stackName}' is being walked against region='${region}'. AWS does not support cross-region nested stacks; the state tree appears corrupt — re-deploy the parent stack to refresh.`);
+		nestedChildren.set(logicalId, await walkCdkdStateStackTree(childStackName, region, childResult.state, stateBackend));
+	}
+	return {
+		stackName,
+		region,
+		state,
+		nestedChildren
+	};
+}
+/**
+* Flatten a {@link CdkdStateStackTree} into a depth-first list of
+* `(stackName, region)` pairs in **leaf-first** order — same order PR B2's
+* state-cleanup pass will use to delete each adopted stack's cdkd state
+* after the CFn-side IMPORT succeeds (so a mid-walk failure leaves the
+* earlier parent's state intact for retry).
+*
+* Exported so callers (orchestrator user-facing summary, unit tests) can
+* iterate the tree in the same order without re-implementing the walk.
+*/
+function flattenCdkdStateTreeLeafFirst(tree) {
+	const out = [];
+	walk(tree);
+	return out;
+	function walk(node) {
+		for (const child of node.nestedChildren.values()) walk(child);
+		out.push({
+			stackName: node.stackName,
+			region: node.region
+		});
+	}
+}
+/**
 * Build the import plan from cdkd state + the synthesized template.
 *
 * Classifies every template resource into one of:
@@ -54510,14 +54618,22 @@ function isPhase2CreatableType(resourceType) {
 *     phases so CFn's phase-2 CREATE doesn't collide. When the user
 *     passes `--no-recreate-import-unsupported`, these are moved to
 *     `blocked` instead.
+*   - `nestedStackRows`: `AWS::CloudFormation::Stack` rows in the parent
+*     template. Surfaced separately because they are handled by the
+*     nested-stack tree walker, not the per-resource IMPORT path
+*     (issue [#464](https://github.com/go-to-k/cdkd/issues/464) PR B1 + PR B2).
+*     The orchestrator currently hard-errors when any are present —
+*     CFn-side `--include-nested-stacks` IMPORT changeset submission
+*     lands in PR B2.
 *   - `blocked`: anything else. A non-empty `blocked` aborts the run.
 */
-async function buildImportPlan(state, template, cfnClient, options = { recreateImportUnsupported: true }) {
+async function buildImportPlan(state, template, cfnClient, parentStackName, options = { recreateImportUnsupported: true }) {
 	const templateResources = template["Resources"];
 	if (!templateResources || typeof templateResources !== "object" || Array.isArray(templateResources)) throw new Error("Template has no Resources section.");
 	const phase1Imports = [];
 	const phase2Creates = [];
 	const recreateBeforePhase2 = [];
+	const nestedStackRows = [];
 	const blocked = [];
 	const identifierCache = /* @__PURE__ */ new Map();
 	for (const [logicalId, raw] of Object.entries(templateResources)) {
@@ -54525,6 +54641,22 @@ async function buildImportPlan(state, template, cfnClient, options = { recreateI
 		const resourceType = raw.Type ?? "";
 		if (!resourceType) continue;
 		if (resourceType === "AWS::CDK::Metadata") continue;
+		if (resourceType === "AWS::CloudFormation::Stack") {
+			const parentRow = state.resources[logicalId];
+			if (!parentRow || parentRow.resourceType !== "AWS::CloudFormation::Stack") {
+				blocked.push({
+					logicalId,
+					resourceType,
+					reason: `template has AWS::CloudFormation::Stack row '${logicalId}' but cdkd state has no matching nested-stack entry on parent '${parentStackName}'. Re-deploy or re-import the parent stack to refresh state.`
+				});
+				continue;
+			}
+			nestedStackRows.push({
+				logicalId,
+				childStackName: `${parentStackName}~${logicalId}`
+			});
+			continue;
+		}
 		if (isNeverImportableType(resourceType)) {
 			if (isPhase2CreatableType(resourceType)) phase2Creates.push({
 				logicalId,
@@ -54583,6 +54715,7 @@ async function buildImportPlan(state, template, cfnClient, options = { recreateI
 		phase1Imports,
 		phase2Creates,
 		recreateBeforePhase2,
+		nestedStackRows,
 		blocked
 	};
 }
@@ -56460,7 +56593,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.146.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.147.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());